WebhostUK

Cannot Establish a Remote Access VPN Connection

Cause: The name of the client computer is the same as the name of another computer on the network.
Solution: Verify that all computers on the network, and all computers connecting to the network, use unique computer names.

Cause: The Routing and Remote Access service is not started on the VPN server.
Solution: Verify the state of the Routing and Remote Access service on the VPN server. See the Windows Server 2003 Help and Support Center for more information about how to monitor the Routing and Remote Access service, and how to start and stop it. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: Remote access is not turned on on the VPN server.
Solution: Turn on remote access on the VPN server. See the Windows Server 2003 Help and Support Center for more information about how to turn on the remote access server. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: PPTP or L2TP ports are not turned on for inbound remote access requests.
Solution: Turn on PPTP or L2TP ports, or both, for inbound remote access requests. See the Windows Server 2003 Help and Support Center for more information about how to configure ports for remote access. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The LAN protocols used by the VPN clients are not turned on for remote access on the VPN server.
Solution: Turn on the LAN protocols used by the VPN clients for remote access on the VPN server. See the Windows Server 2003 Help and Support Center for more information about how to view properties of the remote access server. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: All of the PPTP or L2TP ports on the VPN server are already being used by currently connected remote access clients or demand-dial routers.
Solution: Verify whether all of the PPTP or L2TP ports on the VPN server are already in use. To do so, click Ports in Routing and Remote Access. If the number of PPTP or L2TP ports permitted is not high enough, increase the number of PPTP or L2TP ports to permit more concurrent connections. See the Windows Server 2003 Help and Support Center for more information about how to add PPTP or L2TP ports. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The VPN server does not support the tunneling protocol of the VPN client. By default, Windows Server 2003 remote access VPN clients use the Automatic server type option, which means that they try to establish an L2TP over IPSec-based VPN connection first, and then a PPTP-based VPN connection. If VPN clients use either the Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) server type option, verify that the selected tunneling protocol is supported by the VPN server. By default, a computer running Windows Server 2003 and the Routing and Remote Access service is a PPTP and L2TP server with five L2TP ports and five PPTP ports. To create a PPTP-only server, set the number of L2TP ports to zero. To create an L2TP-only server, set the number of PPTP ports to zero.
Solution: Verify that the appropriate number of PPTP or L2TP ports is configured. See the Windows Server 2003 Help and Support Center for more information about how to add PPTP or L2TP ports. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The VPN client and the VPN server, in conjunction with a remote access policy, are not configured to use at least one common authentication method.
Solution: Configure the VPN client and the VPN server, in conjunction with a remote access policy, to use at least one common authentication method. See the Windows Server 2003 Help and Support Center for more information about how to configure authentication. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The VPN client and the VPN server, in conjunction with a remote access policy, are not configured to use at least one common encryption method.
Solution: Configure the VPN client and the VPN server, in conjunction with a remote access policy, to use at least one common encryption method. See the Windows Server 2003 Help and Support Center for more information about how to configure encryption. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The VPN connection does not have the appropriate permissions through the dial-in properties of the user account and remote access policies.
Solution: Verify that the VPN connection has the appropriate permissions through the dial-in properties of the user account and remote access policies. For the connection to be established, the settings of the connection attempt must:
* Match all of the conditions of at least one remote access policy.
* Be granted remote access permission through the user account (set to Allow access), or through the user account (set to Control access through Remote Access Policy) and the remote access permission of the matching remote access policy (set to Grant remote access permission).
* Match all the settings of the profile.
* Match all the settings of the dial-in properties of the user account.
See the Windows Server 2003 Help and Support Center for an introduction to remote access policies, and for more information about how to accept a connection attempt. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The settings of the remote access policy profile are in conflict with properties of the VPN server. The properties of the remote access policy profile and the properties of the VPN server both contain settings for:
* Multilink.
* Bandwidth allocation protocol (BAP).
* Authentication protocols.
If the settings of the profile of the matching remote access policy are in conflict with the settings of the VPN server, the connection attempt is rejected. For example, if the matching remote access policy profile specifies that the Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication protocol must be used and EAP is not enabled on the VPN server, the connection attempt is rejected.
Solution: Verify that the settings of the remote access policy profile are not in conflict with properties of the VPN server. See the Windows Server 2003 Help and Support Center for more information about multilink, BAP and authentication protocols. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The VPN server (the answering router) cannot validate the credentials of the VPN client (the calling router): user name, password, and domain name.
Solution: Verify that the credentials of the VPN client (user name, password, and domain name) are correct and can be validated by the VPN server.

Cause: There are not enough addresses in the static IP address pool.
Solution: If the VPN server is configured with a static IP address pool, verify that there are enough addresses in the pool. If all of the addresses in the static pool have been allocated to connected VPN clients, the VPN server cannot allocate an IP address, and the connection attempt is rejected. If all of the addresses in the static pool have been allocated, modify the pool. See the Windows Server 2003 Help and Support Center for more information about TCP/IP and remote access, and how to create a static IP address pool. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The VPN client is configured to request its own IPX node number and the VPN server is not configured to permit IPX clients to request their own IPX node number.
Solution: Configure the VPN server to permit IPX clients to request their own IPX node number. See the Windows Server 2003 Help and Support Center for more information about IPX and remote access. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The VPN server is configured with a range of IPX network numbers that are being used elsewhere on your IPX network.
Solution: Configure the VPN server with a range of IPX network numbers that is unique to your IPX network. See the Windows Server 2003 Help and Support Center for more information about IPX and remote access. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The authentication provider of the VPN server is improperly configured.
Solution: Verify the configuration of the authentication provider. You can configure the VPN server to use either Windows Server 2003 or Remote Authentication Dial-In User Service (RADIUS) to authenticate the credentials of the VPN client. See the Windows Server 2003 Help and Support Center for more information about authentication and accounting providers, and how to use RADIUS authentication. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: The VPN server cannot access Active Directory.
Solution: For a VPN server that is a member server in a mixed-mode or native-mode Windows Server 2003 domain that is configured for Windows Server 2003 authentication, verify that: The RAS and IAS Servers security [...]


To set up a client for virtual private network access, follow these steps on the client workstation:

NOTE: You must be logged on as a member of the Administrators group to follow these steps.
NOTE: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. On the client computer, confirm that the connection to the Internet is correctly configured.
2. Click Start, click Control Panel, and then click Network Connections.
3. Click Create a new connection under Network Tasks, and then click Next.
4. Click Connect to the network at my workplace to create the dial-up connection, and then click Next.
5. Click Virtual Private Network connection, and then click Next.
6. Type a descriptive name for this connection in the Company name dialog box, and then click Next.
7. Click Do not dial the initial connection if the computer is permanently connected to the Internet. If the computer connects to the Internet through an Internet Service Provider (ISP), click Automatically dial this initial connection, and then click the name of the connection to the ISP. Click Next.
8. Type the IP address or the host name of the VPN server computer (for example, VPNServer.SampleDomain.com).
9. Click Anyone's use if you want to permit any user who logs on to the workstation to have access to this dial-up connection. Click My use only if you want this connection to be available only to the currently logged-on user. Click Next.
10. Click Finish to save the connection.
11. Click Start, click Control Panel, and then click Network Connections.
12. Double-click the new connection.
13. Click Properties to continue to configure options for the connection.

To continue to configure options for the connection, follow these steps:
1. If you are connecting to a domain, click the Options tab, and then click to select the Include Windows logon domain check box to specify whether to request Windows Server 2003 logon domain information before trying to connect.
2. If you want the connection to be redialed if the line is dropped, click the Options tab, and then click to select the Redial if line is dropped check box.

To use the connection, follow these steps:
1. Click Start, point to Connect to, and then click the new connection.
2. If you do not currently have a connection to the Internet, Windows offers to connect to the Internet.
3. When the connection to the Internet is made, the VPN server prompts you for your user name and password. Type your user name and password, and then click Connect. Your network resources should be available to you in the same way they are when you connect directly to the network.

NOTE: To disconnect from the VPN, right-click the connection icon, and then click Disconnect.

This step-by-step article describes how to install virtual private networking (VPN) and how to create a new VPN connection in servers that are running Windows Server 2003. With a virtual private network, you can connect network components through another network, such as the Internet. You can make your Windows Server 2003-based computer a remote-access server so that other users can connect to it by using VPN, and then they can log on to the network and access shared resources. VPNs do this by "tunneling" through the Internet or through another public network in a manner that provides the same security and features as a private network. Data is sent across the public network by using its routing infrastructure, but to the user, it appears as if the data is sent over a dedicated private link.

Overview of VPN
A virtual private network is a means of connecting to a private network (such as your office network) by way of a public network (such as the Internet). A VPN combines the virtues of a dial-up connection to a dial-up server with the ease and flexibility of an Internet connection. By using an Internet connection, you can travel worldwide and still, in most places, connect to your office with a local call to the nearest Internet-access phone number. If you have a high-speed Internet connection (such as cable or DSL) at your computer and at your office, you can communicate with your office at full Internet speed, which is much faster than any dial-up connection that uses an analog modem. This technology allows an enterprise to connect to its branch offices or to other companies over a public network while maintaining secure communications. The VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. Virtual private networks use authenticated links to make sure that only authorized users can connect to your network. To make sure data is secure as it travels over the public network, a VPN connection uses Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) to encrypt data.

Components of a VPN
A VPN in servers running Windows Server 2003 is made up of a VPN server, a VPN client, a VPN connection (that portion of the connection in which the data is encrypted), and the tunnel (that portion of the connection in which the data is encapsulated). The tunneling is completed through one of the tunneling protocols included with servers running Windows Server 2003, both of which are installed with Routing and Remote Access. The Routing and Remote Access service is installed automatically during the installation of Windows Server 2003. By default, however, the Routing and Remote Access service is turned off. The two tunneling protocols included with Windows are:
* Point-to-Point Tunneling Protocol (PPTP): Provides data encryption using Microsoft Point-to-Point Encryption.
* Layer Two Tunneling Protocol (L2TP): Provides data encryption, authentication, and integrity using IPSec.
Your connection to the Internet must use a dedicated line such as T1, Fractional T1, or Frame Relay. The WAN adapter must be configured with the IP address and subnet mask assigned for your domain or supplied by an Internet service provider (ISP). The WAN adapter must also be configured as the default gateway of the ISP router.

NOTE: To turn on VPN, you must be logged on using an account that has administrative rights.

How to Install and Turn on a VPN Server
To install and turn on a VPN server, follow these steps:
1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Click the server icon that matches the local server name in the left pane of the console. If the icon has a red circle in the lower-left corner, the Routing and Remote Access service has not been turned on. If the icon has a green arrow pointing up in the lower-left corner, the Routing and Remote Access service has been turned on. If the Routing and Remote Access service was previously turned on, you may want to reconfigure the server. To reconfigure the server, right-click the server object, click Disable Routing and Remote Access, and then click Yes to continue when you are prompted with an informational message.
3. Right-click the server icon, and then click Configure and Enable Routing and Remote Access to start the Routing and Remote Access Server Setup Wizard. Click Next to continue.
4. Click Remote access (dial-up or VPN) to allow remote computers to dial in or connect to this network through the Internet. Click Next to continue.
5. Click to select VPN or Dial-up depending on the role that you intend to assign to this server.
6. In the VPN Connection window, click the network interface which is connected to the Internet, and then click Next.
7. In the IP Address Assignment window, click Automatically if a DHCP server will be used to assign addresses to remote clients, or click From a specified range of addresses if remote clients must only be given an address from a pre-defined pool. In most cases, the DHCP option is simpler to administer. However, if DHCP is not available, you must specify a range of static addresses. Click Next to continue.
8. If you clicked From a specified range of addresses, the Address Range Assignment dialog box opens. Click New. Type the first IP address in the range of addresses that you want to use in the Start IP address box. Type the last IP address in the range in the End IP address box. Windows calculates the number of addresses automatically. Click OK to return to the Address Range Assignment window. Click Next to continue.
9. Accept the default setting of No, use Routing and Remote Access to authenticate connection requests, and then click Next to continue.
10. Click Finish to turn on the Routing and Remote Access service and to configure the server as a Remote Access server.

How to Configure the VPN Server
To continue to configure the VPN server as required, follow these steps.

How to Configure the Remote Access Server as a Router
For the remote access server to forward traffic properly inside your network, you must configure it as a router with either static routes or routing protocols, so that all of the locations in the intranet are reachable from the remote access server. To configure the server as a router:
1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Right-click the server name, and then click Properties.
3. Click the General tab, and then click to select Router under Enable this computer as a.
4. Click LAN and demand-dial routing, and then click OK to close the Properties dialog box.

How to Modify the Number of Simultaneous Connections
The number of dial-up modem connections depends on the number of modems that are installed on the server. For example, if you have only one modem installed on the server, you can have only one modem connection at a time. The number of dial-up VPN connections depends on the number of simultaneous users whom you want to permit. By default, when you run the procedure described in this article, you permit 128 connections. To change the number of simultaneous connections, follow these steps:
1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Double-click the server object, right-click Ports, and then click Properties.
3. In the Ports Properties dialog box, click WAN Miniport (PPTP), and then click Configure.
4. In the Maximum ports box, type the number of VPN connections that you want to permit.
5. Click OK, click OK again, and then close Routing and Remote Access.

How to Manage Addresses and Name Servers
The VPN server must have IP addresses available to assign to the VPN server's virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process. The IP address assigned to the VPN client is assigned to the virtual interface of the VPN client. For Windows Server 2003-based VPN servers, the IP addresses assigned to VPN clients are obtained through DHCP by default. You can also configure a static IP address pool. The VPN server must also be configured with name resolution servers, typically DNS and WINS server addresses, to assign to the VPN client during IPCP negotiation.

How to Manage Access
Configure the dial-in properties on user accounts and remote access policies to manage access for dial-up networking and VPN connections.

NOTE: By default, users are denied access to dial-up networking.

Access by User Account
To grant dial-in access to a user account if you are managing remote access on a user basis, follow these steps:
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the user account, and then click Properties.
3. Click the Dial-in tab.
4. Click Allow access to grant the user permission to dial in.
5. Click OK.

Access by Group Membership
If you manage remote access on a group basis, follow these steps:
1. Create a group with members who are permitted to create VPN connections.
2. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
3. In the console tree, expand Routing and Remote Access, expand the server name, and then click Remote Access Policies.
4. Right-click anywhere in the right pane, point to New, and then click Remote Access Policy.
5. Click Next, type the policy name, and then click Next.
6. Click VPN for Virtual Private Access access method, [...]
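The access decision described under "How to Manage Access" above, and the four requirements listed in the troubleshooting entry "The VPN connection does not have the appropriate permissions" earlier on this page, are easiest to understand as an ordered check. The following Python script is an added illustration, not Microsoft code and not a Windows API: it evaluates constructed connection attempts against constructed user accounts and remote access policies in the order the page gives (policy conditions, then dial-in permission via the account or the matching policy, then the policy profile against the attempt and the server's enabled authentication protocols, then the account's dial-in properties) and reports why an attempt is rejected. The Attempt, Account and Policy classes, the profile keys and the sample users and groups are assumptions of this example.

```python
from dataclasses import dataclass

ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "control_by_policy"


@dataclass
class Attempt:
    user: str
    groups: frozenset      # Windows groups the user belongs to
    tunnel: str            # "PPTP" or "L2TP"
    auth: str              # authentication protocol offered, e.g. "MS-CHAPv2", "EAP-TLS"
    encryption: str        # negotiated strength: "none", "basic", "strong", "strongest"


@dataclass
class Account:
    permission: str        # Dial-in tab: ALLOW, DENY or CONTROL_BY_POLICY
    callback_required: bool = False
    callback_number: str = ""


@dataclass
class Policy:
    name: str
    conditions: dict       # e.g. {"group": {"VPN Users"}, "tunnel": {"PPTP", "L2TP"}}
    grant: bool            # True = "Grant remote access permission", False = deny
    profile: dict          # e.g. {"auth": {"EAP-TLS"}, "encryption": {"strong", "strongest"}}


def matches_conditions(policy, attempt):
    """All conditions of the policy must hold (AND across conditions, OR within one)."""
    for cond, allowed in policy.conditions.items():
        if cond == "group":
            if not (attempt.groups & allowed):
                return False
        elif cond == "tunnel":
            if attempt.tunnel not in allowed:
                return False
        else:
            raise ValueError(f"unsupported condition {cond!r}")
    return True


def evaluate(attempt, account, policies, server_auth_protocols):
    """Return (accepted, reason), applying the page's four requirements in order."""
    # 1. The attempt must match all conditions of at least one policy (first match wins).
    policy = next((p for p in policies if matches_conditions(p, attempt)), None)
    if policy is None:
        return False, "no remote access policy matched the connection attempt"
    # 2. Permission comes from the account, or from the policy when the account defers to it.
    if account.permission == DENY:
        return False, "user account denies dial-in permission"
    if account.permission == CONTROL_BY_POLICY and not policy.grant:
        return False, f"policy {policy.name!r} denies remote access permission"
    # 3. The attempt must match the profile, and the profile must not conflict with the server.
    required_auth = policy.profile.get("auth")
    if required_auth and not (required_auth & set(server_auth_protocols)):
        return False, f"profile of {policy.name!r} requires {sorted(required_auth)}, none enabled on server"
    if required_auth and attempt.auth not in required_auth:
        return False, f"authentication {attempt.auth!r} not permitted by profile of {policy.name!r}"
    if attempt.auth not in server_auth_protocols:
        return False, f"server does not have {attempt.auth!r} enabled"
    allowed_enc = policy.profile.get("encryption")
    if allowed_enc and attempt.encryption not in allowed_enc:
        return False, f"encryption {attempt.encryption!r} not permitted by profile of {policy.name!r}"
    # 4. The attempt must satisfy the dial-in properties of the account.
    if account.callback_required and not account.callback_number:
        return False, "dial-in properties require callback but no callback number is set"
    return True, f"accepted by policy {policy.name!r}"


# Constructed sample policies and server settings (EAP is not enabled on this server).
VPN_POLICY = Policy("VPN access", {"group": {"VPN Users"}, "tunnel": {"PPTP", "L2TP"}},
                    True, {"auth": {"MS-CHAPv2", "EAP-TLS"}, "encryption": {"strong", "strongest"}})
EAP_ONLY_POLICY = Policy("Smart card VPN", {"group": {"Smart Card Users"}}, True, {"auth": {"EAP-TLS"}})
SERVER_AUTH = ["MS-CHAPv2", "MS-CHAP"]


def demo():
    """Evaluate a handful of constructed attempts; returns {case: (accepted, reason)}."""
    alice = Attempt("alice", frozenset({"VPN Users"}), "L2TP", "MS-CHAPv2", "strongest")
    return {
        "controlled_by_policy": evaluate(alice, Account(CONTROL_BY_POLICY), [VPN_POLICY], SERVER_AUTH),
        "account_denied": evaluate(alice, Account(DENY), [VPN_POLICY], SERVER_AUTH),
        "weak_encryption": evaluate(Attempt("alice", frozenset({"VPN Users"}), "PPTP", "MS-CHAPv2", "basic"),
                                    Account(ALLOW), [VPN_POLICY], SERVER_AUTH),
        "eap_conflict": evaluate(Attempt("bob", frozenset({"Smart Card Users"}), "L2TP", "EAP-TLS", "strongest"),
                                 Account(ALLOW), [EAP_ONLY_POLICY], SERVER_AUTH),
        "no_policy": evaluate(Attempt("eve", frozenset({"Domain Users"}), "PPTP", "MS-CHAPv2", "strong"),
                              Account(ALLOW), [VPN_POLICY], SERVER_AUTH),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:22} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The "eap_conflict" case is the page's own example of a profile that conflicts with the server: the policy insists on EAP-TLS, EAP is not enabled on the server, so the attempt is rejected even though the account allows access.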

We have made a small and dirty bash script which installs and configures OpenVPN on CentOS 5 32bit. The VPN server's primary (and only) use is safe browsing, i.e. tunneling all your traffic through your VPS. The script also generates your client configuration file along with the necessary keys for authentication.

Requirements
1. CentOS 5 32bit minimal OS template
2. TUN/TAP device enabled on your VPS
3. iptables NAT support

You will have to open a ticket to request a TUN/TAP device to be enabled on your VPS. If you're not a customer of ours and your host's support staff doesn't know how to do this, you may tell them to execute the following commands on the hardware node where your VPS is hosted.

vzctl stop YOUR_VEID
vzctl set YOUR_VEID --devices c:10:200:rw --save
vzctl set YOUR_VEID --capability net_admin:on --save
vzctl start YOUR_VEID
vzctl exec YOUR_VEID "mkdir -p /dev/net; mknod /dev/net/tun c 10 200; chmod 600 /dev/net/tun"

# iptables support
vzctl stop YOUR_VEID
vzctl set YOUR_VEID --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save
vzctl start YOUR_VEID

Make sure they replace 'YOUR_VEID' with your VPS's VEID and you will be ready to roll.

Login to your VPS as root and execute the following commands:

wget http://vpsnoc.com/scripts/install-openvpn.sh
chmod +x install-openvpn.sh
./install-openvpn.sh

You will be prompted to enter values for your server and client certificate; feel free to accept (hit enter) the default values. It's not recommended to set a password for your server certificate, as you would have to type in the password each time you wish to start/restart the openvpn daemon.

You can, however, set a password for your client's certificate, since it offers an extra level of protection in case your certificate and key files are compromised. You will be prompted for that password each time you connect to your VPS's VPN. After the script has finished installing openvpn (it should be very quick), the client keys and the openvpn client configuration file will be archived in /root/keys.tgz. You may use an sftp/scp client such as winscp or filezilla to download the archive to your computer. If you haven't already installed openvpn for windows, you may do so now. You may use winrar or 7zip to extract the content of keys.tgz into C:\Program Files\OpenVPN\config\VPN (create a folder named VPN there). After you have extracted the files from keys.tgz into the above folder, you may start openvpn-gui from the start menu, right-click the tray icon, go to VPN and click Connect. After the icon turns green, all your traffic will be forwarded through your VPS; no extra configuration of your browser/IM client/email client is required. If you're facing issues, make sure that your computer clock is synchronized; if it is, make sure that your VPS's clock is correct as well. If it's not, you will have to ask your host to sync it. For any other issues and feedback please e-mail us at support@vpsnoc.com. You may use and modify this script however you see fit, provided that you do not edit the original copyright.
#!/bin/bash
# Quick and dirty OpenVPN install script
# Tested on Centos 5.x 32bit, openvz minimal CentOS OS templates
# Please submit feedback and questions at support@vpsnoc.com
# John Malkowski vpsnoc.com 01/04/2010

# Public IP of the VPS, read from the venet0:0 interface configuration
ip=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-venet0:0 | awk -F= '{print $2}'`

# Add the RPMforge repository (it provides the openvpn package) and install
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -iv rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rm -rf rpmforge-release-0.3.6-1.el5.rf.i386.rpm
yum -y install openvpn openssl openssl-devel

# Copy the easy-rsa scripts shipped with openvpn and build the CA
cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
. ./vars
./clean-all
# Accept the default values for every CA certificate field
echo -e "\n\n\n\n\n\n\n" | ./build-ca
clear
echo "####################################"
echo "Feel free to accept default values"
echo "Wouldn't recommend setting a password here"
echo "Then you'd have to type in the password each time openVPN starts/restarts"
echo "####################################"
./build-key-server server
./build-dh
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
clear
echo "####################################"
echo "Feel free to accept default values"
echo "This is your client key, you may set a password here but it's not required"
echo "####################################"
./build-key client1
cd keys/

# Client configuration: send all traffic through the tunnel and use the VPS for DNS
client="client
remote $ip 1194
dev tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
route-delay 2
route-method exe
redirect-gateway def1
dhcp-option DNS 10.8.0.1
verb 3"
echo "$client" > $HOSTNAME.ovpn
# Bundle the client files for download. Note that ca.key is the CA's private key;
# the client does not need it, only ca.crt.
tar czf keys.tgz ca.crt ca.key client1.crt client1.csr client1.key $HOSTNAME.ovpn
mv keys.tgz /root

# Server configuration
opvpn='dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nobody
daemon'
echo "$opvpn" > /etc/openvpn/openvpn.conf

# Enable IP forwarding and NAT the VPN subnet out through venet0
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
sed -i 's/eth0/venet0/g' /etc/sysconfig/iptables # dirty vz fix for iptables-save
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
/etc/init.d/openvpn start
clear
echo "OpenVPN has been installed
Download /root/keys.tgz using winscp or other sftp/scp client such as filezilla
Create a directory named vpn at C:\Program Files\OpenVPN\config\ and untar the content of keys.tgz there
Start openvpn-gui, right click the tray icon go to vpn and click connect."
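Before handing the generated keys.tgz to a client, it is worth reviewing what the script produces. The Python script below is an added example, not part of the vpsnoc script: it parses the server and client configurations exactly as the script writes them (the server IP in the client file is a constructed placeholder), checks them against a few hardening points (Diffie-Hellman parameter size read from the file name, tls-auth/tls-crypt protection of the control channel, compression, the server dropping to an unprivileged user rather than only a group, the client restricting which certificates may act as the server via remote-cert-tls or ns-cert-type, and the CA private key ca.key being packed into the archive), and then shows that a corrected pair of configurations produces no findings. The parse() and audit() functions, the finding codes and the hardened configurations are this example's own.

```python
import re
import shlex

# Server and client configurations as the install script above writes them; the
# server IP in the client file is a constructed placeholder (203.0.113.10).
SCRIPT_SERVER_CONF = """dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nobody
daemon
"""
SCRIPT_CLIENT_CONF = """client
remote 203.0.113.10 1194
dev tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
route-delay 2
route-method exe
redirect-gateway def1
dhcp-option DNS 10.8.0.1
verb 3
"""
# Members the script packs into keys.tgz ($HOSTNAME.ovpn shown with a constructed host name)
SCRIPT_ARCHIVE = ["ca.crt", "ca.key", "client1.crt", "client1.csr", "client1.key", "vps.ovpn"]

# Corrected pair used to show the audit passing: 2048-bit DH, no compression,
# tls-auth on both sides, server drops to an unprivileged user, client pins the
# server certificate role, and only what the client needs goes into the archive.
HARDENED_SERVER_CONF = (SCRIPT_SERVER_CONF.replace("dh dh1024.pem", "dh dh2048.pem")
                        .replace("comp-lzo\n", "")
                        .replace("group nobody", "user nobody\ngroup nobody")
                        + "tls-auth ta.key 0\n")
HARDENED_CLIENT_CONF = (SCRIPT_CLIENT_CONF.replace("comp-lzo\n", "")
                        + "tls-auth ta.key 1\nremote-cert-tls server\n")
HARDENED_ARCHIVE = ["ca.crt", "client1.crt", "client1.key", "ta.key", "vps.ovpn"]


def parse(conf):
    """Map each directive to the list of its argument lists (push may repeat)."""
    out = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = shlex.split(line)   # shlex keeps 'route 10.8.0.0 255.255.255.0' as one argument
        out.setdefault(name, []).append(args)
    return out


def audit(server_conf, client_conf, archive_members):
    """Return sorted finding codes for a server/client configuration pair."""
    server, client = parse(server_conf), parse(client_conf)
    findings = []
    for args in server.get("dh", []):
        m = re.search(r"(\d+)", args[0])      # heuristic: bit size read from the file name
        if m and int(m.group(1)) < 2048:
            findings.append("weak-dh")
    for side, conf in (("server", server), ("client", client)):
        if not ({"tls-auth", "tls-crypt"} & set(conf)):
            findings.append(f"{side}-no-tls-auth")
        if "comp-lzo" in conf or "compress" in conf:
            findings.append(f"{side}-compression")
    if "user" not in server:
        findings.append("server-no-user-drop")   # only the group is dropped; the process keeps root
    if not ({"remote-cert-tls", "ns-cert-type"} & set(client)):
        findings.append("client-no-server-cert-check")
    if "ca.key" in archive_members:
        findings.append("ca-private-key-in-archive")
    return sorted(findings)


if __name__ == "__main__":
    print("script output :", audit(SCRIPT_SERVER_CONF, SCRIPT_CLIENT_CONF, SCRIPT_ARCHIVE))
    print("hardened pair :", audit(HARDENED_SERVER_CONF, HARDENED_CLIENT_CONF, HARDENED_ARCHIVE))
```

The checks are deliberately simple string and directive tests; they do not validate the certificates or the DH file contents themselves, only what the configuration declares.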

Typical setup
* There is one site (probably the main or corporate office) that has a direct connection to all other sites; called "Hub"
* All other sites (usually remote offices or branches) have only a single connection to the Hub; called "Spoke"
* Hub-to-Spoke communication uses the direct connection
* Spoke-to-Spoke communication must go through the Hub as an "intermediate hop"
* Connection to an external network (i.e. the Internet) exists only at the Hub
* Communication between a Spoke and the external network must go through the Hub

Tips:
* Since, from the Spoke's perspective, traffic must go through the Hub to reach other sites or the external network, a single static default route pointing to the Hub should be sufficient to cover all communication types
* From the Hub's perspective, traffic must go through each dedicated connection to reach a specific Spoke or the external network; a single static default route pointing to the external network (i.e. the ISP) plus one static route per Spoke should be sufficient to cover all communication types
* No need to run dynamic routing
* For a more resilient connection, bonded circuits (i.e. bonded T1/E1 circuits) between Hub and Spokes can be considered. Another consideration is to have redundant circuits between Hub and Spokes that are served by multiple ISPs
* The Hub network device should be the most powerful one compared to the Spoke network devices, since the Hub must support traffic from all Spokes and the external network, whereas a Spoke only supports its own traffic
* Should there be a future need to have a backup connection beyond bonded circuits
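The routing tips above generalize to any number of spokes. The Python script below is an added example with a constructed addressing plan (none of the addresses come from the page): it builds the static tables the tips describe (on each spoke, a single default route to the hub; on the hub, a default route to the ISP plus one route per spoke prefix), resolves next hops by longest-prefix match, and traces the routers a packet passes through, which shows spoke-to-spoke and spoke-to-Internet traffic transiting the hub. The /30 point-to-point link addressing and the site names are assumptions of this example.

```python
import ipaddress as ip

# Constructed addressing plan: one hub LAN, two spoke LANs, one /30 link per spoke, one ISP uplink.
HUB_LAN = "10.0.0.0/24"
SPOKES = {
    "spokeA": {"lan": "10.1.0.0/24", "hub_addr": "192.168.101.1", "spoke_addr": "192.168.101.2"},
    "spokeB": {"lan": "10.2.0.0/24", "hub_addr": "192.168.102.1", "spoke_addr": "192.168.102.2"},
}
ISP_ADDR = "203.0.113.1"
DEFAULT = ip.ip_network("0.0.0.0/0")


def build_tables(hub_lan=HUB_LAN, spokes=SPOKES, isp_addr=ISP_ADDR):
    """Static tables as (network, next_hop) entries; next_hop None means directly connected."""
    hub = [(ip.ip_network(hub_lan), None), (DEFAULT, isp_addr)]   # default route to the ISP
    tables = {"hub": hub}
    for name, s in spokes.items():
        link = ip.ip_network(s["hub_addr"] + "/30", strict=False)
        hub.append((link, None))                                   # hub side of the /30 link
        hub.append((ip.ip_network(s["lan"]), s["spoke_addr"]))     # one static route per spoke
        tables[name] = [
            (ip.ip_network(s["lan"]), None),                       # the spoke's own LAN
            (link, None),                                          # spoke side of the /30 link
            (DEFAULT, s["hub_addr"]),                              # everything else via the hub
        ]
    return tables


def lookup(table, dst):
    """Longest-prefix match; returns the winning (network, next_hop) entry or None."""
    dst = ip.ip_address(dst)
    candidates = [e for e in table if dst in e[0]]
    return max(candidates, key=lambda e: e[0].prefixlen) if candidates else None


def trace(src, dst, tables, spokes=SPOKES, isp_addr=ISP_ADDR):
    """Return the list of routers a packet from src traverses to reach dst."""
    owner = {isp_addr: "isp"}            # which router holds each next-hop address
    for name, s in spokes.items():
        owner[s["hub_addr"]] = "hub"
        owner[s["spoke_addr"]] = name
    path, router = [src], src
    for _ in range(8):                   # hop limit guards against a loop in a bad table
        entry = lookup(tables[router], dst)
        if entry is None:
            raise LookupError(f"{router} has no route to {dst}")
        if entry[1] is None:             # destination is on a connected network: done
            return path
        router = owner[entry[1]]
        path.append(router)
        if router == "isp":              # handed off to the external network
            return path
    raise RuntimeError("routing loop")


if __name__ == "__main__":
    t = build_tables()
    for name, table in t.items():
        print(name, [(str(n), nh) for n, nh in table])
    print("spokeA -> spokeB host :", trace("spokeA", "10.2.0.10", t))
    print("spokeB -> Internet    :", trace("spokeB", "198.51.100.7", t))
    print("hub    -> spokeA host :", trace("hub", "10.1.0.5", t))
```

Each spoke ends up with exactly three entries (its LAN, its link, and the default route to the hub), which is the whole point of the "no dynamic routing needed" tip; the hub carries two entries per spoke plus its own LAN and the ISP default.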