Windows Server 2012 - VPN Security?

Discussion in 'Networking & Security' started by DragonQ, Jan 11, 2013.

  1. DragonQ

    DragonQ Limp Gawd

    Messages:
    351
    Joined:
    Mar 3, 2007
    Hi everyone,

    I've been using a VPN to connect to my home network from elsewhere for a few months. It's set up as follows:

    • PPTP
    • Maximum Strength Encryption
    • EAP-MSCHAP-v2 Authentication
    Now I find out that MSCHAPv2 authentication has been broken and is no longer considered secure (even by Microsoft), so I want to change the protocol I'm using to make it secure.

    However, I've spent 3 hours now researching this and I cannot for the life of me figure out how to use a better protocol on my Windows Server 2012 home server. I've tried setting up PEAP authentication (still PPTP) a la Microsoft's recommendation document, but it requires a certificate. I've created a self-signed certificate but it seems I can't issue certificates (via this method) without being a member of a domain, so I'm stuck. I can't even get started with L2TP since I can't find the option for it.

    My question is this: Is there a way to set up a secure VPN server using Windows Server 2012 without a domain? If so, how do I do this?

    Thanks.
  2. DragonQ

    Alright, well after a lot of hair pulling I've managed to get L2TP working with a PSK, so no certificates involved:
    • L2TP with 256-bit PSK
    • Maximum Strength Encryption
    • EAP-MSCHAP-v2 Authentication
    I did this by enabling Network Policy Server, and creating a new rule that accepts incoming connections only if they are VPNs and use L2TP. Obviously user authentication happens after this. I also had to add a registry key to my Windows 8 client to allow an L2TP VPN connection to a VPN server behind NAT.

    Now, I'm still using MSCHAP-v2 authentication, but apparently it's still safe to use over L2TP (at least according to Microsoft). Since I can't find a single guide that actually tells me how to issue self-signed certificates to machines in a non-domain environment for use with L2TP, I can't go any further without help. :)
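Added example (not DragonQ's own commands or anything from Microsoft's guides): a PowerShell script for the Windows 8 client side that flags any remaining PPTP profiles, creates an L2TP/IPsec profile with a PSK, maximum encryption and MS-CHAPv2 as in the second post, and sets the NAT traversal registry value. The server address and PSK are placeholders, and it is an assumption that the registry value shown is the one the post refers to.

```powershell
# Added example, not code from the thread. Run elevated on a Windows 8 / Server 2012 client.
# Uses the built-in VpnClient module (Get-VpnConnection, Add-VpnConnection).

# Flag client VPN profiles that still use PPTP, the tunnel the first post wants to retire.
# Returns the offending profile names so the caller can act on them.
function Test-VpnProfiles {
    $weak = @()
    foreach ($c in Get-VpnConnection -ErrorAction SilentlyContinue) {
        if ($c.TunnelType -eq 'Pptp') {
            Write-Warning "$($c.Name): PPTP tunnel, MS-CHAPv2 exchange is exposed directly on the network"
            $weak += $c.Name
        }
        elseif ($c.TunnelType -eq 'L2tp' -and $c.EncryptionLevel -ne 'Maximum') {
            Write-Warning "$($c.Name): L2TP but EncryptionLevel is $($c.EncryptionLevel), not Maximum"
            $weak += $c.Name
        }
    }
    return $weak
}

# Create an L2TP/IPsec profile matching the second post: PSK, maximum encryption, MS-CHAPv2.
# $ServerAddress and $Psk are placeholders; the real values are not on the page.
function New-HomeL2tpProfile {
    param(
        [string]$Name = 'Home-L2TP',
        [string]$ServerAddress = 'vpn.example.invalid',    # placeholder
        [string]$Psk = 'REPLACE-WITH-A-LONG-RANDOM-PSK'      # placeholder
    )
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
        -TunnelType L2tp -L2tpPsk $Psk `
        -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum `
        -RememberCredential -Force
}

# Registry value Microsoft documents (KB 926179) so an L2TP/IPsec client can reach a
# server behind NAT; 2 = client and server may both be behind NAT. Takes effect after a reboot.
function Enable-L2tpNatTraversal {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    New-ItemProperty -Path $path -Name 'AssumeUDPEncapsulationContextOnSendRule' `
        -PropertyType DWord -Value 2 -Force | Out-Null
}

Test-VpnProfiles
New-HomeL2tpProfile
Enable-L2tpNatTraversal
```

With a PSK, anyone who learns the key can stand up a fake server and collect the MS-CHAPv2 exchange, so the key should be long, random and changed if the client device is lost.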