How to set up VPN Access with W2K Server
by Daniel Marsh dmarsh@speakeasy.org
This article details how to set up a simple W2K-based VPN to allow secure remote access to your home network and the internet while using Public Access Points.
Background
One of the biggest problems faced by mobile wireless users these days is not finding free wireless internet access points, but securing one's traffic once one has found that perfect source of bandwidth and caffeine. Wireless traffic is incredibly easy to sniff. Unless users of Public APs take steps to secure their traffic, they likely expose their web browsing habits, email logins/passwords and a whole host of highly private information to anyone within range.
In short, it no longer takes this guy to access your private data...
...these days even this guy could do it!
There are a number of different approaches to securing your traffic while using Public APs, including SSL-enabled webmail and tunneling to a remote proxy via SSH. Both of these approaches have some big drawbacks, however. Web interfaces to email are often inefficient and do nothing to secure your other traffic. SSH tunnels provide robust security, but are difficult to set up and require some reconfiguration of applications. Once a VPN server is properly configured, securing your connection is as simple as double clicking on an icon to establish the connection. No application reconfiguration is necessary!
Setting up W2K as a VPN Server
Windows 2000 Server includes everything you need to set up a VPN server right out of the box. There are a few conditions needed to make everything work. Although it is possible to assign private IP addresses to incoming VPN clients via DHCP and then use NAT to provide internet connectivity, I am going to stick to using a few static internet-addressable IPs. You will need 1 IP for the VPN server and as many as 3 more IPs to allocate to incoming connections. For some reason, Microsoft doesn't allow you to specify a particular IP to be assigned to an incoming VPN connection. Instead you have to specify a range of addresses, and the smallest thing that is considered a range is THREE CONTIGUOUS addresses. Assuming you can get your hands on a bunch of contiguous internet-addressable IPs, here is how to proceed.
Click Start -> Settings -> Network and Dial-up Connections
- Double click on "Make New Connection"
- Click the Next button when presented with this dialog.
- Select the "Accept incoming connections" radio button and click Next.
- Click the Next button when presented with this dialog.
- Select the "Allow virtual private connections" radio button and click Next.
- Select any users you want to allow access to the VPN and click Next. For most this will just be the admin account.
- Select Internet Protocol (TCP/IP) and click the properties button.
- Make sure "Allow callers to access my local area network" is checked and select the "Specify TCP/IP Addresses" option. Fill in the From: and To: blanks with the bottom and top addresses of your contiguous, publicly addressable IP range. If you want to mess around with doing DHCP instead, you are on your own. Click OK to continue.
- You should now be back at this dialog with all the appropriate protocols selected. Click Next to continue.
- Click Finish to complete the server set up.
Setting up clients
All modern versions of windows provide VPN/PPTP access, but setup varies somewhat. Here is how to set up your client machines to connect to your VPN server.
Click Start -> Settings -> Network and Dial-up Connections
- Double click on "Make New Connection." Notice that there is now an Incoming Connections icon.
- Select the "Connect to a private network through the Internet" option and hit Next.
- Type in the IP address of your VPN server and hit Next.
- Choose whether to create this connection just for yourself or for all users of your computer.
- DON'T select the "Enable Internet Connection Sharing" option as you could unwittingly give people access to your private network.
- Check the "Add a shortcut to my desktop" option and click the finish button. You should now have an icon on your desktop to establish your VPN connection.
- Once you click the Finish button, the logon dialog will come up. Fill in your username and password and then hit Connect. If you did everything correctly, you should be able to establish a connection.
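The same client-side connection, scripted instead of clicked through the wizard. This is an added example and not part of the original article: it uses the built-in VpnClient and NetTCPIP PowerShell modules that ship with Windows 8.1 / Server 2012 R2 and later, so it will not run on the Windows 2000 clients the article had in mind. The connection name, server address and user name are placeholders; PPTP with MS-CHAP v2 mirrors the defaults the article describes.

```powershell
# Added example (not from the original article): builds the client VPN
# connection that the article creates through "Make New Connection",
# using the VpnClient module on Windows 8.1 / Server 2012 R2 or later.
# The three values below are placeholders, not values from the article.
$VpnName   = 'Home VPN'          # assumption: any connection name you like
$VpnServer = '203.0.113.10'      # placeholder: public IP of your W2K VPN server
$UserName  = 'Administrator'     # assumption: an account enabled in the server wizard

# Create the connection for the current user only (omit -AllUserConnection),
# matching the "just for yourself" choice in the wizard. PPTP and MS-CHAP v2
# are the article's defaults; EncryptionLevel Required refuses a session
# that would fall back to an unencrypted PPP link. Split tunnelling is off
# by default, so all traffic (not only home-network traffic) uses the tunnel.
Add-VpnConnection -Name $VpnName `
                  -ServerAddress $VpnServer `
                  -TunnelType Pptp `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -Force

# Review what was created before dialling it.
Get-VpnConnection -Name $VpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling

# Dial the connection. The '*' makes rasdial prompt for the password so it
# never appears in the command line or shell history.
rasdial $VpnName $UserName '*'

# Check that the default route now goes through the tunnel: the dialled
# VPN appears as an interface whose alias equals the connection name.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric

# Disconnect when finished.
# rasdial $VpnName /disconnect
```

Nothing here enables Internet Connection Sharing; the wizard checkbox the article warns about has no counterpart in Add-VpnConnection, so the client does not expose its private network to anyone else. The route listing at the end is the check worth running on a public AP: if the lowest-metric default route is not on the VPN interface, browsing and email traffic is leaving the machine in the clear despite the connection showing as established.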
By default, the session is negotiated using MS-CHAP v2. This should be secure enough for most purposes, but if you want added security, you can configure authentication via a number of other methods, including a variety of shared secret/hash schemes, smart cards and EAP. I hope this guide was useful to you. Please email any suggestions on revisions or expanded content to dmarsh@speakeasy.org