Page 1 of 2 (results 1 to 10 of 14)
  1. #1 Master Untangler (Join Date: Dec 2018, Posts: 165)

    Assign local IP range to L2TP client connections?

    In other routers that I've used (Mikrotik and the EdgeRouter/USG) you could set the IP range that is handed out to be anything that you wanted, so that I could use a split tunnel with our remote clients. Our internet connection sucks, so we only want VPN traffic to flow over it.

    In my case I have the DHCP server on the EdgeRouter hand out 192.168.0.100-192.168.0.240.

    I could then have the L2TP connection hand out 192.168.0.241-192.168.0.254 for remote clients to use.


    That doesn't appear to be the case with Untangle?

    I see a thread referencing this here - https://forums.untangle.com/ipsec-vp...-config-2.html

    Has anything ever come of this or is the only solution to add a new route to Windows to make this work?

  2. #2 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 24,189)

    No, with Untangle all VPNs are routed, unique IP networks.

    That IP configuration has nothing to do with full vs. split tunnel; that is the "use the remote network's gateway" option when configuring the client. As for devices behind Untangle, they don't need routes, because Untangle is the router. If Untangle isn't the default gateway, then whatever device is the default gateway needs the route.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
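
A planning check for the rule in this reply (the VPN client pool must be its own routed IP network, and a LAN default gateway other than Untangle needs a static route to it), written as an added example that is not code from the thread or from Untangle. The LAN, DHCP scope and pool values are taken from the thread; the helper names and the Untangle LAN address 192.168.0.2 are constructed assumptions.

```python
import ipaddress


def covering_prefix(first, last):
    """Smallest single CIDR prefix containing the whole first..last address range."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if first > last:
        raise ValueError(f"range start {first} is after its end {last}")
    net = next(ipaddress.summarize_address_range(first, last))
    while last not in net:          # widen until the prefix also covers the end
        net = net.supernet()
    return net


def check_vpn_pool(lan_cidr, dhcp_range, vpn_range, untangle_lan_ip, lan_default_gw):
    """Return (ok, problems, routes): ok is True when the pool is its own routed
    network; routes are what a non-Untangle LAN default gateway must add."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    dhcp_first, dhcp_last = (ipaddress.ip_address(a) for a in dhcp_range)
    vpn = covering_prefix(*vpn_range)   # the prefix a router would actually install
    untangle_ip = ipaddress.ip_address(untangle_lan_ip)
    gw_ip = ipaddress.ip_address(lan_default_gw)
    problems = []

    if dhcp_first not in lan or dhcp_last not in lan or dhcp_first > dhcp_last:
        problems.append(f"DHCP scope {dhcp_first}-{dhcp_last} is not inside LAN {lan}")
    if untangle_ip not in lan:
        problems.append(f"Untangle LAN address {untangle_ip} is not inside LAN {lan}")
    # The rule from the reply: a routed VPN pool must not be a slice of the LAN,
    # so the EdgeRouter-style "spare .241-.254" range is rejected here.
    if vpn.overlaps(lan):
        problems.append(f"VPN pool {vpn} overlaps LAN {lan}; pick a distinct network")

    routes = []
    if not problems and gw_ip != untangle_ip:
        # LAN hosts send replies to their default gateway; if that is not
        # Untangle, it must forward the VPN prefix back to Untangle's LAN address.
        routes.append(f"{vpn} via {untangle_ip}")
    return (not problems, problems, routes)


if __name__ == "__main__":
    # Constructed sample 1: the thread's EdgeRouter layout, which a routed VPN rejects.
    print(check_vpn_pool("192.168.0.0/24", ("192.168.0.100", "192.168.0.240"),
                         ("192.168.0.241", "192.168.0.254"), "192.168.0.1", "192.168.0.1"))
    # Constructed sample 2: a distinct pool, with Untangle not the LAN default gateway.
    print(check_vpn_pool("192.168.0.0/24", ("192.168.0.100", "192.168.0.240"),
                         ("172.16.10.1", "172.16.10.14"), "192.168.0.2", "192.168.0.1"))
```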

  3. #3 Master Untangler (Join Date: Dec 2018, Posts: 165)

    The EdgeRouter/USG works just fine by dumping all of the L2TP clients into the same subnet as the network that you want to use remotely. You can uncheck that option you are referring to on the client-side VPN connection, and yet it all works just fine.

    We've been doing it for years at work and I've been doing it at home as well.

  4. #4 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 24,189)

    Yes, I'm sure you have. And that configuration is reliant on a bucket of proxy-ARP magic that can detonate in your face. It's a solution that one only loves right up until it doesn't work. Untangle doesn't work that way, so now you get to change gears or products.

    For what it's worth, I don't think Untangle can work that way at all due to the virtual rack and how the filtration is performed. It needs a clear routing table, because it's doing a ton more than just shoving packets out an interface.

    So you can in a lot of ways say this is a difference between a VPN enabled router, and a UTM.

    Oh, and that reminds me. If you want a split tunnel solution, please use OpenVPN. You'll have a BUCKET better time with it. The problem you're having, I'm assuming, is the desire to NOT do full tunnel, and the clients cannot connect. This issue exists on Meraki as well, and it's due to Windows' L2TP client being utterly terrible. OpenVPN requires a 3rd-party VPN client install, but it also has the ability to push settings from the server to the connecting clients; this gives you the ability to push routes, and makes all this seamless. Much like the full Cisco VPN client does if you're on real Cisco and not Meraki. Untangle lets you do all of this at the same time, so you can even hammer out an emergency VPN when you have an exec stuck in a terrible hotel somewhere. This flexibility is one of the reasons I recommend Untangle. OpenVPN, L2TP, or IPSec: one of the three is going to work. But if you want easy, OpenVPN is where it's at.

    So TL;DR, don't use L2TP for split tunnel; it will give you gray hair. Use OpenVPN instead; it'll just work, and give you a bunch of flexibility against potential issues in the future.

    P.S. If you're averse to installing a 3rd-party VPN client, then I suggest you look into deploying SSTP on a Windows Server somewhere. I'm presuming most of your remote users are Windows based. Do that even once and I promise you'll never use anything but SSTP or OpenVPN ever again.
    Last edited by sky-knight; 05-27-2019 at 12:42 PM.

  5. #5 Master Untangler (Join Date: Dec 2018, Posts: 165)

    I use OpenVPN at home myself and like it much more than L2TP, so I'll see what they say when I go over all of this with them.

    Thanks for the very clear explanation!

    Most are Windows; however, I know of at least 1 Chromebook. Multiple other people want to dial in with their phones (Android and iOS) as well, so there's that too.

    I just want something that works, since as you said the current method appears to be a hack, so it probably needs to be changed. They were using PPTP up until a couple of years ago, so at least there's been some progress.

    I'm just working on this in my spare time since it's not really my job, but I was tired of the horrible network we had before. We are a software company, but I like to do networking at home. There's a steep learning curve though!

  6. #6 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 24,189)

    Well then, use OpenVPN for the Windows / Mac units, and fire up L2TP for the Chromebook / mobile OSes, and make those run full tunnel.

    I know you have bandwidth constraints, but those mobile operating systems are extremely light on that specifically, so you should be fine!

    P.S. You can use OpenVPN on iOS and Android too; it's just a little more work than I think it should be. But you might want to give it a whirl too.
    Last edited by sky-knight; 05-27-2019 at 02:06 PM.

  7. #7 Master Untangler (Join Date: Dec 2018, Posts: 165)

    I think that I will plan on having everyone switch to OpenVPN for split tunnel and use L2TP as a backup.

    OpenVPN for Android seems to work pretty well on my Android phone. It is more work than it really needs to be though.

    I may just look at using OpenVPN for site-to-site as well.
    Last edited by jlficken; 05-27-2019 at 06:01 PM.

  8. #8 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 24,189)

    OpenVPN is SSL VPN; SSL VPN honestly is the future for a reason. The SSTP I mentioned earlier is also SSL VPN, and Microsoft's implementation of it is pretty darned magical if you have AD running somewhere.

    But OpenVPN specifically, from a network perspective, just looks like a UDP packet stream; it's almost identical to what most multiplayer games create. This means the routers in homes and everywhere implicitly know how to handle it, so the cases where it doesn't work are specifically due to some network somewhere explicitly blocking it, which I find annoyingly frequent in some conference centers. I had one of my execs doing a training in a place in Dallas a couple of weeks ago that blocked OpenVPN, ScreenConnect, L2TP, AND LogMeIn... I gave up and told her, "I'm sorry, but these people are nuts and nothing you have will work on their network; just pop off and use your hotspot."

    But Untangle's implementation of OpenVPN is excellent as well. It's got some warts from time to time, but normally the thing just works for years on end. The only standing issue is keeping the deployed clients up to date. But compared to the limitations of the utterly terrible built-in VPN client in Windows? Bah, all that's a walk in the park!
    Last edited by sky-knight; 05-27-2019 at 06:18 PM.

  9. #9 Master Untangler (Join Date: Dec 2018, Posts: 165)

    I've been very happy with the OpenVPN server in Untangle and at one point had 23 days of uptime from a tunnel before I had to reboot the machine.

    We are very small, so while we have a domain with AD, I don't know why exactly, as nobody uses it and it just runs for no reason. We'd still be running 10/100 switches on a flat network if it wasn't for my constant pestering about backups and segregating devices.

    I want to do lots of things; however, I also can't go too nuts, or else nobody else will have any idea as to what's going on and I'd be on the hook for it 24/7/365. I also have to actually do the job I was hired for.

  10. #10 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 24,189)

    No one uses AD? You're saying not a single person logs into a Windows or domain connected piece of equipment ever?
