  1. #1
    Untanglit
    Join Date
    Nov 2020
    Posts
    19

    Captive Portal & WireGuard VPN

    Hi,

    Are you able to advise if it's possible to capture username authentication via local directory for roaming users on WireGuard VPN?

    We have a similar policy like this:

    https://forums.untangle.com/captive-...ter-rules.html

    https://forums.untangle.com/wireguar...nnel-mode.html

    1) Firewall app configured to block all traffic.

    2) WireGuard VPN users are roaming profiles.

    The idea is to send WireGuard VPN users to Captive Portal for authentication after they have connected in order to access internal web applications.

    Unfortunately Captive Portal never appears and access is blocked when the rule is enabled.

    Is this because roaming profile is not a full tunnel and it doesn't work?

    Thanks!
    Last edited by reachmedia; 11-18-2021 at 11:19 PM.

  2. #2
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,258

    Do you have a Policy rule that forces traffic into the CaptivePortal Rack?

    I normally do a standalone CaptivePortal Rack that I have at the bottom.
    And then I have a Policy rule with Group/User Going to a "normal" rack.

    That way it doesn't matter if the user comes from OpenVPN/Wireguard/IPsec/WiFi they all match the same rules.

  3. #3
    Untanglit
    Join Date
    Nov 2020
    Posts
    19

    Originally Posted by WebFooL:
    Do you have a Policy rule that forces traffic into the CaptivePortal Rack?

    I normally do a standalone CaptivePortal Rack that I have at the bottom.
    And then I have a Policy rule with Group/User Going to a "normal" rack.

    That way it doesn't matter if the user comes from OpenVPN/Wireguard/IPsec/WiFi they all match the same rules.

    Are you able to share your rules? How do I get username going to a "normal" rack?

    Thanks!

    Screenshot 2021-11-20 025154.jpg
    Last edited by reachmedia; 11-19-2021 at 11:52 AM.

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,734


    This rule captures wireguard connecting clients.

    wireguard-capture.png
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,258

    Originally Posted by reachmedia:
    Are you able to share your rules? How do I get username going to a "normal" rack?

    Thanks!

    Screenshot 2021-11-20 025154.jpg

    I use ActiveDirectory and always want to match to a few groups so I tend to not use the [ANY] Option but it should work.

    If you look in your session tab you should be able to see what rack/policy the sessions are hitting.

  6. #6
    Untanglit
    Join Date
    Nov 2020
    Posts
    19

    Originally Posted by jcoffin:
    This rule captures wireguard connecting clients.

    wireguard-capture.png

    Hi jcoffin, my rules are exactly like yours but it is on roaming profile. Does it apply to full tunnel or roaming profile or BOTH?

    Thanks!

  7. #7
    Untanglit
    Join Date
    Nov 2020
    Posts
    19


    An example I've tested to access a Synology NAS at internal IP: https://192.168.1.4:5001

    The management web gui is hosted on port 5001.

    If I were to disable the captive rule, it can be accessed as per normal.

    However if I enable the rule, the Captive Page - Basic Logon doesn't appear, and the web gui is inaccessible.

    Screenshot 2021-11-20 163730.jpg

    Screenshot 2021-11-20 164049.jpg

    Thanks!

  8. #8
    Untanglit
    Join Date
    Nov 2020
    Posts
    19


    I've set the authentication method -> None and Captive Page -> Basic Message.

    Is this the correct redirect page that should be set to either in firewall rules?

    http://untangle/capture/handler.py/index?appid=54 ==> I've gotten this from the Preview Captive Portal Page.

    Thanks!

  9. #9
    Untanglit
    Join Date
    Nov 2020
    Posts
    19


    I think my issue is similar to his: https://forums.untangle.com/captive-...ogin-page.html

    The Captive Portal page does not appear.

  10. #10
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,734

    There is no full tunnel create config on WG. WG connection routes are based on the routing in the client config. Whether tunnel or roaming, either can be full tunnel based if the client side has the 0.0.0.0/0 route.

    The blocked access is coming from the Firewall app. We'll need to understand your UT setup. Do you have different policies? Any tagging? etc.

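Added example, not part of any post in the thread and not Untangle code: post #10 says the routes come from the client config, which in a WireGuard client file is the `AllowedIPs` list under `[Peer]`. The sketch below parses constructed sample configs and reports whether a profile is effectively full tunnel and whether a given destination is sent into the tunnel at all; the keys, endpoint and 172.16.0.0/24 tunnel subnet are assumptions, and 192.168.1.4 is the NAS address from post #7.

```python
import ipaddress

# Constructed sample client configs; keys and endpoint are placeholders.
SPLIT_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 172.16.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 192.168.1.0/24, 172.16.0.0/24
"""
# Same profile, but routing everything through two /1 halves, which
# together are equivalent to a literal 0.0.0.0/0.
FULL_CONF = SPLIT_CONF.replace(
    "192.168.1.0/24, 172.16.0.0/24", "0.0.0.0/1, 128.0.0.0/1")


def allowed_networks(conf_text):
    """Return the IPv4 AllowedIPs of all [Peer] sections, collapsed."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "peer" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "allowedips":
                for cidr in value.split(","):
                    net = ipaddress.ip_network(cidr.strip(), strict=False)
                    if net.version == 4:
                        nets.append(net)
    # Collapsing merges 0.0.0.0/1 + 128.0.0.0/1 into 0.0.0.0/0.
    return list(ipaddress.collapse_addresses(nets))


def is_full_tunnel(conf_text):
    return ipaddress.ip_network("0.0.0.0/0") in allowed_networks(conf_text)


def goes_through_tunnel(conf_text, dest):
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in allowed_networks(conf_text))


if __name__ == "__main__":
    for name, conf in (("split", SPLIT_CONF), ("full", FULL_CONF)):
        print(name, is_full_tunnel(conf), goes_through_tunnel(conf, "192.168.1.4"))
```

A destination not covered by the client's `AllowedIPs` is never sent into the tunnel, so no rule on the server side sees that traffic.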