WTF I AM DOING WRONG (VPN edition) ?

Emad R

Hey,

I think this topic should be an auto-generated weekly topic, cause I foresee that I will have many WTF moments.

As an I.T generalist, I know a bit of everything, and VPN is the area where i wish I would know more, so without any further delay, here is the scenario.

I wish to create simple VPN connection/server using Windows technology for Windows laptops outside of the work office, and mostly everybody runs Windows 7.

Also note in that office, its Class C subnet with 30 users, so were working on the standard
192.168.1.x
Private IPs
The DHCP is provided by the main ISP router/modem (And I prefer to keep it that way)

My server is vm running 2008R2, and I added routing and remote access role only, and configured NPS policy for VPN profile connections.

And for the life of me I am unable to connect to the VPN successfully unless I specific manually to specific the IP address.

Which is stupid way of solving it, cause I have to configure the DHCP on the main router and limit it to stop giving addresses from 192.168.1.2 till 192.168.1.199 which is easy step, but its stupid cause even if that way it works 100% cause lets say for example my home is configured with
192.168.0.x subnet, that means I can connect to the work NAS at office which have the IP of 192.168.1.200
works GREAT, but what if a site that has subnet of 192.168.1.x already utilized it works and I can successful connect to the VPN but IP issues arise, for example if 192.168.1.200 is already utilized in my home I wont be able to connect the office NAS.

The only way to get it working currently it so change the subnet of the work office for something weird like 192.168.55.x this way I can grantee that VPN users will get an IP of 192.168.55.201 and it will work cause its very uncommon that any household ISP vendor private IP gives the users anything other than:
192.168.1.x or 192.168.0.x or 192.168.8.x where I live

And is the above VERY uneducated POOR MAN VPN have name ? and did you ever see people use it in VPN which is allocate subnets manually and change the subnet of the work reasonable solution ?

Hence the question why DHCP is not working , I KNOW I AM DOING SOMETHING TERRIBLY WRONG BUT WHAT IS IT, can you guess and win the price of slapping me with it ?!?

I tried ticking DHCP IPV4 Assignment but afterwards the VPN does not work and cant connect with an error 720

I tried adding another virtual adapter and plaything with that and then bridging it - didnt work

I tried playing with DHCP relay agent setting - added IP of router - Added new interface of LAN didnt work

I tried adding DHCP role in the server - didnt know what I was doing thus didnt work

More screenshots to help you out:

Thanks for reading this and helping me in advance.

scottalanmiller

Why is DHCP coming from the "main router" instead of from your Windows server?

Emad R

@scottalanmiller

We dont have an Active Directory, and whats the benefit of DHCP from windows server (I reckon its situations like these...)

Could it work with the main router, I guess cause it easier to have the DHCP on the main router, and I dont want configure clients to point to the new DHCP and I reckon DHCP on the main router is simple service that wont slow it down.

scottalanmiller

@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

@scottalanmiller

We dont have an Active Directory, and whats the benefit of DHCP from windows server (I reckon its situations like these...)

Why do you have a Windows server at all? (Not saying that there isn't a great reason, but without AD it would be surprising to find one.) DHCP from the router is not generally considered ideal, it's not a big deal, but in situations like these where you are trying to go "all in" on Windows, but not letting Windows handle this one portion.

If you don't have AD, though... why would you ever use Windows as a VPN aggregator? This is backwards... if you were going to split these roles you'd have the VPN on the router and DHCP on the Windows machine.

scottalanmiller

@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

Could it work with the main router, I guess cause it easier to have the DHCP on the main router, and I dont want configure clients to point to the new DHCP and I reckon DHCP on the main router is simple service that wont slow it down.

That's not how DHCP works. There is no configuration or pointing when DHCP. That's the whole point of it.

Emad R

@scottalanmiller said in WTF I AM DOING WRONG (VPN edition) ?:

If you don't have AD, though... why would you ever use Windows as a VPN aggregator? This is backwards... if you were going to split these roles you'd have the VPN on the router and DHCP on the Windows machine.

To be honest, setting up VPN in windows server is easy and Like i said i dont know much about VPN, I tried OpenVPN but I didnt like the interface, for the client and the server.

I need to have solution that provides a very easy client VPN setup, and Windows VPN build in client is relatively straight forward.

scottalanmiller

@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

I need to have solution that provides a very easy client VPN setup, and Windows VPN build in client is relatively straight forward.

It's also not working and does not provide a good experience once connected because it is in the middle of your network and many versions of it are famously insecure.

OpenVPN is definitely one of the "less simple" VPNs out there. Did you try to just use the VPN on your router? What router are you using, anyway?

scottalanmiller

Also, your VPN software is more than half a decade out of date. That's not something I'd want going on with a key security system.

Emad R

@scottalanmiller
OK, based in your experience, do you know other VPN setup/software/server that plays well
with Windows VPN client ?

Or better way to put it, what is the easiest VPN client that you have used ? or simple to setup and secure.

scottalanmiller

@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

@scottalanmiller
OK, based in your experience, do you know other VPN setup/software/server that plays well
with Windows VPN client ?

Any IPSec should, but why do you want to use the Windows VPN client?

scottalanmiller

@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

Or better way to put it, what is the easiest VPN client that you have used ? or simple to setup and secure.

All depends on the full use case. VPN is not one size fits all. Overall the easiest has been ZeroTier.

scottalanmiller

We need to back up, though, and figure out your needs.

• What is the purpose of the VPN? We generally don't recommend new VPNs today. Sometimes they are needed, but on average, they are not. This is a legacy network design. In a small network, you may easily have other options.
• What are the resources on your network?
• What interactions do VPN users need to have with non-VPN users?
• What is the network design?

Emad R

@scottalanmiller

Sorry for the delay, and thanks for pursuing this with me.

The purpose is to be for end users, whom are very I.T unskilled to connect to company resources, like NAS + and perhaps RDP to there workstation if needed.

Resources I reckon is only NAS + Router/Modem + 3 AP + Server with VMs on it that host useful webapps

No interaction needed between users it just one to one access for end users to there resources.

Network Design will I implement it so its FANTASTIC, I mean its HUGE, they are So WINNING right now :), but in summary everybody connects using 3 AP that is configured to be on the same network no VLans or anything, everybody is on the same subnet.

I am also reading on ZeroTier, but since we have server, I was thinking of using it, instead of relying on the hosted solution.

scottalanmiller

@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

I am also reading on ZeroTier, but since we have server, I was thinking of using it, instead of relying on the hosted solution.

That's "sunk cost" thinking. Certainly consider that you own a server, but don't let that weigh too much because there are several things to consider:

• Windows is terrible at VPNs
• Your Windows is woefully outdated and you should be very wary of using it.
• Windows is not free so while you "already own it" today, you don't "already own it" tomorrow.
• You "already own" VPN on the router, OpenVPN and ZeroTier, too. So that aspect is equal to your current Windows server. You also "already own" Linux and BSD solutions for this. So even though you already own a very old Windows server, you don't own it "as much" as several other solutions.

scottalanmiller

@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

Resources I reckon is only NAS + Router/Modem + 3 AP + Server with VMs on it that host useful webapps

So the NAS is the sole network resource? The entire business runs off of a single NAS? What kind of NAS is it? Many NAS have built in VPN options, but generally this is not as good as using your router for this.

NAS don't really work well over VPN. Have you considered moving to a more modern file storage model using something like NextCloud? This will be somewhat disruptive for internal users, but the earlier you eliminate technical debt, the sooner you benefit from it and the less debt you have to overcome.

scottalanmiller

@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:

It sounds like if you moved to NextCloud (I don't know that you can, just giving an example here) and provided an RDP access solution like Guacamole, you don't have any need for a VPN at all.

scottalanmiller

Of course NextCloud and a NAS are not the same and you can't always just switch one for the other, I don't mean to imply that, but a lot of NAS are put in when NextCloud would make more sense. Understanding the use case is important. But if you want to access a NAS over VPN, it probably isn't the right use case for a NAS.

Emad R

@scottalanmiller

Hey .. okay dont kill me but this dicussion got me thinking and I think I have solved it.

But it got me thinking why I am using Windows in the first place, and I searched and found 2 tools:

FreeLan
And SoftEther

I didnt like FreeLan cause the configuration was with notepad/text editor

But SoftEther Worked, very simple and great to setup (v4.20) and after connecting to the VPN using it, If I have duplicate IP address on both network, it will default to the VPN IP, for example if am connecting to VPN site, and I am connecting from work place that have the same subnet of the VPN like both 192.168.1.x it will and then I want to connect to 192.168.1.1 it will show me the VPN site... however when I did this with Windows it showed the local site.

Anyway I really loved how there software download and guides are very easy to read and understand, everything is pretty much guided. I was surprised that the server software detected that I am running VM and told me to enable Promiscuous network mode.

So will most probably use this and their client is easy and I reckon the VPN will be more secure

https://en.wikipedia.org/wiki/SoftEther_VPN.

Thanks for all the help and bashing it helped me to move away from Windows solution.

scottalanmiller

You are seeing why the "Linksys" range is suggested to never be used. 192.168.0.0, 192.168.1.0 and 192.168.2.0 are recommended as "dead" ranges used only by non-technical home users. Never use them in a business because they will always cause VPN issues.

scottalanmiller

ZeroTier would have solved that issue, but might have been an issue with your NAS.