Solved

VPN Server Solution

Posted on 2011-09-20
Last Modified: 2012-05-12
Hi,

I'm looking into a VPN solution which can facilitate the following.

I have a client office with a file server and DB server (Windows-based) with a few client XP machines.

Recently, we have opened a small remote office which has its own internet connection with one user. This user would like to connect to the office and access the network resources.

Initial thought was a simple Windows VPN Server setup using one of the servers in the office but this required me putting the server into the DMZ (the main office only has a simple BT Business Hub) and configuring security certificates etc.

Is there any open source software out there which could be installed onto one of the servers/pc in the office which can accept inbound connections from the remote client without the need for certificates/tricky configs etc?

I looked at OpenVPN but the config file got me beat - bit too complex.

Any ideas?

Thanks
D
Question by:daiwhyte
 
LVL 7

Accepted Solution

by:
OctInv earned 500 total points
ID: 36566047
I'm not quite sure why you would need to put a Windows VPN server in a DMZ?

I've not needed to do that with a Windows server before, and also not had to set up any certificates.  Configure the server for VPN access only (no routing) using its default RRAS service installed by default on a Windows server, open the firewall on the appropriate port you are using for the authentication protocol (PPTP or L2TP), and ensure the user creating the VPN knows the username and password to be used to log in to the server creating the VPN connection.
No extra software/hardware needed.

Hope this is the answer you were looking for.
0
 

Author Comment

by:daiwhyte
ID: 36566122
The server in question only has one network card installed, the VPN process errors stating I need two network cards. Any way round this?

0
 
LVL 7

Expert Comment

by:OctInv
ID: 36566145
Yes, the error is appearing possibly because you are enabling routing as well as enabling inbound VPN connections.  If the server was to provide a routing service, then 2 network cards are needed.  This is not necessary for enabling only inbound VPN connections.
When setting up the VPN server, choose 'custom configuration' and only tick 'VPN'.

I would talk you through exactly how to do this - but you have not specified the version of Windows server you have.

Hope this helps.
0
 

Author Comment

by:daiwhyte
ID: 36566158
I have Windows 2003 Server.

What ports would I need to forward from the firewall to the local host?
0
 
LVL 7

Expert Comment

by:OctInv
ID: 36566199
Go to configure RRAS by right clicking on the server name from within the MMC snap-in.
Click Next and choose 'custom configuration', click next and tick only 'VPN'.  Click next and click finish.

Choosing the port depends on which method of authentication you are choosing for the VPN connections.
For example, if you were to choose 'PPTP', then you would need to open up port TCP 1723 and enable the 'GRE' protocol to be passed through the firewall.  This is a protocol type of 47, rather than being on 'port 47', so don't get the two confused.  But most modern day business routers (like the one you have) will do this for you automatically if you just tell it that you want to pass through PPTP VPN connections to the IP address of your server.
L2TP is different - you need to open all of UDP ports 500, 4500 and 1701.

Good luck
0
 

Author Comment

by:daiwhyte
ID: 36566507
Ok, some things not quite right but positive things have happened.

I've set up the server as VPN and I have connected to this server from a local machine so I guess the username/password are good. I've configured the firewall to allow TCP Port 1723 through to the VPN server, I selected the option within the BT router for PPTP Server when configuring the custom rule.

However, I'm not able to connect from a remote machine (Win 7 Home Prem). This machine also has another dialler configured to another network and this works (PPTP).

Not sure if the problem is with the firewall or the server not configured for PPTP - your first paragraph on your last post was confusing but I don't think it's relevant since I was able to connect a local client to the VPN server.
0
 
LVL 7

Expert Comment

by:OctInv
ID: 36566606
Sorry if I confused you, but it was relevant.  The first paragraph of my last post was just instructions on how to set up the VPN on a Windows Server 2003 build, but given it seems as though you set it up correctly (after a successful internal test), all is good.
There could be a number of reasons for why it hasn’t worked from an external source though, so some more information would be helpful to troubleshoot this.  What error message are you getting when the user tries to connect?
0
 

Author Comment

by:daiwhyte
ID: 36566624
Checking my firewall logs, I can see the traffic is passing, see below.

src=xxx.xxx.xx.x dst=192.168.1.85 ipprot=6 sport=35503 dport=1723 Session Matches User Pinhole, Packet Passed
0

 

Author Comment

by:daiwhyte
ID: 36566666
I'm getting Error 807
0
 

Author Comment

by:daiwhyte
ID: 36566761
Ok, I've moved the VPN server onto another server because I read the 807 error can be related to slow server response.

By doing so, I now see my credentials getting passed successfully but then I get Error 720.
0
 

Author Comment

by:daiwhyte
ID: 36566802
On the downside, I'm not able to connect locally to the new server
0
 

Author Comment

by:daiwhyte
ID: 36566872
Forgot to mention, the new process fails on the final step "Registering machine on the network"
0
 

Author Comment

by:daiwhyte
ID: 36566933
Update

Disabled IPv6 and set the local VPN server to dish out IPs rather than my DHCP and hey presto, it works!!!!
0
 

Author Comment

by:daiwhyte
ID: 36566993
Is it possible to lock down the VPN to only allow connections from nominated IP addresses?
0
 
LVL 7

Expert Comment

by:OctInv
ID: 36567065
Was just out having some lunch!
Happy it works for you.

Yes, that is possible, and I would recommend doing that from the firewall rather than from the advanced config of the RRAS, as any person trying to connect that you don't want to should be dropped before they enter the network, not as they hit the server.  Modify the firewall rule so that it drops connections from IP addresses other than the ones you specify.
Bear in mind that the person connecting may not have a static public IP address.

Glad to have helped you.
0
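A log check that ties together the port list and the source-restriction advice from the answers above, as an added example that is not part of the original thread: it reads firewall log entries in the format quoted earlier and reports, per source address, which flows the chosen VPN type has not yet had passed and whether the source is on the nominated list. The port-less GRE line format, the "Packet Dropped" wording and the sample addresses are assumptions.

```python
import ipaddress
import re

# Flows each VPN type needs, as listed in the thread: PPTP = TCP 1723 plus GRE
# (IP protocol 47, which has no port); L2TP = UDP 500, 4500 and 1701.
REQUIRED = {
    "PPTP": {(6, 1723), (47, None)},
    "L2TP": {(17, 500), (17, 4500), (17, 1701)},
}
# Matches the log format quoted in the thread. Assumed: port-less lines for GRE
# and a "Packet Dropped" counterpart to "Packet Passed".
LINE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) ipprot=(?P<proto>\d+)"
    r"(?: sport=\d+ dport=(?P<dport>\d+))?.*Packet (?P<action>Passed|Dropped)"
)
TAIL = "Session Matches User Pinhole, Packet Passed"
SAMPLE_LOG = [  # constructed entries; source addresses are documentation ranges
    f"src=203.0.113.10 dst=192.168.1.85 ipprot=6 sport=35503 dport=1723 {TAIL}",
    f"src=198.51.100.7 dst=192.168.1.85 ipprot=6 sport=40112 dport=1723 {TAIL}",
    f"src=198.51.100.7 dst=192.168.1.85 ipprot=47 {TAIL}",
]

def passed_flows(log_lines, server_ip):
    """Map each source address to the (protocol, dport) flows passed to the server."""
    flows = {}
    for line in log_lines:
        m = LINE.search(line)
        if not m or m["dst"] != server_ip or m["action"] != "Passed":
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:  # redacted source such as xxx.xxx.xx.x
            continue
        dport = int(m["dport"]) if m["dport"] else None
        flows.setdefault(src, set()).add((int(m["proto"]), dport))
    return flows

def audit(log_lines, server_ip, vpn_type, allowed_nets):
    """Per source: required flows not yet seen, and whether it is a nominated address."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return {
        str(src): {
            "missing": sorted(REQUIRED[vpn_type] - seen, key=str),
            "nominated": any(src in net for net in nets),
        }
        for src, seen in passed_flows(log_lines, server_ip).items()
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "192.168.1.85", "PPTP", ["198.51.100.0/24"]))
```

A source that shows TCP 1723 but is still listed with `(47, None)` missing has had only the PPTP control channel logged, and a source with `nominated` set to False reached the server from outside the allowed list.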
 

Author Comment

by:daiwhyte
ID: 36567095
Thank you OctInv
0
 

Author Closing Comment

by:daiwhyte
ID: 36567101
Thank you
0
