WTF I AM DOING WRONG (VPN edition) ?
-
We dont have an Active Directory, and whats the benefit of DHCP from windows server (I reckon its situations like these...)
Could it work with the main router, I guess cause it easier to have the DHCP on the main router, and I dont want configure clients to point to the new DHCP and I reckon DHCP on the main router is simple service that wont slow it down.
-
@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:
We dont have an Active Directory, and whats the benefit of DHCP from windows server (I reckon its situations like these...)
Why do you have a Windows server at all? (Not saying that there isn't a great reason, but without AD it would be surprising to find one.) DHCP from the router is not generally considered ideal, it's not a big deal, but in situations like these where you are trying to go "all in" on Windows, but not letting Windows handle this one portion.
If you don't have AD, though... why would you ever use Windows as a VPN aggregator? This is backwards... if you were going to split these roles you'd have the VPN on the router and DHCP on the Windows machine.
-
@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:
Could it work with the main router, I guess cause it easier to have the DHCP on the main router, and I dont want configure clients to point to the new DHCP and I reckon DHCP on the main router is simple service that wont slow it down.
That's not how DHCP works. There is no configuration or pointing when DHCP. That's the whole point of it.
-
@scottalanmiller said in WTF I AM DOING WRONG (VPN edition) ?:
If you don't have AD, though... why would you ever use Windows as a VPN aggregator? This is backwards... if you were going to split these roles you'd have the VPN on the router and DHCP on the Windows machine.
To be honest, setting up VPN in windows server is easy and Like i said i dont know much about VPN, I tried OpenVPN but I didnt like the interface, for the client and the server.
I need to have solution that provides a very easy client VPN setup, and Windows VPN build in client is relatively straight forward.
-
@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:
I need to have solution that provides a very easy client VPN setup, and Windows VPN build in client is relatively straight forward.
It's also not working and does not provide a good experience once connected because it is in the middle of your network and many versions of it are famously insecure.
OpenVPN is definitely one of the "less simple" VPNs out there. Did you try to just use the VPN on your router? What router are you using, anyway?
-
Also, your VPN software is more than half a decade out of date. That's not something I'd want going on with a key security system.
-
@scottalanmiller
OK, based in your experience, do you know other VPN setup/software/server that plays well
with Windows VPN client ?Or better way to put it, what is the easiest VPN client that you have used ? or simple to setup and secure.
-
@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:
@scottalanmiller
OK, based in your experience, do you know other VPN setup/software/server that plays well
with Windows VPN client ?Any IPSec should, but why do you want to use the Windows VPN client?
-
@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:
Or better way to put it, what is the easiest VPN client that you have used ? or simple to setup and secure.
All depends on the full use case. VPN is not one size fits all. Overall the easiest has been ZeroTier.
-
We need to back up, though, and figure out your needs.
- What is the purpose of the VPN? We generally don't recommend new VPNs today. Sometimes they are needed, but on average, they are not. This is a legacy network design. In a small network, you may easily have other options.
- What are the resources on your network?
- What interactions do VPN users need to have with non-VPN users?
- What is the network design?
-
Sorry for the delay, and thanks for pursuing this with me.
The purpose is to be for end users, whom are very I.T unskilled to connect to company resources, like NAS + and perhaps RDP to there workstation if needed.
Resources I reckon is only NAS + Router/Modem + 3 AP + Server with VMs on it that host useful webapps
No interaction needed between users it just one to one access for end users to there resources.
Network Design will I implement it so its FANTASTIC, I mean its HUGE, they are So WINNING right now :), but in summary everybody connects using 3 AP that is configured to be on the same network no VLans or anything, everybody is on the same subnet.
I am also reading on ZeroTier, but since we have server, I was thinking of using it, instead of relying on the hosted solution.
-
@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:
I am also reading on ZeroTier, but since we have server, I was thinking of using it, instead of relying on the hosted solution.
That's "sunk cost" thinking. Certainly consider that you own a server, but don't let that weigh too much because there are several things to consider:
- Windows is terrible at VPNs
- Your Windows is woefully outdated and you should be very wary of using it.
- Windows is not free so while you "already own it" today, you don't "already own it" tomorrow.
- You "already own" VPN on the router, OpenVPN and ZeroTier, too. So that aspect is equal to your current Windows server. You also "already own" Linux and BSD solutions for this. So even though you already own a very old Windows server, you don't own it "as much" as several other solutions.
-
@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:
Resources I reckon is only NAS + Router/Modem + 3 AP + Server with VMs on it that host useful webapps
So the NAS is the sole network resource? The entire business runs off of a single NAS? What kind of NAS is it? Many NAS have built in VPN options, but generally this is not as good as using your router for this.
NAS don't really work well over VPN. Have you considered moving to a more modern file storage model using something like NextCloud? This will be somewhat disruptive for internal users, but the earlier you eliminate technical debt, the sooner you benefit from it and the less debt you have to overcome.
-
@msff-amman-Itofficer said in WTF I AM DOING WRONG (VPN edition) ?:
It sounds like if you moved to NextCloud (I don't know that you can, just giving an example here) and provided an RDP access solution like Guacamole, you don't have any need for a VPN at all.
-
Of course NextCloud and a NAS are not the same and you can't always just switch one for the other, I don't mean to imply that, but a lot of NAS are put in when NextCloud would make more sense. Understanding the use case is important. But if you want to access a NAS over VPN, it probably isn't the right use case for a NAS.
-
Hey .. okay dont kill me but this dicussion got me thinking and I think I have solved it.
But it got me thinking why I am using Windows in the first place, and I searched and found 2 tools:
FreeLan
And SoftEtherI didnt like FreeLan cause the configuration was with notepad/text editor
But SoftEther Worked, very simple and great to setup (v4.20) and after connecting to the VPN using it, If I have duplicate IP address on both network, it will default to the VPN IP, for example if am connecting to VPN site, and I am connecting from work place that have the same subnet of the VPN like both 192.168.1.x it will and then I want to connect to 192.168.1.1 it will show me the VPN site... however when I did this with Windows it showed the local site.
Anyway I really loved how there software download and guides are very easy to read and understand, everything is pretty much guided. I was surprised that the server software detected that I am running VM and told me to enable Promiscuous network mode.
So will most probably use this and their client is easy and I reckon the VPN will be more secure
https://en.wikipedia.org/wiki/SoftEther_VPN.
Thanks for all the help and bashing it helped me to move away from Windows solution.
-
You are seeing why the "Linksys" range is suggested to never be used. 192.168.0.0, 192.168.1.0 and 192.168.2.0 are recommended as "dead" ranges used only by non-technical home users. Never use them in a business because they will always cause VPN issues.
-
ZeroTier would have solved that issue, but might have been an issue with your NAS.
-
I agree with Scott here - You shouldn't use your Windows server at all for the VPN solution.
What does your Windows server do for you? If you're not using it for Active Directory, and it sounds like you're not using it for file storage either (You have a NAS), then what? An application server? Are you hosting your websites from it? Seem expensive for no reason, unless an application you purchased required the use of IIS - then I'd ask, can you get rid of that and move to a solution that is uses a free OS.
As for VPN - If you really need traditional VPN, Find out if your current router/firewall can do it. If not, replace it with a EdgeRouter. They are very inexpensive and do this job great, and work with the native VPN client inside Windows PCs.