Windows Server: VPN Access [closed]

Solution 1:

My 2 cents?

Always use VPN when you access remote resources.

I will always set up a firewall on a remotely hosted machine, where all incoming traffic is denied, with the notable exception being traffic bound for the VPN port.

The only other ports I would open are for SMTP and IMAP if it is a mail server and port 80 and 443 if it is a web server.

The ports allowed in the firewall depend on the VPN software, like:

  • 500/UDP and 4500/UDP for IPsec.
  • 1194 TCP/UDP for OpenVPN (depending on service).
  • 51820/UDP for WireGuard.

The software you choose for your VPN depends on quite a few things, but mainly how you want to integrate it into an existing setup.

That being said: from a purely bandwidth speed point of view the preferred order is WireGuard, IPsec and finally OpenVPN.

If simplicity is the goal, well... Stay clear of IPsec! You can do a lot with it, but it is not user-friendly.

As for authentication against the VPN server, there are several options, such as client certificates and/or login with username and password. It all depends on which kind of VPN software you want to use.

You may want to look into the "hub and spoke" architecture when you are designing your VPN. It is useful when you want communication between individual clients, as they can communicate with each other by using their VPN-assigned IP address.

It is even possible to do site to site routing between two subnets over the VPN connection.

Beware, though, as with all hosted traffic. You will have to monitor how much traffic is exchanged over VPN, as hosted solutions usually come with a limit on how much data you are allowed to upload and download combined, and data sent from one client to another client counts twice, as it is simultaneously an upload and a download depending on which direction you are looking from.
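The default-deny policy described in this answer, expressed as a Windows Server firewall configuration. This is an added example, not code from the answer's author: it assumes the built-in Windows Defender Firewall (the `NetSecurity` cmdlets), that WireGuard on 51820/UDP is the chosen VPN (the `-Vpn` parameter switches to the IPsec or OpenVPN ports listed above), and that a mail server listens on the standard SMTP/IMAP ports 25 and 143. The `-MailServer` and `-WebServer` switches are hypothetical names introduced here to keep service ports closed unless the host actually provides that service.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answer): default-deny inbound firewall on a
# remotely hosted Windows Server that only admits the VPN listener, plus optional
# mail/web ports. VPN choice and role switches are assumptions; adjust to your setup.

param(
    [ValidateSet('WireGuard', 'IPsec', 'OpenVPN')]
    [string]$Vpn = 'WireGuard',   # assumption: WireGuard is the deployed VPN
    [switch]$MailServer,          # hypothetical switch: open SMTP/IMAP only if this host serves mail
    [switch]$WebServer            # hypothetical switch: open 80/443 only if this host serves web
)

# Port map for the three VPN options named in the answer.
$vpnPorts = @{
    WireGuard = @(@{ Protocol = 'UDP'; Port = 51820 })
    IPsec     = @(@{ Protocol = 'UDP'; Port = 500 }, @{ Protocol = 'UDP'; Port = 4500 })
    OpenVPN   = @(@{ Protocol = 'UDP'; Port = 1194 }, @{ Protocol = 'TCP'; Port = 1194 })
}

# 1. Deny all inbound traffic by default on every profile; outbound stays allowed.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Allow only the VPN listener(s) for the chosen software.
foreach ($entry in $vpnPorts[$Vpn]) {
    New-NetFirewallRule -DisplayName "Allow $Vpn $($entry.Protocol)/$($entry.Port)" `
        -Direction Inbound -Protocol $entry.Protocol -LocalPort $entry.Port `
        -Action Allow -Profile Any | Out-Null
}

# 3. Role-specific service ports, opened only when the host provides that service.
#    25/TCP and 143/TCP are the standard SMTP and IMAP ports (assumed here).
if ($MailServer) {
    New-NetFirewallRule -DisplayName 'Allow SMTP' -Direction Inbound -Protocol TCP -LocalPort 25  -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'Allow IMAP' -Direction Inbound -Protocol TCP -LocalPort 143 -Action Allow | Out-Null
}
if ($WebServer) {
    New-NetFirewallRule -DisplayName 'Allow HTTP'  -Direction Inbound -Protocol TCP -LocalPort 80  -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'Allow HTTPS' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow | Out-Null
}

# 4. Verify the result: the profile defaults, then every enabled inbound allow rule
#    with its port filter, so pre-existing rules that still admit traffic are visible.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $rule | Get-NetFirewallPortFilter |
            Select-Object @{ n = 'Rule'; e = { $rule.DisplayName } }, Protocol, LocalPort
    } | Sort-Object Rule | Format-Table -AutoSize
```

Run it as `.\vpn-firewall.ps1 -Vpn WireGuard -WebServer` (file name is your choice). Step 4 matters more than it looks: Windows ships with many enabled inbound allow rules of its own (Core Networking, Remote Desktop if you enabled it, and so on), and a default-deny profile does not disable them, so review that list and disable anything the host does not need. If you administer the machine over RDP, run the script from the console or with out-of-band access, since the default-deny step takes effect immediately and the only remaining management path is meant to be the VPN.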