Tuesday 14 July 2015

How to deploy a Windows image with PXE over the internet using a bridged VPN

So this is the scenario:
You have a PC in a remote home office that you need to reinstall with your enterprise Windows image.
At the HQ office you normally just deploy the image using a Windows WDS server or similar.
This means that you boot a new PC on the network (pressing F12), and then, using WDS with a network-broadcast PXE package and an unattended.xml file, you apply the image and domain settings for a Windows machine.

So what we want to do here is to extend your HQ office network so that the remote user is able to do the WDS installation on his remote home office network over the internet.
This is not possible with a "normal" routed point-to-point VPN. The installation method we have chosen is based on broadcast network packets, which are not routable.

This is where a bridged VPN works perfectly. Seen from the network perspective, the remote home office and the HQ office are then on the "same" network, so all network broadcasts are forwarded over the VPN connection. We get a virtual layer-two Ethernet cable between the sites.
This means:
(1) when the remote machine requests a DHCP address, it gets it from the office DHCP server
(2) the WDS server's broadcast PXE and BINL packets will be received in the home office as well, so that the Windows image installation is able to run.

What is needed:

In the HQ office: 
DHCP server
SoftEther VPN server (or a piVPN in VPN server mode)
Some kind of PXE service able to deploy the Windows image (I will use Serva64 for this)
A fairly good internet connection

At the home office (where the image will be deployed) :
A piVPN machine, or any other machine running SoftEther VPN, in bridged mode.
The machine to be installed is connected to the same switch/router as the piVPN machine.
A fairly good internet connection (approx. 10 Mbit/s should be OK).

The image of the scenario is then like this:

Now, there is one problem with the remote home office setup.
It has a router ( which probably already has a DHCP server, and we may not be able to turn that service off or modify it.
To make sure that the remote laptop only sees the office network, we will need two network cards on the piVPN running in bridged mode at the remote site.
Any supported USB Ethernet card will do, in addition to the built-in Ethernet card on the Raspberry Pi.
The first network card (the built-in eth0) is then connected to the remote router, and the other network card (USB eth1) is connected to the laptop to be reinstalled. Both cards can just run as DHCP clients (as they do by default), so no changes to the network settings are needed, and no knowledge of the remote infrastructure is needed either.
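The whole setup rests on the laptop behind eth1 getting its lease, and its PXE boot parameters, from the HQ DHCP server rather than from the home router described above. The script below is an added example, not code from the post or from piVPN/SoftEther: a small DHCP OFFER parser plus a check that flags an offer which comes from an unexpected server, hands out an address outside the HQ range, or carries no PXE next-server/bootfile. The two packets are constructed inline; 192.168.50.0/24 is the HQ range the post uses (its VPN server sits at 192.168.50.2), while the router at .1, the Serva host at .10, the bootfile name and the home network 192.168.1.0/24 are placeholders. To use it on a real capture, pass the UDP payload of a DHCPOFFER seen on the eth1 side to parse_dhcp.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that starts the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_dhcp_offer(yiaddr: str, siaddr: str, server_id: str,
                     next_server: Optional[str] = None, bootfile: Optional[str] = None,
                     xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCPOFFER. Only used here to construct the sample packets."""
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0x8000)  # BOOTREPLY, Ethernet, broadcast flag
    fixed += _ip("0.0.0.0") + _ip(yiaddr) + _ip(siaddr) + _ip("0.0.0.0")  # ciaddr, yiaddr, siaddr, giaddr
    fixed += b"\xde\xad\xbe\xef\x00\x01" + b"\x00" * 10  # chaddr: constructed client MAC, padded to 16 bytes
    fixed += b"\x00" * 64 + b"\x00" * 128  # sname and file fields, unused in these samples
    opts = b"\x35\x01\x02"  # option 53: message type = OFFER
    opts += b"\x36\x04" + _ip(server_id)  # option 54: server identifier
    opts += b"\x01\x04" + _ip("255.255.255.0")  # option 1: subnet mask
    opts += b"\x33\x04" + struct.pack("!I", 86400)  # option 51: lease time
    if next_server:
        opts += b"\x42" + bytes([len(next_server)]) + next_server.encode()  # option 66: TFTP server name
    if bootfile:
        opts += b"\x43" + bytes([len(bootfile)]) + bootfile.encode()  # option 67: bootfile name
    return fixed + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp(pkt: bytes) -> Dict[str, object]:
    """Parse the fixed BOOTP header and the TLV options of a DHCP packet (UDP payload)."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (too short or missing magic cookie)")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    ciaddr, yiaddr, siaddr, giaddr = (str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in (12, 16, 20, 24))
    file_field = pkt[108:236].split(b"\x00", 1)[0].decode(errors="replace")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:  # pad option, no length byte
            i += 1
            continue
        if code == 255:  # end option
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated DHCP option header at offset %d" % i)
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option %d" % code)
        options[code] = value
        i += 2 + length
    server_id = str(ipaddress.IPv4Address(options[54])) if len(options.get(54, b"")) == 4 else None
    # A PXE client uses options 66/67 when present and falls back to the BOOTP siaddr/file fields.
    next_server = options[66].decode(errors="replace") if 66 in options else (siaddr if siaddr != "0.0.0.0" else None)
    bootfile = options[67].decode(errors="replace") if 67 in options else (file_field or None)
    msg_type = (options.get(53) or b"\x00")[0]
    return {
        "op": op, "xid": xid, "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
        "message_type": MSG_TYPES.get(msg_type, "UNKNOWN"),
        "server_id": server_id, "next_server": next_server, "bootfile": bootfile, "options": options,
    }


def check_offer(parsed: Dict[str, object], expected_server: str, expected_subnet: str) -> List[str]:
    """Return findings that say this OFFER did not come from the HQ DHCP/PXE setup; empty means it looks right."""
    findings: List[str] = []
    if parsed["message_type"] != "OFFER":
        findings.append("not an OFFER: %s" % parsed["message_type"])
    if parsed["server_id"] != expected_server:
        findings.append("offer from unexpected DHCP server %s" % parsed["server_id"])
    if ipaddress.ip_address(parsed["yiaddr"]) not in ipaddress.ip_network(expected_subnet):
        findings.append("offered address %s is outside %s" % (parsed["yiaddr"], expected_subnet))
    if not parsed["next_server"] or not parsed["bootfile"]:
        findings.append("no PXE boot server/bootfile in the offer")
    return findings


# Constructed sample packets (placeholder addresses, see the lead-in).
HQ_DHCP_SERVER = "192.168.50.1"
HQ_SUBNET = "192.168.50.0/24"
HQ_OFFER = build_dhcp_offer("192.168.50.120", "192.168.50.10", HQ_DHCP_SERVER,
                            next_server="192.168.50.10", bootfile="boot/pxeboot.bin")
HOME_ROUTER_OFFER = build_dhcp_offer("192.168.1.50", "0.0.0.0", "192.168.1.1")

if __name__ == "__main__":
    for name, pkt in (("HQ offer", HQ_OFFER), ("home router offer", HOME_ROUTER_OFFER)):
        p = parse_dhcp(pkt)
        print(name, p["message_type"], p["yiaddr"], "via", p["server_id"], "pxe:", p["next_server"], p["bootfile"])
        print("  findings:", check_offer(p, HQ_DHCP_SERVER, HQ_SUBNET) or ["ok"])
```

The check deliberately looks at the server identifier (option 54) and not at the source IP of the UDP datagram, because that is what the client itself keys its DHCPREQUEST on; an offer that passes all four checks is the one you want the laptop on eth1 to be seeing, and any finding on the second packet is the symptom of the home router's DHCP leaking into the bridged segment.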

Another clever way is to connect a wireless card to the piVPN, connect that to a wireless access point at the remote site, and then connect the PC to be reinstalled to the Ethernet port. This opens up installations over mobile access points (Wi-Fi and USB tethering) and guest Wi-Fi in hotels :-) Of course you can also put a switch on the USB Ethernet port and connect several PCs to it for multiple PC deployments.

Experiment time in the mini lab:

First I will set up two separate networks with two different routers.

Network 1 (e.g. the main HQ office network) is a network with IP range /24
accessing 75 Mbit/s internet with an ASUS RT-AC66U (IP address: which is also the DHCP server for this range).
I also connect a Lenovo ThinkPad hosting Serva64 (a cheap WDS clone), which is able to do an unattended deployment of an install image of Windows 7 Enterprise.
It also has a tiny pre-set-up Acer running Ubuntu with SoftEther VPN server (192.168.50.2), which is NATed through the Asus router on port 443. Of course you could have used a piVPN, a SoftEther VPN server running on Windows, or whatever you want. The best reason to run on port 443 is that this port is almost always available on remote networks with internet access.

Network 2 (e.g. the remote home office network) is a network with IP range /24 accessing 4G (approx. 30 Mbit/s) internet using a D-Link DIR-615 (with dd-wrt set in client mode towards a 4G phone with Wi-Fi tethering). All incoming ports are closed.
A very old HP laptop (to be reinstalled)
My piVPN box with an additional USB Ethernet card (an ASIX chipset of some kind)

piVPN setup

First I have modified the pivpninstall.sh script for VPN bridging instead of VPN server.
I have also commented out the original X application removal and added xrdp (to be able to log in with an X session and connect to a wireless network using the GUI).
The script can be found here.
On a freshly installed Raspbian you can just download and run the script using:

wget http://home.pivpn.net/pivpnbridgeinstall.sh
chmod +x pivpnbridgeinstall.sh
sudo ./pivpnbridgeinstall.sh

When the script has finished, the RPi will reboot and the VPN in bridge mode will be enabled.

You will see the IP address of the Ethernet card (eth0) on the Raspberry Pi that is connected to the remote router; in this case it gets by DHCP from the remote router. eth1 (the USB NIC) is not connected yet.

I connect a Windows PC to a port on the remote router to be able to configure the VPN bridge using the SoftEther Server Manager (it gets from the DHCP on the remote router):

Choose "New Setting", and enter the IP address of the Raspberry Pi (eth0, as the host name you will connect to.

Click connect

Choose a password

Click OK

Go with default, and click next

Press yes (or "Ja" if you are Norwegian :-))

Click "Step 2", "Configure Connection Settings". The host name here will be the SoftEther VPN server that you connect to at the HQ office. When you install the VPN server at HQ you will get the option to use an address in the cloud provided by SoftEther (vpnazure.net), or a dynamic DNS name (requires a NATed open port on your router to the VPN server).
I have set my own DNS address for the HQ VPN server, as I own a DNS server and a domain (test.pivpn.net). The user and password also have to be set on this VPN server prior to your connection from the bridge VPN (in my case the user is pi with password pi).

Connection is successful

For the local bridge I chose the network card that is not connected to the remote router (that is, not eth0), since I will connect my computer to the USB Ethernet card (eth1).

All done

I connect my Windows PC to the USB card (eth1) on the Raspberry Pi, and now it gets an IP address from the "HQ office" router (

Make sure Serva64 is running on the network, then reboot the PC connected to the Raspberry Pi USB card (in my case the same machine I configured the VPN bridge with) and remember to press F12 for network boot :-)

It actually works :-)

Installation time is of course dependent on image size and internet connection speed.

1 comment:

  1. Nice information, thanks for sharing it! It will be helpful for people searching for this kind of information.

    HP Envy 5540 Wireless Setup