VPN
squidw, 2020-04-15 17:14:35

How to connect remote users via VPN correctly?

I more or less know how to build a VPN setup with Mikrotik + L2TP/PPTP, and to a lesser extent OpenVPN.
The VPN is installed on colleagues' home PCs to access enterprise resources. In 99% of cases the colleagues' home PCs run Windows of varying vintage, from XP to 10. The resources they connect to differ from person to person: RDP, network shares, web resources. I'm not sure about some of the things I'm setting up:
- In particular, I understand what the "remote desktop gateway" setting means in theory, but I don't understand it in practice. As far as I understand, a more or less advanced user can enable the remote desktop gateway setting on his computer and drive his traffic through the office gateway (Mikrotik). That should not happen. How do I cut this off?
- Second point. When a user connects to the VPN, on the Mikrotik side I allow specific users to reach only the specific resources they need, with narrow firewall rules. On the remote user's side, to reach the resources, the route has to be added either in the Windows routing table (route add) for L2TP/PPTP, or, for OpenVPN, with a route directive in the client's *.ovpn config. I'm not sure it should be like this. My thinking is that when connecting to the VPN, a VPN user should automatically get access to the necessary enterprise resources, without manually adding routes on the client side. In theory Mikrotik should push the routes to the VPN client, and I have a feeling I'm building a kludge.


3 answer(s)
nApoBo3, 2020-04-15
@nApoBo3

Routes on the VPN client are a headache for Mikrotik admins. It doesn't know how to do this properly, because it has no full-fledged DHCP setup inside the VPN. On some forums people write that they managed to forward an external DHCP to VPN users, but those are kludges (and I'm not sure they work).
Routes on the client side (Windows) can be set in several ways.
In Windows 10 there is a special parameter on the VPN connection for this purpose, set through PowerShell (you can create the connection with this parameter right away in a script).
In Windows 7 you can configure (by hand, though; a user won't be able to do it) a trigger on the VPN connection that does the route add.
There is also CMAK, a package from Microsoft for building preconfigured connections as an installer. It can do this too, but the result is very buggy, plus it needs administrator rights every time you connect.
And another more or less decent way is classful routing: for example, with a VPN tunnel addressed in a network like 10.x.x.x, Windows itself will register a route for the 10.0.0.0/8 subnet onto this connection.
The last option is the most convenient if you have a 10.x.x.x network,
or OpenVPN, with a ready-made config for the client.
But personally I don't like OpenVPN. It is extra software, and pings over it are often much worse.
For Windows clients SSTP is best; L2TP/IPsec is the more universal option.
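As an added example, not code from the question or from any of the answers: the Windows 10 PowerShell approach mentioned above, creating an L2TP/IPsec connection with split tunnelling so the office never becomes the client's default gateway, and attaching the office routes to the connection object so they are installed on connect without a manual route add. The server name, PSK and subnets are placeholders.

```powershell
# Added example: split-tunnel L2TP/IPsec connection on Windows 10 with the office
# routes bound to the connection. Server, PSK and prefixes are placeholders.
$ConnName = 'Office VPN'
$Server   = 'vpn.example.com'           # placeholder: public address of the Mikrotik
$Psk      = 'REPLACE-WITH-IPSEC-PSK'    # placeholder: the L2TP/IPsec pre-shared key

# Only these destinations go into the tunnel; everything else stays on the home ISP.
$OfficeRoutes = @(
    '10.20.30.0/24',                    # placeholder: RDP hosts and file shares
    '10.20.40.10/32'                    # placeholder: a single internal web resource
)

# -SplitTunneling is the scripted equivalent of unticking "Use default gateway on
# remote network": the office does not become the client's default route, so the
# user's Internet traffic is not pushed through the Mikrotik.
Add-VpnConnection -Name $ConnName `
    -ServerAddress $Server `
    -TunnelType L2tp `
    -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -SplitTunneling `
    -RememberCredential `
    -Force

# Bind the routes to the connection. Windows adds them each time the tunnel comes up
# and removes them when it drops; no "route add" and no admin rights at connect time.
foreach ($prefix in $OfficeRoutes) {
    Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $prefix
}

# Verify: SplitTunneling must be True and every office prefix must be listed.
$vpn = Get-VpnConnection -Name $ConnName
$vpn | Select-Object Name, TunnelType, SplitTunneling
$vpn.Routes | Select-Object DestinationPrefix, RouteMetric
```

Run this as the user who will use the connection (add -AllUserConnection to both cmdlets for a machine-wide profile). The Mikrotik side still needs the per-user firewall rules described in the question; the client routes only decide what enters the tunnel, not what the server permits.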

Viktor, 2020-04-16
@awsswa59

Pros and cons of OpenVPN.
Pros of OpenVPN:
The connection recovers on its own after a drop.
You can push routes to clients.
Cons of everything else:
The connection does not recover on its own after a drop.
You cannot push routes to clients.

Vladimir, 2020-04-23
@Yumashka

Thought 1: OpenVPN is fine. I myself work on a remote computer at 1920x1080x16bit and feel no discomfort; sometimes I get cheeky and go up to 32 bits. All fine.
Thought 2:
I have more than 50 people working remotely via OpenVPN + RDP, 20-30 connected at the same time, at resolutions from 1366x768 to Full HD (they use full screen, so it all depends on what laptop or monitor they have). Discomfort only for those on frankly awful Internet, and only in some applications (Adobe Reader, for example, when they get sent scanned PDFs).
Everyone sets it up themselves from the instructions we provide plus the config file. Even ordinary office workers, ordinary secretaries and humanities teachers. The main job is to write the instructions and send people all the necessary files. The config file goes to their e-mail in an encrypted archive; the archive password is sent by SMS to their phone.
Thought 2b:
If people didn't keep a pile of junk on their D: drives, I'd put everyone on a terminal server, with the required number of licences at that. All roaming profiles and home folders on the server are mapped to X:. But people don't learn, even from the example of one unfortunate woman whose ransomware sent 10 GB of rubbish from 10 years of work on D: into oblivion. Yes, I have centrally managed KES, but it was a zero-day plus sawdust in the user's head, despite regular training.
Thought 3:
Since users work from home computers, where they are gods and kings (unlike the office, where everything is locked down), in theory the whole network can be attacked from any remote computer. So the VPN + RDP scheme is not that great. In general, I sleep uneasily.
Thought 3b:
To tighten the screws, the next step is a file for each VPN user in the staticclients folder on the OpenVPN server (one file per user, which also controls who can and cannot connect), in which that user's assigned address is written. And the firewall rules say that access from a given VPN address is allowed only to a given IP inside the network (the user's computer).
And additionally we enable SRP on all remote computers.
Thought 3c:
(still thinking it over and weighing it up) The next step is to hand all remote workers a KES + agent package to install on their home computer. At least some control over their machines.
