Always On VPN Part 1 – Installation Script

23 March 2023, Windows

The scripts described in this series of blog entries install and configure the VPN connections, and trigger them from the Task Scheduler.

The main script is responsible for setting up VPN connections on Windows. In this post, I will describe its sections and the actions it performs.

The script begins with the #Disconnect VPN and #Clean sections. Their tasks are as follows:

  1. Disconnect existing connections (if necessary) and delete all configured VPN tunnels.
  2. Delete files that were previously created by running this script. The script saves these files in the following directory: C:\Program Files\VPN.
  3. Optionally, the script can also delete the scheduled tasks; these lines are only needed if you deploy the tasks with the script instead of through Group Policy.

The #Copy files section creates a directory and copies the required files to it. These files include:

  1. Connect-DeviceTunnel.ps1: This script contains the logic for establishing the Device Tunnel connection.
  2. Connect-UserTunnel.ps1: This script contains the logic for establishing the User Tunnel connection.
  3. Connect-UserTunnel.vbs: This VBS file is used to hide the PowerShell window from the user during the User Tunnel connection establishment.
  4. Root-CA.cer: This certificate is the root certification authority used to select the correct certificate when establishing a Device Tunnel. It is required when there is more than one certificate issued for the device account in the Personal container under device certificates.
  5. EAP-Config-UserTunnel.xml: This file contains information about trusted certificates for the User Tunnel connection. You can find more information about its creation on the following Microsoft page: EAP configuration – Windows Client Management | Microsoft Learn.
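Because the Device Tunnel depends on the issuer filter picking the right machine certificate, it is worth checking before deployment which certificates in the device's Personal store actually qualify. The following is an added example, not part of the author's script: it lists the LocalMachine\My certificates that have a private key, carry the Client Authentication EKU, are currently valid, and chain to the CA in Root-CA.cer. The path of Root-CA.cer is assumed to be the one the installation script uses; the function name is mine.

```powershell
# Added example (not part of the original installation script): list machine certificates
# that -MachineCertificateIssuerFilter could select for the Device Tunnel.
function Get-DeviceTunnelCertificate {
    [CmdletBinding()]
    param(
        # Path assumed from the installation script; change it if Root-CA.cer lives elsewhere.
        [string]$RootCaPath = 'C:\Program Files\VPN\Root-CA.cer'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCaPath
    $now  = Get-Date

    # Candidates: usable for IKEv2 machine authentication only if they have a private key,
    # are inside their validity period and are allowed for client authentication.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        [bool]($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $clientAuthOid)
    }

    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is enforced by the VPN gateway at connect time; here we only care about
        # which root the chain ends in, so skip the network round trip.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($cert)) { continue }

        # The last element of a built chain is the root CA.
        $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            MatchesRootCa = ($chainRoot.Thumbprint -eq $root.Thumbprint)
        }
        $chain.Reset()
    }
}

# Usage: show every candidate and flag the ones the issuer filter will accept.
Get-DeviceTunnelCertificate | Format-Table Subject, Thumbprint, NotAfter, MatchesRootCa -AutoSize
```

If more than one row shows MatchesRootCa = True, the issuer filter alone will not disambiguate, and you should look at which template issued the extra certificate rather than relying on the selection order.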

The #Scheduled Tasks section optionally imports the scheduled tasks from their XML definitions. It is commented out because the recommended way to deliver these tasks is Group Policy Preferences.

The #Create Device Tunnel section is responsible for creating and configuring the Device Tunnel. It includes information about the tunnel’s name, address, encryption parameters, and the certificate issuer file that determines the certificate selection during connection establishment.

The Device Tunnel’s purpose is to provide access to services that authenticate and manage the computer, such as AD DS, AD CS, WSUS/SCCM, or bastion management stations. The tunnel is established before the user logs on and authenticates with the computer account certificate.

The #Hide Device Tunnel section hides the Device Tunnel in the user interface.

The #Disable Class Based Default Route Device Tunnel section prevents class-based routes from being added to the routing table. For more information on this issue, you can refer to the following resource: class-based routing | Richard M. Hicks Consulting, Inc. (richardhicks.com).

In the #Add route to Device Tunnel section, you specify the routes for resources accessible within the Device Tunnel. This is a split tunnel configuration where you indicate which addresses should be reached through the tunnel, while other communication takes place without the use of VPN.

The #Create User Tunnel section contains the User Tunnel configurations. When creating the User Tunnel, you need to declare a variable containing the contents of the EAP configuration file mentioned earlier. In this configuration, all traffic will pass through the User Tunnel. The encryption parameters for both tunnels are set to the highest level supported by FortiGate v7.0.9 VPN connections.

The #Register DNS for All VPN section sets IpDnsFlags for both connections so that the client registers its tunnel IP address with the DNS server.

#Set Interface Metric All VPN: This part sets the VPN interface metric (IPInterfaceMetric=1) so that the tunnel's DNS servers take precedence, preventing incorrect name resolution in scenarios where Split DNS is used.
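The four sections above (#Hide Device Tunnel, #Disable Class Based Default Route Device Tunnel, #Register DNS for All VPN and #Set Interface Metric All VPN) all work by running a global -replace over rasphone.pbk. That is correct in the order the script runs, because the two device-tunnel-only settings are applied before the User Tunnel entry exists, but it silently depends on that order and on the file containing no other profiles. The following added example, which is not part of the author's script, changes a key only inside the named [Entry] section, so each setting is applied to exactly the entries it is meant for. It assumes the standard rasphone.pbk layout (INI-style "[Entry name]" headers followed by key=value lines) and the phonebook location the installation script uses for -AllUserConnection profiles; the function name is mine.

```powershell
# Added example (not part of the original installation script): section-aware editing of
# rasphone.pbk, so a setting is changed only in the entry it belongs to.
function Set-PbkEntryValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$EntryName,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value,
        # Phonebook for all-user connections, the location the installation script edits.
        [string]$PbkPath = "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
    )

    if (-not (Test-Path -Path $PbkPath)) { throw "Phonebook not found: $PbkPath" }
    $lines   = [System.IO.File]::ReadAllLines($PbkPath)
    $keyExpr = '^' + [regex]::Escape($Key) + '='

    $inEntry = $false
    $changed = $false
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\[(.+)\]\s*$') {
            # New section header: we are inside the target entry only while the name matches.
            $inEntry = ($Matches[1] -eq $EntryName)
            continue
        }
        if ($inEntry -and $lines[$i] -match $keyExpr) {
            $lines[$i] = "$Key=$Value"
            $changed = $true
        }
    }

    if (-not $changed) { throw "Key '$Key' not found in entry '$EntryName'" }
    # Write back with the system default (ANSI) encoding, the same encoding Set-Content
    # uses in Windows PowerShell, so RasMan keeps reading the file as before.
    [System.IO.File]::WriteAllLines($PbkPath, $lines, [System.Text.Encoding]::Default)
}

$device = 'Always On VPN (Device Tunnel)'
$user   = 'Always On VPN (User Tunnel)'

# Device Tunnel only: hide it in the UI and stop class-based routes from being added.
Set-PbkEntryValue -EntryName $device -Key 'DeviceTunnel' -Value '1'
Set-PbkEntryValue -EntryName $device -Key 'DisableClassBasedDefaultRoute' -Value '1'

# Both tunnels: register the client address in DNS and pin the interface metric.
foreach ($entry in $device, $user) {
    Set-PbkEntryValue -EntryName $entry -Key 'IpDnsFlags' -Value '3'
    Set-PbkEntryValue -EntryName $entry -Key 'IPInterfaceMetric' -Value '1'
}
```

Run this after both Add-VpnConnection calls have completed, since the function throws when the requested entry or key is absent; that failure is deliberate, because a silent no-op here would leave the Device Tunnel visible or the class-based route in place without any error in the installation log.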

#Enable Services: This section starts the IKEEXT service.

Below is the complete installation script. In the next part, I will describe the scripts that trigger the tunnels.

#Execution Policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

#Disconnect VPN
rasdial "Always On VPN (Device Tunnel)" /disconnect
rasdial "Always On VPN (User Tunnel)" /disconnect

#Clean
Get-VpnConnection -AllUserConnection | Remove-VpnConnection -Force -Verbose
Remove-Item -Path 'C:\Program Files\VPN' -Force -Recurse -Verbose -ErrorAction Continue
#schtasks /Delete /TN 'Auto Connect Device Tunnel' /F
#schtasks /Delete /TN 'Auto Connect User Tunnel' /F

#Copy files
New-Item -Path 'C:\Program Files' -Name 'VPN' -Force -ItemType Directory -Verbose
Copy-Item -Path .\Connect-DeviceTunnel.ps1 -Destination 'C:\Program Files\VPN' -Force -Verbose
Copy-Item -Path .\Connect-UserTunnel.ps1 -Destination 'C:\Program Files\VPN' -Force -Verbose
Copy-Item -Path .\Connect-UserTunnel.vbs -Destination 'C:\Program Files\VPN' -Force -Verbose
Copy-Item -Path .\Root-CA.cer -Destination 'C:\Program Files\VPN' -Force -Verbose
Copy-Item -Path .\EAP-Config-UserTunnel.xml -Destination 'C:\Program Files\VPN' -Force -Verbose

#Scheduled Tasks
#schtasks.exe /Create /XML '.\TS-DeviceTunnel.xml' /tn 'Auto Connect Device Tunnel'
#schtasks.exe /Create /XML '.\TS-UserTunnel.xml' /tn 'Auto Connect User Tunnel'

#Create Device Tunnel
Add-VpnConnection -Name "Always On VPN (Device Tunnel)" -ServerAddress "vpn.domain.com" -TunnelType "Ikev2" -AuthenticationMethod MachineCertificate -MachineCertificateIssuerFilter 'C:\Program Files\VPN\Root-CA.cer' -EncryptionLevel Maximum -AllUserConnection -SplitTunneling -RememberCredential -Verbose
Set-VpnConnectionIPsecConfiguration -ConnectionName "Always On VPN (Device Tunnel)" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -DHGroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -PassThru -Force -Verbose

#Hide Device Tunnel
((Get-Content -path C:\programdata\Microsoft\Network\Connections\Pbk\rasphone.pbk -Raw) -replace 'DeviceTunnel=0','DeviceTunnel=1') | Set-Content -Path C:\programdata\Microsoft\Network\Connections\Pbk\rasphone.pbk -Force
#Disable Class Based Default Route Device Tunnel
((Get-Content -path C:\programdata\Microsoft\Network\Connections\Pbk\rasphone.pbk -Raw) -replace 'DisableClassBasedDefaultRoute=0','DisableClassBasedDefaultRoute=1') | Set-Content -Path C:\programdata\Microsoft\Network\Connections\Pbk\rasphone.pbk -Force

#Add route to Device Tunnel
$DeviceTunnelRoutes = '172.16.0.10/32', '172.16.0.11/32', '172.16.0.20/32', '172.16.0.21/32', '172.16.0.30/32', '172.16.0.31/32', '172.16.0.40/32'
foreach ($prefix in $DeviceTunnelRoutes) {
    Add-VpnConnectionRoute -ConnectionName "Always On VPN (Device Tunnel)" -DestinationPrefix $prefix -RouteMetric 10
}

#Create User Tunnel
$EAPXml = Get-Content -Path 'C:\Program Files\VPN\EAP-Config-UserTunnel.xml' -Verbose
Add-VpnConnection -Name "Always On VPN (User Tunnel)" -ServerAddress "vpn.domain.com" -TunnelType "Ikev2" -AuthenticationMethod Eap -EapConfigXmlStream $EAPXml -EncryptionLevel Maximum -AllUserConnection -RememberCredential -Verbose
Set-VpnConnectionIPsecConfiguration -ConnectionName "Always On VPN (User Tunnel)" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA384 -PfsGroup ECP384 -DHGroup ECP384 -PassThru -Force -Verbose

#Register DNS for All VPN
((Get-Content -path C:\programdata\Microsoft\Network\Connections\Pbk\rasphone.pbk -Raw) -replace 'IpDnsFlags=0','IpDnsFlags=3') | Set-Content -Path C:\programdata\Microsoft\Network\Connections\Pbk\rasphone.pbk -Force

#Set Interface Metric All VPN
((Get-Content -path C:\programdata\Microsoft\Network\Connections\Pbk\rasphone.pbk -Raw) -replace 'IPInterfaceMetric=0','IPInterfaceMetric=1') | Set-Content -Path C:\programdata\Microsoft\Network\Connections\Pbk\rasphone.pbk -Force

#Enable Services
Set-Service -Name IKEEXT -StartupType Automatic -Verbose
Set-Service -Name IKEEXT -Status Running -Verbose
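Once the installation script has run, it is useful to read the result back rather than trust the -Verbose output. The following is an added example, not part of the author's script: it checks that the copied files exist, that both connections were created with the tunnel type, authentication method and split-tunnel setting the script specifies, that a custom IPsec policy is attached, and that IKEEXT is running and set to start automatically. Connection names and the install directory default to the values in the script; the function name is mine, and the StartType property on Get-Service output requires PowerShell 5 or later.

```powershell
# Added example (not part of the original installation script): post-install verification
# of what the script should have left behind.
function Test-AlwaysOnVpnInstall {
    [CmdletBinding()]
    param(
        [string]$InstallDir   = 'C:\Program Files\VPN',
        [string]$DeviceTunnel = 'Always On VPN (Device Tunnel)',
        [string]$UserTunnel   = 'Always On VPN (User Tunnel)'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Files the trigger scripts and the connections depend on.
    $requiredFiles = 'Connect-DeviceTunnel.ps1', 'Connect-UserTunnel.ps1', 'Connect-UserTunnel.vbs',
                     'Root-CA.cer', 'EAP-Config-UserTunnel.xml'
    foreach ($file in $requiredFiles) {
        if (-not (Test-Path -Path (Join-Path $InstallDir $file))) { $findings.Add("missing file: $file") }
    }

    # 2. Connection profiles. They were created with -AllUserConnection, so query that scope.
    $conns    = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    $expected = @{
        $DeviceTunnel = @{ Auth = 'MachineCertificate'; Split = $true  }
        $UserTunnel   = @{ Auth = 'Eap';                Split = $false }
    }
    foreach ($name in $expected.Keys) {
        $c = $conns | Where-Object Name -eq $name
        if (-not $c) { $findings.Add("connection not found: $name"); continue }
        if ($c.TunnelType -ne 'Ikev2') {
            $findings.Add("${name}: TunnelType is $($c.TunnelType), expected Ikev2")
        }
        if ($c.AuthenticationMethod -notcontains $expected[$name].Auth) {
            $findings.Add("${name}: AuthenticationMethod is $($c.AuthenticationMethod -join ','), expected $($expected[$name].Auth)")
        }
        if ($c.SplitTunneling -ne $expected[$name].Split) {
            $findings.Add("${name}: SplitTunneling is $($c.SplitTunneling), expected $($expected[$name].Split)")
        }
        # Set-VpnConnectionIPsecConfiguration populates IPsecCustomPolicy; if it is empty the
        # connection will negotiate with the default proposals instead of the ones in the script.
        if (-not $c.IPsecCustomPolicy) { $findings.Add("${name}: no custom IPsec policy applied") }
    }

    # 3. IKEv2 needs the IKE and AuthIP IPsec Keying Modules service.
    $svc = Get-Service -Name IKEEXT
    if ($svc.Status -ne 'Running')      { $findings.Add("IKEEXT is $($svc.Status)") }
    if ($svc.StartType -ne 'Automatic') { $findings.Add("IKEEXT StartType is $($svc.StartType)") }

    [pscustomobject]@{
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage: run elevated on the installed device; Passed is $true when nothing deviates.
Test-AlwaysOnVpnInstall
```

The check deliberately reports every deviation rather than stopping at the first one, so a single run on a problem machine shows whether the issue is a missing file, a profile that was not created, or a service that failed to start.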
