
First of all I'm not (yet) a fully trained IT professional but just a college student so please forgive me if some of the things I'm about to ask might seem "stupid" because the answers are totally obvious to you.

I'm almost done setting up a Windows Server 2012 Foundation server for our home network. It is configured with the following roles:

File Server, Print Server, DHCP Server, DNS Server and Security Server for Trend Micro Worry-Free Business Security. All of these are already up and running, so so far so good.

Overview & Goal

In addition to that I want to use the server as an OpenVPN router and firewall, using the "Windows Firewall with Advanced Security" in combination with RRAS. I think I'm pretty much finished with setting up these services too, but since, as I mentioned before, I'm not a fully trained IT professional and I did this for the first time, I would really appreciate it a lot if some of you guys could tell me if my configuration is OK before I hook it up to a public/unsecured network.

So first here are the networks I have and what I want the server to do:

Internal home network: 192.168.0.0/24 - Server's IP 192.168.0.1 - connected to NIC1

Local "unsecured" network: 192.168.3.0/24 - Server's IP 192.168.3.2 - connected to NIC2

OpenVPN Internet connection: 10.8.1.52/30 - Server's IP 10.8.1.54 - connected to OpenVPN's virtual NIC

Now what I want to do is let the Windows Server 2012 server route my internal home network's Internet traffic through that OpenVPN Internet connection. It also has to block all unsolicited incoming traffic from the OpenVPN Internet connection, no matter if it's targeted at the server itself or my internal home network, and in addition to that it has to block all traffic to and from the local "unsecured" network except for OpenVPN's connection to my VPN service provider's VPN server. The main reason why I'm doing this is that I live in Germany, and by routing all Internet traffic over my US-based provider's VPN connection my entire home network will be connected using a US-based IP address, which allows me to use services like Netflix, Hulu, Vevo and so on which wouldn't work with a Germany-based IP address. Another reason is that by completely separating my internal home network (on NIC1) from the outer "unsecured" network (on NIC2) I can use the "unsecured" network to provide Internet access for less secure / untrusted devices (like smartphones, an Internet radio or devices brought along by guests) directly over the German ADSL connection, without the risk of those devices somehow compromising my internal home network.

On the "unsecured" network there is a standard ADSL router appliance with an IP address of 192.168.3.1 which should be used by OpenVPN to establish a secure, encrypted connection to my VPN service provider's server. Except for that all other incoming and outgoing traffic over NIC2 should be completely blocked by the server.

What I did so far:

Windows Firewall with Advanced Security

General:

Using "gpedit.msc" I set up the "Windows Firewall with Advanced Security" with the following parameters:

(I configured the "Domain", "Public" and "Private" profiles all with the same settings so that I don't have to deal with network location awareness)

Firewall state: On (recommended)

Inbound connections: Block (default)

Outbound connections: Block

Allow unicast response: No

Apply local firewall rules & Apply local connection security rules: No (I did this to prevent third party applications from "messing" with the firewall settings by adding their own rules)

Inbound Rules:

Allow if local address = 192.168.0.1 & remote address = 192.168.0.0/24 (this should allow all inbound connections from my internal home network through NIC1)

Outbound Rules:

Allow if local address = 192.168.0.1 OR 10.8.1.54 (this should allow all outbound connections over NIC1 and OpenVPN's virtual NIC)

Allow if program = "%ProgramFiles%\OpenVPN\bin\openvpn.exe" and local address = 192.168.3.2 and remote address = "my VPN provider's server's public IP address" and protocol = "UDP" and remote port = 1194 (this should allow OpenVPN to establish a secure encrypted connection to my VPN provider's server over NIC2)

"Control Panel\Network and Internet\Network Connections"

NIC1

In NIC1's properties I unchecked the IPv6 protocol since I'm not using it, and I configured IPv4 to use a static IP address of 192.168.0.1, network mask 255.255.255.0, no default gateway and preferred DNS server 192.168.0.1.

NIC2

For NIC2, where it says "This connection uses the following items", I unchecked everything but IPv4 and then configured IPv4 to use a static IP address of 192.168.3.2, network mask 255.255.255.0, no default gateway, no preferred DNS server.

OpenVPN's virtual NIC

For OpenVPN's virtual NIC, where it says "This connection uses the following items", I unchecked everything but IPv4 and then configured IPv4 to use a static IP address of 10.8.1.54, network mask 255.255.255.252, default gateway 10.8.1.53, preferred DNS server 127.0.0.1. [I have to add a line to OpenVPN's config file that tells it not to "mess" with those manually configured parameters, but I think that shouldn't be a problem.]

"Routing and Remote Access"

General

In the "Configure Routing and Remote Access" wizard I picked the "NAT" option and then picked NIC1 as the private interface and OpenVPN's virtual NIC as the public interface.

I went to the server properties and unchecked "IPv6 Router" on the "General" tab, then I went to the "IPv6" tab and unchecked "Enable IPv6 forwarding".

"IPv4 \ General"

NIC2 properties

In the properties of NIC2 I checked "Enable fragmentation checking" [is this necessary/recommended???] and then set up the following static filters:

inbound filters:

Picked "Drop all packets except those that meet the criteria below" and then added the following filter:

source address = ANY, source network mask = ANY, destination address = 192.168.3.2, destination mask = 255.255.255.255

outbound filters:

Picked "Drop all packets except those that meet the criteria below" and then added the following filter:

source address = 192.168.3.2, source network mask = 255.255.255.255, destination address = ANY, destination mask = ANY

(These filters should prevent any inbound or outbound routing from happening over NIC2 and should only allow packets that either originate from the server itself or are targeted at the server itself; such connections should then be handled by "Windows Firewall with Advanced Security".)

OpenVPN's virtual NIC properties

In the properties of OpenVPN's virtual NIC I checked "Enable fragmentation checking" [is this necessary/recommended???] and then set up the following static filters:

inbound filters:

Picked "Drop all packets except those that meet the criteria below" and then added the following filter:

source address = ANY, source network mask = ANY, destination address = 10.8.1.54, destination mask = 255.255.255.255

outbound filters:

Picked "Drop all packets except those that meet the criteria below" and then added the following filter:

source address = 10.8.1.54, source network mask = 255.255.255.255, destination address = ANY, destination mask = ANY

(These filters should prevent any inbound or outbound routing from happening over OpenVPN's virtual NIC, while they shouldn't affect NAT since all NATed packets should have 10.8.1.54 as either their source or target address.)

"IPv4 \ Static Routes"

I added the following route:

Destination: "my VPN provider's server's public IP address"

Network mask: 255.255.255.255

Gateway: 192.168.3.1

Interface: NIC2

Metric: 1

"IPv6 \ General"

Since I already unchecked IPv6 in the NIC properties and I also unchecked "IPv6 Router" and "Enable IPv6 forwarding" in RRAS, I don't think that I would have to worry any more about IPv6, but just to be on the safe side I went to "IPv6 \ General" and configured static filters for NIC2 and OpenVPN's virtual NIC that should block any inbound or outbound IPv6 traffic over those NICs.

Thank you for reading!

I know that this is A LOT to read and to go through, but since this is the first time I did such a setup I could really sleep much better knowing that somebody more experienced than myself had a look at those settings before I hook up the server to my "unsecured" network and the Internet. So I would really appreciate that a lot.

Thank you so much in advance and have a nice weekend!

Aleksandar
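The firewall part of the setup described in the question, written out as an added example with the NetSecurity cmdlets that ship with Windows Server 2012 (this is not the asker's own configuration or code). It assumes the NIC1 adapter's connection name is literally "NIC1", uses a placeholder for the VPN provider's public IP, and uses a placeholder GPO name for -PolicyStore, because with "Apply local firewall rules: No" any rule written to the local PersistentStore is not enforced; it also adds the inbound rule the DHCP Server role needs, which the question's address-based rule does not cover.

```powershell
# Added example (not from the original post): the firewall policy described above
# expressed with the NetSecurity cmdlets that ship with Windows Server 2012.
# Both values below are placeholders: the provider IP is not on the page, and the
# GPO name must be yours, because with "Apply local firewall rules: No" any rule
# written to the local PersistentStore is ignored at enforcement time.
$VpnServerIp = '203.0.113.10'          # PLACEHOLDER (TEST-NET-3 documentation range)
$Store       = 'PLACEHOLDER\GPO-Name'  # PLACEHOLDER: GPO that carries the firewall policy

# Profile defaults, identical for all three profiles: block unless a rule allows it.
Set-NetFirewallProfile -PolicyStore $Store -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -AllowUnicastResponseToMulticast False `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False

# Inbound: anything from the home LAN addressed to the server's NIC1 address.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'LAN -> server (NIC1)' `
    -Direction Inbound -Action Allow -LocalAddress 192.168.0.1 -RemoteAddress 192.168.0.0/24

# Inbound: DHCP DISCOVER/REQUEST arrive from 0.0.0.0 to 255.255.255.255, so the rule
# above never matches them; the DHCP Server role needs its own port-based rule.
# 'NIC1' is assumed to be the adapter's connection name.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'DHCP server (NIC1)' `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort 67 -InterfaceAlias 'NIC1'

# Outbound: anything leaving from the NIC1 address or the OpenVPN tunnel address.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'Server -> LAN/VPN' `
    -Direction Outbound -Action Allow -LocalAddress 192.168.0.1,10.8.1.54

# Outbound: only openvpn.exe may leave via NIC2, and only to the provider on UDP/1194.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'OpenVPN to provider (NIC2)' `
    -Direction Outbound -Action Allow -Program "$env:ProgramFiles\OpenVPN\bin\openvpn.exe" `
    -LocalAddress 192.168.3.2 -RemoteAddress $VpnServerIp -Protocol UDP -RemotePort 1194

# Check: dump the rules that are actually enforced (ActiveStore) with their filters,
# to compare against the intended policy before NIC2 is plugged in.
Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Action Allow | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Local      = $addr.LocalAddress -join ','
        Remote     = $addr.RemoteAddress -join ','
        Protocol   = $port.Protocol
        RemotePort = $port.RemotePort -join ','
    }
} | Format-Table -AutoSize
```

The final listing is the check worth doing before connecting NIC2: if an allow rule you expect is missing from ActiveStore, it was written to a store the policy ignores.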

  • Welcome to SF! This is indeed very very long... Not sure many people will actually read all that. In the future, you'd better try to post multiple simpler questions rather than a big single one. Also think that this site contains Q&A, not tutorials or howtos. Just one suggestion for this question: try to improve the formatting, add titles, sections (see the help link) so that it is easier to read. – Lætitia Jun 14 '13 at 16:17
  • I know that this is a very long question, but I thought that since all these firewall and RRAS settings are kind of related to each other it would be better not to split them, risking taking them out of context. But I promise that in the future I'll do my best to keep questions shorter! And I'm not asking for a tutorial - I basically did all the configuration already and I am "only" asking if somebody would be so kind to see if I did everything right or if I made some mistakes. But I know that this is still a lot to ask ... – Aleksandar Obucina Jun 14 '13 at 16:28
  • @Tonin Is it better now? – Aleksandar Obucina Jun 14 '13 at 21:43
  • This still isn't a great fit for this site. Are you having a problem? Is something not working? Honestly, I'm not wading through all 5 pages, but I don't see anything that looks like "This isn't working." – mfinni Jun 15 '13 at 00:40
  • No, there's no problem. I basically did set up everything the way I think it should be correct for what I'm planning to do. But because I'm still a college student doing such a setup for the first time, I would appreciate it A LOT if somebody more experienced than me would have a look at my configuration to see if it is correct or if I made some mistakes. But of course I understand that this is a lot I'm asking, and so if nobody is willing to do it I would perfectly understand that too! – Aleksandar Obucina Jun 15 '13 at 17:10
  • Right - "please audit my environment" is kind of a tall order on a Q&A site. If you have specific questions about a specific part of the environment or config, go right ahead and repost, with an answerable question. – mfinni Jun 16 '13 at 20:27
