VPN headache - PPTP replacement

freedomit

So client has a Draytek router, they have been using IPsec for a site-to-site VPN tunnel and passing PPTP connections through to a Windows RAS server for users/iPads.

I'm in the process of discontinuing PPTP, partly for security and also because iOS 10 & macOS no longer support PPTP. I have rolled out SSTP via GPO to all Windows clients and was going to pass L2TP connections to the RAS server BUT... I stupidly didn't think that IPsec and L2TP share ports, as L2TP uses IPsec for encryption, so I'm stuck.

I'm trying to think of a solution to this. I can't find an SSTP client for iOS, I can't use PPTP on Apple devices, and L2TP won't work without IPsec also being passed. I know one solution is to set up users on the Draytek instead of passing to RAS, but with 50+ users with high staff turnover it would be another thing to maintain and another password to remember.

Any good ideas?
 
You can easily set up RADIUS between the Draytek and a Windows server to allow the Draytek to terminate user VPNs using Windows domain credentials. It can still handle site-to-site VPNs too, I believe. VPN access can be granted by adding the user to a group in Active Directory and setting this up in NPS on Windows.

This might help as part of a solution!

I use SSH on OS X as the client is built in, but you need to have an SSH server somewhere. Generate a 2048-bit key and put it on the OS X machine. Only permit SSH tunneling access to specified ports (e.g. TCP 3389 to their Windows desktop or TCP 80/443 internal web apps) using that key and disable terminal access.
 
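To make the restricted-key SSH suggestion above concrete, here is an added example (not from the poster) that audits an OpenSSH authorized_keys file and reports what each key is allowed to do. The constructed sample file's first entry is the tunnel-only shape the post describes: `restrict` switches everything off, `port-forwarding` switches forwarding back on, `permitopen` pins it to the RDP and HTTPS targets, and a forced `command` means no shell is reachable even without a PTY. The addresses, comments and key blobs are placeholders, and the `restrict` option needs OpenSSH 7.2 or later.

```python
"""Audit authorized_keys entries for 'tunnel only' restrictions.

Added example, not part of the original thread. The sample file below is
constructed; the key blobs are placeholders, not real public keys.
"""
import re

KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)[A-Za-z0-9.@-]+$")

SAMPLE_AUTHORIZED_KEYS = r'''
# constructed sample; key blobs are placeholders, not real keys
restrict,port-forwarding,permitopen="10.0.0.5:3389",permitopen="10.0.0.6:443",command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder user@macbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder admin@laptop
no-pty,command="echo \"hi, there\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder legacy@old
'''


def _split_options(line: str):
    """Split the leading options field of an authorized_keys line.

    Options are comma separated, but a double-quoted value may itself contain
    commas and backslash-escaped quotes, so a naive split(',') is wrong.
    Returns (options, remainder) where remainder starts at the key type.
    """
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and i + 1 < len(line):
            cur += line[i + 1]          # keep the escaped character, drop the backslash
            i += 2
            continue
        if ch == '"':
            quoted = not quoted         # quotes delimit, they are not part of the value
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif ch.isspace() and not quoted:
            opts.append(cur)
            return opts, line[i:].lstrip()
        else:
            cur += ch
        i += 1
    raise ValueError("options field not terminated by a key")


def parse_authorized_keys(text: str):
    """Return a list of {'options', 'type', 'comment'} for every key line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if KEY_TYPE_RE.match(first):        # no options field on this line
            opts, rest = [], line
        else:
            opts, rest = _split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"malformed line: {raw!r}")
        entries.append({"options": opts, "type": parts[0],
                        "comment": parts[2] if len(parts) == 3 else ""})
    return entries


def audit_entry(entry):
    """Resolve the option semantics sshd(8) applies to one key."""
    opts = entry["options"]
    names = {o.split("=", 1)[0] for o in opts}
    restricted = "restrict" in names
    forced = next((o.split("=", 1)[1] for o in opts if o.startswith("command=")), None)

    def allowed(feature):
        # 'no-<feature>' always wins; under 'restrict' a feature is off unless
        # the bare '<feature>' option re-enables it; otherwise it is on by default.
        if f"no-{feature}" in names:
            return False
        return feature in names if restricted else True

    return {
        "comment": entry["comment"],
        "forced_command": forced,
        "shell": forced is None,            # without command= the client gets the shell/exec it asks for
        "pty": allowed("pty"),
        "port_forwarding": allowed("port-forwarding"),
        "agent_forwarding": allowed("agent-forwarding"),
        "x11_forwarding": allowed("X11-forwarding"),
        "permitopen": [o.split("=", 1)[1] for o in opts if o.startswith("permitopen=")],
    }


def tunnel_only(report) -> bool:
    """True when the key can forward only to an explicit allow-list and nothing else."""
    return bool(not report["shell"] and not report["pty"] and report["port_forwarding"]
                and report["permitopen"] and not report["agent_forwarding"]
                and not report["x11_forwarding"])


if __name__ == "__main__":
    for entry in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        report = audit_entry(entry)
        print(f"{entry['comment']:<14} tunnel-only={tunnel_only(report)} {report}")
```

Two caveats worth knowing when you copy the first sample line into a real deployment: `permitopen` constrains only local (`-L`) forwards, so if the server is new enough (OpenSSH 7.8+) add `permitlisten` to stop the key opening remote (`-R`) listeners; and the forced command only runs when the client requests a session, so users connect with `ssh -N` and get just the tunnels.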
If it's not possible to have all VPN termination happen at the router, I'm going to throw a completely different possibility at you, somewhat in the "throw hardware at it" camp.

Assuming you currently have a single static IP, how much would it cost per month to jump to a 5-IP block? Can the router handle having a range of IPs on its WAN port? Then just have the different VPN types connect to different real-world addresses and forward appropriately. Maybe not pretty, but
 
You can easily set up RADIUS between the Draytek and a Windows server to allow the Draytek to terminate user VPNs using Windows domain credentials. It can still handle site-to-site VPNs too, I believe. VPN access can be granted by adding the user to a group in Active Directory and setting this up in NPS on Windows.

Thank you, that's a great option I didn't think of. I found these guides which explain how to do it...

https://www.draytek.com/en/faq/faq-...08-r2-server-to-authenticate-ssl-vpn-clients/

https://www.draytek.com/en/faq/faq-...henticate-host-to-lan-vpn-with-radius-server/

I can use the native VPN client on Android/iOS/macOS and also use Windows accounts for authentication. I will feed back with how it works.
 
One other tip: if the Windows server is down then you can't VPN in using Windows credentials. Create yourself a VPN user/pass on the Draytek itself for administrative VPN access.

You may also need to check the Draytek firewall setup. If it is set to deny by default then you may have to add firewall rules from LAN/VPN to LAN/VPN to allow access. If it is set to allow all traffic by default then there should be no problem, but you might ideally change that so you can tightly permit access to only the required ports from VPN clients.
 
So I've been looking to implement this, but it seems I need to allow PAP (plain text) authentication on the network policy as that's all RADIUS supports? To me that seems unsafe, especially as the network policy is also used for the SSTP VPN, or am I worrying too much?
 
Is that plain text auth to the Windows server for RADIUS? It wouldn't be real-world, because once this change happens nothing real-world will be able to reach that Windows server.
 
Is that plain text auth to the Windows server for RADIUS? It wouldn't be real-world, because once this change happens nothing real-world will be able to reach that Windows server.

Yes it is, but I'm still authenticating Windows clients with SSTP, which is my worry. I guess the plain text packet transfer happens on the LAN, but couldn't someone packet sniff the password?
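The sniffing question above turns on what "PAP" actually looks like between the Draytek and NPS, so here is an added example (not from the thread) of the User-Password hiding that RFC 2865 section 5.2 applies to every Access-Request: the password is padded to 16-octet blocks and XORed with MD5(shared secret || Request Authenticator), chaining each block into the next. It is therefore not literally cleartext on the LAN, but the Request Authenticator travels in the clear, so anyone who captures the packet and can guess the shared secret reads that password and every later one on the same segment. The block implements the NAS side, the server side, and that offline attack against a constructed capture; the shared secret, password, authenticator and wordlist are all invented.

```python
"""RFC 2865 section 5.2 User-Password hiding and what a sniffer can do with it.

Added example, not from the thread. The 'capture' below is constructed in
place; a real NAS draws the Request Authenticator from os.urandom(16).
"""
import hashlib


def _blocks(secret: bytes, authenticator: bytes, data: bytes, chain_on_input: bool) -> bytes:
    """Shared XOR/MD5 chain: b1 = MD5(S+RA), b(n) = MD5(S + c(n-1)).

    Hiding chains on the ciphertext it just produced; revealing chains on
    the ciphertext it just consumed, which is the same byte string.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not data or len(data) % 16:
        raise ValueError("data must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = data[i:i + 16]
        result = bytes(a ^ k for a, k in zip(chunk, key))
        out += result
        prev = chunk if chain_on_input else result
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS (the Draytek) puts in the User-Password attribute."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _blocks(secret, authenticator, padded, chain_on_input=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server (NPS) recovers before checking the credential.

    The server needs the cleartext here, which is why PAP works against any
    backend and why it is 'plain text' from NPS's point of view.
    """
    return _blocks(secret, authenticator, hidden, chain_on_input=True).rstrip(b"\x00")


def _looks_like_password(candidate: bytes) -> bool:
    """Attacker's oracle: printable ASCII followed only by NUL padding."""
    stripped = candidate.rstrip(b"\x00")
    return bool(stripped) and b"\x00" not in stripped and all(0x20 <= b < 0x7F for b in stripped)


def crack_shared_secret(authenticator: bytes, hidden: bytes, wordlist):
    """Offline attack on one sniffed Access-Request.

    Only the shared secret is unknown, so a weak one falls to a wordlist and
    then unlocks every password that crosses that segment. Returns
    (secret, password) or None.
    """
    for guess in wordlist:
        candidate = _blocks(guess, authenticator, hidden, chain_on_input=True)
        if _looks_like_password(candidate):
            return guess, candidate.rstrip(b"\x00")
    return None


# Constructed capture: an attacker on the Draytek -> NPS segment sees the
# Request Authenticator in the clear together with the hidden User-Password.
SHARED_SECRET = b"draytek123"                  # weak, invented secret
PASSWORD = b"Winter2016!"                      # invented user password
REQUEST_AUTHENTICATOR = bytes(range(16))       # fixed so the example is reproducible
CAPTURED_USER_PASSWORD = hide_password(PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
WORDLIST = [b"password", b"radius", b"secret", b"draytek123", b"Secret1!"]


if __name__ == "__main__":
    print("on the wire:", CAPTURED_USER_PASSWORD.hex())
    print("NPS recovers:", reveal_password(CAPTURED_USER_PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR))
    print("attacker recovers:", crack_shared_secret(REQUEST_AUTHENTICATOR, CAPTURED_USER_PASSWORD, WORDLIST))
```

The practical reading for the thread: the hop that carries PAP is the RADIUS hop between the router and NPS, not the user's VPN session, so the exposure is whoever can capture on that segment plus the strength of the shared secret. Use a long random shared secret, keep the RADIUS traffic on a management network or inside IPsec (or RADIUS over TLS per RFC 6614 where both ends support it), and the PAP requirement stops being the weakest link.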
 