Setting up a VPN server from Windows 2012 R2 utilizing SSTP for a certificate-based connection
GOAL: To create a VPN server from Windows 2012 R2 using domain authentication and an SSL certificate for added security for the users.
- A working Windows domain with Active Directory.
- Local DHCP
- A public IP NATed to the private IP of the VPN server
- A public DNS name of the VPN server (OPTIONAL)
- Port forwarding in the firewall for the SSTP port. See step 11 under “Setting up the VPN Server”.
Setting up the VPN Server
- Install Windows 2012 R2.
- In Roles and Features, add Remote Access as a server role.
- In the Remote Access – Role Services, choose DirectAccess and VPN (RAS)
- Use all the default parameters and proceed with the installation of the role.
- Once the role is installed, the “Configure Remote Access” wizard will show up. Choose “Deploy VPN Only”.
- The previous step will open the MMC for Routing and Remote Access.
- Right click on the server name and choose “Configure and Enable Routing and Remote Access”.
- On the configuration wizard, choose “Custom Configuration”.
- In Custom Configuration, choose VPN Access.
- Click Finish and on the small window, click on Start Service.
- If you have a firewall, you will need to open the following ports:
  1723 (TCP) – PPTP
  47 (GRE) – PPTP Pass Through
  1701 (TCP) – L2TP over IPSec (TCP)
  500 (UDP) – L2TP over IPSec (UDP)
  443 – SSTP
  For the sake of this project, since we will only be dealing with SSTP, it is enough to open just port 443.
- In order to allow a user to use the VPN, open the user’s properties in Active Directory, go to the Dial-in tab and select “Allow access” in the “Network Access Permission” section.
- This project assumes a local DHCP server, so you don’t need to configure an IP pool for the VPN clients. Right click your VPN server, choose Properties and go to the IPv4 tab. Make sure that “Enable IPv4 Forwarding” is checked and “Dynamic Host Configuration Protocol (DHCP)” is selected.
Setting up SSTP
- Create a CSR from IIS. In IIS Manager, click on the server in the Connections panel.
- On the middle pane, choose Server Certificates.
- In the Actions panel, choose Create Certificate Request….
- Populate the fields pertaining to the Certificate.
- For the Crypto Service Provider, choose MS RSA SChannel Crypto Provider.
- The bit length should be 2048.
- Save the CSR.
- With the CSR on hand, order a certificate from any SSL certificate provider (GoDaddy, etc.). Since this is just a low-level certificate, I suggest getting it at http://cheapssslsecurity.com. But if you’re unsure of what to get, go with GoDaddy; a GoDaddy customer rep can point you to the right type of SSL certificate.
- Once you have the SSL certificate ready, import it on your VPN server: open the Certificates MMC and import the SSL certificate into the computer’s certificate store.
- Go back to the Routing and Remote Access MMC and open the VPN server properties. In the Security tab, under SSL Certificate Binding, make sure that the newly imported SSL certificate is the one bound for the VPN.
At this point, the setup of the VPN server is done. However, to narrow down which computers/users will be able to use the VPN, we will configure NPS in the following steps, although this is purely optional.
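As an added example (not part of the original guide), the following PowerShell, run elevated on the RRAS server, verifies the result of the steps above: the service is up, only the SSTP port is listening, the imported certificate has a private key and the Server Authentication EKU, and the certificate actually presented on TCP 443 is the one you bound. The DNS name is a placeholder you must replace.

```powershell
# Added example (not from the original guide): post-setup checks for the SSTP VPN server.
# Run in an elevated PowerShell on the RRAS server. Replace the placeholder DNS name.
$VpnDnsName = 'vpn.example.com'   # placeholder: the public DNS name you put in the CSR

# 1. RRAS must be running and listening on TCP 443, the only port this guide opens.
$svc = Get-Service -Name RemoteAccess
"RemoteAccess service: $($svc.Status)"
$listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty LocalPort -Unique
foreach ($port in 443, 1723, 1701) {   # 443 = SSTP; 1723/1701 = PPTP/L2TP, not needed here
    $state = if ($listen -contains $port) { 'LISTENING' } else { 'closed' }
    "TCP {0,-5} {1}" -f $port, $state
}

# 2. The imported certificate: needs a private key, a valid lifetime, the Server
#    Authentication EKU and a subject matching the name clients will type in.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$VpnDnsName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $VpnDnsName in LocalMachine\My" }
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$hasServerAuth = $cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)  (private key: $($cert.HasPrivateKey); ServerAuth EKU: $hasServerAuth)"

# 3. What does a client actually see on 443? Open a TLS session to the local listener and
#    compare the presented thumbprint with the certificate from the store. A mismatch means
#    the binding in the Security tab did not take effect (e.g. an old self-signed cert is bound).
$tcp = New-Object Net.Sockets.TcpClient('127.0.0.1', 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
        { param($s, $c, $chain, $errors) $true })   # accept any cert here; inspected below
try {
    $ssl.AuthenticateAsClient($VpnDnsName)
    $served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Served     : $($served.Thumbprint)  subject $($served.Subject)  issuer $($served.Issuer)"
    if ($served.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning 'The certificate served on 443 is not the one in the store; re-check the SSL Certificate Binding'
    }
} finally { $ssl.Dispose(); $tcp.Dispose() }
```

If step 3 reports a self-signed certificate issued by the server itself, RRAS is still using the certificate it generated during installation and clients will fail the SSTP certificate check.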
- Open the Routing and Remote Access MMC, under the VPN server, right click on “Remote Access Logging and Policies” click on Launch NPS.
- The Network Policy Server MMC will open. Right click on Network Policies and click on New.
- Enter a name for the policy and select Remote Access Server (VPN-Dial up) as the type of network access server.
- Assuming that a security group for the VPN users already exists in A/D, the next step uses that group. In the Conditions window, click on Windows Groups and add that security group.
- For the access type, choose Access Granted.
- On the Authentication Encryption page, click the Add button and add EAP-MSCHAP v2. You may also check MS-CHAP v2, but make sure that all the boxes below it are unchecked. I recommend leaving all the less secure authentication methods unchecked.
- Skip all the other filters and complete the NPS setup.
Setting up the Client
- On the desktop client (Windows 7, Windows 8 or Windows 10), go to Control Panel, open Network and Sharing Center and create a new network connection.
- Choose Connect to a workplace.
- Choose “Use my Internet Connection (VPN)”.
- Enter the (Public) IP of the VPN Server or its DNS name. Also enter the description name. Do not connect it yet.
- Enter the username, password and domain (the domain is OPTIONAL). For convenience, check “Remember this password”. (NOTE: the user needs to be a member of the security group defined on the NPS server.) Click Create.
- On the Network Connections window, right click on the newly created connection and choose properties.
- In the connection properties window, go to the Security tab. Make sure that “Secure Socket Tunneling Protocol (SSTP)” is chosen as the type of VPN. For Data Encryption, choose Require Encryption. For the authentication type, choose Microsoft Secured Password (EAP-MSCHAP v2).
- Hit Connect – you should be able to connect now using SSTP.
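The same client connection, created from PowerShell instead of the GUI, as an added example that is not part of the original guide. It uses the VpnClient module (Windows 8.1/10), pins the tunnel type to SSTP so the client can never fall back to PPTP or L2TP, and supplies the EAP-MSCHAP v2 configuration explicitly; the server name and connection name are placeholders.

```powershell
# Added example (not from the original guide): provision the SSTP client connection described
# in the steps above with PowerShell. Windows 8.1/10, run as the user who will connect.
$VpnServer = 'vpn.example.com'        # placeholder: public DNS name or IP of the VPN server
$Name      = 'Office SSTP'            # placeholder: connection description name

# EAP-MSCHAP v2 (EAP type 26) configuration, equivalent to choosing "Microsoft Secured
# Password (EAP-MSCHAP v2)" in the Security tab. UseWinLogonCredentials=false so the user
# is prompted for the domain account that NPS checks against the VPN security group.
$eapXml = [xml]@'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
'@

# Before creating the connection, confirm TCP 443 is reachable. A failure here is a NAT or
# firewall problem on the server side (see the port-forwarding step), not an authentication problem.
$reach = Test-NetConnection -ComputerName $VpnServer -Port 443
if (-not $reach.TcpTestSucceeded) { throw "TCP 443 to $VpnServer is not reachable" }

# TunnelType Sstp (not Automatic, which would try PPTP/L2TP first), EncryptionLevel Required
# ("Require encryption"), EAP authentication with the XML above, credentials remembered.
Add-VpnConnection -Name $Name -ServerAddress $VpnServer -TunnelType Sstp `
    -EncryptionLevel Required -AuthenticationMethod Eap -EapConfigXmlStream $eapXml `
    -RememberCredential -Force

# Show what was created, then connect; the trailing * makes rasdial prompt for the password.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod
# rasdial "Office SSTP" DOMAIN\user *
```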