Friday, January 28, 2011

How to set up a VPN Incoming connection with Windows to tunnel Internet traffic?

I want to set up a VPN on a remote server to route all my Internet traffic for privacy reasons. I can set up an incoming connection and connect to it successfully. The problem is, I can just see the remote computer and no other Web sites will open. I want the remote server to act like a NAT. How can I do that?

Note that I don't want to split Internet traffic. I actually want to send all the traffic to the remote server but need to make it relay the traffic.

For the record, my remote server is Windows Web Server 2008 which does not have routing and remote access service.

Clarification

I'm mostly interested in server configuration. I don't have any problems configuring the client. By the way, Windows Web Server 2008 seems to have the same VPN features built into client OSes (like Vista) and specifically, it doesn't include the RRAS console in MMC. I'm also open to suggestions regarding third party PPTP/L2TP daemons available, if they are free.

  • This will happen by default if the VPN is configured correctly.

    When you make a VPN connection from Windows CLIENT, there is an advanced option called Use Default Gateway on Remote Network which is checked by default.

    For example, in Windows XP:

    • Go to Network Connections
    • Right click on your VPN connectoid
    • Choose Properties
    • Go to the Networking Tab
    • Choose Internet Protocol (TCP/IP) from the list
    • Click PROPERTIES
    • Click Advanced
    • In the General tab, check Use Default Gateway on Remote Network

    It is possible that the default gateway is not configured correctly on your remote server.

    Mehrdad : Thanks Joel. I think you are right and the problem is on the server, as I had configured a VPN server correctly with Win2k3 Std Ed. RRAS console and it worked well. Also, I can see no IPv4 Default Gateway given to the client (in the connection status). The problem is, how can I configure the server to give the correct default gateway to the client? Seems like Win2k8 Web has just *XP/Vista (client-OS)* incoming connections only and no RRAS console. Any ideas?
    Joel Spolsky : I've never used Win2k8 web edition... there is probably a workaround that I just don't know, I'm afraid, but that version of the server is specifically designed JUST for serving web pages, so for all I know it might be lacking the routing features that would make this possible.
    sascha : @Joel, makes sense from a security perspective. Preventing a webserver from even acting as a router makes it a less useful target for attacks.
    Whisk : I've never tried it on anything above XP, but this reg hack used to turn on IP routing even on non-server OS http://support.microsoft.com/kb/315236 - might help, although I think you'd still have to enable NAT somehow?
    Andrew H : Just one small note - the VPN server won't act like NAT, the VPN client will take an IP from your DHCP server and then go through your default gateway, which will NAT. So when the client connects to resources on your network, it will appear from this DHCP address, not the VPN server address. This is a good thing.
  • Unfortunately you cannot install RRAS on Server 2008 Web Edition, it's not an allowed role. So you would need to use a third party application; OpenVPN is one of the most common and one I have used successfully on Server 2003 before.

    Once you have that set up, Joel's advice for the client setup will make sure your web traffic goes through the VPN.

    Mehrdad : Does OpenVPN support PPTP or L2TP, or does it use its own protocol? I need to connect using my iPhone too, so it shouldn't require a client.
    Sam Cogan : OpenVPN uses IPsec, so it does require its own client, which does not exist for the iPhone. Unfortunately the choices of VPN servers for Windows are a little limited.
    pc1oad1etter : OpenVPN does not use IPsec, it uses SSL.
    From Sam Cogan
  • You were able to create a dial-up VPN connection between Vista and Windows Web Server 2008 without the Network Policy Server role? If so, I'm curious as to what the subnet/IP looked like to the client in that scenario once the tunnel was up.

    If you have a VPN up, then you've transferred your problem domain from one of VPN to one of routing. I'm pretty confident that you'll be able to bridge connections using the Web edition and that you can also use Internet Connection Sharing. If not, there are cheap and possibly free "internet sharing" programs available (NAT32).

    This assumes that your client machine somehow has an IP on the server's (internal?) network.

    Also, when you say Internet traffic, it's possible your definition may include only traffic that is proxy-able. In which case you can shift the domain again from routing to proxying, and use a free proxy server bound to the IP on the other end of the tunnel.

    Mehrdad : NAT32 is a great suggestion. I think I should look at it. The IP can be set manually but the problem is with the default gateway. I can't figure out how to set the default gateway on the connection (or get the server to tell the client). I think if I can do that, along with NAT32, it'll work. +1
    Mike Haboustak : How are you getting a PPTP/VPN server without the RRAS or NPS? Knowing that might help us discover solutions for the gateway and ICS routing.
    Mehrdad : I'm using the incoming connection feature which has been available even in client OSes. There's no RRAS console.
  • There may be a special place in purgatory for UNIX people who make suggestions along the following lines, but I have used this for a purpose similar to yours (getting IP range-restricted US-only data securely from the US to Mexico City):

    Install OpenSSH on the server, here is how you can do that on Vista/2008: http://www.petri.co.il/setup-ssh-server-vista.htm (I noticed that this is an .il TLD, if that is a problem from Iran maybe try looking for the cache or I can repost it if you leave a comment. Also maybe an example of why we need secure borderless internet access.)

    Create a dynamic ssh connection using Putty. Here are instructions and an explanation.

    Point your browser, mail client, etc., to the local proxy. In effect, what you are doing is this: you open a dynamic ssh session on the remote host. You have a local proxy that this connection is bound to. You make all requests to this local proxy, the proxy then makes an encrypted request to the server, the server fetches and returns whatever you have requested from the outside world via a secure tunnel to the local proxy and thence to your application. You can confirm that it is working by opening a website that provides geolocation of IP addresses. I'm sure it can be automated too. (If this is an outright abominable thing to do on a Windows Server, let me know in the comments.)

    From bvmou
  • This is a rather old thread but I found myself searching for an answer to this same exact question as well. I did find a couple of things during my research. I'm posting here just to add to this information so in case anyone else is looking for answers, they can find it here.

    First, there's a free service available at www.itshidden.com that lets you connect to their VPN servers. Once connected, all your internet traffic is tunneled through that VPN interface. The initial setup and connection is easy enough; any modern Windows installation 2000/XP/Vista and higher has the VPN client software already built in. The only downside is that their servers are stationed in Europe, so your packets have quite a way to travel. I needed something closer to home to reduce packet latency and ping and as such this wasn't the ideal solution. So I kept looking...

    On my continuing search I found the dd-wrt firmware. Creating a VPN server right on the router itself happens to be one of dd-wrt's nice features. The setup is pretty easy and straightforward: set the VPN server IP of the router, set the possible IP ranges for the clients and the VPN client login info. This is all done from the dd-wrt router config through the browser. VPN client setup follows the same procedures as outlined from www.itshidden.com, with a different VPN server IP of course.

    Finally, I have also attempted to make one of the computers a VPN server using the accept incoming connections method like the OP. The VPN clients and server can ping each other, but the problem is I couldn't get the VPN server to properly route the internet traffic from the clients. I tried fiddling with the route table on both client and server ends. Short story is I couldn't get it to work fully. Local LAN services work fine (e.g. an FTP server on a LAN computer), but I never got the internet traffic to route through properly; perhaps someone else might have better luck.

    So all in all, if you have a router that supports dd-wrt, this is worth looking into. This is the solution I settled on. It was easy to get set up and working.

    From Greatwolf
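The symptom Mehrdad, Joel and Greatwolf describe (tunnel up, no IPv4 default gateway handed to the client, only the VPN server reachable) can be checked from both ends before touching the route table. This PowerShell diagnostic is an added example, not code from the thread or from Microsoft; it assumes PowerShell 2.0 on Vista/Server 2008, that the tunnel adapter appears in WMI with a PPP/RAS/WAN Miniport description, and it reads the IPEnableRouter value from the KB315236 article Whisk links.

```powershell
# Added diagnostic for "VPN connects but only the server is reachable".
# Assumptions: PowerShell 2.0 on Vista/Server 2008; the tunnel adapter's WMI
# description matches PPP/RAS/WAN Miniport. Run without switches on the client,
# with -Server on the host that accepts the incoming connection.
param([switch]$Server)

if (-not $Server) {
    # --- Client: did "Use default gateway on remote network" take effect? ---
    $vpn = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.Description -match 'PPP|RAS|WAN Miniport' }
    if (-not $vpn) { Write-Host 'No active PPP/RAS adapter: the tunnel is not up.'; exit 1 }
    foreach ($a in $vpn) {
        $gw = $a.DefaultIPGateway -join ','
        Write-Host ("VPN adapter '{0}': IP={1} gateway={2}" -f $a.Description, ($a.IPAddress -join ','), $gw)
        if (-not $gw) {
            Write-Host '  -> no default gateway on the tunnel: only the VPN server is reachable.'
        }
    }
    # The 0.0.0.0 route with the lowest metric must belong to the tunnel interface.
    Write-Host 'Default routes (destination 0.0.0.0):'
    route print | Select-String '^\s+0\.0\.0\.0\s' | ForEach-Object { Write-Host "  $_" }
    exit 0
}

# --- Server: can it forward at all, and is anything providing NAT? ---
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$fwd = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($fwd -eq 1) {
    Write-Host 'IPEnableRouter=1: kernel IP forwarding is on (KB315236).'
} else {
    Write-Host 'IPEnableRouter is 0/absent: packets from VPN clients are dropped, not forwarded.'
    Write-Host "  Fix per KB315236: Set-ItemProperty -Path '$tcpip' -Name IPEnableRouter -Type DWord -Value 1, then reboot."
}
# Forwarding alone gives routing, not NAT. Internet Connection Sharing runs as
# the SharedAccess service; without it (or a tool such as NAT32) replies never return.
$ics = Get-Service SharedAccess -ErrorAction SilentlyContinue
if ($ics -and $ics.Status -eq 'Running') {
    Write-Host 'ICS (SharedAccess) is running: NAT can be enabled on the public adapter.'
} else {
    Write-Host 'ICS (SharedAccess) is not running: enable Internet Connection Sharing on the public adapter, or use NAT32.'
}
```

Running it on the client before and after ticking "Use default gateway on remote network" shows whether the missing gateway is a client setting or, as Mehrdad suspected, something the server never hands out.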
