Problem with VPN configuration, please help



  • Hi guys,
    On my new working place I inherited a network structure based on server 2012 R2 domain. The domain server provides a VPN connection to several native Win7 clients. For the gateway to the Internet I had a simple (home) TP-Link router. It was configured to forward port 1723 (PPTP) from word site to the VPN server. And clients didn't have any problems to touch the internal network.
    I changed the router with a pfsense box (computer with 2 NIC and installation of the latest version of the pfsense.
    Of course I configured a linked rure on the NAT section, which suppose to forward port 1723 to the server machine.
    But now the clients cannot connect to the VPN. They get error 800.
    What is my mistake and what must be changed?
    BTW I tried to change the protocol to GRE ... nothing changed so far. Obviously I missed somthing or it is lack of knoledge.
    So please help.

    Regards


  • Rebel Alliance Global Moderator

    Your still having your clients connect to a PPTP vpn? Dude that has not been secure for years and years..

    Its time to move to a more secure vpn solution.. Why would you not let your vpn clients endpoint to pfsense which is now at your edge..



  • @johnpoz I know dude,
    But the clients who connect remotely to the corporate network are simple clarks.
    They don't want even to hear somthing about certificates and openVPN clints. They are old shcool guys and they prefer to use (as they called) "the proved way to connect to the corporate network", which means to click on the VPN to the xxx.xxx.xxx.xxx and to type user name and password.
    So probably step by step I will change their mind, but for now they are close to the boss than me and have bigger influense on the "decisionmakers".


  • Rebel Alliance Developer Netgate

    If they do not know better it is up to you to convince them of the correct security procedures. Once the VPN is setup all they need to do is click it and sign in. It's not that different. Nothing 10 minutes of training couldn't fix.


  • Rebel Alliance Global Moderator

    ^ exactly... Use of a vpn solution that has been non secure for YEARS is not acceptable be it the users don't like change or not.. It not there place to determine the security of of the network.. Do you tell them how to do their jobs?

    Do a simple google to the insecurity of PPTP.. It is no longer a viable method - that MS has not on purpose disabled it is beyond belief to be honest. Windows server supports other vpn solutions that are secure.. IKEv2 and SSTP are viable windows server options.

    I do believe you can setup pfsense to be connectable from native current windows clients.. But I have not looked into those since the openvpn client works and is easy to use both on window, linux, bsd and ios and android devices. Macs even can connect to openvpn..

    I believe this is an option for windows native client
    https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html



  • The OpenVPN client nowadays is as simple as connecting to PPTP, especially since the latest Updates which doesn't require Administrative rights to work 100% as before.
    And by the way, you as Administrator can generate a well adapted Client openvpn.exe Package for each User with only one Click out of pfSense, containing all the Settings and Certificates. The User just installs this package clicking next-next-next-done and then just runs it.

    -Rico



  • Thank you for advises guys. Keeping in mind what you say I can consider that non of you ever hit the wall of incompetence and self confidence like "I am BOSS - you are FULL".
    I did shown all the "remote coleagues" and the bosses the open VPN solution. The answer was - "it is too complicate for us. If the old solution was working - find a way to make it work again!".
    I will try the solution JohnPoz proposed.
    And of course I will continue to ask for approval to teach old coleagues to the "new" technology.
    Any other advise will be appreciated.
    Thanks again.


  • Rebel Alliance Global Moderator

    To be honest, working in such an environment is not going to do anything for your IT resume.. You prob should polish that up and find a place where you can grow your skillset..

    If they do not want to use something like openvpn because its too "complicated" OMG!!! Then just windows for your vpn server, just use a secure protocol not pptp.. Setting up MS always on VPN would be a good learning experience for sure.. But wow talk about "complicated" vs something as drop dead simple as openvpn.

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy

    But let me guess their remote devices are still running XP? Since they seem to be stuck in dead tech..



  • @johnpoz Le me be honest too John. I was forced to start working in such an environment, because giving my CV to lots of companies I got and answer "You are too qualified (well trained) for the position we are offering". They gave such an answer in case they ask for IT guy whu must know windows administration, windows server systetems administration, network administration, Linux (Unix) administration, scripting, virtualization and to know at least one language (exept the native one of course :)). So the truth is that the employers in my country prefer "short term" contracts, with not so high educated people, who to do some jub somehow. After that they hire the next "IT guy" to fix the mess, which is not so easy for the short period of time or some time you should start from the scratch. And after "enlightening" that they want you to do everything for nothing ... the cicle starts from the beggining.
    Don't worry about my IT resume, it is rich enough. I made my caрeer in several government organization (as DoD for example) and after that in several private companies. So I proved my knowledge and skils. BTW in DoD I had very similar problems. But there if you have commander smart enough - he order what must happen and nobody can influence. In the private companies ... the situation is different.
    However, my "coleagues" do not use Windows XP any more. I bought for them Windows 10 licenses and ... can you imagine ... I was forced to downgrade to Windows 7. So now, after 2 months courses, they all use windows 7 pro.
    That is why I told you that I will try step by step to "clear" mind of the bosses and to adchieve better IT structure in this company (if I continue working for them of course).
    The solution in the article you pointet me to doesn't work for me. There are some strange readings in the firewall log. I saw several attempts a port 1723 to be reached, but more of the records show that if I try to connect by using the native Windows 7 VPN I knock on the port 500 via UDP protocol, which is very strange.
    I cannot use the last microsoft article you pointed to, because (ohhh again you are going to have fun with my situation) - in the organization I have just one DC, one file share server and one application server. There is no backup DC, there is no mirror on the file server, there in no CA server. So I cannot provide tham even with the right Microsoft solution for the VPN. Fortunately the Server 2012 VPN can provide connectivity without certificates, just as remote access. and that is what they use so far.



  • Now because you know PPTP ist nasty unsecure and completely broken since like 2012 I can tell you that you need two NAT/Portforwarding and associated Firewall Rules:

    1:
    TCP
    WAN ADDRESS
    DEST PORT RANGE=PPTP 1723
    REDIRECT TARGET IP=IP of your Windows VPN server.
    REDIRECT TARGET PORT=1723
    ADD ASSOCIATED FILTER RULE

    2:
    Exact same Forwarding again, but change TCP to GRE.

    -Rico


  • Rebel Alliance Global Moderator

    Good luck dude.. Please do not use PPTP... Use SSTP.. It's 1 port and secure..

    Maybe take a look at https://www.softether.org/

    It will allow you to run sstp or openvpn, etc. L2TP/IPsec, etc.. pretty robust vpn solution... Which you can do with just pfsense - but something like this would allow you to run the ms-sstp clone so they can connect with windows client native, and then maybe transition them to openvpn, etc. Which you could then move to your firewall, the edge device.

    Just a reminder windows 7 supports ends jan 2020.. This is really just around the corner.. Its not to early to start the migration plan to OS that gets you past 2020 ;)



  • @rico Thank you very much Rico. That was the key to the stupid PPTP.
    You are great guys.
    Now I will have time to convinse "wooden heads" to switch to the most secure solution.

    Thanks again.



  • You're welcome. But you need to get rid of PPTP asap seriously.
    And make sure the 'wooden heads' don't blame on you if PPTP really fuck things up.

    -Rico


  • Rebel Alliance Global Moderator

    If you want just post up your public IP and maybe someone would be nice enough to print out some goatse images on any printers you have with the caption - PPTP is NOT SECURE ;) Should get the point across quick enough heheheh ROFL..

    More fuel to catch those wooden heads on fire with

    https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2012/2743314

    This is from 2012 and even then MS recommended moving away from PPTP
    "Microsoft recommends using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication."



  • Hello guys,
    Just to show off and to ask again for a help.
    But first things first:
    Today I successfuly convinsed the bosses that the PPTP is old facion, not secure etc. etc. etc.
    We got to the agreement that Open VPN should be used.
    So I successfuly started the OpenVPN on the pfsense. I tried two ways - only with SSL/TLS and with SSL/TLS + user authentication. Both methods work just perfect.
    My problem now is that we have two ISP (two Internet lines). Now they are configured as main and backup (with automatic switching between them) and as a loadbalanser.
    The OpenVPN works on the main (fiber-optic) line. The second one is via ADSL (which is not so important ... the starnge thing is that some time packet have less latenci on this line than on the fiber-optic ... but this is other topic).
    How to make Open VPN to work on both lines, because you never know when you will have potential problem with one of the ISP's?
    Any advises?
    Thanks in advance.

    BTW your comments on this treat was my main weapon in today discussion and it was the weapon of the winner ;)


  • Rebel Alliance Global Moderator

    You can run openvpn on your public IPs all of them, You can then setup the ovpn file for the clients to try 1st and if that fails drop to 2nd one. That would be one way.

    2nd way you could have fqdn that points to primary IP, and if that fails to answer ping then it resolves to 2nd IP. There are multiple dnsservices that provide this failover method..

    You could do it old school and just have 2 configs for the users - and they can pick which one they want. If one doesn't work have them use the other one, etc.

    To be honest if your running on connections that go down so often that your worried about failover for your road warriors maybe you need to find better isp...



  • @johnpoz What you mean John? In the VPN - OpenVPN - Servers to start one server on WAN1 and another one (identical) on the WAN2?
    And second question - which openVPN client can I use in order to use option one (you proposed)? So far I use the VPN client dounloaded from here https://openvpn.net/index.php/open-source/downloads.html


  • Rebel Alliance Global Moderator

    Yes the openvpn can do that, you just put them in the ovpn file..

    And yes just run another instance on your other 2nd wan. You can run as many instances of openvpn you need. I run 3.. 1 on tcp 443, one on 1194 udp and another as client too my vps, etc.



  • @johnpoz Sorry to ask "stupid " questions, but teacher teached me that "it is better to ask how to do things right than to do stupid things and after that to fееl sorry".
    So speaking about the config file - do you mean to have something like:

    dev tap
    persist-tun
    persist-key
    cipher AES-128-CBC
    ncp-ciphers AES-256-GCM:AES-128-GCM
    auth SHA1
    tls-client
    client
    resolv-retry infinite

    remote xxx.xxx.xxx.xxx 1194 udp

    remote yyy.yyy.yyy.yyy 1195 udp

    verify-x509-name "myserver" name

    pkcs12 whatevername1-UDP4-1194-myclient.p12
    tls-auth whatevername1-UDP4-1194-myclient-tls.key 1

    pkcs12 whatevername2-UDP4-1195-myclient.p12
    tls-auth whatevername2-UDP4-1195-myclient-tls.key 1

    remote-cert-tls server

    Will this make the client if xxx.xxx.xxx.xxx (WAN1 public address) is not reachible to try to connect to the yyy.yyy.yyy.yyy (WAN2 public address)?
    Or I have to add something else in the configuration file?

    I red the documentation, but the description of this is vague and almost not clear.
    So again sorry to ask, but it is better to ask experience people than to conduct series of experiments with not clear exit :).



  • And one more question.
    When I added the second instance (server) for the WAN2 and try to export the configuration for the OpenVPN client, in the configuration file there is no lines for the second WAN.
    I mean there is :
    pkcs12 whatevername1-UDP4-1194-myclient.p12
    tls-auth whatevername1-UDP4-1194-myclient-tls.key 1
    But there are missing:
    pkcs12 whatevername2-UDP4-1195-myclient.p12
    tls-auth whatevername2-UDP4-1195-myclient-tls.key 1
    Is this normal?



  • Or may be I missed to issue manually certificates for the second server instance?



  • No, I just took a look at the server certificate options - there is no place where you to point to which server you issue the certificate. May be all instances using one server certificate?



  • Hi,
    @jimp did some VERY great pfSense Videos on OpenVPN RAS combined with MultiWAN.
    I recommend you check them out to get some things clear.
    https://www.youtube.com/embed/qscIIZ10WTQ
    https://www.youtube.com/embed/iJ5GACqfIGs
    https://www.youtube.com/embed/ku-fNfJJV7w
    https://www.youtube.com/embed/svZ6PKqGdtg

    -Rico



  • @rico Thanks Rico. I will take a look right now.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy