Juan's picture
I need to connect external computers to a local domain. What ports must be open on the router to allow the connection, or do I have to do it another way? I use the domain controller version 16.0
Jeremy Davis's picture

Ports are:

TCP: 22 80 88 135 139 389 443 445 464 631 3268 12320 12321
UDP: 123 137 138

FYI, they are noted in the appliance's Makefile. You could also check the firewall config in Webmin.

Note that the TCP list is all the ports that need to be open to access every service. If you just want Samba, then you can skip many of them. E.g. 22 is SSH, 80 & 443 are HTTP & HTTPS respectively; 12320 & 12321 are Webshell & Webmin respectively.

Having said that, personally I wouldn't be connecting a domain across the internet like that. I would be linking into the site via a VPN. Then connect to the domain via the VPN.

Juan's picture

I have downloaded and installed openVpn, but I am not sure how to use it. Any manual that can guide me?

Jeremy Davis's picture

You'll need to have 2 VPN instances running - one on each end (i.e. one within each separate LAN you want to join together). One will be the "server" and the other the "client" (it shouldn't matter which is which). The OpenVPN setup docs give an overview and the specific "site to site" instructions give more details. Note that the site to site instructions explicitly explain linking a LAN to an AWS VPC - but the theory remains the same to link 2 LANs.

Out of interest, as well as OpenVPN, we also have a WireGuard appliance. WireGuard is a newer and much more performant open source VPN. Unfortunately we haven't published the v17.x release yet, but it shouldn't be too far away (it's sitting in the bucket - just waiting on my colleague to do final signing and publishing to the mirror). Hopefully within the next few days.

Juan's picture

To connect a computer outside the local network with this topology.

Central Offices
Sample static IP 45.62.84.156                               Dynamic IP
+--------------+--------------+                        +-----------------+
| domain       | openvpn      |  <=> internet <=>      | remote computer |
+--------------+--------------+                        +-----------------+
             DMZ
         192.168.1.13
+-----------------------------+
             lan
        192.168.1.0/24
+-----------------------------+

Domain and openvpn are separate servers.

How would the setup be?

Would it be necessary to use the openVPN application to join the machine to the local domain?

Can it be done?

Jeremy Davis's picture

Hi Juan, to be completely honest with you, I'm a bit vague on the specific details, but if the remote end is a standalone system (i.e. not 2 separate LANs that you want to join together) then you should be able to just install the OpenVPN client software on the remote end. Then join the VPN and access the domain server via the VPN. Obviously that won't work for roaming users or folder redirection, but it should allow the remote machine to connect to the domain server (although I'm not sure if that will support your use case or not?).

Even if that is workable for you, I'm not completely sure about how you would set it up with a DMZ as well. But I'm fairly sure that it could be done.

I'm not the best person to assist with VPN setup. I know the theory, but haven't spent a ton of time playing with VPNs - OpenVPN or otherwise.

We have a dev who is much more knowledgeable than me who I'll ask to have a look at this (and he isn't a super VPN expert - just way more knowledgeable about VPNs and networking than me). Unfortunately, that won't be until Tue next week at the earliest. In the meantime (or perhaps even better still), I suggest asking over on the OpenVPN forums? If you describe your desired usage (i.e. connecting to a remote domain via OpenVPN) I'm sure someone over there should be able to help out.

Juan's picture

The truth is that this distribution has greatly facilitated the VPN connection. To access the local domain through a VPN connection, it is only necessary to configure the "push option" so that the computers connected by VPN can access the network where the domain server is working; then you have to configure the DNS of the virtual network device that the client computer uses for the VPN connection with the address of the local domain server.


In the OpenVPN settings (server.conf), for example:
# push routes to clients to allow them to reach private subnets
push "route 192.168.1.0 255.255.255.0"


DNS for the client computer example:
192.168.1.7
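
A client-side check for the two settings described above (the pushed 192.168.1.0/24 route and 192.168.1.7 as the DNS server of the VPN adapter), written as an added PowerShell example that is not from Juan's post; the adapter alias and the AD domain name are assumptions.

```powershell
# Added example (not from the thread): on the Windows VPN client, verify that the
# route pushed by server.conf is present and that the VPN adapter resolves names
# through the domain controller, then confirm a DC can actually be located.
# Assumptions: the OpenVPN adapter alias and the AD DNS name are placeholders.
$VpnAdapter = 'OpenVPN TAP-Windows6'   # check yours with Get-NetAdapter
$DcAddress  = '192.168.1.7'            # DNS / domain controller from the thread
$LanPrefix  = '192.168.1.0/24'         # route pushed by server.conf in the thread
$AdDomain   = 'corp.example'           # placeholder: your AD DNS domain name

# 1. Is the pushed route present? (absent => VPN down or push "route ..." missing)
$route = Get-NetRoute -DestinationPrefix $LanPrefix -ErrorAction SilentlyContinue
if (-not $route) {
    Write-Warning "No route to $LanPrefix; is the VPN connected?"
} else {
    "Route to $LanPrefix via interface $($route.InterfaceAlias)"
}

# 2. Does the VPN adapter use the domain controller as its DNS server? Set it if not,
#    otherwise domain logon lookups go to the client's ISP resolver and fail.
$dns = (Get-DnsClientServerAddress -InterfaceAlias $VpnAdapter -AddressFamily IPv4).ServerAddresses
if ($dns -notcontains $DcAddress) {
    Set-DnsClientServerAddress -InterfaceAlias $VpnAdapter -ServerAddresses $DcAddress
}

# 3. Can a domain controller be located through that DNS server? (SRV record that
#    the domain join and logon process queries)
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server $DcAddress

# 4. Is LDAP on the DC reachable through the tunnel?
Test-NetConnection -ComputerName $DcAddress -Port 389
```

Run it after the VPN is up; if step 1 warns, the OpenVPN connection, not the domain configuration, is the problem.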


Jeremy Davis's picture

Great news! Glad to hear that you got it up and running! Thanks for posting back with info. I'm sure that will be of use to others! :)

Juan's picture

Important: to be able to log in to the domain, the VPN connection must be working. We must start the VPN connection with the system administrator user; once the VPN connection is active we can join the domain. When we restart the system, to log in to the domain we must first start the local user session and connect the VPN; then, without closing the local session with which we connected the VPN, we use the switch user option and start our session with the domain user. If we have configured the option to remember the data of connected users, we can start the session without being connected to the domain, which can cause security problems. We can use the Windows Autologon tool to automate the VPN connection. This solution is best suited for multi-user computers.

Link: https://learn.microsoft.com/es-es/sysinternals/downloads/autologon

OpenVPN's connection automation script:

@echo off
rem wait a few seconds after logon so the network stack and tray are ready
timeout /t 5 /nobreak >nul
rem /d switches drive if needed; the path contains a space, so quote it
cd /d "C:\Program Files\OpenVPN\bin\"
openvpn-gui.exe --connect example.ovpn

Save to C:\Users\My-User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup as .bat or .cmd

Note: So far I haven't been able to connect to OpenVPN without logging in; I guess it's due to the nature of the app, which needs to be launched graphically.
I will continue investigating.

Juan's picture

OpenVPN as a system service without the need to start a user to establish the connection.

Starting from OpenVPN Connect v3.2 the application includes a method to set up an OpenVPN connection as a system service. This allows you to have the connection up and running right after system boot, even when nobody is logged on. A few possible use cases:

  • A Windows Server with Remote Desktop Services, where the users need access to some VPN resources, and it is not practical or possible to have them each individually establish their own connections because of technical and organizational reasons.
  • A Windows client system that is joined to a domain that needs access to a VPN network domain that is required for logon purposes, so the connection needs to be up and running before the user logs in.
  • Connecting your Windows system as an unattended host system offering certain services and resources to your OpenVPN server or to the OpenVPN Cloud.

This system service mode is designed to be managed only by system administrators. Once the connection is up, resources available through this VPN connection can be reached by administrators and unprivileged users on the system.

Prerequisites

  • OpenVPN Connect v3, version 3.2 or higher.
  • Administrator shell (PowerShell or cmd).
  • An autologin type connection profile (the service daemon has no interactive capabilities).
  • Close OpenVPN Connect v3 window before setting up the system service.
  • Run all commands from the program location (as specified below).

Location

  • x64: %ProgramFiles%\OpenVPN Connect\ovpnconnector.exe
  • x86: %ProgramFiles(x86)%\OpenVPN Connect\ovpnconnector.exe

Instructions

Step 1. Go to the correct location for x64 systems:

cd "%ProgramFiles%\OpenVPN Connect\"

Note: if you have the 32-bit program installed on a 64-bit OS, replace %ProgramFiles% with %ProgramFiles(x86)%.

Step 2. Install the system service:

ovpnconnector.exe install

Step 3. Specify connection profile to use (optional):

ovpnconnector.exe set-config profile <FULL_PATH_AND_FILENAME_TO_PROFILE.OVPN>

Note: if your OpenVPN Connect installation file was downloaded from Access Server or OpenVPN Cloud and came with a bundled autologin connection profile, then you can skip step 3. It will then simply default to the bundled connection profile. It can be found in the program location with the name "ovpnconnector.ovpn" - that is the bundled connection profile.

Step 4. Specify the path to a log file (optional):

ovpnconnector.exe set-config log <FULL_PATH_AND_FILENAME_TO_LOGFILE.LOG>

Note: if you skip step 4, the service will write to the default log file in the program location with the name “ovpnconnector.log”.

Step 5. Start the service:

ovpnconnector.exe start

The service will now start the VPN connection and log output to the log file.

Note: you will not receive feedback after starting the service if the connection succeeded or not. You can check the log file or use the ping command to verify that the connection is now up and running.

Important: OpenVPN Connect client should not be running, otherwise service startup will abort.

Full information at the link:

https://openvpn.net/vpn-server-resources/use-openvpn-connect-v3-on-windows-in-service-daemon-mode/
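
The five steps above wrapped in one elevated PowerShell script, added here as an example and not taken from the OpenVPN documentation or Juan's post; it also guards the two conditions the instructions call out (the Connect client must be closed, and the profile must be an autologin one) and verifies the tunnel afterwards. The profile path, log path, domain controller address and the OpenVPNConnect process name are assumptions.

```powershell
# Added example (not from the thread or the OpenVPN docs): steps 1-5 from an
# elevated PowerShell, with the preconditions checked before the service is
# installed and a log/ping check at the end, since the service gives no feedback.
# Assumptions: paths below are placeholders; the GUI process name is assumed.
$Profile   = 'C:\ProgramData\OpenVPN\client-autologin.ovpn'   # autologin profile
$LogFile   = 'C:\ProgramData\OpenVPN\ovpnconnector.log'
$DcAddress = '192.168.1.7'                                     # DC from the thread

# Step 1: pick the x64 or x86 program location
$dir = Join-Path $env:ProgramFiles 'OpenVPN Connect'
if (-not (Test-Path (Join-Path $dir 'ovpnconnector.exe'))) {
    $dir = Join-Path ${env:ProgramFiles(x86)} 'OpenVPN Connect'
}
Set-Location $dir

# Service startup aborts if the Connect client is running: fail early instead.
if (Get-Process -Name 'OpenVPNConnect' -ErrorAction SilentlyContinue) {
    throw 'Close OpenVPN Connect before setting up the system service.'
}
# The daemon cannot prompt, so refuse a profile that asks for a username/password
# interactively (a bare "auth-user-pass" line with no credentials file).
if (Select-String -Path $Profile -Pattern '^auth-user-pass\s*$' -Quiet) {
    throw 'Profile requires interactive credentials; use an autologin profile.'
}

# Steps 2-5 (commands exactly as in the instructions above)
.\ovpnconnector.exe install
.\ovpnconnector.exe set-config profile $Profile
.\ovpnconnector.exe set-config log $LogFile
.\ovpnconnector.exe start

# Verification: give the tunnel a moment, then read the log and ping the DC.
Start-Sleep -Seconds 15
Get-Content -Path $LogFile -Tail 20
if (Test-Connection -ComputerName $DcAddress -Count 2 -Quiet) {
    "VPN up: $DcAddress reachable"
} else {
    Write-Warning "VPN not up yet; check $LogFile"
}
```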
