25 Nov
Create a complicated Windows VPN connection very easily by copy and paste [Telework freely]: Tech TIPS


Target OS: Windows 10

There are probably many companies (organizations) that allow their staff (employees) to work remotely (telework) from home by connecting their home PCs to the internal network over a VPN.

This requires setting up a VPN connection (VPN client) on the staff member's home PC.

However, creating a VPN connection with the Windows 10 GUI takes a great many steps. Asking staff to create it themselves is a considerable burden, and with the GUI there is a real risk of mistakes during creation.

For system administrators there is the additional problem that the VPN connection creation procedure they must prepare is lengthy; writing and updating it can be a daunting task.

Therefore, let's make it possible to create a VPN connection in far fewer steps than the GUI by using "PowerShell", a standard feature of the Windows OS. The procedure manual can be simplified as well, and support costs caused by configuration errors should fall.

In this Tech TIPS, I will introduce how to create a VPN connection with PowerShell on the Windows 10 PC at the employee's (staff member's) home. The premise is that the system administrator prepares and distributes a script file that creates the VPN connection, and the staff who receive it run it. As for how the script is distributed, this method gives priority to ease of use; it would be unsuitable for a system environment operated under a strict security policy.

The VPN connections that can be created are limited to those using the Windows 10 standard VPN provider, and those that require third-party plug-ins are not included.

The PowerShell code shown has been confirmed to work with the Windows 10 standard PowerShell Ver.5.1 as well as Ver.7.1.

First, I will explain how to create a VPN connection using PowerShell that uses a relatively simple authentication method such as MS-CHAP v2. A VPN connection using Extensible Authentication Protocol (EAP) will be described later.


To create a VPN connection with PowerShell, use the "Add-VpnConnection" cmdlet. If it's a simple authentication method, you can create a VPN connection with just this.

The listing below creates a VPN connection with L2TP/IPsec as the tunnel and MS-CHAP v2 as the authentication method. Change the name of the VPN connection (variable "$vpnName") and the destination VPN gateway (variable "$serverAddress") as appropriate. Each option is described later.

$vpnName = ""        # Name of the VPN connection to create (change as appropriate)
$serverAddress = ""  # Host name or IP address of the VPN gateway (change as appropriate)
# Prompt for the L2TP/IPsec pre-shared key without echoing it to the console
$pskInput = (Read-Host "Enter the pre-shared key for $serverAddress " -AsSecureString)
Add-VpnConnection -Name $vpnName `
    -ServerAddress $serverAddress `
    -TunnelType L2tp `
    -EncryptionLevel Maximum `
    -AuthenticationMethod MSChapv2 `
    -RememberCredential `
    -SplitTunneling `
    -L2tpPsk ([System.Runtime.InteropServices.Marshal]::PtrToStringBSTR([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pskInput))) `
    -Force
# Display the main settings of the connection that was just created
Get-VpnConnection -Name $vpnName

Example of creating a VPN connection at once with PowerShell (in the case of a simple authentication method such as MS-CHAP v2)

Start PowerShell. For Windows 10, open the Start menu, search for "powershell" and run "Windows PowerShell" when it is found.

Next, after correcting the necessary parts in the above list, copy it, paste it into the PowerShell window that was started, and execute it. You will be prompted for an L2TP/IPsec pre-shared key, enter it and press Enter to create the VPN connection. If a VPN connection with the same name already exists, an error will occur, so change the value of $vpnName or delete the existing VPN connection with the same name.

Example of creating a VPN connection with the above script

Once the script has run successfully, the final "Get-VpnConnection" cmdlet displays the main settings of the created VPN connection.
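As an added example (my own script, not the article's), here is a re-runnable version of the creation step that a system administrator could distribute: it removes an existing connection of the same name instead of failing, frees the decrypted pre-shared key after use, and checks that the created connection really has the requested tunnel, encryption and authentication settings. The connection name and gateway address are placeholders.

```powershell
# Added example, not the article's own script. Name and gateway are placeholders.
$vpnName       = "Company VPN (L2TP)"   # placeholder, change as appropriate
$serverAddress = "vpngw.example.jp"     # placeholder, change as appropriate

# Add-VpnConnection fails if a connection with the same name already exists,
# so remove it first. Filtering the full list avoids a "not found" error.
if (Get-VpnConnection | Where-Object Name -eq $vpnName) {
    Write-Host "Replacing existing VPN connection '$vpnName'"
    Remove-VpnConnection -Name $vpnName -Force
}

# Read the pre-shared key without echoing it, convert it only for the call,
# and zero the unmanaged copy afterwards.
$pskInput = Read-Host "Enter the pre-shared key for $serverAddress" -AsSecureString
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pskInput)
try {
    $psk = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Add-VpnConnection -Name $vpnName -ServerAddress $serverAddress `
        -TunnelType L2tp -EncryptionLevel Maximum -AuthenticationMethod MSChapv2 `
        -RememberCredential -SplitTunneling -L2tpPsk $psk -Force
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $psk = $null
}

# Confirm that the connection really has the settings the script asked for
$vpn = Get-VpnConnection -Name $vpnName
$expected = @{ TunnelType = 'L2tp'; EncryptionLevel = 'Maximum'; AuthenticationMethod = 'MSChapv2' }
$problems = foreach ($key in $expected.Keys) {
    $actual = "$($vpn.$key)"            # AuthenticationMethod is an array; stringify it
    if ($actual -ne $expected[$key]) { "$key is '$actual', expected '$($expected[$key])'" }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "VPN connection '$vpnName' created with the expected settings" }
```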

Settings such as the tunnel method and encryption level are specified using cmdlet options as shown below.

Option / Function and how to specify

-AllUserConnection: Allow all users of the source Windows OS to use this VPN connection
-AuthenticationMethod: Select the basic authentication method for the VPN. Specify one of "Pap", "Chap", "MSChapv2", "Eap", or "MachineCertificate"
-DnsSuffix: Specify the DNS suffix to be associated with the VPN connection
-EapConfigXmlStream: Configure Extensible Authentication Protocol (EAP) according to the contents of the specified XML (details will be described later)
-EncryptionLevel: Select the VPN encryption level. Specify one of "NoEncryption" (encryption is not allowed), "Optional" (encryption can be omitted), "Required" (encryption is required), "Maximum" (strongest encryption), or "Custom"
-IdleDisconnectSeconds: Specify the number of idle seconds to wait before disconnecting the VPN connection. If not specified, the connection is not disconnected
-L2tpPsk: Specify the pre-shared key for the L2TP/IPsec tunnel
-Name: Specify the name of the VPN connection to create. Enclose names containing spaces in double quotes
-RememberCredential: Save the credentials (username/password, etc.) entered for VPN connection authentication
-ServerAddress: Specify the VPN gateway to connect to. Example: "vpngw.example.jp", "203.0.113.101"
-SplitTunneling: Route packets for destinations not included in the VPN destination network so that they do not go through the VPN connection
-TunnelType: Select the protocol type of the encrypted tunnel. Specify one of "Pptp", "L2tp" (L2TP/IPsec), "Sstp", "Ikev2", or "Automatic" (automatic selection)
-UseWinlogonCredential: Use the sign-in name and password of the source Windows OS to authenticate the VPN connection
-Force: Suppress the confirmation prompt

Major options for the "Add-VpnConnection" cmdlet

The correspondence between the setting items displayed when you open the VPN connection properties in the GUI and the main options above is described below.

[Figures 1/6 to 6/6: Correspondence between VPN connection properties and Add-VpnConnection options]

The above Add-VpnConnection cmdlet does not allow you to specify a username and password. Therefore, if you want to authenticate with a username/password to connect to the VPN, you need to specify it in the dialog that appears when you actually connect with the created VPN connection.

If you specify the "-RememberCredential" option when running Add-VpnConnection, the username and password entered during the first connection are saved in the system. Subsequent uses of the same VPN connection connect without re-entering the username and password (they need to be entered only for the first connection).

When authenticating with a smart card or user certificate when connecting to a VPN, it is essential to set the extensible authentication protocol "EAP" (Extensible Authentication Protocol). EAP settings are also required for MS-CHAP v2 authentication via PEAP (Protected EAP).

If EAP is being used, you cannot create a VPN connection using the Add-VpnConnection method described above.

Whether an existing VPN connection uses EAP can be determined by whether the [Use Extensible Authentication Protocol (EAP)] radio button is selected in the [Authentication] frame on the [Security] tab of its properties.
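As an added example (not from the article), the same check can be made from PowerShell for every existing connection at once, which is handy before deciding whether the simple Add-VpnConnection method above applies. The function name is my own.

```powershell
# Added example, not from the article: report which existing VPN connections
# use EAP, instead of opening each one's [Security] tab in the GUI.
function Test-VpnConnectionUsesEap {
    param([Parameter(Mandatory)][string]$Name)
    $vpn = Get-VpnConnection | Where-Object Name -eq $Name
    if (-not $vpn) { throw "VPN connection '$Name' was not found" }
    # A connection set up for EAP reports "Eap" in AuthenticationMethod and
    # carries its EAP configuration in EapConfigXmlStream
    $usesEap = ($vpn.AuthenticationMethod -contains 'Eap') -or
               (-not [string]::IsNullOrWhiteSpace("$($vpn.EapConfigXmlStream)"))
    [pscustomobject]@{
        Name                 = $vpn.Name
        UsesEap              = $usesEap
        AuthenticationMethod = ($vpn.AuthenticationMethod -join ', ')
    }
}

# Report every VPN connection of the current user
Get-VpnConnection | ForEach-Object { Test-VpnConnectionUsesEap -Name $_.Name } | Format-Table -AutoSize
```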


Copyright© Digital Advantage Corp. All Rights Reserved.