Preface
In short: OpenVPN Access Server is 'almost free', and 'just OpenVPN' (the Community Edition) is completely free. However, the two are configured in different ways. Access Server has a web interface that simplifies setup considerably, whereas the Community Edition is configured by editing configuration files. The first time you configure an OpenVPN server you may need to generate a certificate before you enable the VPN service. Select the service type (transport protocol) for the OpenVPN server, UDP or TCP, and enter the VPN service port to which VPN devices connect; the port number should be between 1024 and 65535. OpenVPN Access Server is a full-featured SSL VPN solution that integrates the OpenVPN server, enterprise management, the simplified OpenVPN Connect UI, and OpenVPN client packages for Windows, macOS, Linux and the mobile operating systems (Android and iOS).
Installing a Virtual Private Network on Windows Server 2019 has become a breeze since the Secure Socket Tunneling Protocol (SSTP) gained popularity in recent years. SSTP makes the VPN configuration much easier because the firewall only needs to allow TCP port 443, the port used for TLS (HTTPS). Port 443 is used mostly by web servers, and it is common for organizations to open it for access to HTTPS services, so SSTP traffic passes through firewalls and NAT devices that would block other VPN protocols.
Today I'm going to demonstrate enabling this service by installing and configuring Microsoft's new and robust server, Windows Server 2019. When we talk about security, we cannot ignore the server certificate, which must be issued by a certification authority, either an internal CA server or a third-party one. The certificate has to be installed on the Internet Information Services (IIS) web site that is created when we implement Remote Access Services, since SSTP clients validate the server's certificate when they connect.
There are two parts to take into consideration: setting up a secure VPN (SSTP) on Windows Server 2019, and the VPN client configuration on a client operating system such as Windows 10. Although we talk about Windows Server 2019 and Windows 10, this step-by-step guide can also be used to install VPN services on Windows Server 2016 and to connect Windows 8 and 8.1 clients to the server. There are some minor differences to take care of when doing this configuration on those earlier operating systems.
The following steps are involved in setting up a secure VPN (SSTP) on Windows Server 2019. We go through them one by one and complete the Routing and Remote Access implementation of a Virtual Private Network service using the Secure Socket Tunneling Protocol (SSTP), so stay with me until the setup is complete.
- Add Remote Access Server Role
- Configure Remote Access with VPN Access
- Limit number of VPN Ports
- Configure Remote Access Settings for VPN
- Configure Dial-in connection on the user object
- Create a VPN network Connection
- Connect to the VPN Server over internet
Add Remote Access Server Role
The first step in setting up a secure VPN (SSTP) is adding the Remote Access server role. The role is installed from the Server Manager dashboard: once the Server Manager window opens, click Add Roles and Features, and the 'Add Roles and Features' wizard starts; we go through this wizard to complete the Remote Access role installation.
The wizard starts with instructions on using this tool to add roles and features. If you don't want to see this page again, check 'Skip this page by default' and you won't be prompted with it anymore.
In this wizard we use the role-based installation to add the role, so select 'Role-based or feature-based installation' to begin with and click Next to continue.
Make sure the local server is in the server pool, select it and click Next.
On the Select Server Roles page, select the Remote Access checkbox and click Next.
On the next page, leave the Features as they are and click Next.
If you need more details, go through the information about Remote Access on this page, and once you are ready to move on, click Next.
This step is important: select DirectAccess and VPN (RAS) only. You will be prompted with the related features in a pop-up; click Add Features, which returns you to the Select Role Services page.
With the role services and their features selected, we are good to continue; click Next.
The next page is informational: it explains that adding this role service also installs the Web Server (IIS) role. Click Next to continue.
The Web Server (IIS) role will install its own role services; leave the default selection and click Next.
On the confirmation page, verify that the roles and role services mentioned above are correct and click Install to start the Remote Access role installation. Sit back and relax for a few minutes while the installation completes.
You will see the 'Installation succeeded' message along with a link to open the Getting Started Wizard to start configuring the Remote Access role; click the link.
Configure Remote Access with VPN Access
Clicking the link starts the Configure Remote Access wizard; in the wizard click 'Deploy VPN only', as in the screen below.
The Routing and Remote Access management console opens. Right-click the server node and click 'Configure and Enable Routing and Remote Access'.
The Routing and Remote Access Server Setup Wizard starts with a welcome screen; click Next to begin.
Select the radio button next to Custom Configuration and click Next.
On the Custom Configuration page, select the checkbox next to VPN access and click Next.
With VPN access selected, that is the end of the wizard; click Finish.
Since we have configured Routing and Remote Access with VPN access, the wizard ends by prompting you to start the service.
Once the Routing and Remote Access service has started, you will see a green arrow on the server node indicating that the service is running.
Limit number of VPN Ports
Based on our requirements, we limit the number of concurrent connections the remote access service accepts. To limit the number of ports, right-click Ports and select Properties.
We limit the ports to 15 in this example.
Select Yes on the warning that we are reducing the number of ports.
Once every port type is set to 15, confirm the numbers and click OK. If only SSTP is needed, the same dialog lets you stop the other WAN Miniport devices (PPTP, L2TP, IKEv2) from accepting inbound remote access connections, which keeps the weaker PPTP protocol from being exposed at all.
Configure Remote Access Settings for VPN
Certain settings need to be updated for the VPN to function securely and to hand IPv4 addresses to the client systems.
Right-click the server node and click Properties, as in the screen below.
In the server properties, go to the IPv4 tab, select the Static address pool radio button under IPv4 address assignment, and click Add to add an address pool; type the start and end IP addresses of the pool. This pool is static; if a DHCP server is available on the network, you can leave address assignment to DHCP instead. As we are not running a DHCP service, we create a static address pool in this example.
On the Security tab of the server properties, click Authentication Methods, make sure EAP and MS-CHAP v2 are checked, and click OK. Note that MS-CHAP v2 on its own is cryptographically weak; with SSTP it is only protected because the whole exchange runs inside the TLS tunnel, which is why the client's check of the server certificate is what keeps the password exchange safe.
Before starting this installation, I configured the public DNS of the domain with a hostname record and assigned the server's public IP address to it. I also generated a certificate from a third-party CA. At the bottom of the page, you can select the certificate that you have installed for the hostname you chose.
Applying the configuration changes requires a restart of the Routing and Remote Access service for them to take effect.
Configure Dial-in connection on the user object
We have completed the Routing and Remote Access configuration. To connect to the VPN server from a VPN client, we need to allow the users who require access. Go to Active Directory Users and Computers, select the user objects that you want to allow to dial in to the VPN, open the Dial-in tab in the properties of the user object, and select the radio button next to 'Allow access'.
Create VPN Network Connection
With all server configuration complete, it is time to create a VPN connection on the Windows 10 client computer.
Right-click the network icon on the taskbar and select 'Open Network & Internet settings'. In the Settings window click 'Network and Sharing Center', which opens the Network and Sharing Center, where we select 'Set up a new connection or network', as in the screenshot below.
The steps are:
- Open Network & Internet Sharing
- Network Sharing Center
- Set up a New Connection or network
A wizard starts; in the connection options, select 'Connect to a workplace' and click Next.
On the 'How do you want to connect' page, select 'Use my Internet connection (VPN)'. For the Internet address, type the hostname; as I mentioned earlier, I created a host record called 'vpn.mrigotechno.club' in my domain for this VPN configuration.
In the destination name field, type a name that reflects the purpose of the connection. I left the default name in this example.
Leave 'Remember my credentials' as it is and click Create.
- Type the VPN server's Internet hostname or IP address.
- Give a name to the VPN Connection.
- Click Create to create the workplace connection.
Connect to the VPN Server over internet
The VPN connection adapter has been created; now click 'Change adapter settings' to adjust the VPN adapter's settings before connecting to the VPN server.
Right-click the newly created VPN connection adapter and select Properties.
On the Security tab, set the type of VPN to Secure Socket Tunneling Protocol (SSTP) and click OK. Setting the type explicitly, rather than leaving it on Automatic, stops the client from falling back to other tunnel types such as PPTP if the SSTP connection fails.
Right-click the adapter once more and click Connect / Disconnect.
The VPN connection pops up on the taskbar; now click on the VPN connection.
Type the domain credentials and click OK.
The VPN connection completes, and you will see the Connected status on the VPN connection.
The connection can be verified in the Routing and Remote Access management console, as in the screen below.
Conclusion
In this article, we have gone through how to set up a secure VPN (SSTP) on Windows Server 2019. We covered installation of the Remote Access role; after the installation, we configured Remote Access with VPN access and limited the number of SSTP ports so that no more than the allowed number of connections can connect. We configured the Dial-in property of the Active Directory domain users, and we also covered connecting the Windows 10 client computer to the VPN server with the VPN connection adapter.
I hope this article gives you all the details to set up an environment that implements a Virtual Private Network using the Secure Socket Tunneling Protocol (SSTP). If you have questions or feedback to share with me, please use the comments below and share your thoughts. I'm happy to answer your questions.
I did this a couple of years ago, with certificates that had a 1 year expiry date. Then my certs expired, and I’d forgotten what to do. So I figured it out again, and this time I’m writing it down.
There are two ways to setup client auth in OpenVPN, a shared secret and TLS certificates. TLS certificates are the preferred way if you can manage them, as they make it possible to revoke access to devices without having to change the shared secret for every other device.
To do this you need to set up a certificate authority and sign and issue your own certificates. Most OpenVPN guides tell you how to do this using OpenSSL and its associated long, cryptic commands. I like my method better.
XCA is a cross platform graphical key and certificate management tool. And I find it far more convenient to use than OpenSSL since I can point and click my way through what I need to get done.
You can download XCA from their official project page at: https://sourceforge.net/projects/xca/
Install it, and start it.
Before you get started, you should change the default hashing algorithm from SHA1 to SHA256. This is set under File -> Options.
Setting up Certificate Templates
TLS certificates have various parameters that dictate what they can be used for (i.e. digital signature, web client authentication, web server authentication, etc.). OpenVPN requires that the certificates have certain key usage parameters set for either client or server usage. Plus there are some things we might not want to have to fill in every time.
Switch to the Templates tab.
And click New Template.
This pops up a window asking which preset template to start with. Choose nothing.
On the first tab we can set up subject-related parameters. OpenVPN only cares about the commonName parameter, but that has to be set specifically and differently for each client certificate: OpenVPN identifies a connected client by its CN, for per-client configuration and for rejecting a second session with the same CN unless duplicate-cn is set. Set the Internal Name value to what you want to call the template. You'll need to set up two templates, one for the server certificate and one for the client certificates. 'OpenVPN Server' and 'OpenVPN Client' are good names, but anything will do.
The next tab is the Extensions tab. It's useful here to set a time range if you want the certificates to be valid for more than a year by default. If you check 'no well-defined expiration', the certificates will remain valid effectively indefinitely. There's a balance between security and usability in choosing an expiration length. For my home network, I don't want to keep having to issue certificates every year and reinstall them, but I don't want them to last indefinitely either. Pick a number that makes sense to you and to your application.
On the Key usage tab, check the options for the server template and, separately, for the client template. What matters for OpenVPN is that the server template carries the Digital Signature and Key Encipherment key usages together with the TLS Web Server Authentication extended key usage, and that the client template carries Digital Signature together with TLS Web Client Authentication; these are the extensions that OpenVPN's remote-cert-tls option checks on the peer's certificate, so a client certificate cannot be replayed as a server.
Once you've got the key usage set up, click OK to save the template.
Setting up the CA
OpenVPN uses a certificate authority to ensure that all the keys are signed by a central source, and so the server can verify that clients haven't had their certificates revoked. So we need to set one up.
Switch to the Certificates tab and click the New Certificate button. Since this is the CA, it has to be a self-signed certificate, so leave the signing set to 'Create a self signed certificate with the serial'. I'm not aware of any advantages to changing the serial number, so you can leave it at one. The signature algorithm should be SHA256, like the default we set when we started.
Since this is a CA, the template should be [default] CA; click Apply All under that drop-down. Moving on to the Subject tab.
Like the template, the Internal Name field is what XCA displays in the UI. I'm calling this certificate OpenVPN CA so I know what it is. The only other field that's relevant, AFAIK, is commonName; set this to something that will be unique within your CA, like OpenVPN_CA or similar. We also need to generate a key to sign the certificate. You'll want a unique key for every certificate you create. You probably shouldn't reuse old keys, but it's okay to reuse the key if you mess up the certificate creation and need to regenerate the certificate.
Click Generate a new Key and you’ll get the following dialog.
XCA automatically populates the name of the key with the value set in the internal name of the certificate.
In my experience RSA keys are the most straightforward and just work, pretty much everywhere. The key size should be at least 2048 bits. OpenVPN supports 4096-bit keys for the best possible security.
Presently, the benefits of keys larger than 2048 bits are small, and there is overhead in processing them. For someone concerned about state-level attacks against their network, bigger keys would be desirable.
Finally, on the Extensions tab, set the time range or end date to how long you want your CA's certificate to be valid.
Click OK to create the certificate and you’ll be returned to the main window.
For the client and server certificates, start by right-clicking the CA entry and clicking New from the context menu. This sets that certificate as the CA that will sign the new certificate by default.
For the OpenVPN server, repeat the same process as for the CA, except change the 'Template for the new certificate' drop-down to the template you created previously for the OpenVPN server. Also double-check that the CA is signing the certificate and that the signature algorithm is SHA256, as set by default.
The rest of the process is the same as for the CA certificate. Fill in the Internal Name and commonName (this can be the hostname of the OpenVPN server) fields for your server certificate, set the end date, double-check that the same Key Usage fields are set as shown in the template setup, and click OK when everything is done. Client certificates are created in an identical fashion, only using the OpenVPN Client template (or whatever you called yours) instead of the OpenVPN Server template.
When you’ve created your server and client certificates you should have something that looks similar to the following image (with different internal and common names and probably more certificates).
Building the CRL
A CRL, or certificate revocation list, is a file that tells the OpenVPN server which client certificates are no longer valid. This is what's used to disable clients that have been lost or need to be blocked from accessing the server, and it is ultimately the whole point of setting up certificate-based authentication instead of just using a shared key.
To do this right-click on the CA certificate and from the CA entry in the context menu, click Generate CRL.
All of the settings can be left at their defaults here; just click OK.
There will now be a CRL on the Revocation Lists tab, and a CRL expiration date on the CA line in the Certificates tab. Keep an eye on that date: the server checks the CRL's validity period, so it must be regenerated and redeployed before it expires, as well as after every revocation (a revocation only takes effect once the new CRL is on the server).
Exporting Certificates
To use the certificates you need to export them, in a format that you can upload to your server and devices.
The OpenVPN server needs:
- The CA’s certificate
- The CA’s revocation list (CRL)
- The Server’s certificate
- The Server’s key file
Each OpenVPN client will need:
- The Client’s certificate
- The client’s certificate’s key file
For OpenVPN clients, the certificate and key should be exported as a single PKCS #12 file with a password, to protect the private key between XCA and its installation on your device.
To export a certificate or revocation list, click on the cert you want to export and click Export on the right column.
For the CA certificate and the server certificate, use the PEM (*.crt) export format; the server's private key is exported separately, from the Private Keys tab, as PEM.
For the client certificate, if you're going to iOS devices, set the Export Format to PKCS #12 (*.p12). This requires you to set a password on the exported file, and the file will include the key for the client certificate.
Upload the respective files to their respective devices, and begin the configuration of OpenVPN itself.
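Before copying the exported files to the server, it is worth checking them against what OpenVPN will actually enforce: the key usage and extended key usage described in the template setup above, the CA signature and CRL status of each leaf certificate, and the size of the DH group. The script below is an added example of mine, not code from the original post; the file names (ca.crt, ca.pem for the CRL, server.crt, client.crt, dh2048.pem) are assumptions, and the two extension samples are constructed in the format openssl prints so the role check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files exported
# from XCA before deploying them to the OpenVPN server.
# File names below are assumptions for illustration.

# has_ext TEXT PATTERN: true if PATTERN (extended regex) occurs in TEXT.
has_ext() { printf '%s\n' "$1" | grep -Eq "$2"; }

# usage_ok ROLE: read `openssl x509 -noout -ext keyUsage,extendedKeyUsage`
# output on stdin; return 0 if it is acceptable for ROLE (server|client).
# This is the EKU that --remote-cert-tls checks, plus the key usage bits the
# XCA templates set, so it is at least as strict as the server's own check.
usage_ok() {
    ext=$(cat)
    case $1 in
        server) has_ext "$ext" 'Digital Signature' &&
                has_ext "$ext" 'Key Encipherment|Key Agreement' &&
                has_ext "$ext" 'TLS Web Server Authentication' ;;
        client) has_ext "$ext" 'Digital Signature' &&
                has_ext "$ext" 'TLS Web Client Authentication' ;;
        *)      return 2 ;;
    esac
}

# cert_usage_ok ROLE FILE: run the check on a real PEM certificate (needs openssl).
cert_usage_ok() {
    openssl x509 -in "$2" -noout -ext keyUsage,extendedKeyUsage | usage_ok "$1"
}

# chain_ok CA_CRT CRL_PEM LEAF_CRT: leaf is signed by the CA and not on the CRL.
chain_ok() {
    openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" >/dev/null
}

# dh_bits DH_PEM: size of the exported Diffie-Hellman group in bits.
dh_bits() {
    openssl dhparam -in "$1" -noout -text |
        awk '/DH Parameters/ { gsub(/[^0-9]/, "", $3); print $3; exit }'
}

# precheck DIR: run every check against an export directory; 0 if all pass.
precheck() {
    d=$1; rc=0
    cert_usage_ok server "$d/server.crt" || { echo "server.crt: wrong key usage/EKU"; rc=1; }
    cert_usage_ok client "$d/client.crt" || { echo "client.crt: wrong key usage/EKU"; rc=1; }
    chain_ok "$d/ca.crt" "$d/ca.pem" "$d/server.crt" || { echo "server.crt: bad chain or revoked"; rc=1; }
    chain_ok "$d/ca.crt" "$d/ca.pem" "$d/client.crt" || { echo "client.crt: bad chain or revoked"; rc=1; }
    [ "$(dh_bits "$d/dh2048.pem")" -ge 2048 ] 2>/dev/null || { echo "dh2048.pem: group below 2048 bits"; rc=1; }
    return $rc
}

# Constructed samples (not real certificates) in the format openssl prints,
# used for an offline self-check of the role logic.
SAMPLE_SERVER_EXT='X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication'
SAMPLE_CLIENT_EXT='X509v3 Key Usage: critical
    Digital Signature
X509v3 Extended Key Usage:
    TLS Web Client Authentication'

# self_check: 0 when each sample passes in its own role and fails in the other,
# i.e. a client certificate is never accepted as a server certificate.
self_check() {
    printf '%s\n' "$SAMPLE_SERVER_EXT" | usage_ok server || return 1
    printf '%s\n' "$SAMPLE_CLIENT_EXT" | usage_ok client || return 1
    printf '%s\n' "$SAMPLE_CLIENT_EXT" | usage_ok server && return 1
    printf '%s\n' "$SAMPLE_SERVER_EXT" | usage_ok client && return 1
    return 0
}
```

Run `precheck /path/to/export` on the directory holding the exported files; a non-zero exit means something would be rejected by the server (or would let a client certificate pass as a server one) and should be fixed in XCA before going further.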
Diffie-Hellman Params (DHParam)
One final thing to export from XCA is a dhparam file for your server. To generate it, go to the Extra menu and select Generate DH parameter. You'll be prompted for the parameter size in bits; set this to 2048 or higher. Many sources recommend matching the dhparam size to the size of your private keys. Upload this to your server along with the certificates from the last step.
On the server, move ca.crt, server.crt, server.pem (the server key), ca.pem (the CRL) and the dhparam file into your OpenVPN config folder (typically /etc/openvpn) and set the permissions so that they can be read by your OpenVPN user. The private key deserves stricter treatment than the rest: make server.pem readable only by its owner (mode 0600), since anyone who can read it can impersonate the server.
I’ve provided below an example annotated server config file. If you copy this for your server, make sure you change the certs to reflect the names of your certificate files.
FWIW, I've had persistent problems getting the tls-cipher directive to work properly with the iOS OpenVPN client. It may be necessary to remove or comment it out.
To test OpenVPN, start it from the command line using `openvpn server.conf`; this displays the output in the terminal instead of logging it. Assuming you installed OpenVPN from a package, once you've tested everything you can use the regular service/systemctl/rc.d scripts to start the service.
OpenVPN's iOS client requires two stages for the config.
First you must export from XCA your client’s certificates in PKCS #12 format. You’ll also need a copy of the CA certificate for the server so that the client can verify that the server is properly signed.
Depending on what methods you have at your disposal, getting the client certificate onto the iOS device is a bit of a hassle. You can mail it to yourself, or if you have a web server on your local network you can upload it there and install it through Safari. Remember that while the PKCS #12 file is encrypted, it's still a good idea not to go posting it all over the place if you can avoid it.
Uploading the OpenVPN configuration file is a little easier; that can be done through iTunes. Note that it must have the extension .ovpn for OpenVPN to detect it.
Below I’ve included a sample configuration for the client config. Like the server, you’ll need to change this to reflect your specific settings.
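As an added example that is my own and not the configuration from the original post, the script below produces a matched pair: a server.conf that uses the file names from the deployment step above (ca.crt, server.crt, server.pem, ca.pem as the CRL) and a client .ovpn of the kind described for iOS, with the transport and crypto settings kept in one place so the two sides cannot drift apart. It also serves the "test from the command line" step: generate the files, then run `openvpn server.conf`. Assumptions that are not in the post: the DH parameters are saved as dh2048.pem, the tunnel network is 10.8.0.0/24, the service is UDP 1194, and the server certificate's commonName equals its public hostname.

```shell
#!/bin/sh
# Added example, not the post's own config. Generates a server.conf and a
# client .ovpn that agree on transport and crypto settings.
# Assumptions: dh2048.pem, tunnel 10.8.0.0/24, UDP 1194, server CN == hostname.

# Settings both sides must agree on, kept in one place.
VPN_PROTO=udp
VPN_PORT=1194
VPN_CIPHER=AES-256-GCM
VPN_AUTH=SHA256
VPN_TLS_MIN=1.2

# server_conf: print the server configuration to stdout.
server_conf() {
    cat <<EOF
port $VPN_PORT
proto $VPN_PROTO
dev tun
# Files exported from XCA (names as used in the post)
ca ca.crt
cert server.crt
key server.pem
dh dh2048.pem
# Revocation list; re-export from XCA and copy here after each revocation
crl-verify ca.pem
# Only accept peers whose certificate carries the TLS client EKU, so a
# server certificate issued by the same CA cannot be used as a client credential
remote-cert-tls client
tls-version-min $VPN_TLS_MIN
cipher $VPN_CIPHER
auth $VPN_AUTH
# The post reports the iOS client failing with tls-cipher, so it stays commented out
#tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
server 10.8.0.0 255.255.255.0
topology subnet
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
# explicit-exit-notify is only valid with proto udp
explicit-exit-notify 1
EOF
}

# client_ovpn HOST [CA_FILE]: print a client profile. If CA_FILE is given its
# PEM is inlined; otherwise the profile references ca.crt alongside it.
client_ovpn() {
    host=$1; cafile=$2
    cat <<EOF
client
dev tun
proto $VPN_PROTO
remote $host $VPN_PORT
nobind
# Only trust a server certificate carrying the TLS server EKU and this exact CN
remote-cert-tls server
verify-x509-name $host name
tls-version-min $VPN_TLS_MIN
cipher $VPN_CIPHER
auth $VPN_AUTH
persist-key
persist-tun
verb 3
# Client certificate and key: on iOS import the PKCS #12 into OpenVPN Connect
# and attach it to this profile; on desktop clients add "pkcs12 client.p12".
EOF
    if [ -n "$cafile" ]; then
        printf '<ca>\n'; cat "$cafile"; printf '</ca>\n'
    else
        printf 'ca ca.crt\n'
    fi
}

# setting TEXT KEY: value of the first line "KEY value" in a config text.
setting() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_pair HOST: 0 if the generated server and client configs agree on
# protocol, port and every crypto parameter.
check_pair() {
    s=$(server_conf); c=$(client_ovpn "$1")
    [ "$(setting "$s" proto)" = "$(setting "$c" proto)" ] || return 1
    [ "$(setting "$s" port)" = "$(printf '%s\n' "$c" | awk '$1 == "remote" { print $3; exit }')" ] || return 1
    for k in cipher auth tls-version-min; do
        [ "$(setting "$s" "$k")" = "$(setting "$c" "$k")" ] || return 1
    done
    return 0
}
```

Usage: `server_conf > /etc/openvpn/server.conf` on the server and `client_ovpn vpn.example.com ca.crt > client.ovpn` for the device; `check_pair vpn.example.com` is a quick regression check after editing either side. The pairing of `remote-cert-tls client` on the server with `remote-cert-tls server` plus `verify-x509-name` on the client is what ties the key-usage templates from earlier to an actual enforcement point.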
That should about cover the basics. At least I should say that should be enough for me to remember what I need to do next time I have to do this in n-years.