Remote Desktop problem over OpenVPN Gui->Lan

  • I'm having a problem with a specific road warrior client and connecting with Remote Desktop to workstations on the LAN. I have been staring at the problem from various angles for days now, so I need some help working out what is wrong.

    This is the situation:

    The hosts A & B are on the LAN (same subnet). Host C is the problematic laptop which connects from outside (the user's home network) to the OpenVPN endpoint. Host C usually connects to host A. All hosts are running Windows XP SP3.

    Other VPN roadwarriors have no problems with the same setup (except for another cert/key).

    The VPN tunnel seems to establish correctly. I push 2 routes, to the DMZ and the LAN subnets. These routes sometimes do not get set correctly on Host C for some reason. I can't isolate when & why this happens. In the OpenVPN GUI output it seems that one of the routes is pushed twice (I don't know why; the option is only set once in pfSense).

    But even when the routes get added correctly (as checked with "route print" on Host C) I have problems with Remote Desktop as follows:

    Host C cannot connect to host A with Remote Desktop when connecting over the VPN.
    But host C can ping host A when connecting over the VPN.
    And Host C can connect to host B with Remote Desktop when connecting over the VPN.
    Host B can connect to host A with Remote Desktop.
    Host C can connect to host A with Remote Desktop if I put it on the LAN.

    I have tried disabling the windows firewall on Host C with no changes.

    I'm not sure where to go from here as the above seems to eliminate "everything" as a cause of the problems. So, I'm kind of baffled, but I hope some of you guys can help me get this to work.

  • I'd install tcpdump and run:

    tcpdump -i XXX0 port 3389 [and host A]

    Naturally, substitute your LAN adapter name for XXX0. Optionally put in the "and host A", substituting the IP address for A if the output contains the trace for irrelevant machines.

    Start this command off and get your user to make a connection, see what passes through etc.

    Post the results here if you're not sure how to interpret them.

  • Hey Bern, thanks for the hint. I seem to have gotten further thanks to it.

    I did a few experiments with windump on the hosts. It was interesting: I could see RDP traffic going out on the LAN interface rather than the TAP device as long as the routing was not in place. The routing entries seem to lag behind for some reason, or only arrive on reconnect, I'm not sure why.

    When the routing was in place I could see RDP traffic going out on the TAP device but not coming in on the LAN interface of the other machine (the one being connected to). I'm not sure if this meant that no RDP traffic was arriving at the interface or if traffic arrived but was blocked by the firewall. Does tcpdump see traffic dropped by the firewall?

    So I took another look at the firewall settings on that machine. There was an exception (= open port) for RDP in the Exceptions tab of the Windows Firewall settings, but not in (the LAN entry properties in) the Advanced tab. Putting a check mark here fixed the problem. I'm not sure I understand why, as I don't need a check mark in this place on other hosts. Also, one should think that I should not have to add an additional exception here if one is already set in the general exceptions. So this is a bit of a mystery to me, but many things in Windows are :-D

    Again, thanks Bern for pushing me in the right direction.
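
A small helper for reading the kind of capture suggested in the tcpdump answer above and described in the windump experiments. This is an editor's added example, not code posted in the thread: it parses tcpdump/windump lines in the modern "Flags [S]" output format and groups every TCP connection attempt to port 3389 by client flow, classifying it as established (SYN-ACK came back), refused (server answered with RST) or no reply (only SYNs, usually retransmitted). The names SAMPLE_CAPTURE, parse_line, summarize_rdp and explain are my own, and the capture text is constructed, not taken from the poster's hosts. The reading that matters for this thread: a SYN that leaves the client's TAP adapter but never shows up in a capture on the server's LAN interface points at routing or NAT between the two; a SYN that does show up on the server but gets no SYN-ACK means the server host itself is not answering. A WinPcap capture on the receiving host sees inbound packets before the Windows Firewall decides on them, so a silently dropped SYN still appears in windump there.

```python
import re

# Constructed sample capture (not from the thread). Three RDP attempts from a
# VPN client 10.8.0.6: one completes, one only ever sends SYNs, one is refused.
SAMPLE_CAPTURE = """\
10:15:01.100000 IP 10.8.0.6.1040 > 192.168.1.20.3389: Flags [S], seq 1000, win 65535, length 0
10:15:01.101000 IP 192.168.1.20.3389 > 10.8.0.6.1040: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:15:01.102000 IP 10.8.0.6.1040 > 192.168.1.20.3389: Flags [.], ack 1, win 65535, length 0
10:15:05.200000 IP 10.8.0.6.1041 > 192.168.1.10.3389: Flags [S], seq 2000, win 65535, length 0
10:15:08.200000 IP 10.8.0.6.1041 > 192.168.1.10.3389: Flags [S], seq 2000, win 65535, length 0
10:15:14.200000 IP 10.8.0.6.1041 > 192.168.1.10.3389: Flags [S], seq 2000, win 65535, length 0
10:15:20.000000 IP 10.8.0.6.1042 > 192.168.1.10.3389: Flags [S], seq 3000, win 65535, length 0
10:15:20.001000 IP 192.168.1.10.3389 > 10.8.0.6.1042: Flags [R.], seq 0, ack 3001, win 0, length 0
"""

# tcpdump prints "a.b.c.d.port"; the greedy address group backtracks so that
# the final dotted component becomes the port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one TCP packet line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def summarize_rdp(capture_text, port=3389):
    """Group packets by client flow and classify each connection attempt.

    Returns {(client_ip, client_port, server_ip): {"syns": n, "result": r}}
    where r is "established" (server sent SYN-ACK), "refused" (server sent
    RST) or "no_reply" (only client SYNs were seen).
    """
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        if pkt["dport"] == port and "S" in flags and "." not in flags:
            # Client -> server SYN (a retransmit has the same 4-tuple).
            key = (pkt["src"], pkt["sport"], pkt["dst"])
            entry = flows.setdefault(key, {"syns": 0, "result": "no_reply"})
            entry["syns"] += 1
        elif pkt["sport"] == port:
            # Server -> client reply; ignore replies to SYNs we never saw.
            key = (pkt["dst"], pkt["dport"], pkt["src"])
            entry = flows.get(key)
            if entry is None:
                continue
            if "S" in flags and "." in flags:
                entry["result"] = "established"
            elif "R" in flags:
                entry["result"] = "refused"
    return flows


def explain(flows, port=3389):
    """Render one verdict line per attempt, the way you would read the capture."""
    lines = []
    for (cip, cport, sip), info in sorted(flows.items()):
        if info["result"] == "established":
            verdict = "handshake completed"
        elif info["result"] == "refused":
            verdict = "server answered RST: port closed or nothing listening"
        else:
            verdict = ("%d SYN(s), no SYN-ACK: packets not reaching the host, "
                       "or the host (its firewall) drops them silently"
                       % info["syns"])
        lines.append("%s:%d -> %s:%d  %s" % (cip, cport, sip, port, verdict))
    return lines


if __name__ == "__main__":
    for line in explain(summarize_rdp(SAMPLE_CAPTURE)):
        print(line)
```

Feed it a real capture with `windump -n -i <adapter> port 3389 > rdp.txt` on both the client and the target and compare the two summaries: if the client side reports "no SYN-ACK" and the same flow is absent from the target's capture, the packets are not being routed through the tunnel; if the flow is present on the target but still gets no SYN-ACK, the target host is the one dropping them.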

  • No problem, glad you got it sorted. Sometimes you have to go down to nearly bare metal!
