The Internet is Infected! The Ultimate Cyber Security Guide for Small Business and Home Computing!

If you find the information on this blog valuable you will find my upcoming three volume cyber security books infinitely more so! Visit my website at http://thatcybersecurityguy.com. My 8 years of research and 900 written pages are about much more than just cyber security as my writing presents valuable small business and general home computer knowledge. Visit me on Twitter @ThatCyberSecGuy. See the ACLU video "Invasion of the Data Snatchers" at YouTube to understand why you need my books and PDF files on the infected Internet.


Sunday, February 5, 2017

How to Setup your Windows 10 Pro VPN Client to use at Hotspots and behind firewalls Everywhere


Things are getting exciting now that two thirds of the SOHO VPN pie is complete: the router and the Windows 10 server configurations are done. What remains is to configure the client as an outgoing VPN connection. Be sure to read all of this blog entry, because things get a little tricky. Have your ISP-assigned public IP address handy; you can get it by logging into your router or by opening Microsoft Edge and searching for "What is my IP?". You will need it later, when the client is used from outside your own network.

Now things get really cool, as we are going to configure a local VPN client to test everything out. Testing from inside the LAN takes the router out of the picture as a possible point of failure before we venture out onto the WAN and use infected hotspots.

  • Bring up the Network and Sharing Center by typing Network and Sharing in the Type or talk box.
  • Select Set up a new connection or network > on the Choose a connection option screen choose Connect to a workplace (Set up a dial-up or VPN connection to your workplace), Next.
  • On the How do you want to connect? screen select Use my Internet connection (VPN) (Connect using a virtual private network (VPN) connection through the Internet).
  • On the Type the Internet address to connect to screen enter the VPN server's local IPv4 or IPv6 address (I prefer IPv6); leave everything else at the default value.
  • Click on the Create button at the lower right.

Now let us test everything out to see if it is working locally. Bring up the Network and Sharing Center and click on the Change adapter settings link on the left > double click on VPN Connection (WAN Miniport (IKEv2)) > on the VPN screen that opens, click on VPN Connection, the default name we accepted. NOTE: We could have gotten here by just typing VPN in the Type or talk box. Click on the Connect button > this brings up the Sign in screen, where you enter the username and password you configured on the server > you will see Verifying your sign-in info and now you are done. OR NOT! This is the tricky part I described earlier.
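The same connection can be created and dialed from PowerShell, which is handy because rasdial reports the raw RAS error number that the Sign in screen hides behind a friendlier sentence. This is an added example, not part of the original post: the server address is a placeholder, and pinning the tunnel type to PPTP (the protocol the server post opens port 1723 for) is my choice, so the client does not first try the IKEv2 and L2TP tunnel types the wizard's default Automatic setting walks through.

```powershell
# Added example: create the outgoing VPN connection from PowerShell and test it
# from inside the LAN. The server address is an assumption (your server's LAN
# IPv4 or IPv6 address); the connection name matches the wizard's default.
$name   = 'VPN Connection'
$server = '192.168.1.50'   # LAN address of the Windows 10 Pro VPN server (placeholder)

# -Force replaces an existing connection of the same name without prompting.
# EncryptionLevel Required refuses to fall back to an unencrypted tunnel.
Add-VpnConnection -Name $name -ServerAddress $server `
    -TunnelType Pptp -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -RememberCredential -Force

# Confirm what was stored: TunnelType and EncryptionLevel are the two settings
# that matter when the "attempted VPN tunnels failed" message shows up.
Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod

# Dial it with the account created on the server. rasdial prints
# "Command completed successfully." or the numeric RAS error (for example 720).
# The password is passed on the command line here, so do this interactively,
# not from a saved script.
$cred = Get-Credential -Message 'VPN user configured on the server'
rasdial $name $cred.UserName $cred.GetNetworkCredential().Password

# A working tunnel shows up as an interface named after the connection with an
# address from the server's pool; then hang up.
Get-NetIPAddress -InterfaceAlias $name -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, IPAddress
rasdial $name /disconnect
```

Once the local test passes, the only change for use from a hotspot is the ServerAddress: your ISP-assigned public IP (or the dynamic DNS name mapped to it) instead of the LAN address.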



Suddenly we see: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel the security parameters required for IPsec negotiation might not be configured properly. Whoa, what happened? Everything you have read says this should have worked! It is a great thing we tested our VPN connection behind our firewall on the LAN. When you look at the event log on the server side you might see something like, Event ID 20171: Failed to apply IP Security on port VPN3-0 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. No calls will be accepted to this port.



Correction step 1 is to reboot your VPN server and try again. If that does not work, disable the Windows 10 firewall and reboot again. When you then try to connect your client again you may see: Can't connect to VPN Connection, A connection to the remote computer could not be established. You might need to change the network settings for this connection. WOW! Well, we have made progress, but now we have a different error. Looking at the server event logs again we get Event ID 7023, The Connected Devices Platform Service service terminated with the following error: Unspecified error; or RoutingDomainID- {00000000-0000-0000-0000-000000000000}: CoId={3F6A5694-A54B-4F8D-A7F3-204DC42D8442}: The user ASUSCROSSHAIRV\kirk connected to port VPN4-1 has been disconnected because no network protocols were successfully negotiated.
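Rather than scrolling through Event Viewer after every failed attempt, the events quoted above can be pulled straight from the System log. This is an added example and not part of the original post; Event IDs 20171 and 7023 are the ones shown above, and the text match for the "no network protocols were successfully negotiated" disconnect is my own way of catching that event, since the post does not give its ID.

```powershell
# Added example: list the server-side VPN events quoted in this post from the
# last few hours. Event IDs 20171 and 7023 come from the post; the provider
# names and the message pattern are assumptions used to catch related events.
function Get-VpnServerEvents {
    param([int]$Hours = 2)
    $filter = @{ LogName = 'System'; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Id -in 20171, 7023) -or
            ($_.ProviderName -in 'RemoteAccess', 'RasMan') -or
            ($_.Message -match 'no network protocols were successfully negotiated|port VPN\d+-\d+')
        } |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# On the server, right after a failed client attempt:
Get-VpnServerEvents | Format-Table -AutoSize -Wrap

# The client side of the same story lands in the Application log under the
# RasClient provider, including the numeric error the GUI paraphrases.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run the first command on the server and the second on the client after each attempt; reading both sides together is what turns "tunnels failed" into a specific cause.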

You can beat your head against a wall searching for this error, but from my experience with Windows 7 this was error code 720, and the fix is to configure the VPN server to assign IP addresses to incoming VPN connections itself rather than relying on our router's DHCP. Pick a range inside your LAN subnet that the router's DHCP server does not hand out and that no device on your LAN is using.


On the VPN server right click on the Network icon on the desktop and arrow down to select Properties, which opens the Network and Sharing Center (or use Type and talk) > on the left menu click on Change adapter settings > right click on Incoming Connections and select Properties > click on the Networking tab at the top > double click on Internet Protocol Version 4 (TCP/IPv4) > tick Specify IP addresses and type a range of IPv4 addresses that will not be assigned to devices on your local network, OK. (Keep your ISP-assigned modem IP address written down as well; the client will need it later to connect from outside.)
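Before typing a range into that dialog it is worth proving that it really is free. The following is an added example, not from the original post: it checks that a candidate pool lies inside the subnet the server's LAN interface is on (the server has to answer for those addresses on behalf of VPN clients) and that nothing currently responds on them. Whether the range overlaps the router's DHCP pool still has to be checked in the router's own DHCP settings; the addresses used are placeholders.

```powershell
# Added example: sanity-check a candidate static pool for Incoming Connections.
# Addresses are placeholders; the LAN interface is detected as the one with an
# IPv4 default gateway (assumption that fits a single-NIC SOHO server).
function ConvertTo-IPv4UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                        # network order -> little-endian
    [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-IPv4UInt32 ([uint32]$N) {
    $b = [BitConverter]::GetBytes($N)
    [Array]::Reverse($b)
    [System.Net.IPAddress]::new($b).ToString()
}

function Test-VpnPoolRange {
    param(
        [Parameter(Mandatory)][string]$First,
        [Parameter(Mandatory)][string]$Last
    )
    $lan = Get-NetIPConfiguration |
        Where-Object { $_.IPv4DefaultGateway -and $_.IPv4Address } |
        Select-Object -First 1
    if (-not $lan) { throw 'No LAN interface with a default gateway found.' }
    $lanIp  = $lan.IPv4Address[0].IPAddress
    $prefix = $lan.IPv4Address[0].PrefixLength
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    $net    = (ConvertTo-IPv4UInt32 $lanIp) -band $mask

    $lo = ConvertTo-IPv4UInt32 $First
    $hi = ConvertTo-IPv4UInt32 $Last
    if ($lo -gt $hi) { throw "$First is above $Last." }
    if ((($lo -band $mask) -ne $net) -or (($hi -band $mask) -ne $net)) {
        throw "Range is not inside $lanIp/$prefix; the server cannot answer for it."
    }

    # Ping each address and consult the ARP cache; either hit means "in use".
    $busy = @()
    for ($n = $lo; $n -le $hi; $n++) {
        $addr  = ConvertFrom-IPv4UInt32 ([uint32]$n)
        $alive = Test-Connection -ComputerName $addr -Count 1 -Quiet -ErrorAction SilentlyContinue
        $arp   = Get-NetNeighbor -IPAddress $addr -ErrorAction SilentlyContinue |
                 Where-Object { $_.State -in 'Reachable', 'Stale', 'Delay', 'Probe', 'Permanent' }
        if ($alive -or $arp) { $busy += $addr }
    }
    [pscustomobject]@{
        Range  = "$First-$Last"
        Subnet = "$(ConvertFrom-IPv4UInt32 $net)/$prefix"
        InUse  = $busy
        Usable = ($busy.Count -eq 0)
    }
}

# Ten addresses at the top of a typical /24, chosen purely as an illustration.
Test-VpnPoolRange -First 192.168.1.240 -Last 192.168.1.249
```

A device that is powered off or blocks ping will not show up, so treat Usable = True as "nothing obvious", and still exclude the range from the router's DHCP scope so it cannot be handed out later.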

Now that we have everything working, click on your client VPN network adapter and use the advanced settings so your connection details are filled in with a simple point and click of the mouse. Open Change Adapter Settings > double click on VPN Connection > click on the Advanced options button in the middle to add your connection information.

We are done, right? Well, not really, because we disabled the Windows 10 Pro firewall and rebooted our VPN server. Every service on that machine, not just the VPN, is now wide open to crackers. You can test this by enabling your firewall again and rebooting your VPN server: you will see the The remote connection was not made because the attempted VPN tunnels failed... error message again. Therefore, we have to figure out how to allow our VPN client through our Windows 10 Pro firewall.

More to come...

How To Setup your Windows 10 VPN Server behind your Router Hardware Firewall

Reading the previous blog entry about port forwarding, we have opened up a security hole that now routes traffic to our Windows 10 Pro server behind our firewall. Crackers know this is port 1723 and will scan for it being open on your router. If you watch your router logs you will be surprised at how many attempts are being made to break into your network. I know you are a little fish, but crackers consider little fish ripe targets! This raises the question of whether a PAID service might not be a better solution for your small business. Opening up holes in a Windows 10 Pro server that is super important to your business might not be a good idea, and the PPTP protocol behind port 1723 authenticates with MS-CHAPv2, which has known cryptographic weaknesses, so a long, random password on the VPN account is the least you should do. Right now everything is OK because your VPN server is not listening, but we are about to change that.

In our first post I highly encouraged you to watch Eli the Computer Guy's video on what a VPN is and how it works. You may discover that doing your own VPN is not going to work for a variety of reasons, which he describes very well. (See: https://www.youtube.com/watch?v=q4P4BjjXghQ) For example, your ISP upload speed is very important if you are going to set up, use and manage your own VPN, because everything you do through the tunnel travels out of your home connection. Before we punch a hole in our SOHO local network and computer server, make sure your setup and ISP speed are good enough for a Windows 10 Pro VPN.

Another thing to consider is server uptime and power costs. When you, an employee or a family member are traveling, everything has to be powered up and working. Not to mention that your ISP can change your modem IP address at any time, rendering all your hard work moot unless you pay for a dynamic DNS service. A paid dynamic DNS service maps a domain name to your modem and updates the IP as your ISP changes it, making sure you can always connect to your network. Of course, if you have a computer-savvy person you can contact, they can tell you the new ISP-assigned address by simply typing "What is my IP address?" in the Type or talk to search box and giving it to you over the phone, or by logging in to your router and viewing it there. (See: http://dyn.com)

Therefore, once you have evaluated your needs and have determined that you want to configure and manage your very own Windows 10 Pro VPN, read on. For example, in my case I only need a VPN occasionally while traveling or visiting a customer. I mostly use it at hotspots to keep my laptop safe, or to bypass a firewall or proxy so I can do things on my home network that are not allowed where I am. Paying for a monthly VPN service does not make sense for my business and personal needs. If you are a visual person, watch this How To VPN YouTube video, which is excellent. (See: https://www.youtube.com/watch?v=6ZCiXx6KYtA)

On your VPN server, if you have not already done so, you will need to set up a standard user with very limited privileges. In my book I detail how to do this on all your Windows 10 computers, because you should use a standard user ID when venturing out onto the infected Internet. You can skip the following and go down to Change Adapter Settings, but you should learn how to create a standard user the non-VPN way.

Click in the lower left Type or talk to search box and type user > click on User Accounts Control Panel > select Manage another account > click on Add a new user in PC settings > under Other people click on the + sign to Add someone else to this PC. Another method you can employ is to type Settings > click on Accounts > click on Family & other people > click on the + sign to Add someone else to this PC.

From here there are several ways to add a user, and the default walks you into creating a Microsoft account, which is the most privacy-invasive option. To bypass all that and just add a local user, which is all you need:

  • At the bottom of the page, select I don’t have this person’s sign-in information, and at the bottom of the next page, select Add a user without a Microsoft account.
  • On the Create an account for this PC screen, enter a user name, password, and password hint, and then select Next. You're done!

You are now ready to set up your VPN server to use this account to connect to and tunnel into your local network. As I said, you could just start here: as you can see from the screenshot, the Add someone... button at the bottom accomplishes everything we detailed above, but then you wouldn't have learned how to add a Windows 10 user the standard way. You can also do this using Computer Management, which is where you should check what types of users exist on your PC. In the Type or talk box type Computer Management and open the app > click on Local Users and Groups > under Name on the right double click on Users > right click on any user and select Properties, then look at the Member Of tab to see how much power the account has. (See: http://www.howto-connect.com/windows-10-create-local-user-account-group-view)
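The same account can be created, and its lack of administrative rights proven, from PowerShell with the LocalAccounts module. This is an added example rather than the post's own procedure; the user name is a placeholder, and the explicit Users group membership is there because New-LocalUser, unlike the Settings screen, does not put the new account in any group on its own.

```powershell
# Added example: create the limited local VPN account and verify it is a
# standard user before it is granted dial-in access. The user name is an
# assumption; pick your own.
$vpnUser = 'vpnuser'
$pw = Read-Host -AsSecureString -Prompt "Password for $vpnUser (long and random)"

New-LocalUser -Name $vpnUser -Password $pw -Description 'VPN dial-in only' `
    -AccountNeverExpires

# New-LocalUser leaves the account in no group at all; Users is what makes it
# show up as a "standard user" and lets it log on.
Add-LocalGroupMember -Group 'Users' -Member $vpnUser

function Test-IsStandardUser ([string]$Name) {
    # Get-LocalGroupMember reports names as COMPUTERNAME\user.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    -not ($admins -contains "$env:COMPUTERNAME\$Name")
}
Test-IsStandardUser $vpnUser   # True for the account just created

# The audit the Computer Management walk-through does by hand: who exists, and
# who is an administrator on this server.
Get-LocalUser | Select-Object Name, Enabled, PasswordLastSet, LastLogon
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Run Test-IsStandardUser again after the Incoming Connections wizard, so you can be sure the account you ticked for VPN access is still the limited one.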

Open the Network and Sharing Center by typing Network and Sharing in the Type or talk box > select Network and Sharing Center, or go to your desktop > right click on the desktop Network icon > arrow down to select Properties at the bottom of the menu.
 

On the left menu click on Change Adapter Settings > (NOTE: by default the File menu is not visible; click on the Organize drop-down at the top left > arrow down to select Layout > check Menu bar) > click on the File menu and arrow down to select New Incoming Connection... > the Allow connections to this computer dialog will appear.




  • Under User accounts on this computer: select the user(s) that you want to have access to your Windows VPN server, Next. (Warning:  Make sure the accounts you select are NOT administrative accounts). 
  • In the next dialog leave Through the Internet checked, Next > the next dialog asks which types of networking you want to allow incoming connections for > leave Internet Protocol Version 4 (TCP/IPv4) selected. Check Internet Protocol Version 6 (TCP/IPv6) only if your ISP and router actually deliver IPv6 to your LAN (it may need to be enabled on the router); an enabled protocol that nothing uses is just one more thing exposed, the same rule applied to the extra services below. Otherwise let's keep things simple and go with the defaults.

Windows also selects File and Printer Sharing for Microsoft Networks and QoS Packet Scheduler by default. File and Printer Sharing allows VPN connections to access shared files and printers on your network, and QoS prioritizes network traffic, which helps when streaming video or playing music through a VPN connection. As we discussed in detail in my book, QoS provides an intelligent allocation of bandwidth between applications, so if you do not plan to use your VPN connection to stream or play music, disable it; the same holds true for File and Printer Sharing. Any service you enable that is not needed is a security hole that can be exploited.
  • Click on the Allow Access button at the bottom and your VPN server will now allow incoming connections > the next screen displays your Computer name: xxxxxxx and suggests you will need it to connect, so write it down > Close. Note that the computer name only resolves from inside your LAN; from a hotspot, clients connect to your ISP-assigned public IP address or the dynamic DNS name mapped to it. You may have to refresh the window by right clicking on the white space and selecting Refresh for the new connection to show up.

WARNING

Any time you go mucking around with your network settings things can go wrong. If you lose your network connection, try a System Restore back to the last restore point taken before you started.

If you right click on the Incoming Connections icon that you just created and select Properties you will see three tabs at the top titled General, Users and Networking. On the General tab make sure that, under Virtual private network, Allow others to make private connections to my computer... is checked > on the Users tab check the users you are going to allow to connect > then decide how they may connect: keep Require all users to secure their passwords and data checked, which refuses unencrypted sessions, and leave Always allow directly connected devices such as handheld computers to connect without providing a password unchecked.

Above is the bare minimum you should do to ensure the security of your VPN server. If you want to cut down the noise from automated tools, consider creating a port forwarding rule that forwards a random "external port" to the "internal port" 1723 that the Windows VPN server is listening on. This hides you from scanners that only try the default port, but it is obscurity, not protection: anyone who finds the port still faces only your account password, so keep that strong.

In my book's chapter on how to set up your router, we went into detail about how to lock down your local area network. We did things such as only allowing wireless devices with known MAC addresses to connect to your router, disabling SSID broadcast, and much more. If you know you will be using the same hotspot with a static IP address, you can restrict connections to that specific address. On a router with the feature, log in as 'admin' > click on the Advanced tab > on the left expand Advanced Setup and select Remote Management > check Turn Remote Management On and enter the IP addresses allowed to reach the router's management interface from the outside; note that this setting governs the router's admin pages, not the forwarded VPN port. To limit who can reach the VPN server itself, use the server's firewall rules to only allow connections from specific IP addresses.

Now you need to set up your Windows 10 Pro VPN server's firewall to accept connections on port 1723 (and, because this is PPTP, GRE traffic, IP protocol 47, which carries the tunnel itself). The website http://www.thewindowsclub.com/configure-vpn-connection-windows has an excellent description of how to do this, but you will miss all the fun with cryptic Windows error messages getting your VPN client working... just kidding. After all, why go through all that pain when you have ThatCyberSecurityGuy, LLC to plow the road for you.

At this point I suggest you temporarily disable your Windows 10 Pro server firewall and make sure you can establish a local client VPN connection behind your hardware firewall. In the client post we will cover all the things that can go wrong if you skip any of the steps I covered above.
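When the local test passes, the firewall should go back on with rules for the VPN rather than staying off. The following is an added example, not the post's own procedure, and it serves both this step and the "allow our VPN client through the Windows 10 Pro firewall" problem the client post ends on. It assumes the PPTP-on-1723 setup these posts describe; the hotspot address and server address are placeholders.

```powershell
# Added example: re-enable the Windows 10 Pro firewall on the VPN server with
# the two inbound allowances PPTP needs, optionally limited to one known site.
# 203.0.113.10 (a TEST-NET-3 documentation address) and 192.168.1.50 are
# placeholders for the hotspot's static IP and the server's LAN IP.

# 1. Windows already ships rules for this; inspect them before adding your own.
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' |
    Select-Object DisplayName, Enabled, Direction, Action, Profile

# 2. PPTP needs TCP 1723 for the control channel and GRE (IP protocol 47) for
#    the tunnel. A "random external port" on the router only remaps 1723; GRE
#    has no port number and must be forwarded and allowed as-is.
$known = '203.0.113.10'   # drop -RemoteAddress below if the hotspot IP changes
New-NetFirewallRule -DisplayName 'PPTP control (TCP 1723) from known site' `
    -Direction Inbound -Protocol TCP -LocalPort 1723 -RemoteAddress $known `
    -Profile Private, Public -Action Allow
New-NetFirewallRule -DisplayName 'PPTP tunnel (GRE) from known site' `
    -Direction Inbound -Protocol 47 -RemoteAddress $known `
    -Profile Private, Public -Action Allow

# 3. Turn the firewall back on for every profile and confirm inbound is still
#    blocked by default, so only the rules above let anything in.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 4. From the client, prove the control port answers before dialing.
Test-NetConnection -ComputerName 192.168.1.50 -Port 1723 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Test-NetConnection only exercises TCP 1723; a dial that authenticates and then drops with the protocol-negotiation error is the classic sign that GRE is being blocked somewhere, either by a missing rule here or by a router that does not pass protocol 47.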