
A VPN, or Virtual Private Network, creates an encrypted tunnel between your computer and a remote server. This has two major advantages. First, you mask your real location because you will have the IP address of the VPN server. Second, all the traffic between your computer and the server is encrypted. So, if you connect to a public WiFi, your data remains safe even if it is intercepted by someone. Similarly, your Internet Service Provider cannot read your data.

There are three ways to get a VPN service.


  • You can get a free VPN. This is obviously the worst option, because nothing is free and such VPN providers most likely sell your data to third parties. Free VPNs are also usually very slow.
  • You can sign up for a VPN service for a monthly fee. This is the most popular option. It is more reliable than a free VPN, but you have to trust your VPN provider.
  • You can get a personal VPN on your own server. This is the most secure option because you have maximum control over your traffic.

This post is about the third option.

Requirements

To get your own personal VPN, you need two computers:

  • A client computer, most likely your home computer or laptop. You use it to connect to the VPN.

  • A private server, where you install the VPN and use it as your VPN provider. This can be your own physical server or a virtual server.

There are several programs you can use to configure a personal VPN. I will use OpenVPN. It is open-source, it is available in all Linux distros, and I believe it is one of the most popular VPN programs.

Install and Configure VPN

Server computer

You need to install OpenVPN and cURL programs:

cURL is needed to download the VPN installation script openvpn-install.sh. This script makes the installation very easy and much less error-prone. You can, of course, install everything manually, and there are good instructions on how to do that on the Debian Wiki or Arch Linux Wiki. But I believe most of my readers prefer the simplest way. This VPN installation script is the result of the work of 36 contributors; you can check what it does, and I personally trust it.

So, you need to download the script and make it executable:

Then run this script as a superuser to install and configure OpenVPN on your server:

You need to follow the assistant and answer a few questions. You can keep everything at the defaults, just press Enter for every question. Only give a name to your VPN configuration, and I also recommend encrypting the configuration with a password:

When everything is done, you should see a file that ends with .ovpn. This is the configuration file you will need to configure the client computer.

Client computer

On a client computer, also install OpenVPN and OpenVPN extension for your network manager:

I install networkmanager-openvpn for Plasma 5 on Arch Linux. Search for these two packages in your distro. Their names may differ slightly. If you use Ubuntu GNOME, for example, you need to install networkmanager-openvpn-gnome:

Next, download the VPN configuration file from your server:

The file will be downloaded to your local Downloads folder.

You can also use FileZilla if you prefer graphical programs. I explained how to use FileZilla and scp command in my previous post.

Connect to a VPN

First, I will show you the command line way to connect to a VPN. This way is more reliable and you make sure that your VPN works. Next, configure your graphical network manager.

Command line

So, copy the downloaded *.ovpn configuration file to the client folder of your OpenVPN:

Test the connection:

You may need to enter the password if you set one and then you will see something like this:

If you do not see any error, your VPN works fine. To test it, open your internet browser and visit any website. You can also check your public IP address and it should be your server address.

Graphical connection in Network Manager

Although I like the command line, it is much nicer to be able to connect to the VPN with just one click from your system tray:

So, to add your VPN configuration to the Network Manager, open the Network Manager settings. Click on Add new connection, and import the configuration file you have downloaded from the server:

The screenshots above are from the Plasma 5 Network Manager. It is almost the same in GNOME and other desktops. Just find the option to import a connection.

After that, you should see a new connection in your connection list. Try to enable it. If you see that your Network Manager icon changed, this means your VPN works. You can go to your web browser and test it.

Troubleshooting

When you start your OpenVPN connection from the command line, you will see errors right on the screen if something does not work. Try to understand what it says. If you do not know how to fix it, google that error message.

However, when you configure the graphical interface of the Network Manager, you do not see detailed error information if it happens. You need to check the errors in your logs with this command:

For example, I did not succeed in connecting to my VPN in Plasma 5 the first time. I imported the configuration and I saw that the system tried to connect, but failed after some time:

Checking the log files revealed that the TLS certificate was missing:

My Network Manager imported all certificates except the TLS one. From my experience, importing the connection configuration works flawlessly in the GNOME Network Manager. But other network managers may not recognize all settings during the import. Probably, this is because the script is optimized for GNOME. So, you may need to correct some import errors manually.

Open the configuration file *.ovpn with a text editor and make sure you have the corresponding settings in your Network Manager.

If some certificates are missing in your Network Manager, copy them from the configuration file and save each one as a *.crt file on your computer. Usually, all the Network Manager certificates are stored in ~/.local/share/networkmanagement/certificates/.

You can see the screenshots of my configuration after I corrected all errors:

You may also need to change the permissions of all the certificates.
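The manual step described above, copying each inline certificate out of the *.ovpn file and fixing its permissions, can be scripted. The following is an added example (not from the original post and not part of openvpn-install.sh): it splits the inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>`/`<tls-crypt>` blocks of a profile into separate owner-only files and reports which blocks a GUI importer would have to pick up. The profile it parses is a constructed sample with dummy PEM bodies.

```python
import os
import re
import tempfile

# Example code, not part of the original post or of openvpn-install.sh.
# Inline blocks a .ovpn profile may carry -> file name to store each one under.
BLOCK_FILES = {"ca": "ca.crt", "cert": "client.crt", "key": "client.key",
               "tls-auth": "ta.key", "tls-crypt": "tls-crypt.key"}
REQUIRED = ("ca", "cert", "key")
BLOCK_RE = re.compile(r"^<(?P<tag>[\w-]+)>[ \t]*\r?\n(?P<body>.*?)^</(?P=tag)>[ \t]*$",
                      re.MULTILINE | re.DOTALL)

# Constructed sample profile; the PEM bodies are dummies, not real key material.
SAMPLE_OVPN = "\n".join([
    "client", "dev tun", "remote vpn.example.invalid 1194", "key-direction 1",
    "<ca>", "-----BEGIN CERTIFICATE-----", "ZHVtbXkgY2E=", "-----END CERTIFICATE-----", "</ca>",
    "<cert>", "-----BEGIN CERTIFICATE-----", "ZHVtbXkgY2VydA==", "-----END CERTIFICATE-----", "</cert>",
    "<key>", "-----BEGIN PRIVATE KEY-----", "ZHVtbXkga2V5", "-----END PRIVATE KEY-----", "</key>",
    "<tls-auth>", "-----BEGIN OpenVPN Static key V1-----", "00112233445566778899aabbccddeeff",
    "-----END OpenVPN Static key V1-----", "</tls-auth>", ""])


def parse_ovpn(text):
    """Return {'blocks': {tag: pem}, 'directives': {name: [args, ...]}}."""
    blocks = {m.group("tag"): m.group("body").strip() + "\n"
              for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():  # only lines outside blocks
        line = line.strip()
        if line and line[0] not in "#;":
            name, _, args = line.partition(" ")
            directives.setdefault(name, []).append(args.strip())
    return {"blocks": blocks, "directives": directives}


def report(profile):
    """What a GUI importer must pick up: missing certs, TLS key type, key direction."""
    blocks = profile["blocks"]
    return {"missing": [t for t in REQUIRED if t not in blocks],
            "tls_key": next((t for t in ("tls-auth", "tls-crypt") if t in blocks), None),
            # tls-auth also needs key-direction (0 or 1); tls-crypt does not.
            "key_direction": profile["directives"].get("key-direction", [None])[0]}


def export_blocks(profile, outdir=None):
    """Write each inline block to its own file, readable only by the owner."""
    outdir = outdir or tempfile.mkdtemp(prefix="ovpn-")
    written = {}
    for tag, body in profile["blocks"].items():
        path = os.path.join(outdir, BLOCK_FILES.get(tag, tag + ".pem"))
        # Create with mode 0600 from the start so the key is never world-readable.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o600)
        written[tag] = {"path": path, "mode": os.stat(path).st_mode & 0o777}
    return written
```

Point `export_blocks` at the certificates directory mentioned above and the resulting files can be selected in the Network Manager dialog; `report` tells you whether a tls-auth key (and its key-direction) still has to be set by hand.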

This is how I was able to troubleshoot my Plasma 5 VPN connection. Obviously, I cannot guess all the possible problems that can arise during your installation and configuration of a personal VPN service.

Add more VPN users

When you run the script openvpn-install.sh the first time, it creates a connection for one user. However, if you run it again, it will offer you an option to add more users:

Select option 1. Add a new user and follow the instructions. The instructions are the same as above. Just provide a different Client name and you will see newuser.ovpn configuration file. Use it to connect a new user to this VPN server.

As you can see from the screenshot, running openvpn-install.sh again also gives you options to revoke a user, and remove OpenVPN from the server.

So, if you have ever thought about setting up a personal VPN, now you know how to do that. A personal VPN server is not only more secure in terms of privacy, but it can also be cheaper. For example, if you connect your whole family to one VPN server, this option will be cheaper than paying for a separate VPN subscription for each family member.

This is the third post in my series on setting up a basic Always On VPN deployment. In this post I will be covering the configuration of the VPN server and the NPS server. I will also talk about the network and firewall configuration. Links to each individual post in this series can be found below.

Always On VPN – Basic Deployment Guide
Always On VPN – Certificates and Active Directory
Always On VPN – User Tunnel
Always On VPN – Device Tunnel
Always On VPN – Troubleshooting

The VPN Server

In this deployment, the role of the VPN server will be filled by Windows Server 2019 running the Routing and Remote Access Server role. This post will provide instructions for both domain-joined and non-domain-joined VPN servers. For the best security, the recommendation is to not join the VPN server to the internal AD domain.

Network Placement

The server will be located in a perimeter network. If a perimeter network or DMZ is not available, the server could be placed on a separate VLAN where access to the rest of the corporate network is controlled by ACLs. The server could also be placed directly on the corporate network, but this is the least secure option.

Network Configuration

The server will have two network adapters: one internet-facing adapter and one intranet-facing adapter.

  • External Adapter
    • Assigned a static IP Address and Gateway IP
    • Only the IPv4 and IPv6 protocols should be enabled
  • Internal Adapter
    • Assigned a static IP Address
  • Additional Notes
    • The IP addresses assigned to the adapters must be from different subnets
    • The gateway IP should only be configured on the external adapter
      • Access to internal resources should be configured using static routes
    • If the VPN server is domain-joined, the DNS servers should be specified on the internal adapter
    • While this guide assumes a dual-interface configuration, it is possible to configure the VPN server with a single network interface. For more information about network interface configuration on the VPN server, refer to this post.

Firewall Configuration

  • Traffic allowed from the internet facing firewall to the external network adapter of the VPN server
    • If using IKEv2
      • UDP 500 (IKE)
      • UDP 4500 (IPSec NAT Traversal)
    • If using SSTP
      • TCP 443 (SSL)
  • Traffic allowed to and from the internal network adapter of the VPN server to the internal network
    • UDP 1812 (RADIUS Authentication)
    • UDP 1813 (RADIUS Accounting)
      • RADIUS traffic can also use UDP 1645 and UDP 1646, however, these are legacy ports and should not be needed when using modern clients and servers

If the VPN server is domain-joined, the server will need to be able to communicate with a domain controller. If there is not a read-only domain controller in the perimeter network, then these ports will need to be opened to domain controller on the internal network. Note that this is a potential security risk.

  • TCP and UDP 53 (DNS)
  • TCP and UDP 88 (Kerberos)
  • TCP 135 (RPC Endpoint Mapper)
  • TCP and UDP 389 (LDAP)
  • TCP 445 (SMB)
  • TCP 636 (LDAPS)
  • TCP 3268 (LDAP GC)
  • TCP 3269 (LDAPS GC)

Feature Installation and Configuration

These steps will walk through the installation and configuration of the Routing and Remote Access Server role. These steps should be performed on the VPN server.

  • Open an administrative PowerShell window and run this command to install the Routing and Remote Access Server role
  • Open the Server Manager and click Open the Getting Started Wizard
    • A refresh of the server manager may be required for the notification to appear
  • In the Configure Remote Access window that opens, select Deploy VPN only
  • The Routing and Remote Access console should now be open
  • Right click on the VPN server and select Configure and Enable Routing and Remote Access
  • The Routing and Remote Access Server Setup Wizard should open
    • At the Welcome page, click Next
    • Select Custom configuration and click Next
    • Select VPN access and click Next
    • Click Finish to complete the setup wizard
    • When prompted to start the Routing and Remote Access service, click Start service
      • If no prompt to start the service appears, right click on the VPN server, select All Tasks, and click Start
  • Right click on the VPN server and select Properties
    • Security tab
      • Change the Authentication provider to RADIUS Authentication and click Configure
        • In the window that opens, click Add
        • Enter the FQDN of the NPS server
        • Enter a shared secret
          • This should be a long random string of characters. Save this password somewhere safe. It will be needed again during the NPS server configuration
        • Optionally change the time-out or port settings and click OK twice
      • Optionally change the Accounting provider
    • IPv4 tab
      • Choose to use DHCP or a static address pool for allocating IP addresses
        • If using DHCP, ensure an IP Helper and firewall rules have been created to allow clients to find and communicate with the DHCP server.
        • If using a static address pool, ensure the IP addresses have been excluded from being used by the DHCP server
      • Set the adapter to the internal network interface
  • Click OK to close the Properties window
  • In the Routing and Remote Access console, right click on Ports and select Properties
  • Select WAN Miniport (IKEv2) and click Configure
    • Ensure Remote access connections (inbound only) is checked
    • Ensure Demand-dial routing connections (inbound and outbound) is checked
    • Optionally modify the maximum ports setting and click OK
  • Configure the other unused RAS/Routing ports (L2TP, PPTP, SSTP)
    • Uncheck both checkboxes

This concludes the main setup of the Routing and Remote Access role. However, there are additional steps that can be done to improve security as well as add support for device tunnels.

Improve IKEv2 Security

The default security settings for an IKEv2 connection in the Routing and Remote Access configuration are not as good as they could be. The settings used for the IKEv2 connections can be set to a more secure level on the server. If these settings are set on the server, the same settings will need to be configured on the client side before the tunnel will connect.

  • Connect to the VPN server and open an administrative PowerShell window
  • Run this command to update the IPsec security parameters for IKEv2
  • Restart the Remote Access Management service to allow the changes to take effect

This PowerShell command is sourced from this post.

Enable IKEv2 Fragmentation

It’s possible for the IKEv2 traffic to be split apart if the IP packets are too large. Windows 10 supports IKEv2 fragmentation by default; however, this support needs to be manually enabled in Windows Server. Note that this feature only works in Windows Server 1803 and newer. To enable support for IKEv2 fragmentation, run this PowerShell command:

To read more about IKEv2 fragmentation, refer to this post.

Enable Support for Device Tunnels

The default configuration of the Routing and Remote Access server role does not allow machine certificate authentication. If device tunnels will be used, this needs to be enabled.

  • Connect to the VPN server and open an administrative PowerShell window
  • Run this script to enable machine certificate authentication
    • Modify the first line of the script with the common name of the root CA before running the script

This PowerShell script is sourced from this page.

The NPS Server

In this deployment, the role of the NPS server will be filled by Windows Server 2019 running the Network Policy Server role. This server should be domain-joined.

Network Placement and Configuration

The server will be located behind the internal firewall on the internal network. The server should have a single network adapter with a static IP address or a DHCP reservation.

Firewall Configuration

The following ports should be allowed through the internal firewall and the Windows firewall between the VPN server and the NPS server.

  • UDP 1812 (RADIUS Authentication)
  • UDP 1813 (RADIUS Accounting)
    • RADIUS traffic can also use UDP 1645 and UDP 1646, however, these are legacy ports and should not be needed when using modern clients and servers

Windows Server 2019 has a bug where the Windows Firewall rules for the NPS role will appear as active but not actually be working. If communication on these ports does not seem to be making it through the Windows Firewall, open an administrative command prompt and run this command.

For more information about this bug and the solution, see this post.

Feature Installation and Configuration

These steps will walk through the installation and configuration of the Network Policy Server role. These steps should be performed on the NPS server.

  • Open an administrative PowerShell window and run this command to install the Network Policy Server role
  • Open the Network Policy Server console
  • Right click on the NPS server and select Register server in Active Directory
    • Click OK at the confirmation dialog and again at the success dialog
  • In the Network Policy Server console, expand RADIUS Clients and Servers
  • Right click on RADIUS Clients and select New
  • Ensure Enable this RADIUS client is checked
  • In the Friendly name box, enter the name of the VPN server
  • In the Address (IP or DNS) box, enter the IP address of the internal network interface on the VPN server
  • Shared Secret
    • Ensure the Manual box is checked
    • Enter the Shared Secret that was created during the VPN server setup
  • Click OK to close the window
  • Select the RADIUS server, ensure RADIUS server for Dial-Up or VPN Connections is selected, and click Configure VPN or Dial-Up
  • In the window that appears, select Virtual Private Network (VPN) Connections and click Next
  • Select the VPN server and click Next
  • On the Authentication Methods page
    • Uncheck Microsoft Encrypted Authentication version 2 (MS-CHAPv2)
    • Check Extensible Authentication Protocol
    • Set the Type to Microsoft: Protected EAP (PEAP)
    • Click Configure
      • Select Secured password (EAP-MSCHAP v2) and click Remove
      • Click Add, select Smart Card or other certificate, and click OK
      • Click Next
  • At the User Groups page
    • Click Add and select the AOVPN Users AD group
    • Click Next
  • At the IP Filters page, click Next
  • At the Encryption Settings page, click Next
  • At the Realm Name page, click Next
  • Click Finish to complete the wizard

This completes the VPN and NPS server configuration portion of the deployment. The next post in the series is Always On VPN – User Tunnel.
