1.4  How Kerio VPN Client works

Kerio VPN Client connects a client's host to a remote private network via an encrypted communication channel (in the operating system, this channel is represented by the kvnet0 virtual network interface). The Kerio Control VPN server assigns this interface an IP address belonging to that private network.

The client's operating system must be aware of routes to the individual subnets of the corresponding remote network. For this purpose, Kerio VPN Client automatically updates the client's routing table (it adds new routes directed to remote subnets).

During these updates, routes to all remote subnets (or a route to other networks defined in the VPN server configuration) are added, except those whose IP addresses collide with IP addresses of the local network to which the client is connected. Kerio VPN Client never changes the default route (i.e. the configuration of the default gateway). The encrypted traffic channel is used only for connection to the remote private network. For connection to the Internet, clients use their current Internet connections.
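The route selection described above can be modelled as follows. This is an added illustration, not Kerio's own code: the sample subnets, the local interface name `en0`, and the treatment of a "collision" as any address overlap are assumptions.

```python
import ipaddress

# Constructed sample data: subnets pushed by the VPN server and the client's LAN.
PUSHED = ["10.10.0.0/16", "172.16.5.0/24", "192.168.1.0/24"]
LOCAL = ["192.168.1.0/24"]

def plan_routes(pushed, local):
    """Return (added, skipped): remote subnets routed via the VPN vs. left out."""
    local_nets = [ipaddress.ip_network(n) for n in local]
    added, skipped = [], []
    for subnet in pushed:
        net = ipaddress.ip_network(subnet)
        # Assumption: a "collision" is any address overlap with a local network.
        if any(net.overlaps(l) for l in local_nets):
            skipped.append(net)
        else:
            added.append(net)
    return added, skipped

def egress_interface(dest, added, local, vpn_if="kvnet0", local_if="en0"):
    """Longest-prefix match over local networks, VPN routes and the default route."""
    addr = ipaddress.ip_address(dest)
    table = [(ipaddress.ip_network(n), local_if) for n in local]
    table += [(net, vpn_if) for net in added]
    # The default route is never changed, so it still points at the local uplink.
    table.append((ipaddress.ip_network("0.0.0.0/0"), local_if))
    matches = [(net, ifc) for net, ifc in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    added, skipped = plan_routes(PUSHED, LOCAL)
    print("via VPN:", [str(n) for n in added])
    print("skipped (collides with LAN):", [str(n) for n in skipped])
    for dest in ("10.10.3.7", "192.168.1.20", "203.0.113.10"):
        print(dest, "->", egress_interface(dest, added, LOCAL))
```

Under this model, a remote host whose address falls inside a colliding subnet is not reachable through the tunnel while the client sits on that LAN, and Internet-bound traffic leaves over the local connection rather than the encrypted channel.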

The VPN server also assigns the client an address for the primary, and optionally also the secondary, DNS server, along with a DNS domain extension. This allows remote hosts to be specified by name.

As a result of this change in DNS configuration, all DNS queries from the client host are sent to a DNS server in the remote private network. Users usually do not even notice any change. When the VPN connection is closed, the original DNS configuration is restored.

On Mac OS X 10.5 Leopard, the VPN server can also assign the client an address for the primary, and optionally also the secondary, WINS server. The WINS service enables browsing in the Microsoft Windows network neighbourhood. As with DNS, the original WINS configuration is restored when the VPN connection is closed.

Note: The Kerio VPN Client does not allow more than one concurrent VPN connection. However, it is possible to connect to any number of servers, one by one.