VPN Users Setup Questions
  • VPN Users Setup Questions

    Hello! As mentioned in the welcome thread, I'm trying to run Windows Server 2003 (Enterprise Edition) in a standalone-ish environment at home. It's a Dell PowerEdge 1650 (two 1.1Ghz processors, 3GB RAM), sitting behind your typical DSL gateway, and I want to configure it for a simple public website while providing a VPN for developers to access private services.

    I've done a lot of end-user and personal tech-support in the past, so I'm no stranger to registry tweaks and your average Windows config/troubleshooting, but new to server configuration and management. Hence, the home server. I'm ashamed to say I've picked up "Windows Server 2003 For Dummies", but it's been very helpful explaining beyond my basic understanding of how Active Directory and other such gibber-jabber works. I also purchased "Learning Windows Server 2003" by O'Reilly for once I need to get serious. Heap scorn on me if you like!

    So the reason I'm creating this thread is to be pointed in the right direction for what I want to achieve. A lot of what I'm learning/reading about is setting up Server 2003 for a big network, which is something I don't need/want to use yet. Mainly I just want:

    -AD account for admin with actual Remote Desktop access, etc
    -AD accounts for developers that have access to a private VPN - so I can have authenticated users access services like a SVN service or etc, without allowing them to actually log into the machine.
    -Apache running on both networks, so I can expose some website to be port-forwarded, while other Virtual Hosts only respond to the VPN'd users.
    -Other machines are sitting on my home gateway network; I don't want developers who are in the server VPN to have access to those! Just a subset of the server's stuff.

    Does any of that make sense? I obviously have a lot of reading/learning ahead of me, but I'm hoping you guys could give me some general tips. I've been hitting Google a bit, and this seems to be the place to be!

  • #2
    Re: VPN Users Setup Questions

    Originally posted by JohnMiller:
    sitting behind your typical DSL gateway, and I want to configure it for a simple public website while providing a VPN for developers to access private services.
    I'm assuming you have a home-grade DSL contract? That could quite possibly limit incoming traffic. A lot of home-grade internet connections restrict things like mail and web servers. Test that out first and/or talk to your ISP... or have you already?

    Originally posted by JohnMiller:
    -AD account for admin with actual Remote Desktop access, etc
    The domain admin account is an admin on all member computers so that allows remote desktop by default. You could simply log in as a user that is a member of the domain admins group... or is that too privileged for your tastes?

    Originally posted by JohnMiller:
    -AD accounts for developers that have access to a private VPN - so I can have authenticated users access services like a SVN service or etc, without allowing them to actually log into the machine.
    That's relatively simple. Just start RRAS on the Server 2003 machine and set up a PPTP VPN. You'll have to frob around with policies and whatnot, but you can then make AD accounts and grant them remote access privileges. You can revoke the right to log on to computers locally from those accounts to prevent access to machines via RDP. However, the real restrictions might be your ISP and your router. The ISP could restrict VPN traffic (highly unlikely in my experience) and your router might not be capable of passing through the GRE portion of a PPTP VPN handshake (that is more likely). What type of home router do you have?

    Originally posted by JohnMiller:
    -Apache running on both networks, so I can expose some website to be port-forwarded, while other Virtual Hosts only respond to the VPN'd users.
    The term "both networks" is the first mention that I can see of more than one network. Are you thinking of implementing a DMZ of some kind? A lot of routers have a DMZ port or DMZ host option that can port forward all unsolicited and unforwarded traffic to one host in specific. That should work as long as you don't have more than one server you want to expose to the internet.

    Originally posted by JohnMiller:
    -Other machines are sitting on my home gateway network; I don't want developers who are in the server VPN to have access to those! Just a subset of the server's stuff.
    You could make the RRAS server not be a router so they could only access the server itself and nothing else on the network. You could also make a separate subnet using the server as a router and try to set up ACLs. Tell you what: I think you might want to draw this out one segment at a time. Worry about network design first and then worry about user accounts later. Do you have Visio? You could even use Gliffy's free accounts (even though the free accounts don't let you make your graphs private).

    I hope this is a starting point for the discussion.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



    • #3
      Re: VPN Users Setup Questions

      Thanks for the feedback! Let's see:

      -I've checked with my DSL ISP. They don't block any ports, and I pay a bit extra for an unlimited-bandwidth pool. Their tech support made it clear that unless I max the line 24/7 they don't have any issues.

      -The AD admin account would be for me only, so I'd actually want it to have all privileges on the machine. Here I was mainly trying to separate my admin account privileges from what I wanted the developer accounts to have.

      -Sorry, by "both networks" I meant:
      • The Internet, which has access to a public website
      • The server's single-machine VPN, which has access to private website, source control, etc

      -Looking at guides like these (one & two), it seems like I'd simply configure it to be a VPN, but not a NAT device. That would give VPN users access to only the server machine, but not anything else behind the router, right?


      I'll try to lay this out in a diagram.


      EDIT: Okay, here's a diagram. Sorry if it's not perfect, but hopefully it gets across what I'm trying to do:
      get a public-facing website, and a private dev community, without disrupting or compromising my home network of (relatively unsecured) computers.
      Last edited by JohnMiller; 23rd July 2009, 07:18.



      • #4
        Re: VPN Users Setup Questions

        Originally posted by JohnMiller:
        -I've checked with my DSL ISP. They don't block any ports, and I pay a bit extra for an unlimited-bandwidth pool. Their tech support made it clear that unless I max the line 24/7 they don't have any issues.
        You're one of the lucky ones.

        Originally posted by JohnMiller:
        -The AD admin account would be for me only, so I'd actually want it to have all privileges on the machine. Here I was mainly trying to separate my admin account privileges from what I wanted the developer accounts to have.
        Gotcha. I'd just make an AD "Developers" group and put the devs' accounts in there. Makes it easier to control permissions.

        Originally posted by JohnMiller:
        -Looking at guides like these (one & two), it seems like I'd simply configure it to be a VPN, but not a NAT device. That would give VPN users access to only the server machine, but not anything else behind the router, right?
        Yes, removing the ability to route from the VPN endpoint would effectively restrict people from accessing anything other than the IP address that the RRAS server is listening on. Just remember though, the developers could RDP into the server if they have those permissions and access the network that way.


        Originally posted by JohnMiller:
        I'll try to lay this out in a diagram.
        The only thing about the diagram that I'm unsure of is where you say that the VPN is using non-standard ports. How do you propose to get the remote devs' VPN clients to use those non-standard ports to connect? I suppose you could have them use a specific VPN client that allows for that, or maybe even a registry hack, but that's getting really messy.
        Wesley David



        • #5
          Re: VPN Users Setup Questions

          Oooh, roger on the nonstandard port. When I was tinkering with an Ubuntu server w/o a router, the one thing the community drilled into my head was use a non-standard port for everything! If the Windows VPN client can't be easily configured to use a different port than default, then I'll just leave the default port & have to make the passwords quite secure.

          So all I have to do is:
          1. Select "VPN", not "VPN and NAT", when setting up the VPN,
          2. specifically remove the RDP privilege from the AD group,
          3. only port-forward the VPN and Apache, and
          4. leave any developer programs open in Windows Firewall

          And I'll be matching my network? I'll just have to be careful with the Apache virtual hosts then, but since I can assign the VPN users special IPs, it should be easy to create private sites. I suppose I should also learn how to set the Firewall to only allow connections on the VPN; I wouldn't want random friends I let in on the wireless having access.

          Is the VPN authentication pretty secure? Is the encryption (PPTP, right) it uses also secure?
          I'd be letting unencrypted SVN traffic and such run over it, unless people think that needs to be secured on top of whatever the VPN uses...
          Last edited by JohnMiller; 24th July 2009, 03:34.



          • #6
            Re: VPN Users Setup Questions

            Originally posted by JohnMiller:
            When I was tinkering with an Ubuntu server w/o a router, the one thing the community drilled into my head was use a non-standard port for everything! If the Windows VPN client can't be easily configured to use a different port than default, then I'll just leave the default port & have to make the passwords quite secure.
            I'm sure you've heard this before and maybe you even saw this coming, but...

            ...security through obscurity is worse than no security at all since it gives you a false sense of security. Err... did that make sense? Some argue that non-standard ports at least remove the "low hanging fruit" for zombie attacks that scan well known ports and then lurch on to the next potential victim (Braaaains... brrrraaaaaiiinsssss....). But, really, better usernames and passwords are always the solution.

            I feel better now.


            Originally posted by JohnMiller:
            So all I have to do is:
            1. Select "VPN", not "VPN and NAT", when setting up the VPN,
            2. specifically remove the RDP privilege from the AD group,
            3. only port-forward the VPN and Apache, and
            4. leave any developer programs open in Windows Firewall
            That looks good, but to remove RDP privs you either must make the accounts users (only admins have default RDP privs) or explicitly deny the ability to logon locally if they must be admins... (or was that deny interactive logons? I can never keep those two straight.) Just making them users might be best.


            Originally posted by JohnMiller:
            I suppose I should also learn how to set the Firewall to only allow connections on the VPN, I wouldn't want random friends I let in on the wireless having access.
            I assume you mean the firewall on the Apache server? Restricting it to only accept IPs from the VPN's range?


            Originally posted by JohnMiller:
            Is the VPN authentication pretty secure? Is the encryption (PPTP, right) it uses also secure?
            I'd be letting unencrypted SVN traffic and such run over it, unless people think that needs to be secured on top of whatever the VPN uses...
            PPTP uses MPPE by default (RSA RC4) and you can crank it up to 128 bit. That should be decent enough unless you've got some major government entity after you.
            Wesley David



            • #7
              Re: VPN Users Setup Questions

              Originally posted by Nonapeptide:
              ...security through obscurity is worse than no security at all
              Indeed. I'd just hate to be the little guy with a dinky website who gets cracked/botnetted. Forgive my paranoia, I blame the *nix folks (I suspect a couple of our friends over on ubuntuforums.org have a few wires loose anyway!). To be clear, Windows automatically does the smart stuff like limiting the number of password attempts over short time periods and similar practices, right? Should I look into tweaking those settings?

              Originally posted by Nonapeptide:
              That looks good, but to remove RDP privs you either must make the accounts users.... Just making them users might be best.
              Sounds good. I'll just make them users then, since they don't need to actually log into the machine and do any administrative tasks.

              I plan to segment groups pretty finely too, like having "VPN access," "RDP access," "SVN Read," "SVN Write," etc. groups that imply specific privileges. Since we have a variety of skillsets working on the project, I can make things simpler for non-coders, and prevent them from accidentally messing up certain resources. So I would create users such as "john.miller" and then add them to any groups they need to get permissions enabled. I'll also be making "john.miller.user" or something so I can test all this stuff from outside my own home on a laptop, and for when I want to connect from another computer & don't need to shout out my monster password.

              Originally posted by Nonapeptide:
              I assume you mean the firewall on the Apache server? Restricting it to only accept IPs from the VPN's range?
              I will be using the Apache respond functionality to split up the public/private websites, but I meant the Windows Firewall. The idea being whatever services I run can be accessed only on the VPN, not on any machines hooked into the DSL gateway (the random machines on the far right of my diagram). Back when I just used XP Pro and Hamachi, I was able to use Windows Firewall to only open certain ports on the Hamachi interface, denying access to the wireless and Ethernet connections. I suspect it'll be similar with the Windows VPN.

              What I would probably do is just have a super-restrictive Firewall on everything except 80 (http) and 1723 (VPN apparently), then disable the Firewall for the VPN interface only. Hopefully, I don't need two NICs to do that - it seems a lot of people use one NIC to connect to the internet and run VPNs and stuff over another NIC. I don't think that really applies here. I do have two NICs in the PowerEdge, but it's so dang loud I put it in a separate room from the router & don't want to get another 50-foot Ethernet cable if I don't have to.

              Originally posted by Nonapeptide:
              PPTP uses MPPE by default (RSA RC4) and you can crank it up to 128 bit. That should be decent enough unless you've got some major government entity after you.
              Eeeexcellent. Haven't you seen Enemy of the State, man?!?! Geez...
              Last edited by JohnMiller; 24th July 2009, 07:53.
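              The public/private virtual host split that posts #5 and #7 describe, written out as an added Apache 2.2 (httpd on Windows) configuration excerpt; it is an illustration, not configuration from the thread. It assumes RRAS hands VPN clients addresses from a static pool of 192.168.50.0/24, that the server runs the VPN without NAT so Apache sees those pool addresses as the client source, and that the sites live under C:/www.

```apache
# Constructed httpd.conf excerpt (Apache 2.2 syntax). Assumed values, not from the thread:
# VPN static pool 192.168.50.0/24, home LAN 192.168.0.0/24, document roots under C:/www.
Listen 80
NameVirtualHost *:80

# The first name-based vhost is also the default for requests whose Host header matches
# nothing (e.g. a bare-IP scan of the port-forwarded address), so the PUBLIC site must
# come first; otherwise unknown hostnames would be served by the developer site.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "C:/www/public"
    <Directory "C:/www/public">
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
    CustomLog "logs/public-access.log" combined
</VirtualHost>

# Developer site: answers only when the client's source address is one RRAS handed out
# from the VPN pool. Because "Order deny,allow" lets a later Allow override the Deny,
# pool addresses get through while the internet and the home LAN (192.168.0.x, which
# includes guests on the wireless) receive 403 even if they guess the hostname.
<VirtualHost *:80>
    ServerName dev.example.com
    DocumentRoot "C:/www/dev"
    <Directory "C:/www/dev">
        Options -Indexes
        Order deny,allow
        Deny from all
        Allow from 192.168.50.0/24
    </Directory>
    # Separate log so VPN-side access can be reviewed independently of the public site.
    CustomLog "logs/dev-access.log" combined
</VirtualHost>
```

              Source-address filtering only works if VPN users cannot also reach port 80 with a LAN address, so the Windows Firewall scoping discussed above still matters; the Apache rule is the second layer, not a replacement for it.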



              • #8
                Re: VPN Users Setup Questions

                Originally posted by JohnMiller:
                To be clear, Windows automatically does the smart stuff like limiting the number of password attempts over short time periods and similar practices, right? Should I look into tweaking those settings?
                Yes, the default domain policy restricts login attempts before account lockout (3). You can apply complexity requirements as well as minimum and maximum password expirations.


                Originally posted by JohnMiller:
                I plan to segment groups pretty finely too, like having "VPN access," "RDP access," "SVN Read," "SVN Write," etc. groups that imply specific privileges.
                Groups are the way to go. Microsoft espouses adding resources to domain local groups and then users to global groups and then giving users access to resources by attaching the domain local group to the global group. That might be overkill for your small environment though.


                Originally posted by JohnMiller:
                What I would probably do is just have a super-restrictive Firewall on everything except 80 (http) and 1723 (VPN apparently), then disable the Firewall for the VPN interface only. Hopefully, I don't need two NICS to do that - it seems a lot of people use one NIC to connect to the internet and run VPNs and stuff over another NIC. I don't think that really applies here. I do have two NICS in the PowerEdge, but it's so dang loud I put it in a separate room from the router & don't want to get another 50-foot Ethernet cable if I don't have to.
                Yes, you can run on one NIC. That's what I do at one of my remote offices from the combination file/print/database/VPN server.


                Originally posted by JohnMiller:
                Eeeexcellent. Haven't you seen Enemy of the State, man?!?! Geez...
                Why, no I haven't actually. Is this going to give me sleepless nights?
                Wesley David



                • #9
                  Re: VPN Users Setup Questions

                  Originally posted by Nonapeptide:
                  Microsoft espouses adding resources to domain local groups and then users to global groups and then giving users access to resources by attaching the domain local group to the global group.
                  Err, what? I guess I'll learn about the difference between local/global groups as I get further in my reading. At the moment, I only have and plan for one server, so all local groups should be fine I guess. In the far-flung future, I might also reformat my shoddy old Dell desktop (currently a home print server) to server 2003 as well and do some interesting clustering/load-balancing experimentation, but that's a ways off. It only has 256MB RAM in it anyway, so it's barely worth having as a backup.

                  Originally posted by Nonapeptide:
                  Why, no I haven't actually. Is this going to give me sleepless nights?
                  Will Smith runs around for a bit with some crazy old guy while the government does government things. Any questions? :P


                  In other news, thanks for all your help! I hope to start setting this up this weekend & early next week, though of course we'll see what the rest of my life has to say about that.



                  • #10
                    Re: VPN Users Setup Questions

                    Originally posted by JohnMiller:
                    Err, what?
                    That's what I said when I first heard about that scheme. It makes sense after a while though. For you, I suppose you could get away with adding users to groups and then assigning them straight to the resource (printer, share, etc.)

                    Originally posted by JohnMiller:
                    I hope to start setting this up this weekend & early next week, though of course we'll see what the rest of my life has to say about that.
                    Yes, like the part that wears the ring you bought her.
                    Wesley David



                    • #11
                      Re: VPN Users Setup Questions

                      Well, you called it! I am just now getting to configuration.

                      Of course, I run immediately into a brick wall - adding the VPN service breaks routing. Period. From the server (192.168.0.220) I can't ping my gateway (192.168.0.1), or other local computers (192.168.0.5 etc), and other computers can't ping the server. In addition, I can't even access the internet - which I had previously configured for a static IP (the x.220) and with my ISP's DNS servers. The single ethernet interface (that I configured for the VPN, not VPN+NAT) shows connected though!

                      Removing the VPN role fixes all the above issues. Google doesn't (seem to) have any notice of this happening. Help?

                      EDIT: FIXED! Durr, I had just sleepwalked through the configuration and enabled "static filtering" which denied any access except VPN traffic through the selected NIC, which of course is the only NIC I have plugged into anything. Still working on it, will post updates.

                      EDIT 2: I got Active Directory and the VPN up! However, when I connect to it with the Add Connection wizard from another (local) computer, I connect to the VPN but cannot access the internet while I'm hooked up to the VPN. How can I make it so that users hook into my VPN but do not try (and fail) to use it for internet?
                      Last edited by JohnMiller; 2nd August 2009, 03:00.



                      • #12
                        Re: VPN Users Setup Questions

                        Sorry if this counts as a double post, but I wanted to expand upon my initial questions and thought this might make a good topic for further discussion, but probably not its own thread.

                        Additional Question: Is it possible, using the same technology I'm using right now, to have both "VPN" and "VPN+NAT" available, based on the connecting user's permissions or group?

                        It would be nice to just have a VPN for my developers, while not giving them relayed internet access or access to my other local machines. At the same time, I would like to have an easy VPN internet relay, and be able to hook into other computers at home for file access or tech support.

                        I'd much rather deal with the issues in my previous topic, so if this is super-duper-complicated, don't bother with it till we get my primary issue fixed first.

                        Thanks for your help so far!



                        • #13
                          Re: VPN Users Setup Questions

                          Originally posted by JohnMiller:
                          EDIT 2: I got Active Directory and the VPN up! However, when I connect to it with the Add Connection wizard from another (local) computer, I connect to the VPN but cannot access the internet while I'm hooked up to the VPN. How can I make it so that users hook into my VPN but do not try (and fail) to use it for internet?
                          You would want to go to the VPN connection icon, right-click and go to properties, double-click the IPv4 item, click the "advanced" button and then change the "Use default gateway on remote network" option. Instead of telling users how to change this setting, you can create an installable "connectoid" that would have all the options you could ever want to change using the CMAK. Check out my post in this thread for more info. Of course, this only works to install it on Windows machines. If you have other OSs to support, then maybe make a shell script or something that the OS in question supports?


                          Originally posted by JohnMiller:
                          Sorry if this counts as a double post
                          Double posts are only when you post the same question in more than one forum on this site. E.g. a question about LDAP queries posted in the AD forum and the Server 2003 forum.


                          Originally posted by JohnMiller:
                          Additional Question: Is it possible, using the same technology I'm using right now, to have both "VPN" and "VPN+NAT" available, based on the connecting user's permissions or group?

                          It would be nice to just have a VPN for my developers, while not giving them relayed internet access or access to my other local machines. At the same time, I would like to have a easy VPN internet relay, and be able to hook into other computers at home for file access or tech support.
                          If you change the default gateway option (AKA "split tunneling"), then remote users will use their own local default gateway and thus take care of the relayed internet connection concern. As for having two VPN connection possibilities, one with LAN access and one with only server access, that might be possible with connection rules on the RRAS machine. However, I haven't had to do something like that so another member of the forum would be better suited to answer that.
                          Last edited by Nonapeptide; 3rd August 2009, 18:33.
                          Wesley David



                          • #14
                            Re: VPN Users Setup Questions

                            Sweet, I'll try that connection stuff in a few minutes. And the split gateway thing sounds complicated, so once I have my basic stuff set up I'll make a new post about it. It might even be easier to just set up a SOCKS relay or something later with a 3rd party product that I just ask the other developers to not use.

                            Edit: the gateway correction works! I'll be using that connection wizard to create distributable VPN setup executables. Thanks!
                            I'll be going on vacation for a week, so work will stall for awhile.
                            Last edited by JohnMiller; 4th August 2009, 19:53.
