RDP won't work on full TAP?



  • I'm trying to RDP into my remote office computer. OpenVPN is all set up and I connect to the office network, but for some reason I CAN'T connect to the computer via RDP. It is enabled and everything, but it's giving me the default error when I try to connect.

    Any ideas?



  • Windows Firewall blocking unknown subnets?


  • What RDP authentication level is set on the machine?



  • @heper it's a bridged config, so I'm on the same subnet.



  • @gil I tried without Network Level Authentication, but that still didn't solve it.


  • I assume RDP works when directly connected to the subnet, and the Windows Firewall rules are therefore correct?



  • @gil yes, and that's the part that doesn't make sense: RDP is fully enabled and still not working.



  • Assuming Windows client to Windows server: are you patched up to the same level at both ends and not getting hit with the CredSSP message?
    You mention that you connect to the office network in your first post, but can the server ping the client machine?



  • @milkwyrm yes, I am connecting to a server, and I tried pinging; it gave me:

    Destination host unreachable.

    I don't know about the "CredSSP message".



  • Some of the recent RDP patches from MS caused an issue when the device/server you were connecting to didn't have the same level of patching applied. You'd know it if you saw it.
    You might want to confirm that the firewalls on both client and server allow RDP and ping (ICMP) through (even going so far as to temporarily turn the Windows firewalls off). Then, with the VPN running, check that both can ping each other to confirm that the routing is correctly established. Then move on to resolving any RDP issue that may or may not exist.

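The order suggested above (reachability first, RDP second) is easy to get wrong when the only evidence is "the default error". As an added example that is not from any of the posters, the script below makes one TCP connect to the RDP port from the VPN client and maps the socket outcome to the layer that is actually failing: "unreachable" is the same condition ping reports as "Destination host unreachable" (no route or no ARP reply on the client side), "timeout" points at a firewall drop or routing problem, "refused" means the host answers but nothing listens, and only "open" leaves RDP itself as the suspect. The office host address is a placeholder; the loopback self-check is a constructed fixture.

```python
"""Classify what a TCP connect to the RDP port actually tells you.

Example code added to this thread (not from the forum posters). The office host
below is a placeholder; run the script from the VPN client against the real one.
"""
import errno
import socket

VERDICTS = {
    "open": "host reachable and something listens: the RDP layer (NLA/CredSSP, "
            "patch mismatch, user rights) is the remaining suspect",
    "refused": "host reachable but nothing accepts on that port: check that the "
               "Remote Desktop service is listening on 3389",
    "timeout": "packets are dropped somewhere: Windows Firewall drop rule, a pfSense "
               "rule on the OpenVPN/LAN interface, or asymmetric routing",
    "unreachable": "no route or no ARP reply on the client side: the tunnel is up but "
                   "the client has no working presence on the LAN (this is what "
                   "ping's 'Destination host unreachable' means)",
}


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and map the outcome to a verdict keyword."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "timeout"
        except OSError as exc:
            if exc.errno == errno.ECONNREFUSED:
                return "refused"
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            return "error"
        return "open"


def diagnose(host, port=3389, timeout=3.0):
    """Return (verdict, explanation) for host:port."""
    verdict = probe_tcp(host, port, timeout)
    return verdict, VERDICTS.get(verdict, "unexpected socket error; inspect errno")


def local_self_check():
    """Constructed fixture: a loopback listener yields 'open'; closing it yields 'refused'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = probe_tcp("127.0.0.1", port)
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(local_self_check())        # ('open', 'refused')
    print(diagnose("10.0.1.50"))    # placeholder: an office host on the bridged LAN
```

Run it from the VPN client before touching any RDP setting; if the verdict is "unreachable" or "timeout", the problem is in the tunnel, bridge or firewall path and no RDP option will fix it.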


  • First off, thanks for your tips @Milkwyrm!

    Second, I tried allowing Remote Desktop through Group Policy AND turning Windows Firewall off; both gave me no luck. It turns out I can't RDP into a Windows 10 computer either, which makes me think that this might be an OpenVPN issue?

    I don't know if this means anything, but I do get this log error when connecting to OpenVPN:

    TLS Error: local/remote TLS keys are out of sync: my ip
    TLS Error: local/remote TLS keys are out of sync: my ip
    TLS Error: local/remote TLS keys are out of sync: my ip


  • Looks like you are not connecting and have no routing at all.
    Not really an RDP issue.



  • @profit @Gil I should clarify: *I still get a routed connection and am on the local network despite those errors.*



  • Seems to be a fairly common issue.
    https://forum.netgate.com/topic/113174/tls-error-local-remote-tls-keys-are-out-of-sync

    https://www.google.com/search?q=TLS+Error%3A+local%2Fremote+TLS+keys+are+out+of+sync&ie=utf-8&oe=utf-8&client=firefox-b

    You might want to start over. I always try to find at least 3 articles/how-tos for any setup I'm not experienced with and cherry-pick the parts that are common between them to figure it out. My primary pfSense unit runs 13 IPsec site-to-site tunnels, 2 OpenVPN client/server instances and one OpenVPN site-to-site without issue from day one, so it's definitely a rock-solid solution once you figure it out.



  • @milkwyrm I reconfigured my server and created new users, and that TLS thing is gone. I connect to the network with no problems now; I can browse the internet and sign into the pfSense GUI.

    However, I still cannot ping anything on the network.

    ☺



  • @profit I want to mention I'm not on a different subnet either; I'm actually bridged onto the LAN. Is this the moment where I post my config file in here?



  • Is there a particular reason you have for using a bridged network? I'm guessing from the first post this is a road-warrior VPN rather than a static site-to-site connection.
    Are you using local auth or AD for your users?
    Can you post the config for both ends (minus any sensitive info)?



  • @Milkwyrm No particular reason. I am using local auth.

    verb 1
    dev-type tap                      # layer-2 (bridged) tunnel
    dev-node /dev/tap1
    writepid /var/run/openvpn_server1.pid
    #user nobody                      # privilege drop left disabled (pfSense default)
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC                # fallback for clients without cipher negotiation
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local x.x.x.x                     # WAN address, redacted
    engine rdrand
    tls-server
    mode server
    push "route-gateway 10.0.1.1"     # LAN gateway handed to clients
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user TG9jYWwgRGF0YWJhc2U= false server1 1194" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'ServerCert' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "redirect-gateway def1"      # all client traffic goes through the tunnel
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0   # key direction 0; clients must use 1
    ncp-ciphers AES-256-GCM:AES-128-GCM
    fast-io

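The config above is worth reading with the thread's two symptoms in mind: the earlier "TLS keys are out of sync" errors, and a tunnel that comes up but cannot ping anything. As an added example (not pfSense code and not from any poster), the linter below parses a server config and reports the tap-mode pitfalls that match those symptoms: a tls-auth key direction the client must mirror, a tap server with neither server-bridge nor ifconfig-pool (so clients get a LAN address only if the tap is really bridged and a DHCP server answers across the bridge; pfSense emits server-bridge when its bridge DHCP option is enabled), a pushed redirect-gateway that sends everything through the tunnel, the commented-out user/group, and the CBC/SHA1 fallback left in place beside ncp-ciphers. SAMPLE_CONFIG is a constructed, abridged copy of the posted server1 config; the finding codes and messages are this example's own.

```python
"""Lint an OpenVPN server config for the bridged-TAP pitfalls discussed in this thread.

Example code added to the thread, not pfSense's or the poster's. SAMPLE_CONFIG is a
constructed, abridged copy of the server1 config posted above.
"""

SAMPLE_CONFIG = """
dev-type tap
dev-node /dev/tap1
#user nobody
#group nobody
proto udp4
cipher AES-128-CBC
auth SHA1
tls-server
mode server
push "route-gateway 10.0.1.1"
push "redirect-gateway def1"
client-to-client
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
"""


def parse_config(text):
    """Return [(directive, argument_string)], skipping blank lines and #/; comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return directives


def lint_bridged_tap(directives):
    """Return {finding_code: explanation} for a tap-mode OpenVPN server config."""
    names = {n for n, _ in directives}
    args = {n: a for n, a in directives}          # last occurrence wins; singletons here
    pushed = [a.strip('"') for n, a in directives if n == "push"]
    findings = {}

    is_tap = args.get("dev-type") == "tap" or args.get("dev", "").startswith("tap")
    if not is_tap:
        findings["NOT_TAP"] = "dev/dev-type is not tap; these checks target bridged servers"
        return findings

    if "server-bridge" not in names and "ifconfig-pool" not in names:
        findings["NO_CLIENT_ADDRESSING"] = (
            "tap server hands out no addresses (no server-bridge / ifconfig-pool): "
            "clients get a LAN address only if the tap is bridged to LAN and a DHCP "
            "server answers across the bridge; otherwise the tunnel is up but ping "
            "reports 'Destination host unreachable'")
    if any(p.startswith("redirect-gateway") for p in pushed):
        findings["FULL_TUNNEL"] = (
            "redirect-gateway is pushed: all client traffic crosses the tunnel, so the "
            "pushed route-gateway must be a working LAN gateway")
    if "tls-auth" in args:
        tokens = args["tls-auth"].split()
        direction = tokens[1] if len(tokens) > 1 else None
        if direction in ("0", "1"):
            peer = "1" if direction == "0" else "0"
            findings["TLS_AUTH_DIRECTION"] = (
                f"tls-auth key direction {direction}: clients need the same static key "
                f"with key-direction {peer}; a mismatch logs 'TLS Error: local/remote "
                "TLS keys are out of sync'")
    if "user" not in names or "group" not in names:
        findings["RUNS_AS_ROOT"] = "user/group not set: OpenVPN keeps root privileges after start-up"
    if args.get("cipher", "").endswith("-CBC") or args.get("auth") == "SHA1":
        findings["LEGACY_CRYPTO"] = (
            "CBC/SHA1 fallback stays available for clients without cipher negotiation; "
            "ncp-ciphers only upgrades negotiation-capable clients to GCM")
    return findings


if __name__ == "__main__":
    for code, why in lint_bridged_tap(parse_config(SAMPLE_CONFIG)).items():
        print(f"{code}: {why}")
```

On the posted config the linter reports all five findings; adding server-bridge plus user/group clears NO_CLIENT_ADDRESSING and RUNS_AS_ROOT, and the remaining TLS_AUTH_DIRECTION note is the thing to compare against the client's key-direction whenever the "out of sync" error reappears.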

  • Forget RDP not working; I'm having trouble connecting to a mapped network drive at the office...


  • Have you set up your routing?
    It is possible to have an OpenVPN connection but no routing.



  • I've got a really stupid question, but have you rebooted your pfSense box (on both ends if it's site-to-site)? I had some trouble last week getting an OpenVPN connection set up. I've done it so many times I can't remember. I even wrote myself a step-by-step tutorial a few months ago just in case. But no matter how many times I reset everything and started over, I couldn't ping the other side. I even tried resetting the firewall states after re-configuring.

    I rebooted the pfSense boxes on both ends and BAM! It worked fine.

    Last thought, you've got the firewall rules in pfSense, right?