Netgate Discussion Forum
Cannot connect with RDP via openVPN

  • I
    IrixOS
    last edited by Sep 3, 2023, 9:19 PM

    I use openvpn to connect to my virtual servers at home.
    I can ping everything, but when I try to connect to my servers via RDP, the login takes too long and I get a message on the RDP client app on android that there is a network problem. I connect with 4G. It's the same network setup at home as before. (Has been covered in dust for a few years and I haven't touched the network since)

    OpenVPN and RDP have always worked correctly.
    I haven't tested it on a regular remote PC yet, it should work as before. I do have another smartphone in the meantime. There may be a bug in the phone or a bug in the openVPN connect app.

    I don't know what to double check anymore.

    All RDP settings on the windows servers are OK.

    Can someone help me and give me a tip?

    Thank you,

    • M
      michmoor LAYER 8 Rebel Alliance @IrixOS
      last edited by Sep 4, 2023, 1:14 AM

      @IrixOS do you see your firewall rules being hit?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • I
        IrixOS @michmoor
        last edited by Sep 4, 2023, 7:24 AM

        @michmoor Hello, the rule in pfsense is automatically created when you do the openvpn wizard. How do I see if it hits the firewall?

        Thank you,

        • G
          Gertjan @IrixOS
          last edited by Sep 4, 2023, 8:43 AM

          @IrixOS

          Here :

          df0ab4cb-3678-48b1-9347-92a0061996b3-image.png

          means : my connection has transferred 2,72 Gbytes - no open states right now.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • I
            IrixOS @Gertjan
            last edited by IrixOS Sep 4, 2023, 12:30 PM Sep 4, 2023, 12:26 PM

            @Gertjan
            Rules.png

            Is this correct?

            Thank you,

            • G
              Gertjan @IrixOS
              last edited by Sep 4, 2023, 12:42 PM

              @IrixOS

              Yep, looks fine, traffic comes into the OpenVPN interfaces, goes to the OpenVPN server.

              @IrixOS said in Cannot connect with RDP via openVPN:

              All RDP settings on the windows servers are OK.

              Like : the server/PC on which RDP runs, accepts connection from the OpenVPN interface - which is not the LAN network ?

              • I
                IrixOS @Gertjan
                last edited by IrixOS Sep 4, 2023, 2:20 PM Sep 4, 2023, 1:58 PM

                @Gertjan

                No there is a default 0 route pointing to the pfsense box, and routes back to the switch. This setup has always worked.
                I have a VDSL2+ modem bridged with the pfsense. The pfsense box is connected with the cisco L3 switch and that router/switch is connected to a L2 distribution switch which connects to the rest of the access switches.
                From the inside network I can RDP no problem.

                Also noticed that I cannot access the pfsense webpage from the openVPN client on the smartphone. This exact setup has worked before you know. Nothing has changed since then. It's bizarre.
                I can ping everything from the openVPN client on the smartphone but RDP does not work. I can hardly believe there is something with the VPN routing itself, I don't know.

                In my opinion the fact I cannot access the pfsense webpage and cannot RDP makes the VPN connection useless. Such a shame.

                Any findings would be appreciated.
                Ask me anything you want to know to acquire a solution,

                Thank you,

                • I
                  IrixOS @IrixOS
                  last edited by IrixOS Sep 4, 2023, 10:43 PM Sep 4, 2023, 10:42 PM

                  @IrixOS
                  41860-howto-L3-intervlanrouting-00.png

                  That is the model setup. The default router representing pfsense.

                  • M
                    marvosa @IrixOS
                    last edited by Sep 5, 2023, 12:51 AM

                    @IrixOS Post your openvpn config (config.ovpn)

                    Post the rules on your OpenVPN tab

                    Verify your VM's are using your SVI's as the default gateway

                    Are you entering the hostname or the IP in the "Computer" box for RDP?

                    • M
                      michmoor LAYER 8 Rebel Alliance
                      last edited by Sep 5, 2023, 1:19 AM

                      Could always provide a traceroute to confirm routing

                      • G
                        Gertjan @IrixOS
                        last edited by Sep 5, 2023, 5:19 AM

                        @IrixOS

                        Can you post : the startup openvpn log sequence of the OpenVPN server ?
                        and
                        The openvpn log at moment you (try to) connect to the OpenVPN server

                        @IrixOS said in Cannot connect with RDP via openVPN:

                        Nothing has changed since then

                        Things can break over time. Like certificates become expired.

                          • I
                            IrixOS @marvosa
                            last edited by Sep 5, 2023, 1:54 PM

                            @marvosa Rules.jpg Rules_2.jpg

                            VM's Checked SVI and default gateway, all ok, BTW, I can ping every machine from the openvpn app on the smartphone.

                            Tried both IP and DNS resolution, no connection

                            • B
                              bingo600 @IrixOS
                              last edited by bingo600 Sep 5, 2023, 1:55 PM Sep 5, 2023, 1:55 PM

                              @IrixOS

                              Are you having an MTU issue ??

                              Maybe try this

                              fragment 1400
                              mssfix 1400
                              

                              https://forum.netgate.com/topic/182605/solved-firewall-wan-blocking-packets-destined-for-a-working-openvpn

                              Remember to do it on both ends

                              /Bingo

                              If you find my answer useful - Please give the post a 👍 - "thumbs up"

                              pfSense+ 23.05.1 (ZFS)

                              QOTOM-Q355G4 Quad Lan.
                              CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                              LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                              • I
                                IrixOS @Gertjan
                                last edited by Sep 5, 2023, 2:04 PM

                                @Gertjan

                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_VER=3.git::081bfebe:RelWithDebInfo
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_PLAT=android
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_NCP=2
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_TCPNL=1
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_PROTO=30
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_LZO_STUB=1
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_COMP_STUB=1
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_COMP_STUBv2=1
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_SSO=webauth,openurl,crtext
                                Sep 5 16:03:01 openvpn user 'kurkunv' authenticated
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1559'
                                Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 [kurkunv] Peer Connection Initiated with [AF_INET]94.109.209.23:2845
                                Sep 5 16:03:01 openvpn 27362 kurkunv/94.109.209.23:2845 MULTI_sva: pool returned IPv4=172.16.1.2, IPv6=(Not enabled)

                                • I
                                  IrixOS @marvosa
                                  last edited by johnpoz Sep 5, 2023, 2:43 PM Sep 5, 2023, 2:07 PM

                                  @marvosa

                                  persist-tun
                                  persist-key
                                  cipher AES-128-CBC
                                  ncp-ciphers AES-256-GCM:AES-128-GCM
                                  auth SHA1
                                  tls-client
                                  client
                                  remote rshafw000000001.ddns.net 1194 udp
                                  verify-x509-name "www.rsha.de" name
                                  auth-user-pass
                                  remote-cert-tls server
                                  compress lz4-v2

                                  <ca>
                                  -----BEGIN CERTIFICATE-----
                                  <snipped by mod>
                                  -----END CERTIFICATE-----
                                  </ca>
                                  <cert>
                                  -----BEGIN CERTIFICATE-----
                                  <snipped by mod>
                                  -----END CERTIFICATE-----
                                  </cert>
                                  <key>
                                  -----BEGIN PRIVATE KEY-----
                                  <snipped by mod>
                                  -----END PRIVATE KEY-----
                                  </key>
                                  <tls-auth>

                                  2048 bit OpenVPN static key

                                  -----BEGIN OpenVPN Static key V1-----
                                  <snipped by mod>
                                  -----END OpenVPN Static key V1-----
                                  </tls-auth>
                                  key-direction 1

                                  • I
                                    IrixOS @bingo600
                                    last edited by IrixOS Sep 5, 2023, 2:25 PM Sep 5, 2023, 2:16 PM

                                    @bingo600

                                    This is the log. How do you change the MTU? I found a field on the WAN if tab. You said both ends; I will try to find the setting in the openVPN client.

                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_VER=3.git::081bfebe:RelWithDebInfo
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_PLAT=android
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_NCP=2
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_TCPNL=1
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_PROTO=30
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_LZO_STUB=1
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_COMP_STUB=1
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_COMP_STUBv2=1
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 peer info: IV_SSO=webauth,openurl,crtext
                                    Sep 5 16:03:01 openvpn user 'kurkunv' authenticated
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1559'
                                    Sep 5 16:03:01 openvpn 27362 94.109.209.23:2845 [kurkunv] Peer Connection Initiated with [AF_INET]94.109.209.23:2845
                                    Sep 5 16:03:01 openvpn 27362 kurkunv/94.109.209.23:2845 MULTI_sva: pool returned IPv4=172.16.1.2, IPv6=(Not enabled)

                                    • B
                                      bingo600 @IrixOS
                                      last edited by bingo600 Sep 5, 2023, 2:42 PM Sep 5, 2023, 2:37 PM

                                      @IrixOS

                                      You set it in the openvpn client + server config windows - Advanced configurations window

                                      See here for an example:
                                      https://forum.netgate.com/topic/182605/solved-firewall-wan-blocking-packets-destined-for-a-working-openvpn

                                      Do it on the "remote first" , then the local .....

                                      Aaaannnd it's always good to have https access to the box, if accessing/managing it via openvpn.

                                      Edit: Looks like your listed client above is "Android" ....
                                      If you used Client export , you can add the options there too , to be exported.

                                      63ca692e-94e2-475b-ae8d-51bb671166c4-image.png

                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator @IrixOS
                                        last edited by johnpoz Sep 5, 2023, 2:45 PM Sep 5, 2023, 2:44 PM

                                        @IrixOS I snipped out some of that info - that is dangerous to post your full certs/keys on public forum..

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                        1 Reply Last reply Reply Quote 2
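
The moderator's point above, as an added example (not code from this thread, pfSense or OpenVPN): a Python filter that strips inline key and certificate blocks from an exported .ovpn profile before it is pasted publicly. The function names, the redaction markers and the sample profile are constructed for illustration, and redacting the `remote` and `verify-x509-name` arguments goes beyond what the moderator snipped.

```python
import re
import shlex

# Inline blocks whose body is secret: once leaked, the keys must be re-issued.
SECRET_BLOCKS = {"key", "tls-auth", "tls-crypt", "tls-crypt-v2", "pkcs12", "secret"}
# Not secret, but certificates embed subject names and e-mail addresses.
IDENTIFYING_BLOCKS = {"ca", "cert", "extra-certs"}
# Directives whose first argument names the endpoint (assumed worth hiding).
ENDPOINT_DIRECTIVES = {"remote", "verify-x509-name"}
OPEN_TAG = re.compile(r"^\s*<([a-z0-9-]+)>\s*$")
KEY_MARKER = re.compile(r"-----BEGIN [^-]+-----")

# Constructed profile: placeholder bodies, no real key material.
SAMPLE = """\
client
remote vpn.example.test 1194 udp
verify-x509-name "vpn server" name
cipher AES-128-CBC
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
constructed-placeholder
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""


def sanitize_ovpn(text):
    """Return (sanitized_text, redacted_names) for an .ovpn profile."""
    out, redacted, inside = [], [], None
    for line in text.splitlines():
        if inside:  # drop every body line of the block being redacted
            if line.strip() == f"</{inside}>":
                out.append(line)
                inside = None
            continue
        tag = OPEN_TAG.match(line)
        words = line.split()
        if tag and tag.group(1) in SECRET_BLOCKS | IDENTIFYING_BLOCKS:
            inside = tag.group(1)
            redacted.append(inside)
            out += [line, f"[REDACTED {inside}]"]
        elif len(words) >= 2 and words[0] in ENDPOINT_DIRECTIVES:
            try:  # shlex keeps a quoted name with spaces as one argument
                args = shlex.split(line)
            except ValueError:  # unbalanced quote: keep only the directive
                args = words[:1] + [""]
            redacted.append(args[0])
            out.append(" ".join([args[0], "REDACTED"] + args[2:]))
        else:
            out.append(line)
    if inside:  # unterminated block: its tail was dropped, close it visibly
        out.append(f"</{inside}>")
    return "\n".join(out) + "\n", redacted


def leftover_secrets(text):
    """PEM or static-key headers still present; must be empty before posting."""
    return KEY_MARKER.findall(text)
```

Run `leftover_secrets` on the sanitized text as a final gate; a non-empty result means a block was not recognised and the profile should not be posted as it is.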
                                        • I
                                          IrixOS @bingo600
                                          last edited by Sep 5, 2023, 6:43 PM

                                          @bingo600

                                          That didn't work.

                                          Thank you,
