Windows Server: VPN Access [closed]



Currently I am running a Windows Server in a local network which is not accessible from Internet.
But I need to expand my business and need to move the server to a more powerful one which will be hosted on the Internet. Hosting locally is no longer possible due to the expansion.

The server will be a dedicated one which will act as a Domain Controller. Hyper-V is running and hosting a guest Windows Server which has its own public IP and serves Remote Desktop Services. Several programs can be accessed through Remote Desktop.

But that will not be a secure environment because RDS and the DC will be accessible through the Internet.

Would a VPN be a good solution? Where do I need to install the VPN server? Can I install it on the server which is serving RDS? Can the DC join this VPN so I can use it there?
The client should be connected as site-to-site VPN.

Can I improve anything?

My 2 cents?

Always use a VPN when you access remote resources.

I will always set up a firewall on a remotely hosted machine, where all incoming traffic is denied, with the notable exception being traffic bound for the VPN port.

The only other ports I would open are SMTP and IMAP if it is a mail server, and 80 and 443 if it is a web server.

The ports allowed in the firewall depend on the VPN software, for example:

  • 500/UDP and 4500/UDP for IPsec.
  • 1194/TCP or 1194/UDP for OpenVPN (depending on the service).
  • 51820/UDP for WireGuard.

The software you choose for your VPN depends on quite a few things, but mainly on how you want to integrate it into your existing setup.

That being said: from a purely bandwidth/speed point of view the preferred order is WireGuard, IPsec and finally OpenVPN.

If simplicity is the goal, well… steer clear of IPsec! You can do a lot with it, but it is not user-friendly.

As for authentication against the VPN server, there are several options, such as client certificates and/or login with username and password. It all depends on which kind of VPN software you want to use.

You may want to look into the "hub and spoke" architecture when you are designing your VPN. It is useful when you want communication between individual clients, as they can communicate with each other by using their VPN-assigned IP addresses.

It is even possible to do site-to-site routing between two subnets over the VPN connection.

Beware, though, as with all hosted traffic: you will have to monitor how much traffic is exchanged over the VPN, as hosted solutions usually come with a limit on how much data you are allowed to upload and download combined, and data sent from one client to another client counts twice, since it is simultaneously an upload and a download depending on which direction you are looking from.
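The default-deny firewall described in the answer above, written out for Windows Defender Firewall on the hosted Windows Server. This is an added example, not code from the original question or answer. It assumes WireGuard on 51820/UDP (swap in 1194 for OpenVPN or 500 and 4500 for IPsec), that VPN clients receive addresses from 10.8.0.0/24, and that RDP listens on its default port 3389/TCP; none of those values appear in the original post.

```powershell
# Added example (not from the original post): lock down inbound traffic on a
# remotely hosted Windows Server so that only the VPN listener is reachable from
# the Internet, and RDP is reachable only from addresses inside the VPN.
# Assumptions (not stated in the post): WireGuard on 51820/UDP, VPN client
# subnet 10.8.0.0/24, RDP on the default port 3389/TCP.

$VpnPort     = 51820          # WireGuard; 1194 for OpenVPN, 500 and 4500 for IPsec
$VpnProtocol = 'UDP'
$VpnSubnet   = '10.8.0.0/24'  # assumed address range handed out to VPN clients

# 1. Default-deny inbound on every profile; outbound stays allowed.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. The VPN listener is the only service reachable from any source address.
New-NetFirewallRule -DisplayName 'VPN inbound (Internet)' `
    -Direction Inbound -Protocol $VpnProtocol -LocalPort $VpnPort `
    -RemoteAddress Any -Action Allow -Profile Any

# 3. Disable the built-in "Remote Desktop" allow rules; left enabled they would
#    expose 3389 to every source address once RDS is on a public IP.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 4. Re-allow RDP, but only from the VPN client subnet.
New-NetFirewallRule -DisplayName 'RDP from VPN clients only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $VpnSubnet -Action Allow -Profile Any

# 5. Verify: list every enabled inbound allow rule with the port and source
#    addresses it opens. Anything with RemoteAddr = Any besides the VPN rule
#    (and 80/443 or SMTP/IMAP if this host serves them) is a hole to close.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Protocol   = $portFilter.Protocol
            LocalPort  = ($portFilter.LocalPort -join ',')
            RemoteAddr = ($addrFilter.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

Run this from a console session (Hyper-V console or the provider's out-of-band KVM), not over an Internet-facing RDP session: step 1 blocks everything that is not explicitly allowed, so an RDP session that does not come in through the VPN is cut off the moment it applies. Create the VPN allow rule and confirm a VPN client can connect before disabling the built-in Remote Desktop rules. The same default-deny profile belongs on the Hyper-V host that runs the DC; it should expose nothing to the Internet at all, with the VPN endpoint living on the RDS guest or on a separate guest.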
