Koozali.org formerly Contribs.org

SME9.2 and attempting a remote Windows 10 VPN connection

« on: August 02, 2018, 11:44:54 PM »
I have a 9.2 SME server set up on a 4 port router, the SME is set within a DMZ zone facing the internet.

I want to access a Win10pro workstation in the network group  which effectively would be going around the SME server but don't seem to be able to. I am thinking the SME server being in the DMZ zone is taking all activity so even though router is set to allow IPsecL2tp  and direct it to the appropriate workstation, it maybe is not happening as SME doesn't look to support IPsecL2tp?

Any limited mention of a VPN seems to indicate it would be slow going through the SME as PPTP and also that PPTP is not so secure, so I am wondering if I should be putting the server behind the router using virtual server settings (no DMZ zone) and only letting the following port connections through to the server:

secure mail    465 and 993
https://       443
http://        80

No need for FTP at this time.

and having the router direct IPsec/L2TP transmissions to the appropriate workstation on the network?

Thanks, for any suggestions.

Ken Graham

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #1 on: August 03, 2018, 12:16:06 AM »
My first attempt would be to set up port forwarding inside server-manager.

I also found this:
https://serverfault.com/questions/451381/which-ports-for-ipsec-lt2p

If that does not work, report back and more experienced users might be able to offer more help.
SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To here:
http://wiki.contribs.org/Wordpress_Multisite

Offline ReetP

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #2 on: August 03, 2018, 12:46:01 AM »
Or speak to me about ipsec/l2tpd....  :-)

First, what mode is your SME server in? Does your LAN traffic pass through it en route to the Internet?

If your server is in server/gateway.....

Might be a bit out of date but gives you an idea...
https://wiki.contribs.org/Smeserver-libreswan-xl2tpd

Note your best bet may be an OpenVPN routed connection to your server to access stations behind it. The only catch is sorting out certificates.

Libreswan and libreswan/xl2tpd do work and have the benefit of only requiring passwords (and xl2tpd lets you authenticate against a server user too) but I have had no feedback on them so they work for me but YMMV.....

As far as ports go:

# For IPsec
iptables -A INPUT -i $EXT_NIC -p udp --dport 500 -j ACCEPT    # IKE
iptables -A INPUT -i $EXT_NIC -p udp --dport 4500 -j ACCEPT   # IKE / ESP NAT traversal (NAT-T)
iptables -A INPUT -i $EXT_NIC -p 50 -j ACCEPT                 # ESP (IP protocol 50)
# iptables -A INPUT -i $EXT_NIC -p 51 -j ACCEPT               # AH (IP protocol 51) - don't bother with AH

# For L2TPD: only accept L2TP (UDP 1701) that arrived inside the IPsec tunnel
iptables -A INPUT -i $EXT_NIC -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

However, we need to understand your network setup a little better to really be able to help you.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #3 on: August 03, 2018, 04:18:55 AM »
Quote
Or speak to me about ipsec/l2tpd....  :-)

First, what mode is your SME server in? Does your LAN traffic pass through it en route to the Internet?

If your server is in server/gateway.....

Might be a bit out of date but gives you an idea...
https://wiki.contribs.org/Smeserver-libreswan-xl2tpd

Note your best bet may be an OpenVPN routed connection to your server to access stations behind it. The only catch is sorting out certificates.

Libreswan and libreswan/xl2tpd do work and have the benefit of only requiring passwords (and xl2tpd lets you authenticate against a server user too) but I have had no feedback on them so they work for me but YMMV.....

As far as ports go:

# For Ipsec
iptables -A INPUT -i $EXT_NIC -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $EXT_NIC -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $EXT_NIC -p 50 -j ACCEPT
# iptables -A INPUT -i $EXT_NIC -p 51 -j ACCEPT //Don't bother with AH

# For L2TPD
iptables -A INPUT -i $EXT_NIC -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

However, we need to understand your network setup a little better to really be able to help you.

Server is in Server only mode, but the router is set to have it in the DMZ zone; right or wrong, I am using the router as Gateway. In this way, if for any reason the server is offline or just slow due to the internal nightly backup, I have direct access to the internet in case I need to find out why things are down.  That is why I was wondering if in the DMZ zone it's intercepting the incoming VPN as if ahead of the router, preventing the router from doing what it's programmed to do, which is to forward to the designated workstation.

Offline ReetP

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #4 on: August 03, 2018, 10:21:27 AM »
It's how you have your router setup.

If you are dumping everything to SME in a DMZ then the VPN calls will end up there too. You can do VPN direct to SME in this instance if you set it up, but it doesn't know how to route to the LAN so you can't access workstations.

You also have no firewalling... the router passes all traffic (except workstation connections already made) to SME. Which when in server only mode has no firewall running....

Suggestion. Use port forwarding on your router to only pass specific ports to SME.

Typically:

80, 443, 25, 465, ssh

You then know anything unnecessary is blocked.

Then use your router as your VPN server to access your LAN. Assuming it does VPN. What sort of router is it?

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #5 on: August 04, 2018, 02:16:56 AM »
Quote
It's how you have your router setup.

If you are dumping everything to SME in a DMZ then the VPN calls will end up there too. You can do VPN direct to SME in this instance if you set it up, but it doesn't know how to route to the LAN so you can't access workstations.

You also have no firewalling... the router passes all traffic (except workstation connections already made) to SME. Which when in server only mode has no firewall running....

Suggestion. Use port forwarding on your router to only pass specific ports to SME.

Typically:

80, 443, 25, 465, ssh

You then know anything unnecessary is blocked.

Then use your router as your VPN server to access your LAN. Assuming it does VPN. What sort of router is it?

Okay, I took your advice. I corrected to port forwarding instead of DMZ.  I believe 993 was also needed as part of IMAP based on  settings in Thunderbird when set up?

The use of VPN did not seem to work for me, saying unable to create, but I was able to use the following:

https://www.windowscentral.com/how-use-remove-desktop-app-connect-pc-windows-10-0

which required port 3389, and was able to use the Remote Desktop. The router is limited to forwarding to only 1 workstation as is 1 port, but it is all I need at the moment.

Dare I ask how this differs from the VPN?

Thanks,

Ken

Offline ReetP

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #6 on: August 04, 2018, 07:47:34 AM »
Ok. Cool. Yeah I forgot 993 sorry.

I knew there was another !

Quote
Dare I ask how this differs from the VPN?

Yup. One is suicidal and the other reasonably sensible.....

I would not recommend exposing Remote Desktop to the world.

Unless you want your systems compromised.

Better to create a secure vpn to your router and then tunnel through it. You can then potentially access ANY machine on your network.

You could potentially open vpn ports to one workstation, vpn to it, then rdp over that. But it's probably messier.

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #7 on: August 04, 2018, 08:21:18 PM »
Quote
Ok. Cool. Yeah I forgot 993 sorry.

I knew there was another !

Yup. One is suicidal and the other reasonably sensible.....

I would not recommend exposing Remote Desktop to the world.

Unless you want your systems compromised.

Better to create a secure vpn to your router and then tunnel through it. You can then potentially access ANY machine on your network.

You could potentially open vpn ports to one workstation, vpn to it, then rdp over that. But it's probably messier.

Well, a bit more reading on my part indicates that VPN on Windows 10 Professional is only a client, not a server, so does not let me hook to a Windows 10 Professional workstation.  There appears to be a workaround; I think it's adding a point to point protocol
https://www.howtogeek.com/135996/how-to-create-a-vpn-server-on-your-windows-computer-without-installing-any-software/

but I assume that's why you went with what you did?  However I am just wanting to be able to remote in like one would with Teamviewer. Are you using your method from a portable, or are you restricted to a permanent location for what would be the client?

I'm not too sure why suicidal; I assume "remote login with network authentication" is encrypted, which would restrict it to password strength like ssh?

Thoughts?

Thanks,
Ken


Offline ReetP

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #8 on: August 04, 2018, 10:40:46 PM »
Quote
Well, a bit more reading on my part indicates that VPN on Windows 10 Professional is only a client, not a server, so does not let me hook to a Windows 10 Professional workstation.  There appears to be a workaround; I think it's adding a point to point protocol
https://www.howtogeek.com/135996/how-to-create-a-vpn-server-on-your-windows-computer-without-installing-any-software/

Yup - it's a desktop not a server, so unlikely to be able to run as a VPN server by default

PPTP is as old as the hills, and totally cracked years ago. Yes SME has it, but I could never, ever recommend it. Don't touch with a barge pole. Anyone giving you that advice needs taking round the back of the shed and shooting. OpenVPN/Ipsec are far superior.

Quote
but I assume that's why you went with what you did?  However I am just wanting to be able to remote in like one would with Teamviewer. Are you using your method from a portable, or are you restricted to a permanent location for what would be the client?

From experience. Note I have no Windows AT ALL, but that is besides the point. You want to be able to connect to a desktop behind a router.

Answer.
1. Use SME in server/gateway and add VPN server software.
2. Use a VPN to the router.

You can set up individual certificates and connect from anywhere with any device, assuming you aren't in a hotel that port blocks VPNs or you have a device that can't do VPN....

Quote
I'm not too sure why suicidal; I assume "remote login with network authentication" is encrypted, which would restrict it to password strength like ssh?

Because it is a really sought-after port by hackers. If they get access then they have control of your workstation, and your network. If the port is exposed they'll hammer it day and night with dictionary attacks (and you'll then be asking how to stop them). You have no other protection.

Besides, if Windows has a bug which allows them access, they'll know well before you.

Quote
Thoughts?

Assuming you aren't going to put SME in server/gateway, use your router as a VPN server if it is possible, or bin it and get a decent one that can (you still haven't mentioned what you have got)

Use proper certificates and not passwords. Way more secure.

Don't make life easy for the bad boys.

Note - I have a number of small networks linked permanently by ipsec using certificates. If I am on the local networks, I can remote desktop to anywhere on the linked local networks. They have static IPs at the VPN endpoints, so you can't just get in from anywhere, just the allowed IPs.

I also have a couple of places that I use OpenVPN so I can access from varying clients, again using certificates.

None of it is rocket science (though certs are a bit of a pain when you start, and I'm still no guru on them !) but it is pretty secure.

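The "hammer it day and night with dictionary attacks" scenario ReetP describes is exactly what a defender should be able to spot on any Windows host that does end up reachable on 3389. The following is an added example, not code from this thread or from SME Server: a small Python detector run over a constructed flat export of Windows Security events (4625 = failed logon, LogonType 10 = RemoteInteractive/RDP), flagging source addresses that exceed a failure threshold inside a sliding time window. The line format, field names and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a flat Windows Security log export (assumed format, not
# real Windows output). 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). Addresses are documentation ranges.
SAMPLE_LOG = """\
2018-08-05T02:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.5
2018-08-05T02:00:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.5
2018-08-05T02:00:04 EventID=4625 LogonType=10 TargetUser=ken SourceIP=203.0.113.5
2018-08-05T02:00:06 EventID=4625 LogonType=10 TargetUser=guest SourceIP=203.0.113.5
2018-08-05T02:00:07 EventID=4625 LogonType=10 TargetUser=test SourceIP=203.0.113.5
2018-08-05T02:00:08 EventID=4625 LogonType=10 TargetUser=user SourceIP=203.0.113.5
2018-08-05T02:10:00 EventID=4625 LogonType=10 TargetUser=ken SourceIP=198.51.100.7
2018-08-05T02:45:00 EventID=4625 LogonType=10 TargetUser=ken SourceIP=198.51.100.7
2018-08-05T02:46:00 EventID=4624 LogonType=10 TargetUser=ken SourceIP=198.51.100.7
2018-08-05T03:00:00 EventID=4625 LogonType=2 TargetUser=ken SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the assumed export format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not in the assumed format
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]), "lt": int(m["lt"]),
            "user": m["user"], "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: {"failures": total, "users": sorted names}} for every
    source with >= threshold failed RDP logons inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        # Only failed (4625) RemoteInteractive (type 10) logons with a real source
        if e["eid"] == 4625 and e["lt"] == 10 and e["ip"] != "-":
            failures[e["ip"]].append(e)
    hits = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                hits[ip] = {"failures": len(evs),
                            "users": sorted({e["user"] for e in evs})}
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failed RDP logons, users tried: {info['users']}")
```

The one-to-many username pattern in the flagged source is the signature of a dictionary attack; a single user failing twice half an hour apart is left alone.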

Offline TerryF

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #9 on: August 05, 2018, 06:40:05 AM »
Suggest you have a look at the Windows server version of SoftEther VPN https://www.softether.org/

I use the Linux version on both SME9 server/gateway and server only; I have no experience with the Windows version. The above is just a suggestion :-)

« Last Edit: August 05, 2018, 06:46:36 AM by TerryF »
--
qui scribit bis legit

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #10 on: August 07, 2018, 04:00:52 PM »
Quote
Suggest you have a look at the Windows server version of SoftEther VPN https://www.softether.org/

I use the Linux version on both SME9 server/gateway and server only; I have no experience with the Windows version. The above is just a suggestion :-)

The www.softether.org page looks interesting for the tunnelling, though I am confused about the remote-in aspect that it claims to be able to use https:// port 443; if doing that I assume you would lose the ability to have secure web pages there?

1. are you able to run it as a service on your SME router or have you set it up on a workstation behind your SME router?

2. What do you use to remotely control a workstation once in, would I then just use Windows Remote desktop as if I am local because I have established a tunnel?

I was looking at this as an interim solution as I know I have a remote desktop as implemented.

https://www.howtogeek.com/175087/how-to-enable-and-secure-remote-desktop-on-windows/ It includes

1. to create an additional group equivalent using extra long passwords. Years ago I had read where a complex password of 6 characters could be broken in seconds, 7 in hours, and 8 in decades.
2. How to ensure encryption level is kept high
3. How to set up a non standard port

It has me thinking maybe a person should set up a standard port of 3389 to nowhere so the bots could spend infinity on a false door. Maybe too bad router manufacturers don't have all ports enabled to null? Then you open the few ports you desire?

Thanks for your thoughts.
Ken

Offline ReetP

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #11 on: August 07, 2018, 05:59:16 PM »
FWIW - this is the start of an xy problem.  http://xyproblem.info/

You are asking here because you trust the people here. But the people here aren't giving you the answer you want to hear, so you are hunting around looking for other ways to accomplish what you want.

You first need to really go and read about, and understand, what you are trying to do.

Understand why we tell you to use VPNs. Don't just ignore it. It is best advice for your own security.

If you really want to follow geek guides, then please go ahead, but don't say we haven't warned you (the first was over PPTP). Bon suerte....

If you looked on the wiki you would have also found:

https://wiki.contribs.org/SoftEther_VPN


Quote
2. What do you use to remotely control a workstation once in, would I then just use Windows Remote desktop as if I am local because I have established a tunnel?

You really must go and try and understand this whole remote control and remote access thing a bit more. If you don't, don't do it because you are just as likely to let the bad people in too. In simple terms avoid exposing your Windows box to the internet at all costs.

Quote
It has me thinking maybe a person should set up a standard port of 3389 to nowhere so the bots could spend infinity on a false door. Maybe too bad router manufacturers don't have all ports enabled to null? Then you open the few ports you desire?

There are plenty of reasons why not. Do you actually know what ports routers have opened/closed, what other states they may have, and why?

Do you really think a port scanner won't find your super special secret squirrel port ??? Do you know how many ports there are, and how long it takes to scan them? Nmap should get you started.

Google & the forums are your friends. Please take some time to read some sensible resources and understand some of the technologies. If you don't, you won't understand when you are doing something silly, and how dangerous it may be.

Note you still haven't mentioned the make & model of your router. That would be the simplest point to create a VPN to your network, but we can't tell you if you don't tell us.

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #12 on: August 07, 2018, 09:30:14 PM »
Quote
FWIW - this is the start of an xy problem.  http://xyproblem.info/

Note you still haven't mentioned the make & model of your router. That would be the simplest point to create a VPN to your network, but we can't tell you if you don't tell us.

My fiber Internet Service Provider (Telus) supplied router brings up the word Actiontec when logged in, 3200.  It features ipsec/l2tpd as a passthrough service; it's not a server. I am not sure what you are recommending in routers aside from SME as a Gateway and Server?

As previously mentioned I had preferred to use a separate router so if I am having an issue with the server, I can still contact out for information.

I will continue reading, but assuming you are carrying a laptop travelling and want to remote in, aside from the tunneling software what are you suggesting for the remote desktop ran inside the VPN?

Thanks,

Ken


Offline ReetP

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #13 on: August 07, 2018, 10:17:04 PM »
Separate 'connecting to my network' from 'remote desktop to workstation'

If you make a decent secure VPN  connection to your network, the desktop access is relatively trivial whether that is RDP, SSH or whatever.

What you really don't want is your desktop exposed directly to the big wide world if at all possible.

So you make access to your network difficult for the bad boys by using a secure VPN.

If you don't want to use SME in S/G then fine. I understand.

So router. If it doesn't handle VPNs itself then I'd personally look at one that can.

As I don't need to remote desktop outside of my networks I don't have that issue, though if I wanted to, my router can handle ipsec or openvpn connections directly......

Not sure if you can do pass thru to SME in server only and then have access to your local network. It 'may' be possible.


Offline TerryF

Re: SME9.2 and attempting a remote Windows 10 VPN connection
« Reply #14 on: August 08, 2018, 02:45:54 AM »
I use softether on a number of SME9 setups in both server/gateway mode and server only mode, there are differences in each of my setups.

This in effect allows local admin of server but also access to lan as a local workstation, lots of ways to then connect to any resource that is on the lan, workstations etc, RDP being but one, a risky one at that, VNC being another..all connecting locally rather than opening up access to all and sundry

I use windows 10 home as my workstation, you can use the softether vpn client or the Microsoft inbuilt vpn setup, both work, means you don't need to install the client if that is your want.

I was suggesting that you use softether for windows to access your systems rather than the sme9 installation, will still allow access to the server locally if needed admin wise, well documented on softether site..

There is a ton of info on the SoftEther site re how-tos and such; if you want to go the SME9 route there is a bit of a learning curve as it's not a simple point and shoot, see the Koozali wiki entry.
