Cannot connect with RDP via openVPN
-
-
@IrixOS
Just a question ...
You do have RDP enabled , and allowed in the WIN firewall ... Correct -
I'll complement this one :
@bingo600 said in Cannot connect with RDP via openVPN:and allowed in the WIN firewall
When you activate the RDP server process in your Microsoft OS, by default (as per Redmond's rules) only connections from the local LAN, like 192.168.1.1/24 (or whatever your LAN is) are accepted, as Microsoft doesn't want you to use RDP from 'everywhere' aka the Internet.
The protocol just isn't safe enough, it was written with speed in mind, not security.When you use a VPN connection, this isn't really an issue, as you control the entire connection, and the dangerous part is "secured" as it is running over OpenVPN.
So : go to the Windows firewall, and modify (easier, you will find it) it.
This is mine :
Two rules, as there is one for TCP and one for UDP.
Btw : Double check that your PC recognizes the LAN network as private, not public. In Public mode it will accept no connections - from no one.
I know : you said it was working before, so my words are actually useless.
Just double check ^^ (maybe if some one has reset the windows firewall recently ) -
@Gertjan said in Cannot connect with RDP via openVPN:
you said it was working before, so my words are actually useless.
Or maybe it changed from private to public.. But if that was the case you would think ping wouldn't work either, because if blocked ping would be blocked too, etc.
But yes checking the firewall rules on the PC for sure prudent..
If I was troubleshooting this problem, I would validate that the traffic is even being sent to the client.. So you know where to look - this would be as simple as sniffing for port 3389 on the lan side interface the pc is connected too.. So for example I just connected to vpn on my iphone.
setup a sniff on lan for 3389.. Then connected via my phone rdp client. Screen pops right up on my phone, and you can see from the sniff traffic flowing both ways. If download and open in wireshark - can see the syn, and then syn,ack response..
The 10.0.200.250 address is the address my iphone when it connects to the vpn.. I am using rd client on my phone
https://apps.apple.com/us/app/remote-desktop-mobile/id714464092
If your never seeing the traffic get sent to the PC IP, then you need to look upstream.. If you see traffic sent to the client IP, but no answers - then you have the wrong IP your trying to connect too? Its not running remote desktop? Its on a different port than the standard 3389, its running a firewall? Its not using pfsense as its gateway, etc. But the simple sniff would tell you where to look next, either in pfsense firewall rules, etc.. Or towards the client.
edit: other obvious indication of a connection from client started at least, was I saw my PC that using (which is one I rdp to from phone) screen go to the login screen..
-
How can I close the ticket on this forum?
I have to mothball everything. My distribution switch has failed. I can't believe this is happening right now! From the port LEDs I can see that the switch has a serious problem.
The console says SYSTEM INIT: NOT ENOUGH MEMORY TO BOOT
Pure nonsense!
The switch may be outdated but it's brand new, I've only turned that retarded thing on and off three times!
It's certainly not the first time!
The other one I bought also had a problem. All the LEDs are flashing but it won't boot.
I already tried heating the solder joints, and then the port LEDs all came on, but no console.
A dead fish in the water! How is that possible, that damn thing was brand new, never used, ever programmed!DAMN YOU CISCO!!!!!!!
PFSENSE sucks and CISCO sucks, I haven't touched that moronic thing for years. VPN has always worked! RDP has always worked! PERIOD!
I thank you all for trying to solve my problem, I shall return to this forum as soon I have bought another piece of their cisco junk!
-
@IrixOS why pfsense suck tho?
-
-
Nothing, absolutely nothing, has changed in openVPN's settings since I reanimated the network which was recently. Whether pfsense is partly to blame for that, I don't know.
Pfsense and openVPN sucks because of this problem. Can't be unless it sabotaged itself. No one seems to know the answer.
Did I mention with the build-in terminal in pfsense you can't connect with a cisco terminal console! That's why it sucks!
The RDP client from microsoft on android also sucks! It sometimes loses connection with my windows servers. Is it openVPN to blame, might be.
I don't have that problem from the inside!
-
@IrixOS said in Cannot connect with RDP via openVPN:
build-in terminal in pfsense you can't connect with a cisco terminal console!
I ssh from pfsense to my switches all the time - I don't know what you would be trying to do with actual console cable?
Are you getting an error like this?
Unable to negotiate with 192.168.9.98 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1The RDP client from microsoft on android also sucks! It sometimes loses connection with my windows servers. Is it openVPN to blame
Which is - you can't connect, or you connect and the connection drops?
-
@johnpoz No I was in windows server with the desktop in front of me and suddenly zippo, can't remember which error it gave, happened occasionally. Regarding our issue here,I am thinking to reinstall pfsense on the box. I have no other choice unless someone comes up with some findings.
First I have to buy another switch, I think this one has a hardware error. That piece of trash is brand new, can't believe it is failing.
-
@IrixOS said in Cannot connect with RDP via openVPN:
unless someone comes up with some findings.
Findings from what - you haven't provided any info.. Did you do the sniff like I showed? Lets see that the traffic even gets sent to your box your trying to rdp to - that test takes all of like 1 minute to do.
-
@johnpoz I haven't forgotten about that, I tried to do that today, but I have no knowledge of wireshark, not yet. I installed it one week ago. When I came back from sports, I saw the switch was failing so I am stuck right now.
-
@IrixOS packet capture under diagnostics - clicky clicky..
-
G Gertjan referenced this topic on Sep 7, 2023, 6:02 AM
-
@johnpoz Thanks I am looking forward to perform the sniff.
-
Plan A is getting the internet back running
Plan B is the sniff for that horseshit vpn-RDP problem.The switch has been swapped. I ran into some other problem. I had to free networkspace for my management vlan. So I also had to recalculate the subnet of pfsense.
The procedure to change the ip address of pfsense according to the documentation seems to be quiet easy. I changed the LAN IP en guess what? No internet. That's very silly.
I knew I was going to run in some bullshit problem.Again an error in disguise, and I'm stuck.
Did I mention that serial console not working on pfsense? That's why it sucks, could be very valuable if you have your cisco switch near the pfsense box and can't mobilize it.
Any thoughts about the changed LAN ip in pfsense? There is alot of configuration, I an not planning to begin from scratch.
Thank you,
-
@IrixOS said in Cannot connect with RDP via openVPN:
Did I mention that serial console not working on pfsense?
Works for me..
I console in pretty much every time I do an update. I like to watch the progress.
Is this a netgate appliance - console on some other hardware would be on that hardware maker, etc.
Changing the lan IP - confuses a lot of users, they forget to update their pc they are using to the new IP range, or don't renew their dhcp lease.
When changing the IP your connecting too, especially if in a different range - that can be difficult. Would be best to change that either via console, or just connect to another IP on a different interface..
-
@johnpoz I will look into that later.
I have a subnet /30 between pfsense and the internal network.
I defined the gateway and the static route in pfsense. As soon as I do that, I cannot access the internet. Took me two days and two nights to realize that. However I can ping my ISP DNS servers or access the bridged modem.Normally that should work, it always have worked with that exact setup.
I have the feeling there is some DNS issue.
When I connect my PC straight with the pfsense, I can access the net, strange,...Do you have a clue why this occurs? Normally DNS on pfsense should work out of the box.
Thank you,
-
@IrixOS so you have a transit network.. Did you adjust rules on the transit to allow for this downstream network?
Out of the box sure it should just work for dns, but you setup your routing - this should auto adjust your acls on unbound to allow your downstream network to query unbound.
Easy enough to test for dns, just do a dig or nslookup or host - whatever your fav dns tool is.
I don't use the auto acls - when you add a route to your downstream network(s) the acl should adjust. But you might have to restart unbound?
-
@johnpoz said in Cannot connect with RDP via openVPN:
Did you adjust rules on the transit to allow for this downstream network?
10.214.1.66/30 is the ip of the pfsensebox, 10.214.1.65/30 is the interfaces of the Layer3 switch that performs intervlan routing. I have a 0.0.0.0 0.0.0.0 default route pointing to the pfsense interface address.The 10.214.1.0/25 is the summary of all subnets.
-
@IrixOS looks like your actual internet is down, ie your wan_pppoe so not sure how internet would work??
And your default gateway for pfsense is your LAN, so its pointing to the switch to go anywhere.. So not sure how that would work either.
