How to firewall different protocol ports for VPN in Windows Server 2008/2012/2016?

Thread starter: Perplexer1 (Guest)
I just configured VPN + NAT in RRAS on my Windows Server 2008R2 so I can access my LAN computers from a remote location when I'm out of home with my laptop / iPad. As I understand it, there are several protocols for connecting to VPN which you can select on the client computer when setting up a VPN connection. For example, in Windows 10 on my laptop I have these options listed under "VPN type":

- Automatic
- Point to Point Tunnelling Protocol (PPTP)
- L2TP/IPsec with certificate
- L2TP/IPsec with pre-shared key
- Secure Socket Tunnelling Protocol (SSTP)
- IKEv2

I selected "L2TP/IPsec with pre-shared key" for my use, so I went to the Security tab in my RRAS configuration and set a "Preshared key". I then went to "Windows Firewall with Advanced Security" / Inbound Rules and updated the existing "Routing and Remote Access (L2TP-In)" rule (for the public interface) by adding specific remote addresses under the "Scope" tab. This means I will only be able to connect to my VPN from these specific IP ranges.

This firewall rule update worked for the L2TP VPN type connections, but if I change the VPN type in my client from L2TP to PPTP, then I can still connect to the VPN even if I add a similar restricted IP range to the firewall's "Routing and Remote Access (PPTP-In)" rule. Even if I totally disable the rule in the firewall, the clients using PPTP can still connect to my VPN.

So my question is, how do I firewall the PPTP VPN connection types? Why doesn't firewalling, as I have tried it, work for PPTP like it does for L2TP?
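As an added example (not part of the thread), the scope restriction the post describes applied from PowerShell to all the built-in Routing and Remote Access inbound rules, followed by two checks: that the scope took effect, and that no other enabled rule still admits the same ports from any address. PPTP is a TCP 1723 control channel plus a GRE (IP protocol 47) data tunnel, so it has a separate "(GRE-In)" rule beside "(PPTP-In)"; the address ranges are placeholders, and the NetSecurity cmdlets assume Server 2012 or later (2008 R2 would use netsh advfirewall instead).

```powershell
# Added example, not from the thread. Assumes Windows Server 2012 or later
# (NetSecurity module). On 2008 R2 the equivalent per rule is:
#   netsh advfirewall firewall set rule name="<rule>" new remoteip=<list>
# Placeholder ranges: replace with the remote ranges you actually connect from.
$AllowedRemote = @('203.0.113.0/24', '198.51.100.10')

# PPTP  = TCP 1723 control channel + GRE (IP protocol 47) tunnel.
# L2TP  = UDP 1701 (the IPsec part is negotiated by the IPsec service).
# Scoping only "(PPTP-In)" leaves "(GRE-In)" at its default scope.
$RrasRules = @(
    'Routing and Remote Access (PPTP-In)',
    'Routing and Remote Access (GRE-In)',
    'Routing and Remote Access (L2TP-In)'
)

foreach ($name in $RrasRules) {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rule) { Write-Warning "Rule not found: $name"; continue }
    Set-NetFirewallRule -DisplayName $name -RemoteAddress $AllowedRemote -Enabled True
}

# Check 1: the scope really is set on each rule.
foreach ($name in $RrasRules) {
    $addr = Get-NetFirewallRule -DisplayName $name | Get-NetFirewallAddressFilter
    '{0,-40} remote = {1}' -f $name, ($addr.RemoteAddress -join ',')
}

# Check 2: no other enabled inbound Allow rule admits the same protocol/port
# from 'Any' remote address, which would make the scoped rules irrelevant.
$vpnPorts = Get-NetFirewallPortFilter | Where-Object {
    ($_.Protocol -eq 'TCP' -and $_.LocalPort -eq '1723') -or
    ($_.Protocol -eq '47') -or
    ($_.Protocol -eq 'UDP' -and $_.LocalPort -eq '1701')
}
$vpnPorts | Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Warning "$($_.DisplayName) still allows Any remote address"
        }
    }
```

A rule that check 2 reports should get the same -RemoteAddress scope, or be disabled if RRAS does not need it on the public interface.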
