Answer the question
In order to leave comments, you need to log in
How to set up VPN access to a server with Win Server 2012 on the local network?
Hello dear reader!
Background:
There is an enterprise network for ~ 20 computers and two servers. At the entrance is a TP-LINK TL-R480T + router, then a D-Link DES-1210-28P / C1A switch, on which, in fact, the network is organized. This network is configured with VPN access, the VPN server is a regular Linux PC. The boss and the accountant use the configured VPN access, the functionality is the same for them. The VPN server was configured "someone once", no one knows how it works, and I would not want to touch it yet.
The network has a server on windows server 2012, on which a 1C programmer works remotely. It so happened that this server turned out to be unnecessary, so nothing else happens on it. Based on this, to ensure minimal security, on the switch, this server was separated from the rest of the network using a VLAN, and then by forwarding port 3389 to the server on the router, we configured RDP to this server for the programmer.
Problem:
We would like to make remote programmer access to our server more secure than just password-protected Windows users. For these purposes, we want to organize another VPN tunnel. As is clear from the essence of my question, we are not professionals at all, so we need the most easy-to-configure solution. Also, the solution should involve minimal settings on the client side: everything should be configured with the built-in Windows tools.
Minimum objective:
To make programmer's remote access to our server more secure than password-only protection of the user in Windows.
Maximum task:
Stop using a Linux PC as a VPN server and replace it or our TP-LINK TL-R480T+ router with another device on which to organize two VPN tunnels with different rights: one for the authorities with full access to the entire network, and the second for 1C programmer with access to only one computer (in this case, the server on which he works). At the same time, we could refuse to separate this server from our network using VLANs and get easy access to it within the network.
Our options:
1. Raise a VPN server on the server itself with Win Server 2012, to which the programmer connects, only to access himself. From articles on the Internet on this issue, we understood that it is possible to raise a VPN server on Win Server 2012, but it is not clear whether it can be raised to access itself. We assume that this can be implemented by specifying only the IP address of the server itself in the pool of issued addresses to clients.
Questions:
- Can I raise a VPN server on Win Server 2012 to access myself?
- Is it possible to set up different pools of issued addresses to clients for different users with this implementation option? That is, is it possible to provide access only to the server itself for the user "Programmer" and access to the entire network for the users "Head" and "Accountant"
- What ports on the router need to be forwarded to implement this method? The connection to the server is supposed to be via RDP.
2. Put a router on the network between the switch and the server for the programmer. We could forward the ports on the router to the router, and raise the VPN on the router itself. In this way, we would provide VPN access to the destination server, apparently with double port forwarding. At the same time, we would not touch the settings of the server itself, and if necessary, we could simply remove the router from this scheme.
Questions:
- In this case, we only understood how to set up a VPN on a router, but it is not clear how to implement our scheme, which ports to forward.
- As far as we understand, in this way you can only set up a VPN tunnel to the server for a 1C programmer, that is, only solve the minimum task?
3. Replace the Linux PC we use as a VPN server with some specialized device on which we could organize two VPN tunnels with different rights: access to only one computer for the programmer and access to the entire network for the boss and accountant .
Questions:
- Probably, we are looking for it incorrectly, but we did not find specialized devices for these purposes. Perhaps you know such a device?
- Of course, it is completely incomprehensible how to set up this device.
4. Replace our TP-LINK TL-R480T+ router with another router that can receive two WANs (we have two Internet providers) and can raise two VPN servers or a VPN server with different access rights. Since we need an easy-to-configure device, we looked after TP-LINK TL-ER6020 , but it’s completely unclear if he can set up a VPN server with different access rights.
Questions:
- Please advise an easy-to-configure router that can receive two WANs and can raise two VPN servers or a VPN server with different access rights.
- Tell me how to set it up. Perhaps there is an interface emulator for it, like the TP-LINK TL-ER6020 described above ?
Perhaps there is another, simpler or correct solution to our problem?
We would be grateful for any hint or tip :)
In any case, thanks for reading this long essay!
Answer the question
In order to leave comments, you need to log in
hire a TPlink sysadmin
, you can replace it with Mikrotik, if you manage to set it up,
but in general - make 1 vpn server, and then delimit routes to anyone where you can ... it's not the task of the vpn server to differentiate access
the task of the vpn server is to allow you "inside" the local network,
then you can drive the programmer and a server in 1 vlan, in a separate one, for example...
You can insert pfsense instead of your tlink, it can do a lot of things and two providers and several vpn and a firewall are there and they can do vlans, that's enough. According to vlans, it can also be configured according to the "router on a stick" scheme, pfsense can also divide vlans in an asymmetric way or acl. And leave the machine with Linux and raise the guacamole server on it by forwarding the rdp connection to pfsense (it will be just a page in the browser with a login and password that will pass to the 1C server) and leave the vpn on the same pfsense for the authorities.
Throw Wireguard to the programmer and don't touch anything else. In general, what's the point of having a completely isolated server? Let him program at home...
One of the simple options can be:
- Installing an OpenVPN server on a machine with WS2012, and connecting a user to it, you will need to forward the port for the OpenVPN server, similar to 3389, but later, after configuring OpenVPN, port 3389 can be closed.
Hire professionals.
By any advice from here - you can't guarantee that it's set up the way it says in your specs.
There are two simplest options:
1. Raise any VPN on the server "windows server 2012, on which the 1C programmer works remotely", forward the port on which the VPN server listens to TPLink.
2. Limit RDP port forwarding inside only for the ip address / subnet of the 1C programmer provider.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question