All posts tagged routing and remote access service

Always On VPN April 2024 Security Updates

Microsoft has released its security updates for April 2024. This month, a few vulnerabilities are potentially impacting Always On VPN administrators. Specifically, three updates address issues with the Windows Server Routing and Remote Access Service (RRAS). In addition, vulnerabilities affect the Remote Access Connection Manager (RasMan) service, affecting both VPN servers and clients.

RRAS

Windows Server Routing and Remote Access (RRAS) has three security updates available this month. All three are Remote Code Execution (RCE) vulnerabilities but require user interaction to exploit the vulnerability. All three updates are rated as Important.

CVE-2024-26179

CVE-2024-26200

CVE-2024-26205

RasMan

In addition to the vulnerabilities in RRAS, Microsoft announced numerous updates for vulnerabilities discovered in the Remote Access Connection Manager (RasMan) service. These vulnerabilities are related to information disclosure via buffer overruns. These updates affect both Windows RRAS servers and Windows Always On VPN clients. All updates are rated as Important.

CVE-2024-26207

CVE-2024-26211

CVE-2024-26217

CVE-2024-26255

CVE-2024-28900

CVE-2024-28901

CVE-2024-28902

Recommendations

While none of these vulnerabilities are critical, Always On VPN administrators are urged to update their affected systems soon.

Additional Information

April 2024 Security Updates

3 Comments
by Richard M. Hicks on April 9, 2024  •  Permalink
Posted in Always On VPN, AOVPN, CVE, Enterprise, enterprise mobility, Hotfix, Infrastructure, Microsoft, Mobility, Operational Support, Remote Access, routing and remote access service, RRAS, Security, Security Update, Update, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , ,

Posted by Richard M. Hicks on April 9, 2024

https://directaccess.richardhicks.com/2024/04/09/always-on-vpn-april-2024-security-updates/

Always On VPN Client IP Address Assignment Methods

When Always On VPN clients connect to the VPN server, they must be assigned an IP address to facilitate network communication. When using Windows Server and Routing and Remote Access Service (RRAS) for VPN services, administrators must choose between Dynamic Host Configuration Protocol (DHCP) and static address pool assignment methods.

DHCP

DHCP is a quick and easy way to handle VPN client IP address assignment. However, there are some drawbacks and limitations associated with this option. Consider the following.

Allocation

DHCP for Always On VPN clients does not work as you might expect. For example, when a VPN client connects, it does not obtain its IP address directly from the DHCP server. Instead, the VPN server leases a block of IP addresses from the DHCP server and manages those on behalf of its clients. On the DHCP server, you will see the Unique ID column of these IP address leases indicating RAS.

Address Block Size

After configuring the VPN server to use DHCP VPN client IP address assignment, the VPN server will automatically lease a block of ten IP addresses from a DHCP server. When this initial block of ten IP addresses is exhausted, the VPN server will lease another block of ten IP addresses. Administrators can increase the size of the requested address block by creating the following registry key on each VPN server.

Key: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IP
Value: InitialAddressPoolSize
Type: DWORD
Data: <size of DHCP pool request>

Alternatively, administrators can download Update-VpnServerDhcpPoolSize.ps1 from my GitHub repository and run it on each VPN server to increase the size of the initial DHCP address pool request.

DHCP Options

The VPN server discards all DHCP option information returned by the DHCP server. The VPN server uses only the IP address from the DHCP lease. The client is unaware of any other information in the DHCP lease.

Subnet

By default, the VPN server will only request DHCP addresses from a scope that matches the same subnet as the IP address assigned to the VPN server’s network adapter. If the VPN server has more than one network interface, it will send DHCP requests from the network interface listed on the Adapter drop-down list, as shown here.

Note: This option is only available on servers configured with multiple network interfaces. Also, if the value is set to Allow RAS to select adapter, it is best to specifically define the network interface where DHCP and DNS requests are made.

Scope Size

When using the DHCP assignment method, ensure the DHCP scope contains enough IP addresses to support the number of concurrent connections expected on all VPN servers.

IPv6

DHCPv6 is not supported on RRAS for VPN client IP address assignment. The only option for IPv6 is prefix assignment.

RRAS in Azure

DHCP is not supported when deploying RRAS in Azure. Administrators deploying RRAS in Azure to support Always On VPN must use the static address pool assignment method. More details here.

Known Issues

When using DHCP with Windows Server 2019 RRAS servers, a known issue prevents this from working correctly. Administrators can download Update-VpnServerDhcpPrivileges.ps1 from my GitHub repository and run it on each VPN server to ensure proper DHCP operation.

Increased Complexity

Since the VPN server leases IP addresses on behalf of clients and discards DHCP option information included in the lease, there’s no real benefit to using DHCP. Using DHCP only adds complexity and introduces another dependency, making the solution more brittle and difficult to manage. Using the static address pool assignment method is a better choice.

Static Pool

Implementation best practices dictate using the static address pool assignment method instead of DHCP. The following is guidance for configuring RRAS to support the static address pool option for VPN client IP address assignment.

Unique Subnet

Using a unique IP subnet is best when using the static address pool assignment method. However, this also requires configuring internal network routing to return traffic for that subnet to the individual VPN server where that subnet is assigned. Each server must have a unique IP address pool assigned. Define static address pools using subnet boundaries when configuring multiple VPN servers. Assigning IP address pools along subnet boundaries simplifies internal network routing configuration. Ensure that assigned IP address pool subnets are large enough to accommodate the total number of concurrent connections expected on each server. Be sure to overprovision to handle failover scenarios.

Same Subnet

Alternatively, administrators can assign VPN client IP addresses from the same subnet as the VPN server’s network interface. Assigning VPN client IP addresses from the same subnet as the VPN server eliminates the need for any internal network routing configuration, simplifying deployment. However, server subnets are often small and may not have enough IP address space to support numerous concurrent VPN connections. Be sure to plan accordingly.

Static IP Addresses

It is possible to assign a static IP address to an individual user. However, assigning a static IP address to a specific device is not. I will discuss static IP address assignments for Always On VPN clients in a future blog post.

Other Limitations

Here are some additional things to consider when creating a VPN client IP addressing strategy.

DNS

Always On VPN clients can be configured to register their IP address in DNS. However, the VPN client configuration controls this setting. The DHCP server does not register IP addresses in DNS when using DHCP. The client registers its IP address in DNS directly after it connects. In addition, a VPN client will receive a different IP address each time it connects to the VPN server. DNS propagation can delay hostname resolution on-premises for remote-connected VPN clients.

Selective Addressing

Regardless of which assignment method is selected, assigning different IP addresses to different types of connections is not possible. For example, a common ask is to assign user connections from one IP address pool and device connections from another. The only option to support this is to use different servers for each type of connection.

Summary

The best practice for IPv4 VPN client addressing is to use the static address pool method with a unique IPv4 subnet per server. Using static address pool assignment provides the most flexible configuration options and eliminates the dependency on internal services, making the solution more resilient and easier to manage. A unique address pool per server ensures that a large enough subnet can be defined to support the expected number of concurrent connections, regardless of the subnet size the VPN server is assigned to. Also, a unique IP subnet for VPN clients makes configuring internal firewall rules to control VPN client access easier.

Additional Information

Always On VPN and IPv6

Always On VPN Client DNS Server Configuration

Always On VPN Routing Configuration

Always On VPN RRAS Internal Interface Non-Operational

Leave a comment
by Richard M. Hicks on February 12, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, device tunnel, DNS, Enterprise, enterprise mobility, Geographic Redundnacy, GitHub, Infrastructure, IPv6, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, routing, routing and remote access service, RRAS, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 12, 2024

https://directaccess.richardhicks.com/2024/02/12/always-on-vpn-client-ip-address-assignment-methods/

Always On VPN October 2023 Security Updates

Once again, it’s time to patch! After several quiet months, there are a few crucial updates Always On VPN administrators will want to get deployed soon. Thankfully, the impact of the security updates related to Always On VPN is low this time, as there is only one Remote Code Execution (RCE) vulnerability, and it’s for a legacy protocol that should be in limited use today.

IKEv2

CVE-2023-36726 addresses a security vulnerability in Windows Internet Key Exchange (IKE) that can lead to privilege escalation. An attacker who successfully exploits this vulnerability can elevate privileges to that of the local SYSTEM.

L2TP

This month’s update discloses several Layer Two Tunneling Protocol (L2TP) vulnerabilities. The following CVEs all address a vulnerability where an attacker can send a specially crafted protocol message to a Windows Routing and Remote Access Service (RRAS) server, which could lead to remote code execution on the server.

Mitigation

The impact of the L2TP security vulnerabilities should be minimal in most organizations. L2TP is a legacy VPN protocol not commonly used for Always On VPN. However, misconfiguration can leave vulnerable RRAS servers exposed. Administrators must ensure that inbound UDP port 1723 is not open from the Internet. In addition, L2TP should be disabled on the RRAS server if not in use. See the article on the May 2023 security updates for details.

Additional Information

October 2023 Security Updates

Leave a comment
by Richard M. Hicks on October 10, 2023  •  Permalink
Posted in Always On VPN, AOVPN, Enterprise, enterprise mobility, Hotfix, IKEv2, Infrastructure, Microsoft, Mobility, Operational Support, Remote Access, routing and remote access service, RRAS, Security, Security Update, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 10, 2023

https://directaccess.richardhicks.com/2023/10/10/always-on-vpn-october-2023-security-updates/

« Older Posts