Windows Server 2012 - VPN Security?

DragonQ

Hi everyone,

I've been using a VPN to connect to my home network from elsewhere for a few months. It's set up as follows:

  • PPTP
  • Maximum Strength Encryption
  • EAP-MSCHAP-v2 Authentication
Now I find out that MSCHAPv2 authentication has been broken and is no longer considered secure (even by Microsoft), so I want to change the protocol I'm using to make it secure.

However, I've spent 3 hours now researching this and I cannot for the life of me figure out how to use a better protocol on my Windows Server 2012 home server. I've tried setting up PEAP authentication (still PPTP) a la Microsoft's recommendation document, but it requires a certificate. I've created a self-signed certificate but it seems I can't issue certificates (via this method) without being a member of a domain, so I'm stuck. I can't even get started with L2TP since I can't find the option for it.

My question is this: Is there a way to set up a secure VPN server using Windows Server 2012 without a domain? If so, how do I do this?

Thanks.
 
Alright, well after a lot of hair pulling I've managed to get L2TP working with a PSK, so no certificates involved:
  • L2TP with 256-bit PSK
  • Maximum Strength Encryption
  • EAP-MSCHAP-v2 Authentication
I did this by enabling Network Policy Server, and creating a new rule that accepts incoming connections only if they are VPNs and use L2TP. Obviously user authentication happens after this. I also had to add a registry key to my Windows 8 client to allow an L2TP VPN connection to a VPN server behind NAT.

Now, I'm still using MSCHAP-v2 authentication, but apparently it's still safe to use over L2TP (at least according to Microsoft). Since I can't find a single guide that actually tells me how to issue self-signed certificates to machines in a non-domain environment for use with L2TP, I can't go any further without help. :)
 
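The client-side half of the setup described in the post above (the NAT-T registry value and an L2TP/IPsec connection with a pre-shared key and MS-CHAPv2 user authentication), as an added PowerShell example for a Windows 8 client; this is not code from the original thread. The connection name `HomeL2TP`, the server address `vpn.example.home` and the `HOME_VPN_PSK` environment variable are assumptions. Run it in an elevated PowerShell session. The point of moving from PPTP to L2TP/IPsec is that the MS-CHAPv2 exchange then happens inside the IPsec-protected tunnel instead of on the wire, so a capture of the handshake is no longer enough to attack the password.

```powershell
# Added example (not from the original thread): Windows 8 client setup for an
# L2TP/IPsec VPN with a pre-shared key, matching the server configuration in the post.
# Assumptions: server reachable as vpn.example.home (hypothetical), PSK supplied via the
# HOME_VPN_PSK environment variable so it does not end up in the command history.

$ConnectionName = 'HomeL2TP'            # hypothetical connection name
$ServerAddress  = 'vpn.example.home'    # hypothetical server address
$Psk            = $env:HOME_VPN_PSK     # assumption: PSK provided out of band

# A PSK shared by every client is the only thing protecting the IPsec negotiation,
# so refuse to proceed with a short or empty one.
if ([string]::IsNullOrWhiteSpace($Psk) -or $Psk.Length -lt 32) {
    throw 'Set HOME_VPN_PSK to a long random pre-shared key (32+ characters) before running this.'
}

# 1. Allow IPsec NAT traversal to a server behind NAT. Windows clients refuse to
#    negotiate IPsec with a NAT-ed server unless this value is set (Microsoft KB 926179):
#    1 = server behind NAT, 2 = both client and server behind NAT. Needs a reboot.
$PolicyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $PolicyAgent -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# 2. Create the connection: L2TP tunnel keyed with the PSK, MS-CHAPv2 user
#    authentication inside the IPsec-protected tunnel, maximum encryption strength.
#    Credentials are deliberately not cached on the client.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum `
    -RememberCredential:$false -Force

# 3. Verify the result instead of trusting it: the connection must not have ended up
#    as PPTP or with a weaker encryption level than intended.
$vpn = Get-VpnConnection -Name $ConnectionName
if ($vpn.TunnelType -ne 'L2tp' -or $vpn.EncryptionLevel -ne 'Maximum') {
    throw "Unexpected settings: TunnelType=$($vpn.TunnelType) EncryptionLevel=$($vpn.EncryptionLevel)"
}
$vpn | Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

Write-Host 'Reboot so the PolicyAgent change takes effect, then connect with:'
Write-Host "  rasdial `"$ConnectionName`" <username> *"
```

The `rasdial ... *` form prompts for the password interactively rather than taking it on the command line. On the server side this pairs with the NPS network policy the post describes (conditions: NAS Port Type = Virtual (VPN), Tunnel Type = L2TP), so a client that tries to fall back to PPTP is rejected before user authentication starts.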