Forum Discussion
Peter Holland
Apr 28, 2021, Iron Contributor
Prevent users from disconnecting AOVPN user tunnel
Hi, Is there any client configuration I can apply, registry entries or other policies, to remove the 'disconnect' button from the AOVPN user tunnel? It's not very 'always on' if users can dec...
- Mar 06, 2023
Microsoft have implemented the required change (just needs to filter into Windows 10 and the Intune management profiles)
https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenamedisabledisconnectbutton
Posted for anyone else seeking this info in the future.
Also see the blog post by the incomparable Richard Hicks https://directaccess.richardhicks.com/2023/03/06/always-on-vpn-csp-updates/
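An added example, not code from the thread, from Microsoft's docs or from Richard Hicks: a small PowerShell check for whether the profiles already on a machine carry the new setting, plus a helper that adds it to a ProfileXML so it can be pushed through whatever deployment path is already in use. It assumes (the thread does not state this) that the setting is the ProfileXML element `<DisableDisconnectButton>true</DisableDisconnectButton>` under `<VPNProfile>`, that deployed profiles are readable through the MDM bridge WMI class `MDM_VPNv2_01` in `root\cimv2\mdm\dmmap`, and that the element's position as the last child of `<VPNProfile>` is acceptable. As the update above notes, the flag only takes effect on Windows builds and Intune profile templates that include the CSP change, so a profile carrying it is not proof the button is gone.

```powershell
# Added example (not from the thread or Microsoft's docs): report which VPNv2 CSP
# profiles on this machine carry DisableDisconnectButton, and build a ProfileXML
# copy with the flag set so it can be deployed through the existing channel.
#
# Assumptions (not stated in the thread): the setting is the ProfileXML element
# <DisableDisconnectButton>true</DisableDisconnectButton> under <VPNProfile>, and
# deployed profiles are readable through the MDM bridge class MDM_VPNv2_01 in
# root\cimv2\mdm\dmmap. Run from an elevated PowerShell.

function Get-AovpnDisconnectButtonState {
    [CmdletBinding()]
    param()

    $instances = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_VPNv2_01' -ErrorAction Stop

    foreach ($i in $instances) {
        # ProfileXML is stored XML-escaped (&lt;VPNProfile&gt; ...); decoding is
        # a no-op if the bridge already returned it unescaped.
        [xml]$doc = [System.Net.WebUtility]::HtmlDecode($i.ProfileXML)
        $flag = $doc.VPNProfile.DisableDisconnectButton
        [pscustomobject]@{
            ProfileName             = [uri]::UnescapeDataString($i.InstanceID)
            DisableDisconnectButton = ($flag -eq 'true')
            ParentID                = $i.ParentID
        }
    }
}

function Add-AovpnDisableDisconnectButton {
    # Returns the ProfileXML with DisableDisconnectButton set to true,
    # adding the element if the profile does not have one yet.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ProfileXml)

    [xml]$doc = $ProfileXml
    $root = $doc.DocumentElement
    if ($root.Name -ne 'VPNProfile') {
        throw "Expected <VPNProfile> as the root element, got <$($root.Name)>"
    }

    $node = $root.SelectSingleNode('DisableDisconnectButton')
    if (-not $node) {
        # Appending as the last child of <VPNProfile> is an assumption.
        $node = $doc.CreateElement('DisableDisconnectButton')
        [void]$root.AppendChild($node)
    }
    $node.InnerText = 'true'
    return $doc.OuterXml
}

# Usage (file names are examples only):
# Get-AovpnDisconnectButtonState | Format-Table
# Add-AovpnDisableDisconnectButton -ProfileXml (Get-Content .\UserTunnel.xml -Raw) |
#     Set-Content .\UserTunnel-disconnect-hidden.xml
```

The state check is the useful part for a rollout: run it after the Intune profile has re-applied and confirm every user tunnel reports `DisableDisconnectButton = True` before telling users the button is gone.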
Mousefluff
Feb 24, 2023, Iron Contributor
Peter Holland, I know I'm providing support for someone who doesn't understand any of these topics. So I did actually give you replies, but for some reason they didn't show up lmao. I wrote some examples for you. I'm going to post them again, with PowerShell examples. I saved them, just in case nothing worked out. It's very generic, so read it at your own leisure:
Routers allow you to create VLANs where you can partition each device on the network. Obviously if you're worried about a client not being able to see a LAN address, then of course you could enable that network service, but block all the rest, so the client is forced to tunnel through the VPN to get to a WAN address ( all incoming connections MUST be blocked. ) The most basic service configuration has Unicast DNS ( UDP 53, ) Multicast DNS / mDNS ( UDP 5353, ) HTTP ( TCP 80, ) HTTPS / SSL / TLS 1.3+ ( TCP 443, ) and maybe WireGuard ( UDP 51820. ) In a rare situation, it would be UDP 123 for NTS / NTP ( Network Time Security / Network Time Protocol. ) Often you can tunnel almost any other service, including NTP, over the VPN, other than using DNS to bootstrap a DNS Stub Resolver, which in turn feeds a DNS server. In actuality, you could block all outgoing connections that don't utilize WireGuard ( UDP port 51820, ) and it would still work, although it will fail if the timestamps are inaccurate, or the system clock is not up to date. This is for the router though, not the operating system's firewall. You could even use a 3rd-party service to update the system clock if you're REALLY worried about security. Don't try to offload EVERYTHING to a software firewall, unless you want really high latency, and high power usage. That is a really big mistake. Even if you have interrupt moderation enabled for the network adapter, tons of receive buffers, and a decent multi-core CPU, it won't be anywhere near as fast as the ASIC / ASSP ( in this case a form of applications processor that has hard-IP blocks specifically made for encryption ) that comes with the VPN Router. A CPU is a general purpose processor, and will always be slower and less efficient at this task ( networking 101. )
Most commercial-grade entry-level SOHO routers have VPN support, and VPN passthrough, which is above and beyond the speed of any desktop computer you have. The method you have chosen ensures maximum lag for anyone on your network, if you were wondering. Nobody does that. You have to see the VPN is just an extra layer, a virtual one at that, in which packets / traffic are encapsulated over / through, and they traverse this one layer, to reach this specific endpoint. All you're doing is tunneling traffic from the router to the VPN server, which is treated much like an exit node. So while it still uses the service provider's network, the exit node in this sense will not be the router, but the VPN server. Split tunneling just removes that layer for one particular program or service. You could actually change the firewall rules to unblock certain services, and add an extra VLAN that has another DNS server and HTTPS port that bypasses the VPN, if you are that worried. You could even change the service configuration to assign it a fixed IP address based on the port, or a certain range, and assign that one particular range to another VLAN, which of course uses up memory to do this ( VLAN partitioning, a feature based on the concept of Software Defined Networking / Network Virtualization. ) The operating system settings could be bypassed, regardless of what you do, or if there is a BYOD policy, anyone can bypass it, so this is why the router is used to configure this and not the device itself. When you properly configure the VPN, the device is not even aware the traffic is being tunneled through the VPN, because the router handles it, and you can't change it no matter what you do. This is why people do this, and they don't do anything else. Any other solution doesn't work. People will use simple DNS workarounds to bypass it, and you will look like an amateur ( even a lot of teenagers know how to get around this. ) Most Public WiFi hotspots are set up like this btw, and they often have a captive portal as well. If you don't want to use a hardware router, you could use VyOS, or some other combination of software on Solaris 11.x, or another operating system ( lots of open source software routers / software appliances that can run in a container, docker image, or whatever it is you have in mind. )
NOTE: I would suggest looking at a certification like CompTIA's Network+, Security+, or even CCNP, MCSE, etc. Here are some more free resources to help: https://techcommunity.microsoft.com/t5/windows-deployment/educational-resources-for-systems-administration-servicing/m-p/3062844/highlight/true#M836
Here is another obvious thing most people do with VPNs. You might not like this idea as it sounds strange, but I assign a VLAN to every SINGLE device, and disable multicast ( it's to sandbox / partition every device on my local area network. ) The router's MAC address is used instead of the one on the device. When I close the connection, and those resources are freed from memory, nothing is left, and the configuration is actually way more simple ( less of a focus on randomly generating MAC addresses for client devices on the network. Of course some VPNs have features to block LAN addresses entirely, or network probing / port scans from other devices, but that's not the same as this. I already hardened my network stack, so it does this from the very beginning. That's a separate concept. ) It's way more secure, but it uses up more memory if you have a lot of services going, almost 50MB per device, which is a lot for an older VPN router. It sounds like something straight out of the early 1990s, but I have so much filtering that all incoming ports are blocked, all outgoing ports are blocked except the most basic things needed for VPN / VPN Passthrough, which is practically ONE port, for the entire VLAN. When you have A LOT of sockets open, and ephemeral key encryption enabled, it slows down, almost overheats my router too. I don't notice any slowdowns, just because my router handles the service configuration ( not any of my devices. I have a very light software firewall setup going, just to schedule which types of programs I want to connect to the network, but that's it. ) Of course if you scale up to a branch router or a rackmount system with service-grade hardware, your power consumption goes way up ( not to mention the amount of heat that generates. That would be excessive for a very simplistic setup, like the one I have. ) You have to be very mindful of power draw, especially if you add a lot of devices to your network.
Windows Defender Firewall with Advanced Security Administration with Windows PowerShell -> https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell
Service overview and network port requirements for Windows -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements
Configure network infrastructure to support the NLB ( Network Load Balancing ) operation mode -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-network-to-support-nlb-operation-mode
Windows Admin Center -> https://www.microsoft.com/en-us/windows-server/windows-admin-center
This script blocks all traffic, as described in some of the documentation ( I use things like this to deal with programs that try to automatically enable rules for no good reason. )
@ECHO OFF
SETLOCAL
REM Enable all three profiles and make them block by default in both directions,
REM with listen notifications on and IPsec stealth mode enabled.
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block -AllowUnicastResponseToMulticast False -NotifyOnListen True -EnableStealthModeForIPsec True}"
REM Disable every rule that is currently enabled, the built-in Core Networking
REM rules (DHCP, DNS, ICMPv6) included, so only rules added afterwards allow traffic.
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule}"
ENDLOCAL
Here's an example of a script that creates a firewall rule for the Windows Time Service:
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'Windows Time Service' -Profile Any -Protocol UDP -LocalPort 123 -RemotePort 123 -Service W32Time}"
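An added example, not the poster's script: the same block-by-default posture as the batch file above, but with the few allow rules a client-side "kill switch" needs so the VPN itself can still connect. Run as written, the batch file also disables whatever rule let the tunnel transport out, which is why the Windows Time rule that follows it is not enough on its own. The script assumes things the thread does not state: the tunnel is IKEv2 (UDP 500/4500 plus ESP, IP protocol 50) to a gateway named by `$VpnServer`, the tunnel adapter's `InterfaceAlias` equals `$VpnProfileName`, and the profile has already been provisioned so that alias exists when the rule is created. Both defaults are placeholders.

```powershell
# Added example (not the poster's script): block-by-default firewall with the
# allow rules a VPN kill switch needs so the tunnel can still come up.
# Assumptions (not stated in the thread): IKEv2 transport (UDP 500/4500 + ESP)
# to $VpnServer; the VPN adapter's InterfaceAlias equals $VpnProfileName and the
# adapter already exists. Add TCP 443 to the gateway if the transport is SSTP.
# Run from an elevated PowerShell.

param(
    [string]$VpnProfileName = 'Contoso AOVPN',       # placeholder profile/adapter name
    [string]$VpnServer      = 'vpn.contoso.example'  # placeholder gateway FQDN
)

$group = 'VPN kill switch'

# Resolve the gateway up front: -RemoteAddress needs literal addresses, and after
# this script only the Dnscache service may talk to DNS.
$gatewayIps = (Resolve-DnsName -Name $VpnServer -Type A -ErrorAction Stop).IPAddress
if (-not $gatewayIps) { throw "No A records returned for $VpnServer" }

# Remove any earlier copy of these rules so the script is idempotent.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Same default posture as the batch file: everything blocked unless a rule allows it.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

$common = @{ Group = $group; Direction = 'Outbound'; Action = 'Allow'; Profile = 'Any' }

# Bootstrap traffic that has to bypass the tunnel: DHCP, DNS restricted to the
# resolver service, and time sync (kept for the poster's reason: IKEv2
# certificate validation fails when the clock is wrong).
New-NetFirewallRule @common -DisplayName 'KS: DHCP client'    -Protocol UDP -LocalPort 68 -RemotePort 67 -Service Dhcp
New-NetFirewallRule @common -DisplayName 'KS: DNS (Dnscache)' -Protocol UDP -RemotePort 53 -Service Dnscache
New-NetFirewallRule @common -DisplayName 'KS: W32Time'        -Protocol UDP -RemotePort 123 -Service W32Time

# The tunnel transport itself, pinned to the gateway's addresses.
New-NetFirewallRule @common -DisplayName 'KS: IKEv2 to gateway' -Protocol UDP -RemotePort 500,4500 -RemoteAddress $gatewayIps
New-NetFirewallRule @common -DisplayName 'KS: ESP to gateway'   -Protocol 50 -RemoteAddress $gatewayIps

# Everything else may leave only through the VPN adapter; when the tunnel is
# down there is no matching interface, so the default Block applies.
New-NetFirewallRule @common -DisplayName 'KS: all traffic via tunnel' -InterfaceAlias $VpnProfileName

Get-NetFirewallRule -Group $group | Format-Table DisplayName, Enabled, Direction, Action
```

This leaves the built-in rules in place, so it is not as tight as the batch file's blanket `Disable-NetFirewallRule`; layering that on top is possible, but it also disables the inbound Core Networking rules (DHCP-In, ICMPv6), so test a DHCP renewal and an IPv6 neighbor discovery afterwards before rolling it out.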
- Mousefluff, Feb 24, 2023, Iron Contributor
Mousefluff, I'm going to rewrite this one as well, due to some sort of issue with posting replies about service configurations on a site designed solely for sharing technical information with other people ( someone either edited it, or it disappeared due to a glitch. ) Windows itself isn't a client. Windows is an operating system ( monolithic kernel. ) You can switch at the drop of a hat from workstation to server using the MMC snap-in ( services.msc, ) enabling the Server service, disabling the Workstation service, and then going into System Properties and changing this -> Advanced -> Performance -> Advanced -> Processor Scheduling: Background Services
Knowing that this is modular enough that you can script it in the same way as Windows Server, you can partition each adapter on the network, and isolate / sandbox each program, enough that you could create your own "kill-switch" functionality just using scripts ( to block all traffic in the event that you lose the connection. Of course my VPN has this, as well as split-tunneling, but it's a post-paid product. ) Most commercial-quality VPN routers have WAN failover for HSPA / 3G, 4G / LTE, 5G, etc, and WiFi support. The main difference between these and the software firewall implementation on a PC, is that you can't block the Network Time Service like you can on a PC, or tunnel it over the VPN. You'll never be able to connect, and you won't know why, but the obvious reason is the time stamp doesn't match. If you pull out the battery as well, with the "kill-switch" engaged, you can't reconnect, and you have to reinstall it, or disable the VPN to be able to use it ( this is why they bypass the VPN / Firewall sometimes to allow NTP, or they synchronize the clock on startup. It's really problematic with mobile devices, but nothing else. ) With VyOS, all you need is an adapter to create your own access point, or you could even use a HTPC board with two Ethernet MACs ( it's very flexible, and you can even run it in a container using WSL / docker, on top of the operating system image. ) You could also make your own fixed-login process by forking OpenVPN and hard-coding the login, so nobody could disconnect, along with a custom network stack and service configuration. It's still vastly inferior to a VPN router, but understanding the drawbacks is an important part of learning how it works. If you don't understand this, then you won't be able to learn from your mistakes, or you won't understand the limitations of what you've learned. This is how I think about things, not just what I would tell someone else:
"the VPN clients are external on random connections, home broadband, mobile hotspot, coffee shop wifi etc"
- Peter Holland, Feb 24, 2023, Iron Contributor
Your previous replies disappeared as I marked them as spam.
Are you familiar with the actual Microsoft service named "Always On VPN"?
If you were, then you would realise that none of your responses are relevant.
- Mousefluff, Feb 24, 2023, Iron Contributor
Peter Holland, that's unfortunate, given I wrote several workarounds for this problem, but you have to learn how to use PowerShell to bypass this ( I did give examples as well, similar to the ones I use. ) I don't think I was trying to write spam at all:
"your previous replies disappeared as I marked them as spam."
- Bestow, Feb 24, 2023, Copper Contributor
From what I've read, the OP is referring to Enterprise Windows 10 deployments, specifically the use of Always On VPN (https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/always-on-vpn-enhancements) which is commonly deployed via Intune.
This isn't about a single VPN that needs to be 'Always On'; this is about the literal technology which Microsoft have called 'Always On VPN'. Specifically the OP seems to be referring to this:
Which can be toggled by the user and has no method of policy control. That about right, Peter Holland?
- Mousefluff, Feb 24, 2023, Iron Contributor
Bestow, OK so he already identified the problem, and I gave examples of how to deal with this issue, using a solution that I already use:
"Which can be toggled by the user and has no method of policy control. That about right"