MS Windows 10: Always on VPN using an OPNsense as VPN server

[rainerle]

Hi,

for our home office users we would like to use Windows 10 Always On VPN. See here:
http://blog.tofte-it.dk/tutorial-deploy-always-on-vpn/ - This is the shortest explanation I have found compared to the Microsoft documentation.

So basically the Windows 10 Device is creating a device VPN tunnel based on a machine certificate authentication.

Is this possible with OPNsense?

Has anybody tried yet?

Best regards
Rainer

[mimugmail]

Use OpenVPN with Certificates and let it start as a service.
If your clients depend on internal DHCP, DNS etc. you could also use tap to bridge them in your LAN

https://strongvpn.com/autoconnect-windows-10-openvpn/

[rainerle]

Hi,

to solve this problem I changed our Windows PowerShell VPN Configuration script. I added the parameter -AllUserConnection and the users are able to log into the VPN before logging into their machine.

The file looks like this now:

Code: [Select]

## This is executed in the computers/system/administrator context
Remove-VpnConnection -Name "Contoso VPN" -Force
# If the Windows Logon is the same as the logon to the VPN you can use -UseWinlogonCredential - otherwise remove
# To allow connecting before logon add -AllUserConnection
Add-VpnConnection -Name "Contoso VPN" -ServerAddress "vpn.contoso.com" -EncryptionLevel "Required" -SplitTunneling -AllUserConnection -UseWinlogonCredential
# See https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
Set-VpnConnectionIPsecConfiguration -ConnectionName "Contoso VPN" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -DHGroup ECP256 -EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA256 -PfsGroup ECP256 -Force
# Split DNS
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName "Contoso VPN" -DnsSuffix "test" -DnsIPAddress "10.20.30.1"
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName "Contoso VPN" -DnsSuffix "contoso.com" -DnsIPAddress "10.20.30.1"
# DNS search domains - seems not to work
Set-VpnConnectionTriggerDnsConfiguration -ConnectionName "Contoso VPN" -DnsSuffixSearchList "service.prd.contoso.com","node.prd.contoso.com","service.dev.contoso.com","node.dev.contoso.com","node.tst.contoso.com","dc1.contoso.com","ad.contoso.com","muc.contoso.com" -Force
# Split Tunneling - See https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
# If there are further networks to be tunneled they have to be added here and this has to be executed again.
Add-VpnConnectionRoute -ConnectionName "Contoso VPN" -DestinationPrefix 10.0.0.0/8
Add-VpnConnectionRoute -ConnectionName "Contoso VPN" -DestinationPrefix 173.194.0.0/16
Add-VpnConnectionRoute -ConnectionName "Contoso VPN" -DestinationPrefix 64.233.160.0/19
Add-VpnConnectionRoute -ConnectionName "Contoso VPN" -DestinationPrefix 172.217.0.0/16
# To allow for using hostnames only
Set-DnsClientGlobalSetting -SuffixSearchList @("service.prd.contoso.com","node.prd.contoso.com","service.dev.contoso.com","node.dev.contoso.com","node.tst.contoso.com","dc1.contoso.com","ad.contoso.com","muc.contoso.com")

Before the users log in they have to press an extra Icon now on the bottom right and are then shown a VPN login screen. Since the credentials are the same they are automatically logged into their account on the machine as well. Logon scripts etc. are executed just like in the office now...

Best regards
Rainer