ComputerBas

Tips, tricks and manuals


#1 2019-11-10 23:34:46

Bas
Administrator
Registered: 2019-11-10
Posts: 83

VPN with SSTP and LETSENCRYPT for RRAS on Windows Server

How do you set up an SSTP VPN with RRAS on Windows Server, using a Let's Encrypt certificate? Step by step:

Install IIS and RRAS

In Server Manager, Manage → Add Roles and Features, tick Remote Access and Web Server (IIS).

In the Features pane select Remote Server Administration Tools with all its sub-features; under Remote Access Role Services select DirectAccess and VPN (RAS) and Routing.

Install WACS (win-acme) for Let's Encrypt

https://www.win-acme.com/
https://github.com/PKISharp/win-acme

Run rrasmgmt.msc

Right-click the server → Configure and Enable Routing and Remote Access → Custom Configuration → VPN access and Demand-dial connections

Start the service

Right click the server → Properties

On the IPv4 tab select Static address pool and add an IP range for VPN clients that does not collide with DHCP (e.g. 192.168.25.40 to 192.168.25.80).

The Default Web Site in IIS must have an HTTPS binding for the VPN hostname with the "Require Server Name Indication" box UNTICKED.
The binding used for SSTP must NOT require SNI: SSTP shares TCP 443 through HTTP.SYS, and the certificate has to be offered to clients that do not present a server name.

To remove any old certificates for the VPN host first, so that the wrong one cannot get bound later:

In an admin PowerShell:

$hostname = "vpn.company.com"
# -match takes a regular expression: escape the dots, or "vpn.company.com" also matches "vpnXcompanyYcom"
$pattern = [regex]::Escape($hostname)
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern } | Remove-Item

Add -WhatIf to the Remove-Item the first time to see which certificates would be deleted.

Create a 4096-bit certificate:

In the WACS folder, e.g.

C:\WACS\

there is a file called settings_default.json. win-acme copies it to settings.json on first run and reads settings.json from then on (settings_default.json is replaced on upgrade), so edit settings.json if it already exists.

Edit the "Security" section for a 4096-bit RSA key (only RSAKeyBits changes; the rest of the file stays as it is):

  "Security": {
    "RSAKeyBits": 4096,
    "ECCurve": "secp384r1",
    "PrivateKeyExportable": false,
    "EncryptConfig": true
  },

Then request the certificate (the interactive menu lets you pick the IIS binding for the VPN host):

C:\WACS\wacs.exe --ocsp-must-staple

The certificate must end up in the Local Computer Personal store (Cert:\LocalMachine\My), not in a user store: RRAS runs as Local System and only reads the machine store. win-acme's default store plugin puts it there; if you exported a .pfx instead, import it explicitly and complete the remaining installation steps.

Double-click the .pfx → import into Local Computer → Personal

Finally, point RRAS at the certificate we just created:

RRAS properties → Security → SSL Certificate Binding → select the certificate

Let's Encrypt certificates are valid for 90 days; WACS registers a scheduled task that renews them automatically. Note that RRAS binds the SSTP certificate by its hash, so a renewed certificate is NOT picked up by itself: either reselect it in the dialog above after each renewal, or let win-acme run its RRAS installation script (Scripts\ImportRRAS.ps1 in the WACS folder) as an installation step.
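Because RRAS keeps the SSTP binding by certificate hash, the binding step above has to be repeated after every renewal. The script below, added here as an example (it is not from the original post and not win-acme's own ImportRRAS.ps1), does that: it picks the newest valid machine-store certificate for the host, warns if the IIS 443 binding requires SNI, binds the certificate to RRAS and restarts the service. It assumes the RemoteAccess and WebAdministration PowerShell modules are present on the RRAS server; vpn.company.com is a placeholder.

```powershell
# Added example (not from the original post): re-bind RRAS SSTP to the newest
# Let's Encrypt certificate for the VPN host after a win-acme renewal.
# Assumptions: RRAS and IIS run on this server, the RemoteAccess and
# WebAdministration modules are available, and the hostname is a placeholder.
#Requires -RunAsAdministrator
param(
    [string]$HostName = 'vpn.company.com'   # placeholder, replace with your VPN host
)

Import-Module RemoteAccess
Import-Module WebAdministration

# 1. Newest, currently valid certificate for the host that has a private key.
#    RRAS runs as Local System and only reads Cert:\LocalMachine\My.
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.DnsNameList.Unicode -contains $HostName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with a private key for $HostName in Cert:\LocalMachine\My"
}

# 2. The IIS HTTPS binding on 443 must not require SNI (sslFlags bit 1):
#    SSTP shares the port through HTTP.SYS and the certificate has to be
#    served to clients that do not present a server name.
Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' } |
    ForEach-Object {
        if ($_.sslFlags -band 1) {
            Write-Warning "Binding $($_.bindingInformation) requires SNI; untick it for the SSTP host."
        }
    }

# 3. Bind the certificate to RRAS. The hash RRAS uses is also visible under
#    HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters (SHA256CertificateHash).
Set-RemoteAccess -SslCertificate $cert

# 4. SSTP only starts using the new certificate after a service restart.
Restart-Service -Name RemoteAccess -Force

# 5. Report what is actually bound now.
$bound = (Get-RemoteAccess).SslCertificate
'Bound to {0} (thumbprint {1}, expires {2:yyyy-MM-dd})' -f $bound.Subject, $bound.Thumbprint, $bound.NotAfter
```

Run it as a win-acme installation script (or from the renewal task) so the SSTP binding follows each renewal instead of silently serving an expired certificate at the next 90-day boundary.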

Start RRAS automatically at boot:

Run services.msc

Find the Routing and Remote Access service (and its dependency Remote Access Connection Manager), right-click → Properties → Startup type: Automatic

On the client, do not use the default gateway on the remote network (split tunneling, so only the office network goes through the tunnel and ordinary internet traffic stays local):

Open the Network and Sharing Center and click Change adapter settings. Right-click the VPN connection you just created, select Properties and switch to the Networking tab.

Select Internet Protocol Version 4 (TCP/IPv4), click Properties, then Advanced, and untick "Use default gateway on remote network". If the client then cannot reach internal subnets beyond the VPN pool, add a route for them on the VPN connection.
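The same client-side configuration from PowerShell, added here as an example that is not part of the original post: it creates the SSTP connection with split tunneling (the cmdlet equivalent of unticking "Use default gateway on remote network") and routes only the office subnet through the tunnel. The hostname, connection name and subnet are placeholders.

```powershell
# Added example (not from the original post): create the SSTP client connection
# with "Use default gateway on remote network" switched off and route only the
# internal network through it. All three values below are placeholders.
$server = 'vpn.company.com'   # placeholder VPN host
$name   = 'Office VPN'        # placeholder connection name
$subnet = '192.168.25.0/24'   # placeholder internal network reached via the VPN

# -SplitTunneling is the equivalent of unticking "Use default gateway on remote network".
# MS-CHAPv2 matches the RRAS custom-configuration default; EAP with certificates is
# stronger where a PKI exists. -RememberCredential is deliberately not used: cached
# VPN credentials on a laptop are one more thing a thief gets for free.
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -SplitTunneling -Force

# With split tunneling only the VPN pool itself is routed automatically, so add the
# internal subnet(s) that should travel through the tunnel.
Add-VpnConnectionRoute -ConnectionName $name -DestinationPrefix $subnet

# Verify: SplitTunneling must be True and the route must be listed.
Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, SplitTunneling, EncryptionLevel
(Get-VpnConnection -Name $name).Routes
```

Get-VpnConnection shows the connection for the current user; use -AllUserConnection on both cmdlets if the connection was created for all users.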


Troubleshooting:


The VPN user must be allowed to dial in:

Run mmc.exe

Add the Local Users and Groups snap-in from the File menu

Open your user account, right-click → Properties

Dial-in tab → Network Access Permission → Allow access


Network Policy Server must allow VPN connections:

If NPS is installed, it has to be configured to allow VPN connections; its policies deny by default.

In the NPS snap-in (mmc.exe) → Policies → Network Policies → set both policies relating to VPN connections (the ones the RRAS wizard created) to Grant access.


Host machine must be discoverable:

Open the Network and Sharing Center

Click Advanced sharing settings

Expand the Private group and turn on Network Discovery and File and printer sharing. Only enable them for Guest or Public as well if you really need it: SSTP itself needs nothing but TCP 443 reachable, and discovery and file sharing on a public-profile interface expose SMB and discovery protocols to whatever network the server is on.
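The troubleshooting items above can be checked from one admin PowerShell session on the RRAS server. The script below is an added example, not from the original post: it reports the RRAS services, the 443 listener, whether the certificate hash RRAS has bound still matches a valid certificate in the machine store (the usual culprit after a Let's Encrypt renewal), the NPS network policies, dial-in permission for domain accounts (only when the ActiveDirectory module is present), and which Network Discovery firewall rules are enabled on which profile. vpn.company.com is a placeholder.

```powershell
# Added example (not from the original post): server-side checks for the
# troubleshooting items. The hostname is a placeholder; the AD check runs only
# if the ActiveDirectory module is installed.
#Requires -RunAsAdministrator
$HostName = 'vpn.company.com'   # placeholder
$results  = [ordered]@{}

# Services RRAS depends on: all should be Running and start Automatic.
$results.Services = Get-Service -Name RemoteAccess, RasMan, SstpSvc |
    Select-Object Name, Status, StartType

# SSTP listens on TCP 443 through HTTP.SYS (PID 4); nothing else may own the port.
$results.Port443 = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, OwningProcess

# Does the certificate hash RRAS has bound still match a valid certificate in the
# machine store? After a renewal the old hash stays here until the binding is updated.
$params    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$boundSha1 = ($params.SHA1CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
$cert      = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $boundSha1 }
$results.SstpCertificate = if ($cert) {
    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        Expired  = ($cert.NotAfter -lt (Get-Date))
        ForHost  = ($cert.DnsNameList.Unicode -contains $HostName)
    }
} else {
    "No certificate with thumbprint '$boundSha1' in Cert:\LocalMachine\My"
}

# NPS: both VPN network policies must grant access (netsh output is plain text).
$results.NpsPolicies = (netsh nps show np) -join "`n"

# Dial-in permission for domain accounts (skipped on a stand-alone server).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $results.DialIn = Get-ADUser -Filter 'Enabled -eq $true' -Properties msNPAllowDialin |
        Select-Object SamAccountName, msNPAllowDialin
}

# Network Discovery rules and the profile they apply to. Keep them on Private only:
# SSTP needs nothing but TCP 443, so Public exposure buys nothing.
$results.Discovery = Get-NetFirewallRule -DisplayGroup 'Network Discovery' |
    Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Profile, Direction

$results
```

A mismatch in SstpCertificate (no certificate found, Expired true, or ForHost false) means clients will fail the TLS handshake even though the renewal task itself succeeded; rebind the certificate in RRAS and restart the RemoteAccess service.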


All good?

AWESOME!

Last edited by Bas (2022-10-17 02:50:18)

