How to Create a VPN: A Comprehensive Guide for Secure Connectivity
Before we delve into how to create a VPN, let’s cover some background information and briefly discuss VPN uses and why it is important.
A Virtual Private Network (VPN) is a technology that creates a secure, encrypted connection over a less secure network, such as the internet. The VPN uses “tunnels” to encrypt data at the sending end and decrypt it at the receiving end, thereby ensuring privacy and security. This technology allows for the safe transmission of sensitive information, making it an essential tool for both businesses and individual users. VPNs can be used in several different contexts, each with its unique benefits and applications:
1. Remote Access:
Remote access VPNs enable users to connect to a private network from a remote location. This is particularly useful for employees working from home or while traveling, allowing them to access company resources securely as if they were directly connected to the network in the office.
2. Site-to-Site:
Site-to-site VPNs, also known as router-to-router VPNs, are used to connect the networks of two or more separate locations together over the internet in a secure manner. This type is often used by businesses with multiple offices, ensuring that resources can be shared securely across all locations.
3. Secure Browsing:
Individuals use VPN services to browse the internet securely and privately. By connecting to a VPN server, users can hide their IP address and encrypt their internet traffic, protecting themselves from eavesdroppers, hackers, and ISPs interested in monitoring their browsing activities.
4. Accessing Geo-restricted Content:
VPNs are widely used to bypass geo-restrictions and censorship. By connecting to a server in another country, users can access content that is restricted in their own country, such as streaming services, news websites, and more.
5. Secure Data Transmission:
For businesses that handle sensitive data, VPNs are crucial for ensuring secure data transmission between employees and the company’s network. This is particularly important for industries that must comply with strict privacy regulations, like healthcare and finance.
6. Bypassing Censorship:
In countries with strict internet censorship, VPNs enable users to bypass government restrictions and access the global internet freely. This use is critical for ensuring freedom of information and speech in repressive regimes. There are some interesting articles on this topic, see:
https://www.technologyreview.com/2023/09/13/1079381/google-jigsaw-outline-vpn-internet-censorship/
https://en.wikipedia.org/wiki/Internet_censorship_and_surveillance_by_country
Creating a VPN Using RRAS on Windows Server
Manual Implementation
Creating a VPN between two locations using Windows Server involves configuring Routing and Remote Access Service (RRAS) to set up a site-to-site VPN. This guide will demonstrate how to establish a secure connection between two networks using Windows Server 2019. The process involves setting up one server as the VPN server and the other as the VPN client.
Introduction
In this tutorial, we will establish a site-to-site VPN connection using Windows Server 2019’s Routing and Remote Access Service (RRAS). This setup enables secure communication between two separate networks over the internet.
Requirements
- Two servers running Windows Server 2019 with at least two network interface cards (NICs) each: one connected to the internet and one to the internal network.
- Administrative access to both servers.
- Public IP addresses for the internet-facing NICs of both servers.
Step 1: Install the Remote Access Role
On the VPN Server:
- Open Server Manager and select Add roles and features.
- In the Before You Begin section, click Next.
- Select Role-based or feature-based installation and click Next.
- Choose the current server from the server pool and click Next.
- From the roles list, select Remote Access and then click Next through the wizard until you reach the Role Services section.
- Check DirectAccess and VPN (RAS) and click Next, then click Install.
On the VPN Client (Remote Server):
Repeat the same steps to install the Remote Access role; the VPN client configuration itself is covered later in the guide.
Step 2: Configure RRAS on the VPN Server
- After installation, open Server Manager, go to Tools, and select Routing and Remote Access.
- Right-click the server name and choose Configure and Enable Routing and Remote Access.
- In the wizard, select Custom configuration, then choose VPN access and LAN routing. Click Next and then Finish.
- Start the service by right-clicking the server name and selecting Start.
Step 3: Configure IP Address Assignment
- In the Routing and Remote Access management console, right-click the server name and open Properties.
- Navigate to the IPv4 tab, select Static address pool, and add a range of IPs that the VPN clients will use.
Step 4: Set Up the VPN Tunnel
On the VPN Server:
- In Routing and Remote Access, right-click Ports, go to Properties, and ensure that WAN Miniport (SSTP) and WAN Miniport (IKEv2) have enough ports enabled for connections.
- Create a firewall rule to allow incoming VPN connections (IKEv2 uses UDP 500 and UDP 4500; SSTP uses TCP 443).
On the VPN Client (Remote Server):
- Set up a new VPN connection in Network and Sharing Center to connect to the public IP address of the VPN server using IKEv2 as the VPN type.
- Configure the pre-shared key and other authentication details as required.
Step 5: Configure Routing
On both the VPN server and client, configure static routes to ensure traffic for the remote network is routed through the VPN tunnel. This can be done through the Routing and Remote Access console or using PowerShell commands.
Step 6: Testing the Connection
- Initiate the VPN connection from the VPN client server.
- Once connected, test connectivity by pinging devices across the VPN tunnel.
You’ve now set up a site-to-site VPN connection between two locations using Windows Server 2019. This secure connection allows for safe communication and resource sharing over the internet.
Troubleshooting
- Ensure the firewall rules are correctly configured to allow VPN traffic.
- Verify that the correct static routes are in place on both the server and client.
- If connectivity issues persist, review the event logs on both servers for clues to the problem.
This guide provides a foundational setup. Depending on your network’s specific requirements and security policies, you might need to adjust the configurations or implement additional security measures.
PowerShell Implementation
Implementing a site-to-site VPN setup on Windows Server using PowerShell streamlines the process and provides a scriptable and repeatable method. This alternative method covers setting up a VPN server and client using Windows Server 2019.
Introduction
This tutorial will guide you through setting up a site-to-site VPN connection using PowerShell commands on Windows Server 2019. PowerShell allows for automation and scripting of the configuration steps, making it an efficient alternative to manual setup.
Requirements
- Two servers running Windows Server 2019.
- Administrative access to both servers.
- Public IP addresses for both servers.
Step 1: Install the Remote Access Role via PowerShell
On both the VPN Server and VPN Client:
Run PowerShell as Administrator and execute the following command to install the Remote Access role along with the VPN and Routing features:
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
Step 2: Install and Configure RRAS on the VPN Server
Install RRAS:
Install-RemoteAccess -VpnType Vpn
Configure RRAS to accept VPN connections:
Set-RemoteAccess -EnableInboundVpn $true -EnableOutboundVpn $true -EnableNat $true
Step 3: Configure IP Address Pool for VPN Clients
Use the following command to set a range of IP addresses that will be assigned to connected VPN clients. Adjust the range according to your network requirements.
Add-VpnIPAddressRange -IPAddressRange 10.10.10.1, 10.10.10.100 -PassThru
Step 4: Configure Pre-Shared Key and Authentication Method
Set up a pre-shared key for IKEv2 VPN:
Set-VpnServerIPsecConfiguration -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup None -SALifeTimeSeconds 28800 -IdleDisconnectSeconds 900 -PreSharedKey "YourPreSharedKey"
Replace "YourPreSharedKey" with your actual pre-shared key.
Enable IKEv2 as the VPN protocol for client connections:
Set-VpnServerConfiguration -EnableIkev2 $true
Step 5: Add Users and Configure Network Policies (Optional)
If you need to set up VPN access for specific users:
Create or enable a user for VPN access:
New-LocalUser -Name "VPNUser" -Password (ConvertTo-SecureString -AsPlainText "Password123" -Force)
Set up a network policy for VPN connections (assuming RADIUS is not used):
This step might require additional configuration based on your specific requirements, such as setting up Network Policy Server (NPS) for advanced scenarios.
Step 6: Configure the VPN Client
On the VPN client server, configure the VPN connection to the VPN server using its public IP address and the pre-shared key:
Create a VPN connection:
Add-VpnConnection -Name "SiteToSiteVPN" -ServerAddress "ServerPublicIP" -TunnelType Ikev2 -EncryptionLevel Required -AuthenticationMethod MachineCertificate -L2tpPsk "YourPreSharedKey" -Force
Start the VPN connection:
rasdial "SiteToSiteVPN" "VPNUser" "Password123"
Replace "ServerPublicIP", "YourPreSharedKey", "VPNUser", and "Password123" with your actual server IP, pre-shared key, user name, and password.
Conclusion
Using PowerShell to set up a site-to-site VPN on Windows Server 2019 simplifies and automates the configuration process, providing a scalable and repeatable method for deploying VPN connections. This setup ensures secure communication between two sites over the internet.
Troubleshooting
- Ensure the Windows Firewall and any other firewalls in your network allow VPN and IKEv2 traffic.
- Verify the configuration settings, especially IP ranges and pre-shared keys, are consistent across both servers.
- Use the Get-WindowsFeature command to check that all necessary roles and features are installed correctly.
- Check the Event Viewer for specific error messages related to VPN connections.
This PowerShell-based setup provides a foundation for a site-to-site VPN. Depending on your network and security requirements, further customization and configuration may be necessary.
Creating a VPN Using OpenVPN on Linux Server
Creating a VPN (Virtual Private Network) between two locations involves setting up a secure tunnel through which data can be transmitted securely over the internet.
For this tutorial, I’ll demonstrate how to set up a site-to-site VPN using OpenVPN, a popular open-source software application. This guide will cover the installation and configuration process for both locations, assuming you have a Linux server (Ubuntu 20.04) at each site.
In this tutorial, we will walk through the steps to establish a site-to-site VPN connection between two locations using OpenVPN. This secure connection will enable private communication between the two networks, ideal for sharing resources and data securely over the internet.
Requirements
- Two servers running Ubuntu 20.04, one at each location.
- Root access to both servers.
- Public IP addresses for both servers.
- Basic understanding of Linux command line and networking.
Step 1: Install OpenVPN and Easy-RSA
OpenVPN provides the encrypted tunnel, while Easy-RSA manages the certificate authority and the certificates used for authentication. Install both packages on both servers.
sudo apt update
sudo apt install openvpn easy-rsa -y
Step 2: Configure the Easy-RSA Certificate Authority
On the server that you choose to be the VPN server, perform the following steps to set up the certificate authority (CA).
Make a directory for Easy-RSA and navigate into it:
make-cadir ~/easy-rsa
cd ~/easy-rsa
Initialize the Easy-RSA directory and build the CA:
./easyrsa init-pki
./easyrsa build-ca nopass
This command creates a CA certificate. When prompted, enter a name for your CA or press Enter to accept the default.
Step 3: Generate Server and Client Certificates
Still on the VPN server:
Generate a server certificate and key:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
Copy the CA certificate together with the server certificate and key to OpenVPN's server directory (the server.conf in Step 5 refers to all three by file name):
sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/private/server.key /etc/openvpn/server/
sudo cp pki/issued/server.crt /etc/openvpn/server/
Repeat a similar process for the client (the other location's server), replacing “server” with “client” in the commands; the client's request must be signed by the CA on the VPN server, as a client certificate (./easyrsa sign-req client client), and ca.crt, client.crt and client.key then go into /etc/openvpn/client/ on the other server.
Step 4: Generate DH Parameters and a TLS-Auth Key
On the VPN server, generate Diffie-Hellman parameters and a TLS-auth key for additional security.
./easyrsa gen-dh
openvpn --genkey --secret ta.key
Copy the resulting pki/dh.pem and ta.key files to /etc/openvpn/server/. The client end needs a copy of the same ta.key as well, because tls-auth uses it on both sides of the tunnel (direction 0 on the server, 1 on the client).
Step 5: Configure OpenVPN
Create an OpenVPN configuration file on both the server and client. The configuration will differ slightly between the two.
Server Configuration:
Create /etc/openvpn/server/server.conf with the following content, adjusting the IP ranges to fit your network:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Client Configuration:
Create /etc/openvpn/client/client.conf with the server's public IP and the corresponding paths to the client's certificate and key.
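As an added example (not part of the original tutorial), the following POSIX shell script renders a client.conf that matches the server.conf from Step 5 and cross-checks the pair for the mismatches that most often leave an OpenVPN tunnel down: a differing proto, port or cipher, the wrong tls-auth key direction, and a missing remote-cert-tls server check. The server address 203.0.113.10 used in the demo is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original tutorial: render a client.conf matching the
# server.conf in Step 5 and cross-check the pair for mismatches that commonly leave
# the tunnel down. 203.0.113.10 in the demo is a placeholder server address.

# Print a client.conf for the tutorial's server; $1 = server public IP.
render_client_conf() {
  cat <<EOF
client
dev tun
proto udp
remote $1 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# First value of option $2 in config file $1 (empty if the option is absent).
opt() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Cross-check server.conf ($1) against client.conf ($2): prints each problem
# found and returns 1 if there was any, 0 when the pair is consistent.
check_pair() {
  rc=0
  [ "$(opt "$1" proto)" = "$(opt "$2" proto)" ] || { echo "proto differs"; rc=1; }
  [ "$(opt "$1" cipher)" = "$(opt "$2" cipher)" ] || { echo "cipher differs"; rc=1; }
  [ "$(opt "$1" port)" = "$(awk '$1 == "remote" { print $3; exit }' "$2")" ] \
    || { echo "client remote port differs from server port"; rc=1; }
  # tls-auth is a shared key with a direction: 0 on the server, 1 on the client
  [ "$(awk '$1 == "tls-auth" { print $3; exit }' "$1")" = 0 ] || { echo "server tls-auth direction must be 0"; rc=1; }
  [ "$(awk '$1 == "tls-auth" { print $3; exit }' "$2")" = 1 ] || { echo "client tls-auth direction must be 1"; rc=1; }
  # without this, the client would accept any CA-signed certificate as the server's
  grep -q '^remote-cert-tls server' "$2" || { echo "client lacks remote-cert-tls server"; rc=1; }
  return $rc
}

# Demo on constructed files: the server.conf lines are the ones from Step 5.
WORK=$(mktemp -d)
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'tls-auth ta.key 0' 'cipher AES-256-CBC' > "$WORK/server.conf"
render_client_conf 203.0.113.10 > "$WORK/client.conf"
check_pair "$WORK/server.conf" "$WORK/client.conf" && echo "client.conf is consistent with server.conf"
rm -rf "$WORK"
```

Run it on the server with the real server.conf and the rendered client.conf before copying the latter to the other site; a non-zero exit lists what to fix.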
Step 6: Start and Enable OpenVPN Service
Finally, start and enable the OpenVPN service on both servers.
sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server
For the client, use openvpn-client@client instead. These unit names match the /etc/openvpn/server/ and /etc/openvpn/client/ directories used above; the plain openvpn@server unit would look for /etc/openvpn/server.conf instead.
Conclusion
You have successfully set up a site-to-site VPN between two locations using OpenVPN. This configuration allows for secure communication over the internet, making it ideal for sharing resources and data between two networks securely.
Troubleshooting
If you encounter any issues, check the OpenVPN log files located in /var/log/openvpn and the service journal (journalctl -u openvpn-server@server). Adjustments might be needed depending on your specific network setup and firewall rules.
This tutorial provides a basic setup. For production environments, consider implementing additional security measures and regularly updating your software to protect against vulnerabilities.
Feel free to adapt and expand upon this tutorial to fit the specific needs of your network and organizational requirements.
How to Use VPN & When a VPN Client is and is not Necessary
After setting up a site-to-site VPN, whether it’s through a manual configuration or using PowerShell on Windows Server, or via OpenVPN on Linux, the way end-users connect to and use the VPN can vary based on the setup and the operating system of the user’s device. The primary distinction to remember is that a site-to-site VPN automatically secures traffic between two locations without the need for individual users to do anything special to initiate the VPN connection. However, understanding how users can leverage this VPN and what options are available for client connections is useful.
For Site-to-Site VPN:
Automatic Connection:
- In a site-to-site VPN scenario, the VPN connection is established between two routers or servers at different sites. This means that any device connected to the local network at either site can communicate with devices at the other site as if they were on the same local network, without the need for any specific VPN software on the user’s device.
- Users do not need to manually connect to the VPN because the connection is always on and managed by the network infrastructure. This is ideal for connecting entire networks, allowing for resource sharing, such as file servers, printers, or intranet websites, across different locations.
For Remote Access VPN (User-to-Site):
If individuals need to connect to the network from a remote location (not covered by the site-to-site VPN), you might have a separate setup for remote access VPN. Here’s how users can connect in that case:
Windows Built-in VPN Client:
- Windows has a built-in VPN client that users can configure to connect to the VPN server. After setting up the VPN server (using RRAS, for example), provide the users with the server’s public IP address or domain name, and any required authentication details (username, password, and possibly a pre-shared key).
- Users can then add a new VPN connection via the “Network & Internet” settings in Windows, input the provided details, and connect to the VPN whenever they need access to the network resources.
OpenVPN Client:
- If you’ve set up an OpenVPN server, users will need to install the OpenVPN client software on their devices. Provide them with the configuration file (.ovpn) and any necessary certificates or keys.
- Users install the OpenVPN client, import the .ovpn configuration file, and connect using their authentication details. This approach works on various operating systems, including Windows, macOS, Linux, iOS, and Android.
DirectAccess:
- For organizations using Windows Server, DirectAccess offers another way to connect user devices to the network automatically, without any user intervention. It requires specific configuration and infrastructure but gives users a seamless experience.
Conclusion:
For a site-to-site VPN, end-users within the network do not need to take any action to use the VPN; their traffic to the other site is automatically encrypted and routed through the VPN tunnel. For remote access VPN connections, users would typically use a VPN client software specific to the VPN technology in place (Windows built-in client for RRAS, OpenVPN client for OpenVPN setups), configure it once with the provided details, and then connect to the VPN as needed to access network resources.