Fun (or not) with VPN

Last modified by Mitchell on 2022/01/25 07:42

For the past several days, I've been working on getting a VPN working for my little cluster. There are several different options available for Windows Server. It didn't take too long to get PPTP working, which I would consider the base level. I'd prefer not to try to implement L2TP, as that would require installing client certificates on all systems, which is annoying.

As a result, I've been spending the past several days trying to get SSTP working instead, which looks pretty straightforward on paper. Unfortunately, there are all too many problems you can stumble across, and the one I've been fighting for a while has been error 0x80092013 (which lots of other people also seem to fight with). What's depressing is that Windows offers almost no logging, so I've been slowly working through the issues one at a time, but I've now hit a dead end. So far:

  • The CDP and Delta CRL locations now refer only to externally accessible locations (verified via Enterprise PKI).
  • The certificate's CRL distribution point is externally accessible.
  • The domain CA certificate is installed on the VPN client.
  • IIS double escaping has been enabled.

Disabling the CRL check does let SSTP work (which means that this is strictly a CDP issue: the client cannot retrieve the CRL), but that's far from ideal. What's particularly frustrating is, as I mentioned previously, that there are several different places where this could be breaking, and Windows is being very opaque as to where. For example, the IIS server logs don't show any download attempts for the CRL or delta CRLs.
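Since the checklist above is all about whether a client can actually fetch the CRL and delta CRL named in the certificate, it helps to test exactly that from the client side rather than infer it from the absence of IIS log lines. The following PowerShell is an added example, not code from the original post: it reads the CRL Distribution Points (OID 2.5.29.31) and Freshest CRL (OID 2.5.29.46) extensions of the SSTP server certificate, fetches every http(s) URL they contain the way a client would, and runs each download through `certutil -dump` to confirm it parses as a CRL. The `$Thumbprint` parameter and the `Cert:\LocalMachine\My` store are assumptions; run it on a machine outside the domain to see what an external client sees. Note that delta CRL file names contain a `+`, which is the reason the IIS double-escaping setting matters for the delta CRL URL.

```powershell
# Added example (not from the post): fetch every CDP / delta CRL URL in a server
# certificate and report whether each one downloads and parses as a CRL.
# Assumptions: $Thumbprint is the SSTP certificate's thumbprint; the cert lives
# in Cert:\LocalMachine\My (pass -Store to look elsewhere, e.g. an exported copy).
function Test-CrlDistributionPoints {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $Store = 'Cert:\LocalMachine\My'
    )
    $cert = Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $Store" }

    # 2.5.29.31 = CRL Distribution Points, 2.5.29.46 = Freshest CRL (delta CRL locations)
    $urls = foreach ($oid in '2.5.29.31', '2.5.29.46') {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) {
            # Format($true) renders the extension as text; pull the http(s) URLs out of it.
            # ldap:// CDPs are deliberately skipped: an SSTP client off the domain cannot use them.
            [regex]::Matches($ext.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
        }
    }
    if (-not $urls) {
        Write-Warning 'Certificate carries no http(s) CDP URLs; an external client cannot check revocation'
        return
    }

    foreach ($url in ($urls | Sort-Object -Unique)) {
        $tmp = Join-Path $env:TEMP ("crlcheck_" + [guid]::NewGuid().ToString() + ".crl")
        try {
            # -OutFile keeps the binary CRL intact; -PassThru still returns the response object
            $resp = Invoke-WebRequest -Uri $url -OutFile $tmp -PassThru -UseBasicParsing -TimeoutSec 15
            # certutil -dump exits non-zero if the file is not a CRL (e.g. an IIS 404/403 HTML page)
            $null = certutil -dump $tmp
            [pscustomobject]@{
                Url         = $url
                HttpStatus  = $resp.StatusCode
                ParsesAsCrl = ($LASTEXITCODE -eq 0)
            }
        } catch {
            # DNS failure, timeout, TLS error, or an HTTP error status all land here
            [pscustomobject]@{ Url = $url; HttpStatus = $_.Exception.Message; ParsesAsCrl = $false }
        } finally {
            Remove-Item -Path $tmp -ErrorAction SilentlyContinue
        }
    }
}

# Usage (thumbprint is a placeholder; substitute the SSTP certificate's thumbprint):
# Test-CrlDistributionPoints -Thumbprint 'THUMBPRINT_OF_SSTP_CERT' | Format-Table -AutoSize
```

A row whose delta CRL URL returns a 404 while the base CRL returns 200 points at the double-escaping setting or at a request-filtering rule on the IIS side; a row that never produces an HTTP status points at DNS or firewall reachability, which the Enterprise PKI snap-in (which runs on the domain) will not reveal. For the end-to-end view Windows itself uses, `certutil -verify -urlfetch <exported-cert.cer>` on the client performs the same chain and revocation retrieval and prints each URL it tried with the result.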

On the other hand, this isn't something I want to sink too much more time into, especially when I have several other things to work on... I'll probably come back later to work with it more.

Edit: Predictably, I ended up fixing this because I found I couldn't log in via SSTP any longer. As it turns out, it's pretty easy to have IIS SSL settings clobber your SSTP port binding (really?), so Microsoft has a knowledge base article on how to fix that. I ended up disabling the Default Web Site (largely to remove contention for the 0.0.0.0:443 binding, as I'll be using SNI for my SSL sites), which ended up fixing the CDP issue as well.
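The binding clobbering described in the edit is visible in HTTP.sys itself: both IIS and the SSTP service register their certificate with `netsh http`, and whichever registration owns `0.0.0.0:443` decides which certificate (and therefore which CDP) SSTP clients are actually handed. The following PowerShell is an added example, not from the original post or from Microsoft's knowledge base article: it parses `netsh http show sslcert` into objects, keeps only the port 443 bindings, and compares their certificate hashes against the hash the SSTP service has been configured to use. The registry location `HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters` and the value name `SHA256CertificateHash` are assumptions to confirm against your own server.

```powershell
# Added example (not from the post): show who owns each port 443 SSL binding in
# HTTP.sys and whether it matches the certificate SSTP expects to serve.
function Get-Port443SslBindings {
    $text = netsh http show sslcert | Out-String
    # Each binding block starts with an "IP:port" or "Hostname:port" line (the latter is an SNI binding)
    $blocks = $text -split '(?m)^\s*(?:IP|Hostname):port\s*:\s*' | Select-Object -Skip 1
    foreach ($block in $blocks) {
        $endpoint = ($block -split "`r?`n")[0].Trim()
        if ($endpoint -notmatch ':443$') { continue }
        $hash  = if ($block -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $Matches[1].ToUpper() } else { $null }
        $appId = if ($block -match 'Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $null }
        [pscustomobject]@{ Endpoint = $endpoint; CertHash = $hash; AppId = $appId }
    }
}

function Get-SstpConfiguredCertHash {
    # Assumption: SstpSvc stores its bound certificate hash as a binary registry value.
    # Adjust the path/value name if your server reports it differently.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters' -ErrorAction Stop
    $bytes = $params.SHA256CertificateHash
    if (-not $bytes) { return $null }
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Test-SstpBindingConflict {
    $bindings = @(Get-Port443SslBindings)
    $expected = Get-SstpConfiguredCertHash
    $wildcard = $bindings | Where-Object { $_.Endpoint -eq '0.0.0.0:443' }

    if (-not $wildcard) {
        Write-Warning 'No 0.0.0.0:443 binding at all; SSTP will not answer on the wildcard address'
    } elseif ($expected -and $wildcard.CertHash -ne $expected) {
        # This is the clobbered state: another registration (typically IIS's Default Web Site)
        # owns the wildcard binding with a different certificate than SSTP is configured for.
        Write-Warning ("0.0.0.0:443 serves cert {0} (app {1}) but SSTP expects {2}" -f
            $wildcard.CertHash, $wildcard.AppId, $expected)
    }
    # Return everything so the caller can see SNI (Hostname:port) bindings alongside the wildcard one
    $bindings | Add-Member -NotePropertyName ExpectedSstpHash -NotePropertyValue $expected -PassThru
}

# Usage (run elevated on the VPN server):
# Test-SstpBindingConflict | Format-Table Endpoint, CertHash, AppId, ExpectedSstpHash -AutoSize
```

Two entries for `0.0.0.0:443` cannot coexist, so the warning above is the fingerprint of the problem the edit describes: IIS re-registering the wildcard binding with its own certificate each time the Default Web Site's HTTPS binding is touched. Moving the IIS sites to `Hostname:port` (SNI) bindings, as the post does, leaves the wildcard binding to SSTP, which is why the CDP problem disappeared along with the login failure.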