VPN Server Solution

Hi,

I'm looking into a VPN solution which can facilitate the following.

I have a client office with a file server and db server (Windows based) with a few client XP machines.

Recently, we have opened a small remote office which has its own internet connection with one user. This user would like to connect to the office and access the network resources.

Initial thought was a simple Windows VPN Server setup using one of the servers in the office, but this required me to put the server into the DMZ (the main office only has a simple BT Business Hub) and configure security certificates etc.

Is there any open source software out there which could be installed onto one of the servers/PCs in the office which can accept inbound connections from the remote client without the need for certificates/tricky configs etc.?

I looked at OpenVPN but the config file got me beat - a bit too complex.

Any ideas?

Thanks
D
daiwhyte Asked:

OctInv Commented:
I'm not quite sure why you would need to put a Windows VPN server in a DMZ?

I've not needed to do that with a Windows server before, and also not had to set up any certificates.  Configure the server for VPN access only (no routing) using the RRAS service installed by default on a Windows server, open the firewall on the appropriate port you are using for the authentication protocol (PPTP or L2TP), and ensure the user creating the VPN knows the username and password to be used to log in to the server creating the VPN connection.
No extra software/hardware needed.

Hope this is the answer you were looking for.

daiwhyte (Author) Commented:
The server in question only has one network card installed; the VPN process errors, stating I need two network cards. Any way round this?


OctInv Commented:
Yes, the error is appearing possibly because you are enabling routing as well as enabling inbound VPN connections.  If the server was to provide a routing service, then 2 network cards are needed.  This is not necessary for enabling only inbound VPN connections.
When setting up the VPN server, choose 'custom configuration' and only tick 'VPN'.

I would talk you through exactly how to do this - but you have not specified the version of Windows server you have.

Hope this helps.

daiwhyte (Author) Commented:
I have Windows 2003 Server.

What ports would I need to forward from the firewall to the local host?

OctInv Commented:
Go to configure RRAS by right clicking on the server name from within the MMC snap-in.
Click Next and choose 'custom configuration', click next and tick only 'VPN'.  Click next and click finish.

Choosing the port depends on which method of authentication you are choosing for the VPN connections.
For example, if you were to choose 'PPTP', then you would need to open up port TCP 1723 and enable the 'GRE' protocol to be passed through the firewall.  This is protocol type 47, rather than being on 'port 47', so don't get the two confused.  But most modern-day business routers (like the one you have) will do this for you automatically if you just tell it that you want to pass through PPTP VPN connections to the IP address of your server.
L2TP is different - you need to open all of UDP ports 500, 4500 and 1701.

Good luck

daiwhyte (Author) Commented:
Ok, some things not quite right but positive things have happened.

I've set up the server as VPN and I have connected to this server from a local machine so I guess the username/password are good. I've configured the firewall to allow TCP Port 1723 through to the VPN server; I selected the option within the BT router for PPTP Server when configuring the custom rule.

However, I'm not able to connect from a remote machine (Win 7 Home Prem). This machine also has another dialler configured to another network and this works (PPTP).

Not sure if the problem is with the firewall or the server not being configured for PPTP. Your first paragraph in your last post was confusing, but I don't think it's relevant since I was able to connect a local client to the VPN server.

OctInv Commented:
Sorry if I confused you, but it was relevant.  The first paragraph of my last post was just instructions on how to set up the VPN on a Windows Server 2003 build, but given it seems as though you set it up correctly (after a successful internal test), all is good.
There could be a number of reasons for why it hasn’t worked from an external source though, so some more information would be helpful to troubleshoot this.  What error message are you getting when the user tries to connect?

daiwhyte (Author) Commented:
Checking my firewall logs, I can see the traffic is passing, see below.

src=xxx.xxx.xx.x dst=192.168.1.85 ipprot=6 sport=35503 dport=1723 Session Matches User Pinhole, Packet Passed

daiwhyte (Author) Commented:
I'm getting Error 807

daiwhyte (Author) Commented:
Ok, I've moved the VPN server onto another server because I read that the 807 error can be related to slow server response.

By doing so, I now see my credentials getting passed successfully but then I get Error 720.

daiwhyte (Author) Commented:
On the downside, I'm not able to connect locally to the new server

daiwhyte (Author) Commented:
Forgot to mention, the new process fails on the final step "Registering machine on the network".

daiwhyte (Author) Commented:
Update

Disabled IPv6 and set the local VPN server to dish out IPs rather than my DHCP, and hey presto, it works!!!!

daiwhyte (Author) Commented:
Is it possible to lock down the VPN to only allow connections from nominated IP addresses?

OctInv Commented:
Was just out having some lunch!
Happy it works for you.

Yes, that is possible, and I would recommend doing that from the firewall rather than from the advanced config of the RRAS, as any person trying to connect that you don't want to should be dropped before they enter the network, not as they hit the server.  Modify the firewall rule so that it drops connections from IP addresses other than the ones you specify.
Bear in mind that the person connecting may not have a static public IP address.

Glad to have helped you.
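
Two points from the answers above are worth checking against the firewall log rather than taking on trust: a PPTP connection needs both the TCP 1723 control channel and GRE (IP protocol 47) forwarded to the RRAS server, and the firewall, not the server, should be the place where connections from addresses other than the nominated ones are dropped. The log line quoted earlier in the thread shows ipprot=6 (TCP) to dport=1723, which is only the control channel; a GRE packet would be logged with ipprot=47 and no port fields. The following Python script is an added example, not part of the original thread or of any vendor's tooling. It parses log lines in the same key=value style as the quoted one, reports per source address whether both halves of a PPTP connection have been passed to the server, and flags sources that are not on the allow-list. The sample log lines, the allow-list, and the addresses other than the server's 192.168.1.85 are constructed for the example; that GRE entries carry no sport/dport fields is an assumption about this router's log format.

```python
"""Audit a router passthrough log for complete PPTP sessions and allowed sources.

Added example, not from the original thread. The field names src, dst, ipprot,
sport and dport are taken from the log line quoted in the thread; the exact
layout of a GRE entry (assumed: ipprot=47 and no port fields) is an assumption.
"""
import re
from collections import defaultdict

# IP protocol numbers (IANA assigned numbers) and the PPTP control port.
PROTO_TCP = 6
PROTO_GRE = 47
PPTP_CONTROL_PORT = 1723

# Matches key=value tokens; free text such as "Packet Passed" is ignored here.
_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line, with numeric fields as int.

    Adds a boolean 'passed' field derived from the free-text verdict.
    """
    fields = dict(_KV.findall(line))
    for key in ("ipprot", "sport", "dport"):
        if key in fields and fields[key].isdigit():
            fields[key] = int(fields[key])
    fields["passed"] = "Packet Passed" in line
    return fields


def classify(fields):
    """Label a parsed entry as 'pptp_control', 'gre', or None for anything else."""
    proto = fields.get("ipprot")
    if proto == PROTO_TCP and fields.get("dport") == PPTP_CONTROL_PORT:
        return "pptp_control"
    if proto == PROTO_GRE:
        return "gre"
    return None


def audit(lines, server_ip, allowed_sources):
    """Summarise passed PPTP-related traffic to server_ip, keyed by source address.

    Each entry records which halves of the connection were seen, whether the
    source is on the allow-list, and whether the session is complete (both halves).
    """
    seen = defaultdict(lambda: {"pptp_control": False, "gre": False})
    for line in lines:
        fields = parse_line(line)
        # Only forwarded packets aimed at the VPN server are of interest.
        if not fields["passed"] or fields.get("dst") != server_ip:
            continue
        kind = classify(fields)
        if kind is not None:
            seen[fields["src"]][kind] = True
    report = {}
    for src, halves in seen.items():
        report[src] = dict(
            halves,
            allowed=src in allowed_sources,
            complete=halves["pptp_control"] and halves["gre"],
        )
    return report


SERVER_IP = "192.168.1.85"  # the RRAS server address from the thread

# Constructed sample log, in the style of the line quoted in the thread.
SAMPLE_LOG = [
    # Remote user: control channel forwarded, but no GRE seen (tunnel cannot come up).
    "src=203.0.113.10 dst=192.168.1.85 ipprot=6 sport=35503 dport=1723 Session Matches User Pinhole, Packet Passed",
    # Second site: both TCP 1723 and GRE forwarded.
    "src=198.51.100.7 dst=192.168.1.85 ipprot=6 sport=41000 dport=1723 Session Matches User Pinhole, Packet Passed",
    "src=198.51.100.7 dst=192.168.1.85 ipprot=47 Session Matches User Pinhole, Packet Passed",
    # Address not on the allow-list that the firewall rule is still letting through.
    "src=192.0.2.99 dst=192.168.1.85 ipprot=6 sport=52222 dport=1723 Session Matches User Pinhole, Packet Passed",
    # Unrelated dropped packet to another host; must be ignored.
    "src=192.0.2.99 dst=192.168.1.20 ipprot=6 sport=52223 dport=445 Packet Dropped",
]

# Constructed allow-list of nominated remote addresses.
ALLOWED = {"203.0.113.10", "198.51.100.7"}

if __name__ == "__main__":
    for src, info in sorted(audit(SAMPLE_LOG, SERVER_IP, ALLOWED).items()):
        status = "complete" if info["complete"] else "control only" if info["pptp_control"] else "gre only"
        listed = "allowed" if info["allowed"] else "NOT on allow-list"
        print(f"{src:<16} {status:<13} {listed}")
```

Run as a script it prints one line per source; a source showing "control only" while the client reports a PPTP error is the pattern to look for when only TCP 1723 has been forwarded, and any source marked "NOT on allow-list" means the firewall rule is not yet restricting by address.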
 
daiwhyte (Author) Commented:
Thank you OctInv

daiwhyte (Author) Commented:
Thank you