VPN Auto Connect

  • Question

  • We have a Meraki client VPN, which has no client VPN software; we use the Windows 10 built-in VPN. I used the PowerShell script below (and a batch file) to auto-connect the VPN.

    1. Is there a way to add a condition so that the attempt to connect to the VPN isn't made if the computer's LAN/Wi-Fi is in the office and already behind the Meraki?

    2. Also, is there a way to hide the credentials in the script? Below, they are listed in plain text.

    3. Lastly, notify the user if the VPN is not connected?

    while ($true)
    {
        $vpnname = "YOURVPNCONNECTIONNAME"
        $vpnusername = "YOURUSERNAME"
        $vpnpassword = "YOURPASSWORD"
        $vpn = Get-VpnConnection -AllUserConnection | where {$_.Name -eq $vpnname}
        if ($vpn.ConnectionStatus -eq "Disconnected")
        {
            $cmd = $env:WINDIR + "\System32\rasdial.exe"
            $expression = "$cmd ""$vpnname"" $vpnusername $vpnpassword"
            Invoke-Expression -Command $expression
        }
        start-sleep -seconds 30
    }

    Friday, May 8, 2020 8:54 PM

Answers

  • 1) You can ping a corporate site/domain to be sure that you are already connected, and otherwise try to connect:

    if (test-connection domain.name.com){write-host "VPN not needed or already connected"}

    2) During the first script run you can ask for credentials (or make a script which saves an encrypted password somewhere on the PC) and then, in your connection script, use that secure string as input.

    But you need to keep in mind that a secure string can be decrypted only on the same PC and only by the user who created it.

    So if your script starts the VPN connection as a service user, great, you have a pretty secure mechanism; but if the script is executed as a general user, that user can decrypt the creds and get the plain-text password.

    3) How, and which user, do you want to notify?

    Bonus track:

    * You do not need to recreate static variables every 30 seconds.

    * Loops like yours could generate memory leaks, so my recommendation is to put this into the scheduler with 15- or 30-minute loops inside, and kill the process at least every 30 minutes.

    # Save the password to a file on disk (one-time step; the registry works too). The extension can be anything, e.g. .txt, .zip, .avi
    # ConvertTo-SecureString 'p@s5w0r9' -AsPlainText -Force | ConvertFrom-SecureString | Out-File C:\FolderWithLimittedAccess\VPNPassword.zip

    $vpnname = "YOURVPNCONNECTIONNAME"
    $vpnusername = "YOURUSERNAME"
    # $vpnpassword_secure holds the DPAPI-encrypted string read back from the file
    # (ConvertTo-SecureString without -AsPlainText expects the encrypted form; -Force applies only to plain text)
    $vpnpassword_secure = Get-Content C:\FolderWithLimittedAccess\VPNPassword.zip | ConvertTo-SecureString
    # rasdial needs the plain-text password, so decrypt the secure string and free the unmanaged buffer afterwards
    $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($vpnpassword_secure)
    $vpnpassword_plain = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)

    # Static values are set once, outside the loop
    $cmd = $env:WINDIR + "\System32\rasdial.exe"
    while ($true){
        # If the probe host answers, we are on the LAN or the VPN is already up
        if (!(Test-Connection domain.local -Count 2 -Quiet)){
            # Call operator passes the arguments directly instead of re-parsing a string with Invoke-Expression
            & $cmd $vpnname $vpnusername $vpnpassword_plain
        }
        start-sleep -seconds 30
    }



    The opinion expressed by me is not an official position of Microsoft



    • Edited by Vector BCO Friday, May 8, 2020 10:14 PM
    • Marked as answer by Dan732 Thursday, May 21, 2020 9:49 PM
    Friday, May 8, 2020 9:33 PM
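The following is an added example, not code from the thread, that puts the accepted answer's three points together as a single scheduled-task run: one-time credential capture protected by DPAPI, a LAN probe before any connect attempt, and a balloon notification when the tunnel is still down afterwards. The VPN connection name, the probe host `intranet.corp.example` and the credential file path are assumptions.

```powershell
# Added example (not from the thread): run this from Task Scheduler every 15-30 minutes
# instead of an endless loop. $VpnName, $ProbeHost and $CredFile are assumed values.
$VpnName   = "YOURVPNCONNECTIONNAME"
$ProbeHost = "intranet.corp.example"   # host reachable only on the office LAN or over the VPN
$CredFile  = Join-Path $env:LOCALAPPDATA "vpn-cred.xml"

# First run: prompt once and store the credential. Export-Clixml protects the password
# with DPAPI, so the file decrypts only for this user on this machine.
if (-not (Test-Path $CredFile)) {
    Get-Credential -Message "VPN credentials for $VpnName" | Export-Clixml -Path $CredFile
}
$Cred = Import-Clixml -Path $CredFile

# Already inside the office network (or the VPN is already up)? Then do nothing.
if (Test-Connection -ComputerName $ProbeHost -Count 2 -Quiet) {
    Write-Verbose "Probe host reachable; no VPN attempt needed."
    return
}

# Look the connection up in the all-users phonebook first, then the per-user one.
$Vpn = Get-VpnConnection -AllUserConnection -Name $VpnName -ErrorAction SilentlyContinue
if ($null -eq $Vpn) { $Vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue }

if ($Vpn.ConnectionStatus -ne "Connected") {
    # rasdial needs the plain-text password: decrypt only for the call, then zero the buffer.
    $Bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Cred.Password)
    try {
        $Plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
        # Call operator passes arguments as-is; Invoke-Expression would re-parse them as code.
        & "$env:WINDIR\System32\rasdial.exe" $VpnName $Cred.UserName $Plain | Out-Null
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
        $Plain = $null   # drop the managed copy as early as possible
    }
}

# Notify the interactive user if the tunnel is still not up.
$Vpn = Get-VpnConnection -AllUserConnection -Name $VpnName -ErrorAction SilentlyContinue
if ($null -eq $Vpn) { $Vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue }
if ($Vpn.ConnectionStatus -ne "Connected") {
    Add-Type -AssemblyName System.Windows.Forms, System.Drawing
    $Tip = New-Object System.Windows.Forms.NotifyIcon
    $Tip.Icon = [System.Drawing.SystemIcons]::Warning
    $Tip.Visible = $true
    $Tip.ShowBalloonTip(10000, "VPN", "Could not connect to $VpnName (rasdial exit code $LASTEXITCODE).", "Warning")
}
```

Any process running as the same user can still Import-Clixml the file and recover the password, which is exactly the limitation the answer describes; running the scheduled task under a dedicated account narrows who can do that.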

All replies

  • I suppose you could try connecting to/pinging a resource accessible only behind your firewall. If it's successful, don't establish the VPN connection.

    The password can be a 'Secure String'. You'd have to convert it to a plain-text string to use it as a value for rasdial.exe, though.

    Why not let the user supply the password?


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Friday, May 8, 2020 9:31 PM