- Architecture Overview
- Requirements
- What we will provide you with
- Step 1: Remote Desktop Login to Your Server
- Step 2: Install Tunnel Windows Features
- Step 3: Create a new tunnel interface
- Step 4: Get Origin Public InterfaceIndex ID
- Step 5: Assign Lectron public IP address to the current origin interface
- Step 6: Get the new InterfaceIndex of Lectron Tunnel
- Step 7: Get Origin Default Gateway
- Step 8: Establish Tunnel
- Every time you reboot your server machine:
- Troubleshooting
This guide is for servers with one public IP address attached to the machine.
Architecture Overview #
- Your Windows Server digs an end-to-end private tunnel to Lectron; inbound and outbound data travels through that tunnel using your Origin Tunnel Private IP (provided by us).
- The data is analyzed, filtered and transmitted by the Lectron Netflow transit station (provided by us).
- Clean data is then passed through to the Lectron Tunnel Private IP (provided by us).
- Data goes out to the public internet and reaches your users via the Lectron Public IP (provided by us). The Lectron public IP is attached to your public internet interface and represents your machine; traffic over your previously attached origin public IP address now has lower priority than the Lectron public IP. The same path is used in reverse for inbound traffic.
In short, a Lectron Tunnel protects your server machine at a deeper level: data is carried between your new anycast Lectron IP address and your server over the public internet, but with fewer hops and more consistency than a proxy, as if the anycast Lectron IP address assigned to you were your local server’s own IP address. It is like a bypass train tunnel under a city: you get through the city without being stopped by traffic lights.
Requirements #
You need the following for the tunnel setup to work:
- Windows Server 2016 and up
- Windows Server 2016 and Windows Server 2019 natively support this tunnel setup
- Although there has not been any comprehensive guide on the internet showing how to do it, we have been able to find the correct guidelines and explanations, and we provide them to you step by step
- 1 public IP address assigned to your server machine for interacting with the internet
- for this example, let’s say your server’s public IP address is:
- 11.22.33.44
- Your current origin public IP address’ default gateway
- this can be found with a simple ipconfig command in PowerShell (see the detailed guide below)
- for this example, let’s say your default gateway is:
- 11.22.33.254
- All commands below are run in PowerShell ISE, in Administrator Mode
What we will provide you with #
- Unique Lectron Public IP address
- for this example, let’s say we provide you with a new Lectron public IP address:
- 168.100.15.1
- we will call this <lectron-public-ip>
- Lectron Netflow endpoint
- you should put your new Lectron IP address into the subdomain in this format:
- 168-100-15-1.netflow.lectron.com
- we will call this <lectron-netflow-endpoint>
- the endpoint must be in the format shown above so that netflow records and traffic data are properly categorized, analyzed and transmitted
- Lectron Private IP Subnet:
- we will provide you with a /30 private subnet, which contains one private network address, two usable private addresses, and one private broadcast address
- for this example, we provide the 10.10.56.0/30 private subnet; the addresses are in the order shown below
- Private subnet
- 10.10.56.0/30
- we will call this <lectron-private-subnet>
- Network Address
- 10.10.56.0
- we call this <network-address>
- Origin Private IP
- 10.10.56.1
- we call this <origin-private-ip>
- Lectron Private IP
- 10.10.56.2
- we call this <lectron-private-ip>
- Broadcast Address
- 10.10.56.3
- we call this <broadcast-address>
- Other information:
- Origin Interface Index
- we call this <origin-interface-index>
- Lectron Interface Index
- we call this <lectron-interface-index>
- Route Metric
- Use the route print command in PowerShell to get a list of route metrics for all active routes
- The lower the number, the higher the priority given to the route; the higher the number, the lower the priority
- This is important, because we want to route almost everything through the new Lectron tunnel public IP address instead of your current origin IP address
- We only need to allow outbound data from your Windows Server machine to some specific websites or IP addresses (mainly outbound authentication with services that your specific applications need in order to work)
- You will need to add a Route Metric for the Lectron Tunnel Public IP
- typically a low number (for example 5), for higher route priority, as most traffic will transit through it
- You will also add a Route Metric for your own origin public IP
- typically a very high number (for example in the range 50 to 500), for lower route priority
- mostly for inbound Remote Desktop logins and outbound browsing of the internet
Step 1: Remote Desktop Login to Your Server #
On your personal Windows machine, use the natively installed Remote Desktop software to connect to your server.
On mobile devices or macOS, please check the guidelines publicly available on the internet.
Step 2: Install Tunnel Windows Features #
Open PowerShell ISE in Administrator Mode and run the following commands:
Install-WindowsFeature RemoteAccess
Install-WindowsFeature RSAT-RemoteAccess
Install-WindowsFeature Routing -IncludeManagementTools
Install-RemoteAccess -VpnType VpnS2S
Set-Service RemoteAccess -StartupType Automatic
Start-Service RemoteAccess
Then reboot your Windows server.
Step 3: Create a new tunnel interface #
Add-VpnS2SInterface -Name Lectron -Destination <lectron-netflow-endpoint> -SourceIpAddress <origin-public-ip> -IPv4Address <origin-private-ip> -IPv4Subnet <lectron-private-subnet>:2 -PassThru -GreTunnel
Then check the newly created interface to see whether its status is shown as Connected:
Get-VpnS2SInterface
Step 4: Get Origin Public InterfaceIndex ID #
Run Get-NetIPAddress in PowerShell to get the InterfaceIndex of your current origin public IP address; you will get output like the one below. Find your origin public IP address in the output results:
IPAddress         : 11.22.33.44
InterfaceIndex    : 7          <- use this; we will now call this number <origin-interface-index>
InterfaceAlias    :
AddressFamily     : IPv4
Type              :
PrefixLength      :
PrefixOrigin      :
SuffixOrigin      :
AddressState      :
ValidLifetime     :
PreferredLifetime :
SkipAsSource      :
PolicyStore       :
Step 5: Assign Lectron public IP address to the current origin interface #
New-NetIPAddress -IPAddress <lectron-public-ip> -InterfaceIndex <origin-interface-index> -PolicyStore ActiveStore
Step 6: Get the new InterfaceIndex of Lectron Tunnel #
route print
You will find the InterfaceIndex of the interface named Lectron in the Interface List near the top of the results.
For example, we would see Lectron with the number 30; we call this <lectron-interface-index>.
Based on your server’s route print results, choose <lectron-route-metric> (a low number) and <origin-route-metric> (a high number) accordingly.
- Make <lectron-route-metric> lower than the Metric of every existing route to Network Destination 0.0.0.0/0, because the tunnel should have priority over the others for passing traffic to and from the public internet.
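Choosing the two metrics by eye from route print is where this setup most often goes wrong, so here is an added helper (not part of the Lectron guide) that does the comparison for you. Windows ranks a route by RouteMetric plus the owning interface’s InterfaceMetric; that sum is the Metric column route print shows. The function lists every IPv4 0.0.0.0/0 route with its effective metric, then derives a <lectron-route-metric> that lands strictly below all of them and an <origin-route-metric> clearly above. The function name, its parameters and the default gap of 200 are this example’s own choices.

```powershell
# Added example, not part of the Lectron guide: derive <lectron-route-metric> and
# <origin-route-metric> from the routes the machine actually has.
function Select-TunnelRouteMetric {
    param(
        # InterfaceIndex of the interface named Lectron, as read from route print (e.g. 30)
        [Parameter(Mandatory)][int]$LectronInterfaceIndex,
        # How far above the lowest existing metric the origin fallback route should sit
        [int]$OriginGap = 200
    )

    # Every IPv4 default route, with the effective metric route print would display.
    $defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        ForEach-Object {
            $if = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
            [pscustomobject]@{
                InterfaceIndex  = $_.InterfaceIndex
                InterfaceAlias  = $if.InterfaceAlias
                NextHop         = $_.NextHop
                RouteMetric     = $_.RouteMetric
                InterfaceMetric = $if.InterfaceMetric
                EffectiveMetric = $_.RouteMetric + $if.InterfaceMetric
            }
        }

    # Preferred route first, the same order the kernel uses.
    $defaults | Sort-Object EffectiveMetric | Format-Table -AutoSize | Out-Host

    $lowest   = ($defaults | Measure-Object -Property EffectiveMetric -Minimum).Minimum
    $tunnelIf = Get-NetIPInterface -InterfaceIndex $LectronInterfaceIndex -AddressFamily IPv4

    # The tunnel route (RouteMetric + tunnel InterfaceMetric) must be strictly lower
    # than every existing default route for the Lectron path to win.
    $lectronMetric = $lowest - $tunnelIf.InterfaceMetric - 1
    if ($lectronMetric -lt 1) {
        Write-Warning ("Tunnel interface metric {0} is too high for the tunnel route to win; lower it first with: Set-NetIPInterface -InterfaceIndex {1} -InterfaceMetric 1" -f $tunnelIf.InterfaceMetric, $LectronInterfaceIndex)
        $lectronMetric = 1
    }

    [pscustomobject]@{
        LowestExistingMetric = $lowest
        LectronRouteMetric   = $lectronMetric
        OriginRouteMetric    = $lowest + $OriginGap
    }
}

# Usage, with the guide's example index for the Lectron interface:
Select-TunnelRouteMetric -LectronInterfaceIndex 30
```

Run it once the Lectron interface from Step 3 shows Connected, since the tunnel’s IPv4 interface (and its InterfaceMetric) only exists from then on; the returned LectronRouteMetric and OriginRouteMetric are the values to plug into Step 8.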
Step 7: Get Origin Default Gateway #
ipconfig
After running this command, find the entry with your origin IP address in the output and note its default gateway IP address.
Step 8: Establish Tunnel #
New-NetRoute -DestinationPrefix 0.0.0.0/0 -NextHop <lectron-private-ip> -RouteMetric <lectron-route-metric> -InterfaceIndex <lectron-interface-index> -PolicyStore ActiveStore
Remove-NetRoute -DestinationPrefix 0.0.0.0/0 -NextHop <origin-default-gateway> -PolicyStore ActiveStore; Start-Sleep -s 3; New-NetRoute -DestinationPrefix 0.0.0.0/0 -NextHop <origin-default-gateway> -RouteMetric <origin-route-metric> -InterfaceIndex <origin-interface-index> -PolicyStore ActiveStore
After the last line, wait a few seconds for the origin default route to be removed and re-added with the new route metric priority.
Every time you reboot your server machine: #
If you reboot your Windows Server machine, first log in to your server via Remote Desktop using the origin public IP address.
Then run the commands below to re-establish the tunnel routes for both the origin IP address and the Lectron public IP address assigned to your machine:
Start-Service RemoteAccess
New-NetRoute -DestinationPrefix 0.0.0.0/0 -NextHop <lectron-private-ip> -RouteMetric <lectron-route-metric> -InterfaceIndex <lectron-interface-index> -PolicyStore ActiveStore
Remove-NetRoute -DestinationPrefix 0.0.0.0/0 -NextHop <origin-default-gateway> -PolicyStore ActiveStore; Start-Sleep -s 3; New-NetRoute -DestinationPrefix 0.0.0.0/0 -NextHop <origin-default-gateway> -RouteMetric <origin-route-metric> -InterfaceIndex <origin-interface-index> -PolicyStore ActiveStore
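Steps 3 to 8 and the post-reboot routine above are the same sequence run with the same values, and a typo in any one placeholder can drop the Remote Desktop session. The script below is an added example (not part of the Lectron guide) that performs that whole sequence once, re-runnably, with the guide’s example values filled into a settings block and a check at each stage before the default route is touched. The /32 prefix on the Lectron address and the lookup of the tunnel interface by its alias are this example’s own assumptions; the guide’s own commands use neither.

```powershell
# Added example, not part of the Lectron guide: Steps 3 to 8 and the post-reboot
# routine as one idempotent script. Every value below is the guide's example value
# for the named placeholder; replace them with the ones Lectron gave you.
$Settings = @{
    OriginPublicIp       = '11.22.33.44'                       # <origin-public-ip>
    LectronPublicIp      = '168.100.15.1'                      # <lectron-public-ip>
    LectronEndpoint      = '168-100-15-1.netflow.lectron.com'  # <lectron-netflow-endpoint>
    LectronPrivateSubnet = '10.10.56.0/30'                     # <lectron-private-subnet>
    OriginPrivateIp      = '10.10.56.1'                        # <origin-private-ip>
    LectronPrivateIp     = '10.10.56.2'                        # <lectron-private-ip>
    LectronRouteMetric   = 5                                   # <lectron-route-metric>
    OriginRouteMetric    = 200                                 # <origin-route-metric>
}

# Any failure aborts before the default route is touched, so a half-applied change
# cannot lock you out of the Remote Desktop session.
$ErrorActionPreference = 'Stop'

# The RemoteAccess service is stopped after a reboot; the S2S interface needs it.
Start-Service RemoteAccess

# Step 3: create the GRE site-to-site interface once; later runs reuse it.
if (-not (Get-VpnS2SInterface -Name Lectron -ErrorAction SilentlyContinue)) {
    Add-VpnS2SInterface -Name Lectron -Destination $Settings.LectronEndpoint `
        -SourceIpAddress $Settings.OriginPublicIp -IPv4Address $Settings.OriginPrivateIp `
        -IPv4Subnet "$($Settings.LectronPrivateSubnet):2" -GreTunnel -PassThru | Out-Null
}
if ((Get-VpnS2SInterface -Name Lectron).ConnectionState -ne 'Connected') {
    Connect-VpnS2SInterface -Name Lectron
}
$tunnel = Get-VpnS2SInterface -Name Lectron
if ($tunnel.ConnectionState -ne 'Connected') {
    throw "Lectron tunnel is '$($tunnel.ConnectionState)', not Connected; routes left unchanged."
}

# Step 4: <origin-interface-index>, looked up from the origin address rather than read by eye.
$originIfIndex = (Get-NetIPAddress -AddressFamily IPv4 -IPAddress $Settings.OriginPublicIp).InterfaceIndex

# Step 7, done before any default route is removed: <origin-default-gateway>.
$originGateway = (Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $originIfIndex |
    Select-Object -First 1).NextHop
if (-not $originGateway) { throw "No default route found on origin interface $originIfIndex" }

# Step 5: attach <lectron-public-ip> to the origin interface. Assumption: /32, so the
# new address adds no on-link subnet route of its own.
if (-not (Get-NetIPAddress -IPAddress $Settings.LectronPublicIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -IPAddress $Settings.LectronPublicIp -PrefixLength 32 `
        -InterfaceIndex $originIfIndex -PolicyStore ActiveStore | Out-Null
}

# Step 6: <lectron-interface-index>. Assumption: the tunnel's interface alias is its S2S
# name, as route print lists it; if this lookup fails, take the index from route print.
$lectronIfIndex = (Get-NetIPInterface -AddressFamily IPv4 | Where-Object InterfaceAlias -eq 'Lectron').InterfaceIndex
if (-not $lectronIfIndex) { throw "Cannot find the Lectron interface index; read it from route print" }

# Step 8: add the tunnel default route first, so connectivity never depends on the
# origin route being present, then re-add the origin route with its higher metric.
if (-not (Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -NextHop $Settings.LectronPrivateIp -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix '0.0.0.0/0' -NextHop $Settings.LectronPrivateIp `
        -RouteMetric $Settings.LectronRouteMetric -InterfaceIndex $lectronIfIndex -PolicyStore ActiveStore | Out-Null
}
# Remove-NetRoute prompts for confirmation by default; -Confirm:$false keeps the script non-interactive.
Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -NextHop $originGateway -PolicyStore ActiveStore -Confirm:$false
Start-Sleep -Seconds 3
New-NetRoute -DestinationPrefix '0.0.0.0/0' -NextHop $originGateway `
    -RouteMetric $Settings.OriginRouteMetric -InterfaceIndex $originIfIndex -PolicyStore ActiveStore | Out-Null

# Verification: the tunnel route must be listed first (lowest RouteMetric).
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric |
    Format-Table InterfaceIndex, InterfaceAlias, NextHop, RouteMetric -AutoSize
```

Because the routes are written to ActiveStore only, they do not survive a reboot, which is exactly why the guide has you repeat the sequence afterwards; saving this script on the server and re-running it in an Administrator PowerShell ISE after each reboot replaces the manual re-entry.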
Troubleshooting #
If you can’t connect to your server machine via either the origin IP address or the Lectron public IP address, then most likely your <lectron-route-metric> and <origin-route-metric> were chosen incorrectly and did not work.
- In this case, reboot your server via your hosting provider’s web dashboard and run the commands from the "Every time you reboot your server machine" section again, but with different <lectron-route-metric> and <origin-route-metric> numbers.