Monitoring with PowerShell: Monitoring client VPN settings

So with all that’s going on, a lot of people are having trouble keeping up with setting up VPNs correctly. I’ve also struggled with clients that do not have a cloud-only solution but are still on a hybrid method of working.

In the past I’ve talked about Always On VPN, which we tend to deploy at clients. This, and even plain SSTP connections, are our most-used VPN methods. I tend to like Microsoft solutions for everything. 😉 In any case, we’ve been having trouble with this too. Some people suggest using CMAK to assist in deploying VPN. Of course, I prefer using my RMM system instead. 😉

As with most of my blogs, I’ve created two scripts: one for monitoring and one for remediation.

The monitoring script

In our RMM we can give each monitoring script a set of input variables. Using these input variables we check if the VPN is set the way we want it. If you can’t set up input variables on your RMM, just change them in the script.

$Settings = @{
    name                  = "Client based VPN"
    alluserconnection     = $true
    ServerAddress         = "remote.clientname.com"
    TunnelType            = "SSTP" #Can be: Automatic, Ikev2, L2TP, PPTP, SSTP.
    SplitTunneling        = $True
    UseWinLogonCredential = $true
    #There's a lot more options to set/monitor. Investigate for your own settings.
}
#Look the connection up in the all-users phonebook; a missing connection is a monitoring failure, not a script error.
$VPN = Get-VpnConnection -Name $($Settings.name) -AllUserConnection -ErrorAction SilentlyContinue
if (!$VPN) {
    $VPNHealth = "Unhealthy - Could not find VPN Connection."
}
else {
    #Compare only the properties we defined above, so extra properties on the live connection are ignored.
    $ExpectedVPNSettings = New-Object PSCustomObject -Property $Settings
    $Selection = $ExpectedVPNSettings.psobject.properties.name
    $CurrentVPNSettings = $VPN | Select-Object $Selection
    $CompareVPNSettings = Compare-Object $CurrentVPNSettings $ExpectedVPNSettings -Property $Selection
    if (!$CompareVPNSettings) { $VPNHealth = "Healthy" } else { $VPNHealth = "Unhealthy - Settings do not match." }
}
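An added example (not code from the original post) that extends the monitoring script so the alert names the exact setting that drifted, and also watches the connection's EncryptionLevel and AuthenticationMethod, the two properties that decide whether credentials can cross the tunnel unprotected. It assumes the same placeholder connection name and server address as above; the expected EncryptionLevel and AuthenticationMethod values are assumptions to replace with your own baseline.

```powershell
# Added example, not from the original post: per-setting drift report for the
# Windows VPN client. Property names are those Get-VpnConnection returns;
# the expected values are placeholders for your own environment.
$Expected = @{
    Name                  = "Client based VPN"
    ServerAddress         = "remote.clientname.com"
    TunnelType            = "SSTP"
    SplitTunneling        = $true
    UseWinlogonCredential = $true
    EncryptionLevel       = "Required"      # assumption: refuse unencrypted links
    AuthenticationMethod  = @("MsChapv2")   # assumption: array, compared sorted below
}

$VPN = Get-VpnConnection -Name $Expected.Name -AllUserConnection -ErrorAction SilentlyContinue
if (-not $VPN) {
    $VPNHealth = "Unhealthy - Could not find VPN connection '$($Expected.Name)'."
}
else {
    $Drift = foreach ($Key in $Expected.Keys) {
        $Want = $Expected[$Key]
        $Have = $VPN.$Key
        # Array-valued settings (AuthenticationMethod) are compared as a sorted,
        # comma-joined string; Compare-Object -Property would flag every array.
        if ($Want -is [array] -or $Have -is [array]) {
            $Want = (@($Want) | Sort-Object) -join ','
            $Have = (@($Have) | Sort-Object) -join ','
        }
        # String comparison also normalises booleans ($true vs True).
        if ("$Want" -ne "$Have") {
            "$Key (expected '$Want', found '$Have')"
        }
    }
    if (-not $Drift) {
        $VPNHealth = "Healthy"
    }
    else {
        # One alert line that lists every drifted setting, so the RMM ticket
        # already tells the technician what the remediation script will reset.
        $VPNHealth = "Unhealthy - Settings do not match: " + ($Drift -join '; ')
    }
}
$VPNHealth
```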

So now that you are monitoring the VPN connection and whether its settings are correct, we’re moving on to the remediation or setup side of the house.

Remediation script

The remediation works by looking up the current VPN connections based on the name property. If the VPN does not yet exist, we add one. If it does exist, we reset the settings to the way we would like them to be.

$Settings = @{
    name                  = "Client based VPN"
    alluserconnection     = $true
    ServerAddress         = "remote.clientname.com"
    TunnelType            = "SSTP" #Can be: Automatic, Ikev2, L2TP, PPTP, SSTP.
    SplitTunneling        = $True
    UseWinLogonCredential = $true
    #There's a lot more options to set/monitor. Investigate for your own settings.
}
$VPN = Get-VpnConnection -Name $($Settings.name) -AllUserConnection -ErrorAction SilentlyContinue
if (!$VPN) {
    #No connection with this name yet: create it. The hashtable keys match the cmdlet's parameter names, so it can be splatted.
    Add-VpnConnection @Settings -Verbose
}
else {
    #Connection exists: force every defined setting back to the expected value.
    Set-VpnConnection @Settings -Verbose
}

What’s cool is that these scripts work for any VPN that uses the Windows VPN client. This makes it super simple to deploy and monitor your clients’ VPN connections, and always have the same settings across your entire customer base.

And that’s it! As always, Happy PowerShelling.

14 thoughts on “Monitoring with PowerShell: Monitoring client VPN settings

  1. Eric Chapman

    Kelvin,
    Superb post!
    As an MSP we also utilize SSTP (CHAPv2) as well as the Always On VPN configuration. I do find that you need to keep an eye on these settings as they change from time to time or do not “auto-reconnect” as expected.

    Do you use any similar remediation and monitoring scripts for your “Always On VPN” configurations? (Device Tunnel or User Tunnel).

    Eric

    1. Kelvin Tegelaar Post author

      Hi Eric,

      Yes, we actually compare the XML to the configured VPN connection at that moment. There’s some caveats in it and I might blog about this next week. 🙂

      1. Eric Chapman

        Kelvin,
        That would be awesome. I would be quite interested to see your methods. I do find that most “Always On” documentation and posts are in a very corporate environment where it’s succeeded Direct Access. As an MSP – we typically are dealing with the SMB market where things quickly go out of the scope of a big corp. (i.e. – We are sending out a laptop to a user that has never even been to the LAN in the office, so no GPO’s, etc for certificates and such).

        I’ve noticed as of late, we have a number of user VPN profiles which seem to oddly change themselves / corrupt. The idea of auditing / remediating is for sure the route we hope to expand.

        Looking forward to your post, and very much enjoying your previous posts. Glad I discovered your site. Thanks

  2. Pingback: ICYMI: PowerShell Week of 03-April-2020 | PowerShell.org

  3. Tony

    Hey Kelvin,

    Really interesting post, thanks.

    I just wanted to ask how would these scripts deploy/work in production – assuming they are a real-time job rather than something that runs ongoing and saves the output somewhere for admins to view? At this stage we only have the option to deploy scripts via GPO but assume I could run this script against a list of machines from AD assuming WSMAN access to the machines is open?

    Thanks

    1. Kelvin Tegelaar Post author

      Hi Tony,

      So most of my scripts are made to be run by an RMM system, which is what MSPs use to monitor and deploy environments for their clients.

      Other solutions could be running it as a startup logon script, or running it remotely yeah. 🙂

  4. Nedim

    Hi Kelvin,
    How can I add a pre-shared key into this script? I tried adding the line below, but it looks like the script is hanging… please advise.

    L2tpPsk = $ENV:PreSharedKey

    Also, I was adding the variable value PreSharedKey. Thank you.

    1. Kelvin Tegelaar Post author

      Good question. I normally don’t use L2TP, and the method you are describing is correct for when you use DattoRMM. I’ll test it myself and come back to you later on this 🙂

  5. Dan Gilligan

    We also have clients set up with L2TP and use Datto RMM. Is there a way we can select unencrypted for password? I’m referring to the settings in the Security tab under “Allow these protocols”. By default MS-CHAP is selected. We would like to have Unencrypted password selected (PAP) only.

    Thanks!
