How do I set up a VPN over SSTP with RRAS in Windows Server?
This is a real nightmare if you don't know what is going wrong. Hence this guide.
Install IIS and RRAS
In Server Manager, Manage → Add Roles and Features, check Remote Access and Web Server (IIS).
Under the Features pane, select Remote Server Administration Tools and all submodules, and under Remote Access Role Services, select DirectAccess and VPN and Routing.
Install wacs (win-acme) in, e.g., C:\WACS
https://github.com/PKISharp/win-acme
First, we must get RRAS set up.
Run rrasmgmt.msc.
Right click server → Configure → Custom Configuration → VPN Access & Demand-dial connections
Start the service
Right click the server → Properties
IPv4 tab, select static address pool and choose an appropriate IP range for VPN clients (e.g. 192.168.26.0 to 192.168.26.50)
Next, ensure that the Default Web Site host in IIS has an HTTPS binding, and that its Require Server Name Indication box is unticked: the host used for an SSTP VPN must not require SNI.
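A quick check for that binding requirement, added here as an example and not part of the original guide: it lists every HTTPS binding of the Default Web Site and flags any that has the SNI bit (bit 1 of sslFlags) set. The site name is the IIS default; adjust it if your SSTP host lives on another site.

```powershell
# Added check: confirm the Default Web Site has an HTTPS binding and that
# none of them requires SNI, which SSTP clients cannot negotiate.
Import-Module WebAdministration

$siteName = "Default Web Site"   # assumed; change if the SSTP host is another site
$bindings = Get-WebBinding -Name $siteName -Protocol https
if (-not $bindings) {
    throw "No HTTPS binding found on '$siteName'; SSTP needs one on TCP 443"
}

foreach ($b in $bindings) {
    # sslFlags bit 1 = "Require Server Name Indication"
    $requiresSni = ($b.sslFlags -band 1) -ne 0
    "{0,-30} SNI required: {1}" -f $b.bindingInformation, $requiresSni
    if ($requiresSni) {
        Write-Warning "SSTP will fail on $($b.bindingInformation): untick 'Require Server Name Indication' on this binding"
    }
}
```

Run it in an elevated PowerShell on the RRAS server after editing the binding; a clean run prints one line per binding with "SNI required: False" and no warning.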
To begin, we should get rid of any certificates for the VPN host.
$hostname = "vpn.company.com"
# -match takes a regular expression, so escape the dots in the hostname before matching the Subject
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match [regex]::Escape($hostname) } | Remove-Item
Typically, certificates for IIS are stored in the WebHosting certificate store. However, RRAS can only use certificates in the Personal certificate store, so the certificate must be placed in the Personal store explicitly. To do that, complete the additional steps below: create the .pfx file with a password so you can import it into your Personal store.
C:\WACS\wacs.exe --ocsp-must-staple
Double-click the .pfx file --> import it into the Personal store
Finally, set the RRAS SSTP certificate to the one we just imported (via the RemoteAccess PowerShell module or the GUI):
RRAS properties --> Security --> SSTP certificate binding
Let's Encrypt certificates expire every 3 months, so it's a good idea to run this script periodically from Task Scheduler, so that you are not faced with unexpected VPN outages.
Next, since RRAS doesn't start up by default on a machine boot, we should make it do so:
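The rebind script the previous steps describe, written out as an added example (it is not the guide's own script nor part of win-acme): it imports the password-protected .pfx into LocalMachine\My, removes older certificates for the same host so RRAS cannot pick a stale one, binds SSTP to the new certificate with Set-RemoteAccess, restarts the service and verifies the binding. The hostname, .pfx path and password are assumptions; the verification step assumes Get-RemoteAccess exposes the bound certificate as its SslCertificate property.

```powershell
# Added example: re-bind RRAS/SSTP to a freshly issued win-acme certificate.
# Run elevated on the RRAS server; schedule it to run after each renewal.
param(
    [string]$HostName    = "vpn.company.com",                 # assumed VPN host
    [string]$PfxPath     = "C:\WACS\vpn.company.com.pfx",      # assumed .pfx output path
    [string]$PfxPassword = "CHANGE-ME-pfx-password"           # placeholder, set when creating the .pfx
)

Import-Module RemoteAccess -ErrorAction Stop
$secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force

# 1. Import into the Personal (My) store; RRAS only sees certificates there.
$new = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation Cert:\LocalMachine\My -Password $secure

# 2. Remove older certificates for the same host (-match is a regex, so escape the dots),
#    keeping only the one we just imported.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($HostName) -and
                   $_.Thumbprint -ne $new.Thumbprint } |
    Remove-Item

# 3. Point SSTP at the new certificate and restart RRAS so the listener picks it up.
Set-RemoteAccess -SslCertificate $new
Restart-Service -Name RemoteAccess

# 4. Verify: the certificate RRAS reports must be the one we imported
#    (assumes Get-RemoteAccess exposes it as SslCertificate).
$bound = (Get-RemoteAccess).SslCertificate
if ($bound.Thumbprint -ne $new.Thumbprint) {
    throw "RRAS is bound to $($bound.Thumbprint), expected $($new.Thumbprint)"
}
Write-Host "SSTP now uses $($new.Subject), valid until $($new.NotAfter)"
```

Save it as, say, C:\WACS\Set-SstpCert.ps1 and either register it in Task Scheduler as described above, or have win-acme's own renewal task call it through its installation-script plugin so the rebind happens right after every renewal. The password parameter is a placeholder; in practice read it from a file with restricted ACLs rather than leaving it in the script.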
Open up Services
Find the Remote Access Connection Manager service, right-click → Properties → Startup type: Automatic
On the client, do not use the default gateway on the remote network:
Open the Network and Sharing Center, and click into Change adapter settings. Right-click the VPN connection you just created, and select "Properties". Switch to the Networking tab.
Select the Internet Protocol Version 4 (TCP/IPv4) list item, then click the Properties button. Click Advanced, and uncheck Use default gateway on remote network.
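The same client-side setup from PowerShell, as an added example rather than anything from the original guide: it checks that TCP 443 on the VPN host is reachable, creates the SSTP connection with split tunnelling (the equivalent of unticking "Use default gateway on remote network") and adds a route for the VPN client subnet so that only that network is reached through the tunnel. The connection name, server address and subnet are assumptions based on the pool used earlier in the guide.

```powershell
# Added example: create an SSTP client connection that does not become the
# default gateway. Run as the user who will use the connection (Windows 10/11).
$name   = "Company SSTP"          # assumed connection name
$server = "vpn.company.com"       # assumed VPN host
$subnet = "192.168.26.0/24"       # assumed remote subnet (matches the static pool above)

# SSTP runs over HTTPS, so the server must answer on TCP 443 before anything else works.
if (-not (Test-NetConnection -ComputerName $server -Port 443 -InformationLevel Quiet)) {
    throw "TCP 443 to $server is not reachable; SSTP cannot connect"
}

# -SplitTunneling is the PowerShell equivalent of unticking "Use default gateway on remote network".
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -SplitTunneling -RememberCredential -Force

# With split tunnelling the client needs an explicit route for the remote network.
Add-VpnConnectionRoute -ConnectionName $name -DestinationPrefix $subnet

# Verify: SplitTunneling should read True, meaning only $subnet goes through the VPN.
Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, SplitTunneling
```

If you later change your mind, Set-VpnConnection -Name $name -SplitTunneling $false re-enables the remote default gateway without recreating the connection.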
Troubleshooting:
VPN user must be allowed to dial in
Run mmc.exe
Add the Local Users and Groups snap-in from the File menu
Right-click your user account and select Properties
On the Dial-in tab, select Allow access under Network Access Permission
Network Policy Server must allow VPN connections
If you have NPS enabled, you will have to configure it to allow VPN connections.
In the NPS snap-in in mmc.exe → Advanced Configuration → Network Policies, set both policies relating to VPN connections to Grant access (they deny by default).
Host machine must be discoverable
Open up the Network and Sharing Center
Click Advanced sharing settings
Expand the Private and Guest or Public groups, and turn on Network Discovery and File and printer sharing on both
Note! You must renew the certificate every 3 months!