Introducing Microsoft Edge Secure Network
Today, we're excited to share that we have kicked off experiments for Microsoft Edge Secure Network in the Canary channel of Microsoft Edge. We are opening this preview to a small audience to get initial feedback and recommendations so we can offer the best in-browser Secure Network experience. What does Secure Network do? With Edge Secure Network, you can connect to public Wi-Fi at coffee shops, airports, restaurants, hotels, & other venues, complete transactions, and shop online, all with the improved privacy and security that gives you the peace of mind you deserve. Secure Network helps you protect your information by masking your device's IP address, encrypting your data, and routing it through a secure network (powered by Cloudflare) to a server that is geographically co-located so it’s harder for malicious actors to see your true location and what you’re doing. It also prevents your internet service provider from collecting your browsing data, like details about which websites you visit, and helps prevent online entities from using your IP address for profiling and sending you targeted ads. As part of our first experiment, we’re giving everyone who tries this out a small amount of free Secure Network bandwidth to use however they see fit. For some activities like streaming videos, this allotment may be used significantly quicker than other activities like shopping and browsing the web. We encourage you to use the built-in controls to enable and disable the Secure Network and use this data however it best suits your needs and send us feedback about how Secure Network works for you. See our support page for more details. We will be diligently reviewing feedback as we over the coming weeks, so keep an eye out for Edge Secure Network and help us create the best experience possible! How it Works Whenever Secure Network is connected, your browsing traffic will be encrypted and routed through our service’s servers and then to its final destination. This helps ensure that your personal data will be more secure no matter what complicated route your browsing data takes or how many parties are involved in providing the content inside your favorite web page. Geo Location and Regions A lot of web technology relies on trying to intelligently provide results based on where you are located. We want to ensure that the web still works as you expect it to so when you search for a nearby restaurant or local movie showtimes, you can still get relevant results. We also want to help protect you as an individual, so you’re not personally associated with those results just by browsing the web. We’ve partnered with Cloudflare to help ensure that if VPNs are allowed in your region, wherever you connect to the Secure Network service, you will connect to a local data center and the IP address your browsing data flows through will be geographically similar to your actual region. However, websites will not see your individual network address, keeping your browsing disassociated from you while still allowing the internet to ‘just work’ as you expect. Microsoft Account and Data Collection During this preview phase Secure Network requires users to be signed into the browser with their Microsoft account. Sign-in is used solely to authenticate to the service and ensure you’re to receive more free data during the current period. No data about your user identity or account is sent over the Secure Network connection as part of this service. Additionally, limited diagnostic data may be ephemerally present on our partner’s servers for no more than 25 hours to help troubleshoot connection and performance issues, but is not persisted or directly associated with any given user. See our privacy promise and Cloudflare privacy notice for even more details. Send Us Feedback Be on the lookout for Secure Network as we expand our testing. We look forward to discovering how you would like to use Secure Network to protect your data, what works well, and what we can improve. Let us know on the shield icon flyout by giving us a quick thumbs up or down or use the in-browser feedback icon to send us more detailed feedback. Alt + Shift + I – Shortcut to send feedback As always, thanks for being a part of this journey towards a more private and secure web! Brandon Maslen, Principal Software Engineer Kelda Anderson, Product Manager[Resolved] Windows Sandbox has NO Internet when the host is connected to a VPN
When the host is connected to a VPN, such as PPTP/L2TP and then I launch Windows Sandbox, I have no internet in it. please fix this. this problem existed on build 19H1 and it still exists on build 20H1 (18885). Old post, no longer an issue.There needs to be a policy to enable Edge Secure Network
As soon a single policy is set for Microsoft Edge, either through group policy or registry, the Edge Secure Network becomes unavailable. There needs to be a policy to enable it again. Using a registry key or local policy to control Edge doesn't mean it's controlled by an organization or personal Microsoft accounts are not used.
Azure AD Joined Hello for Business and NPS Radius Authentication
Hi guys, I am starting to roll out the Windows VPN client using L2TP to our computers which are a mixture of Hybrid Joined and Azure AD joined. All computers in the business have got Windows Hello for Business and this works well. The issue I am having is for the Azure AD joined machines only signing in with biometrics. They are unable to connect to the VPN with successfully when they use the '-UseWinlogonCredential' switch. This is not an issue with Hybrid Joined machines signing in with biometrics. I am struggling to find a solution to this problem, so for the interim those machines are simply prompting the user for their username and password which gets accepted. I suspect it's a certificate issue for Azure AD joined machines only but not too sure how to configure the NPS to allow these through. Any advice is greatly appreciated!The only thing that keeps me from switching to Bing as my default and daily search engine is This.
Bing changes my safe search settings every time I connect to my VPN (another Country). Every single time. Google does Not do this. so it happens like this. at first I don't use VPN and I'm connected with my own IP address to the Internet, I do a search in Bing and from the side panel I see safe search is set to restricted, so I go to the settings and turn that thing off. after few minutes I connect my VPN, reopen my browser and do a search in Bing, I see the safe search setting is back to restricted/moderate. again I go to the Bing settings and turn it off. now I turn off my VPN and use my own IP again, reopen my browser, do a search in Bing and there it is. safe search is back to restricted again! this is beyond frustrating, words can't even describe it. I do love Bing and I hate to use Google knowing they are a data mining company. but things like that....LITTLE things like that, prevent me from using Bing. I have this problem with Bing on both mobile and PC. using Microsoft Edge browser. Bing should retain my preferences Either in the form of cookies or in my Account settings. when I explicitly set a specific country in Bing settings and then turn off safe search for it, it shouldn't be changed automatically, no matter what IP I use, because it's still MY Microsoft account, not somebody else's, I don't set the country to "Auto-detect" or anything like that and I don't want safe search preferences to be reset when my country changes/I use VPN. the problem with Bing is that Microsoft tied Safe search preference to country. that's so wrong. they are 2 different things.OPNsense Firewall as Network Virtual Appliance (NVA) in Azure
This blog is available as a video on YouTube: youtube.com/watch?v=JtnIFiB7jkE Introduction to OPNsense In today’s cloud-driven world, securing your infrastructure is more critical than ever. One powerful solution is OPNsense. OPNsense is a powerful open-source firewall that can be used to secure your virtual networks. Originally forked from pfSense, which itself evolved from m0n0wall. OPNsense could run on Windows, MacOS, Linux including OpenBSD and FreeBSD. It provides a user-friendly web interface for configuration and management. What makes OPNsense Firewall stand out is its rich feature set: VPN Support for point-to-site and site-to-site connections using technologies like WireGuard and OpenVPN. DNS Management with options such as OpenDNS and Unbound DNS. Multi-network handling enabling you to manage different LANs seamlessly. Advanced security features including intrusion detection and forward proxy integration. Plugin ecosystem supporting official and community extensions for third-party integrations. In this guide, you’ll learn how to install and configure OPNsense Firewall on an Azure Virtual Machine, leveraging its capabilities to secure your cloud resources effectively. We'll have three demonstrations: Installing OPNsense on an Azure virtual machine Setting up point-to-site VPN using WireGuard Here is the architecture we want to achieve in this blog, except the Hb and Spoke configuration which is planned for the second part coming soon. 1. Installing OPNsense on an Azure Virtual Machine There are three ways to have OPNsense in a virtual machine. Create a VM from scratch and install OPNsense. Install using the pre-packaged ISO image created by Deciso the company that maintains OPNsense. Use a pre-built VM image from the Azure Marketplace. In this demo, we will use the first approach to have more control over the installation and configuration. We will create an Azure VM with FreeBSD OS and then install OPNsense using a shell script through the Custom Script Extension. All the required files are in this repository: github.com/HoussemDellai/azure-network-course/205_nva_opnsense. The shell script configureopnsense.sh will install OPNsense and apply a predefined configuration file config.xml to set up the firewall rules, VPN, and DNS settings. It will take 4 parameters: GitHub path where the script and config file are hosted, in our case it is /scripts/. OPNsense version to install, currently set to 25.7. Gateway IP address for the trusted subnet. Public IP address of the untrusted subnet. This shell script is executed after the VM creation using the Custom Script Extension in Terraform represented in the file vm_extension_install_opnsense.tf. OPNsense is intended to be used an NVA so it would be good to apply some of the good practices. One of these practices is to have two network interfaces: Trusted Interface: Connected to the internal network (spokes). Untrusted Interface: Connected to the internet (WAN). This setup allows OPNsense to effectively manage and secure traffic between the internal network and the internet. Second good practice is to start with a predefined configuration file config.xml that includes the basic settings for the firewall, VPN, and DNS. This approach saves time and ensures consistency across deployments. It is recommended to start with closed firewall rules and then open them as needed based on your security requirements. But for demo purposes, we will allow all traffic. Third good practice is to use multiple instances of OPNsense in a high-availability setup to ensure redundancy and failover capabilities. However, for simplicity, we will use a single instance in this demo. Let's take a look at the resources that will be created by Terraform using the AzureRM provider: Resource Group Virtual Network (VNET) named vnet-hub with two subnets: Trusted Subnet: Internal traffic between spokes. Untrusted Subnet: Exposes the firewall to the internet. Network Security Group (NSG): attached to the untrusted subnet, with rules allowing traffic to the VPN, OPNsense website and to the internet. Virtual Machine: with the following configuration: FreeBSD OS image using version 14.1. VM size: Standard_D4ads_v6 with NVMe disk for better performance. Admin credentials: feel free to change the username and password with more security. Two NICs (trusted and untrusted) with IP forwarding enabled to allow traffic to pass through the firewall. NAT Gateway: attached to the untrusted subnet for outbound internet connectivity. Apply Terraform configuration To deploy the resources, run the following commands in your terminal from within the 205_nva_opnsense directory: terraform init terraform apply -auto-approve Terraform provisions the infrastructure and outputs resource details. In the Azure portal you should see the newly created resources. Accessing the OPNsense dashboard To access the OPNsense dashboard: Get the VM’s public IP from the Azure portal or from Terraform output. Paste it into your browser. Accept the TLS warning (TLS is not configured yet). Log in with Username: root and Password: opnsense you can change it later in the dashboard. You now have access to the OPNsense dashboard where you can: Monitor traffic and reports. Configure firewall rules for LAN, WAN, and VPN. Set up VPNs (WireGuard, OpenVPN, IPsec). Configure DNS services (OpenDNS, UnboundDNS). Now that the OPNsense firewall is up and running, let's move to the next steps to explore some of its features like VPN. 2. Setting up Point-to-Site VPN using WireGuard We’ll demonstrate how to establish a WireGuard VPN connection to OPNsense firewall. The configuration file config.xml used during installation already includes the necessary settings for WireGuard VPN. For more details on how to set up WireGuard on OPNsense, refer to the official documentation. We will generate a Wireguard peer configuration using the OPNsense dashboard. Navigate to VPN > WireGuard > Peer generator then add a name for the peer, fill in the IP address for the OPNsense which is the public IP of the VM in Azure, use the same IP if you want to use the pre-configured UnboundDNS. Then copy the generated configuration and click on Store and generate next and Apply. Next we'll use that configuration to set up WireGuard on a Windows client. Here you can either use your current machine as a client or create a new Windows VM in Azure. We'll go with this second option for better isolation. We'll deploy the client VM using Terraform file vpn_client_vm_win11.tf. Make sur it is deployed using command terraform apply -auto-approve. Once the VM is ready, connect to it using RDP, download and install WireGuard. Alternatively, you can install WireGuard using the following Winget command: winget install -e --id WireGuard.WireGuard --accept-package-agreements --accept-source-agreements Launch WireGuard application, click on Add Tunnel > Add empty tunnel..., then paste the peer configuration generated from OPNsense and save it. Then click on Activate to start the VPN connection. We should see the data transfer starting. We'll verify the VPN connection by pinging the VM, checking the outbound traffic passes through the Nat Gateway's IPs and also checking the DNS resolution using UnboundDNS configured in OPNsense. ping 10.0.1.4 # this is the trusted IP of OPNsense in Azure # Pinging 10.0.1.4 with 32 bytes of data: # Reply from 10.0.1.4: bytes=32 time=48ms TTL=64 # ... curl ifconfig.me/ip # should display the public IP of the Nat Gateway in Azure # 74.241.132.239 nslookup microsoft.com # should resolve using UnboundDNS configured in OPNsense # Server: UnKnown # Address: 135.225.126.162 # Non-authoritative answer: # Name: microsoft.com # Addresses: 2603:1030:b:3::152 # 13.107.246.53 # 13.107.213.53 # ... The service endpoint ifconfig.me is used to get the public IP address of the client. You can use any other similar service. What's next ? Now that you have OPNsense firewall set up as an NVA in Azure and have successfully established a WireGuard VPN connection, we can explore additional features and configurations such as integrating OPNsense into a Hub and Spoke network topology. That will be covered in the next part of this blog. Special thanks to 'behind the scene' contributors I would like to thank my colleagues Stephan Dechoux thanks to whom I discovered OPNsense and Daniel Mauser who provided a good lab for setting up OPNsense in Azure available here https://github.com/dmauser/opnazure. Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.Windows 11: Show us a notification when built-in VPN in Windows 11 suddenly disconnects
it's important for security and privacy reasons, when the built in VPN connection in Windows 11 suddenly disconnects and its connection drops, we should receive a notification and be warned. right now, nothing happens and VPN silently disconnects without warning user. Upvote this suggestion in Feedback hub: https://aka.ms/AAd56mm
