Software VPN Tunnel on Windows Server 2008 R2

Tags: vpn, windows-server-2008-r2

We are in the process of migrating a datacenter hosted web application to a cloud provider, and we need to set up a VPN tunnel between one of the cloud servers and our internal office network so that we can move/access data securely from an internal database server.

In our current setup we have a hardware VPN tunnel which is setup on the firewalls of the two different networks (office and datacenter). However, if we set up a hardware VPN tunnel to the new cloud hosting provider, we'll incur a hefty monthly charge which I'd like to avoid.

Is there a way to set up a software VPN tunnel between one server running Windows Server 2008 R2 on one network and a hardware firewall on a different network?

Best Answer

I would simply use the Windows Routing and Remote Access VPN built into Windows. You'll need to configure the server (maybe with some certificate setup too), then configure the cloud server to demand-dial into your network or start a VPN connection on boot via script. Configure the VPN to redial automatically if it drops.

Windows 7/2008 R2 support four types of VPN: PPTP, L2TP, SSTP and IKEv2.

PPTP is insecure, so don't use it.

L2TP requires both client and server certificates issued by the same certification authority (which can be a Windows cert server, external like say Digicert, or even your own OpenSSL install).

SSTP and IKEv2 only require a trusted certificate on the server side (your home office) for remote users doing VPN, but since you will likely want to use computer certificate authentication "EAP-TLS" instead of a username and password so your cloud server can automatically connect, you might need the client certificate anyway.

SSTP is based on TCP, which is terrible for performance (TCP-in-TCP does not perform well), so don't use it unless you have no other choice.

I would suggest using L2TP or IKEv2 with EAP-TLS authentication. Set it up as a persistent demand-dial connection in Windows RRAS so it connects automatically whenever it has connectivity home.
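The answer leaves the "start on boot via script" and "redial automatically" parts to the reader. The following is an added example, not code from the answer or from Microsoft, of a PowerShell watchdog for the cloud server that keeps the client side of the tunnel up with the built-in `rasdial` tool. It assumes a phonebook entry named `OfficeVPN` already exists and is configured for IKEv2 or L2TP with EAP-TLS machine-certificate authentication (so no username or password is passed), and uses `10.0.0.5` as a placeholder for the internal database server.

```powershell
# Watchdog that dials a pre-configured VPN entry and redials it whenever the tunnel drops.
# Assumptions (not from the answer): the entry "OfficeVPN" exists and uses EAP-TLS with a
# machine certificate, so rasdial needs no credentials; 10.0.0.5 is a placeholder for an
# internal host that is reachable only through the tunnel.
param(
    [string]$EntryName       = "OfficeVPN",
    [string]$ProbeHost       = "10.0.0.5",
    [string]$LogPath         = "C:\ProgramData\OfficeVpn\watchdog.log",
    [int]   $IntervalSeconds = 30
)

function Write-Log([string]$Message) {
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function Test-TunnelUp {
    # 'rasdial' with no arguments lists active RAS connections. The tunnel is only
    # treated as healthy if our entry is listed AND a host behind it answers a ping.
    $active = & rasdial.exe 2>&1
    if ($LASTEXITCODE -ne 0) { return $false }
    if (-not ($active -match [regex]::Escape($EntryName))) { return $false }
    return [bool](Test-Connection -ComputerName $ProbeHost -Count 1 -Quiet)
}

function Connect-Tunnel {
    # rasdial returns a non-zero RAS error code (certificate, IKE or transport failures).
    $output = & rasdial.exe $EntryName 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Log "Connected '$EntryName'."
        return $true
    }
    Write-Log ("Dial of '{0}' failed, code {1}: {2}" -f $EntryName, $LASTEXITCODE, ($output -join ' '))
    return $false
}

# Main loop. Register the script as a SYSTEM task that runs at startup, for example:
#   schtasks /create /sc onstart /ru SYSTEM /tn OfficeVpnWatchdog ^
#     /tr "powershell.exe -ExecutionPolicy Bypass -File C:\scripts\Keep-OfficeVpn.ps1"
$backoff = $IntervalSeconds
while ($true) {
    if (Test-TunnelUp) {
        $backoff = $IntervalSeconds                  # healthy: reset the retry interval
    } elseif (Connect-Tunnel) {
        $backoff = $IntervalSeconds
    } else {
        $backoff = [Math]::Min($backoff * 2, 600)    # exponential backoff, capped at 10 min
    }
    Start-Sleep -Seconds $backoff
}
```

The ping probe matters because `rasdial` can report the entry as connected while routing through the tunnel has silently failed; checking a host on the far side catches that case and forces a redial.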
