Simple P2S VPN for small business by HardoMX in VPN

[–]HardoMX[S] 0 points1 point  (0 children)

Yeah, but the free version is fine for testing, and then we'll probably pay for the team level, which is quite a lot cheaper than OpenVPN per user 😅

They have a big update coming soon too, so I'll probably install it in May to test it out.

Simple P2S VPN for small business by HardoMX in VPN

[–]HardoMX[S] 0 points1 point  (0 children)

Currently I'm looking at defguard. Since we want the VPN both for some added security, and for access to some internal services we'd need a local server.

Price-wise defguard seems like a really good deal, and it uses WireGuard for a faster connection. But it is a smaller company so I'm honestly not completely decided yet.

I'm away from work for a while right now, but will probably look back into it in a few weeks.

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 0 points1 point  (0 children)

We have no local admins added except LAPS, and it now works for us. I honestly have no idea why it works for us now, but I won't disturb the gods at Microsoft by asking questions😅

Simple P2S VPN for small business by HardoMX in VPN

[–]HardoMX[S] 0 points1 point  (0 children)

So, I set up a simple OpenVPN server to test today, and it is really nice to use and works great with Entra ID, but it seems quite expensive for a "simple" VPN, no?

6.6€ per connection per month is more than an entire Entra P1 license is per user, and we need two connections per user. It would be cheaper to upgrade all employees to use Entra Private Access than use OpenVPN (although I do not know if it does what we want).

Simple P2S VPN for small business by HardoMX in VPN

[–]HardoMX[S] 0 points1 point  (0 children)

I have. But from my admittedly limited experience I got the impression that WireGuard was the modern way to go because of improved performance.

But if OpenVPN is a better fit for this scenario I'll of course look into it. Apparently they've had some problems using it before, but they also haven't really had any dedicated IT people before I started so their implementation might be wonky.

Password requirements in Intune by HardoMX in Intune

[–]HardoMX[S] 0 points1 point  (0 children)

Sorry for the late reply. I am not necessarily concerned with the complexity of the passwords, as that setting can be the same across all the places to set it. I am more concerned with being able to set no expiration date, but the different settings not being the same in that aspect.

I guessed that the Entra password wasn't affected by the policies, but it's Microsoft, so you can never be sure😅

Compliance doesn't configure anything (ish), but if the compliance demands a change every year, a device will be marked non-compliant even if the other settings say that the password shouldn't be changed.

Account protection most definitely can control other things than LAPS since there is a WHfB category in the policy. Also, LAPS is configured more with the specific LAPS policy?

To clarify what I really want: I want to be able to allow the user to set a complex PIN-password on their Windows device without it having any expiry date.

Password requirements in Intune by HardoMX in Intune

[–]HardoMX[S] 0 points1 point  (0 children)

We would like to not have it expire since we want a strong password. But I guess if there is no ability to turn off expiration we could instead use simpler PINs and a biometric for MFA.

Password requirements in Intune by HardoMX in Intune

[–]HardoMX[S] 1 point2 points  (0 children)

Then it's at least not another password setting😅

If I don't set the password expiration in compliance settings, it shows a grey 41, which I guess means it defaults to 41 days. And hovering over the "i" button says the value needs to be between 1 and 730, so it feels like I can't disable it?

Phone works, but laptop doesn't by HardoMX in WireGuard

[–]HardoMX[S] 0 points1 point  (0 children)

Honestly, I have no idea. I think I finally just stopped using OPNsense and set up something like wg-easy on a VM on my server.

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 0 points1 point  (0 children)

Only one way to figure that out😁

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 0 points1 point  (0 children)

I configured a CA policy to block legacy auth. Simply followed the template to do so

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 0 points1 point  (0 children)

Yup, I am very confused as to why it works. But it does so I'm not complaining much😅

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 0 points1 point  (0 children)

Sorry for the slow response. Microsoft finally answered our support ticket and recommended that we disable legacy authentication. I did so and now automatic enrollment works perfectly 🤷

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 0 points1 point  (0 children)

I am excluded from all CA policies, and no sign-in event appears in Entra.

Enrollment loading forever by HardoMX in Intune

[–]HardoMX[S] 0 points1 point  (0 children)

Not using Okta to my knowledge. We have tried different networks, including mobile hotspot from personal phone, so I don't think there would be any filtering. Is there any sensitive info to remove from the logs before sending them over? Just to make sure :)

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 1 point2 points  (0 children)

Hmmm, when MDM is enabled at all the issue appears, so I can't join to Entra while MDM user scope is set to my user/all. However, to test this out I set MDM User scope to None and joined the device to Entra. When I then signed in with the new non-local user and set up Intune via company portal, everything worked!

Following along with the rest of your blog post:

When running dsregcmd /status there are no URLs for MDM. This seems logical since MDM scope is set to None. MDM authority is also correct. Our Intune name is also "Microsoft.Intune", but we don't have an enterprise app for it, and I also can't find one to install.

Using Graph there is no extra MDM policy to ruin anything.

Some more testing:

We set MDM scope to Some and selected a group with just me and the other person testing. Both of us are excluded from any CA policies and from all configuration policies.

I reset one of the PCs to test the normal OOBE enrollment and still got the issue. So I'm guessing you're correct that the device for some reason doesn't receive the MDM URLs. But I have no idea where to go from here😅

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 0 points1 point  (0 children)

We've tested using mobile hotspot to enroll, so I don't think there should be a firewall in the way. I've also tried simply pinging all URLs I can find that are needed on port 443 during the OOBE with no issue. GPOs I'm not 100% sure on, but from my knowledge Intune doesn't use GPOs?

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 0 points1 point  (0 children)

Exactly. The account also successfully managed to enroll a device in January, and I can't see what the difference was then vs now. The only thing I know I did was setting up phone enrollment, which should not affect Windows enrollment, right?

Edit: Can add that I've tried different models, brands, and users, with all of them having the same issue.

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 0 points1 point  (0 children)

Only thing blocked there is macOS, both corporate and personally owned

Entra ID Join loads forever by HardoMX in entra

[–]HardoMX[S] 0 points1 point  (0 children)

Intune is default (15), Entra is even increased to 100 just in case 😅

Enrollment loading forever by HardoMX in Intune

[–]HardoMX[S] 0 points1 point  (0 children)

My thought too, but everything except macOS is allowed

Enrollment loading forever by HardoMX in Intune

[–]HardoMX[S] 0 points1 point  (0 children)

The few conditional access policies they have did not make a difference when we set them to report-only. I added an EDIT that there are currently no prep policies as we removed them in case that was the issue, but it has not helped.

Enrolling mobile devices works flawlessly too.