How to configure Windows Direct Access with PIA?

tddtdd
edited February 2018 in Windows VPN Setup
Windows versions marked as Ultimate, Enterprise, or Server (including Windows 10) have a service called Routing and Remote Access or RRAS, which is a truly always-on tunneling service for connecting either to specific work server protocols or VPN protocols. (Source)

I'm not a networking and vpn wizard. Can anyone explain how to connect PIA or OpenVPN through this RRAS service? Or if it's possible?

Why we need it:
RRAS does not allow any connections to be made outside the PC if they're not through the VPN. Whereas PIA's client is more of a user-triggered program, which turns on after login, and is by no means the first internet-connecting app to open up when you turn on your PC. Furthermore, the PIA app can die or be killed (thus circumventing the "killswitch"), whereas something like RRAS cannot.

[EDIT] Upon further research it seems that RRAS is for configuring a VPN on the server side, while I'm looking for something on the client side. 
The client version is called Microsoft Direct Access, so I'm changing my question to how to configure Direct Access. (Source)

Comments

  • I don't think this is possible with OpenVPN. All of those technologies seem to integrate somewhat tightly with Microsoft's server architecture and appear to only work with IPSec for DirectAccess, and only the built-in Microsoft VPN protocols for AutoVPN. It looks like this might even be meant to be deployed as an Active Directory policy, as is most of the Windows ecosystem.

    You may be able to follow our L2TP guide and then configure that VPN connection for always-on, but for the OpenVPN side of things the way I would approach the problem is a bit different. I would simply set up a Windows service that just runs OpenVPN as early as possible during the boot process to do the same thing.

    Unfortunately I'm more of a Linux guy so maybe someone else will be able to help you better for the specifics.
  • tddtdd
    edited February 2018
    Max-P said:
    I don't think this is possible with OpenVPN. All of those technologies seem to integrate somewhat tightly with Microsoft's server architecture and appear to only work with IPSec for DirectAccess, and only the built-in Microsoft VPN protocols for AutoVPN. It looks like this might even be meant to be deployed as an Active Directory policy, as is most of the Windows ecosystem.

    You may be able to follow our L2TP guide and then configure that VPN connection for always-on, but for the OpenVPN side of things the way I would approach the problem is a bit different. I would simply set up a Windows service that just runs OpenVPN as early as possible during the boot process to do the same thing.

    Unfortunately I'm more of a Linux guy so maybe someone else will be able to help you better for the specifics.

    Thanks Max-P for taking a look at those protocols for me. L2TP is also not a good solution (PIA app has encryption).

    What's the always-on situation like on Linux? Better? I'm thinking of running Windows as a VM inside a Linux host at some point.

    Basically I was looking for a foolproof/crashproof/microsoftproof way to make sure my PC does not connect to the internet unless it's through PIA.

    What I have now actually is a batch file in Windows that I run on Logoff using a group policy event (User Configuration > Windows Settings > "Scripts (Logon/Logoff)"). In this script I turn off all network adapters (except the PIA TAP one), so that next boot I can wait until the PIA app is finished loading up and then enable the network adapter after.

    The problem is, Microsoft has the power to turn on all network adapters on system startup (before user log on) and connect to the internet if it so pleases (like it does for example after you upgrade to a new Windows OS milestone). So it's potentially insecure, especially if you have a laptop with a built-in wifi chip.

    Also, if the PIA process dies (as I've caught it do a couple of times on my machine), then you connect to the unprotected internet.
  • edited February 2018
    Hi there,

    One way to achieve this is to install the standard OpenVPN client. Then, much like how the Linux configuration is done, you can configure/run OpenVPN as a Windows Service (running on boot), thus achieving the result of having an "always-on" VPN solution.
  • Here's some info:

    https://openvpn.net/index.php/open-source/documentation/howto.html#startup

    The excerpt you're looking for:
    Configuring OpenVPN to run automatically on system startup
    The lack of standards in this area means that most OSes have a different way of configuring daemons/services for autostart on boot. The best way to have this functionality configured by default is to install OpenVPN as a package, such as via RPM on Linux or using the Windows installer.
    Linux
    If you install OpenVPN via an RPM or DEB package on Linux, the installer will set up an initscript. When executed, the initscript will scan for .conf configuration files in /etc/openvpn, and if found, will start up a separate OpenVPN daemon for each file.
    Windows
    The Windows installer will set up a Service Wrapper, but leave it turned off by default. To activate it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click on properties, and set the Startup Type to Automatic. This will configure the service for automatic start on the next reboot.
    When started, the OpenVPN Service Wrapper will scan the \Program Files\OpenVPN\config folder for .ovpn configuration files, starting a separate OpenVPN process on each file.

    So basically, from the basic installation, so long as you choose to install the "Service" option of OpenVPN, this is achievable simply by putting the required OpenVPN configuration file into the specified directory.
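
The service setup described in the excerpt above, scripted as an added example (not part of the thread or of OpenVPN's documentation). It assumes the service is registered as `OpenVPNService` and uses a hypothetical profile path; it also rejects a profile that would prompt for credentials, since a service has no console to prompt on.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Assumptions: OpenVPN was installed with the "Service" option, the service is
# registered as "OpenVPNService", and the source profile path is hypothetical.
$ServiceName   = 'OpenVPNService'
$ConfigDir     = Join-Path $env:ProgramFiles 'OpenVPN\config'  # folder named in the excerpt;
                                                               # adjust if your installer uses another
$SourceProfile = 'C:\Temp\pia.ovpn'                            # hypothetical path

# Fail early if the service wrapper was not installed.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    throw "Service '$ServiceName' not found: re-run the installer with the Service option."
}

# A bare "auth-user-pass" line asks for credentials interactively. Under a
# service there is nobody to answer, so the tunnel would never come up at boot.
$bare = Select-String -Path $SourceProfile -Pattern '^\s*auth-user-pass\s*$'
if ($bare) {
    throw "Line $($bare.LineNumber): give auth-user-pass a credentials file argument first."
}

# Place the profile where the service wrapper scans for .ovpn files.
Copy-Item -Path $SourceProfile -Destination $ConfigDir -Force

# Same effect as Services > OpenVPN service > Properties > Startup type: Automatic.
Set-Service -Name $ServiceName -StartupType Automatic
Restart-Service -Name $ServiceName   # starts the service if it was stopped

# Verify: running, set to start at boot, and which profiles it will load.
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartMode
Get-ChildItem -Path $ConfigDir -Filter '*.ovpn' |
    Select-Object Name, LastWriteTime
```

Starting the tunnel at boot does not by itself block traffic while the tunnel is down, which is the gap raised earlier in the thread; if a credentials file is used, restrict its ACL to administrators and SYSTEM.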