VPN to Internal LAN - NO GO

[cnewman]

okay.. I've spent the last few hours reading this forum looking for some gold nugget that would solve my vpn problem.

My OpenVPN client is able to connect and get an ip (10.10.10.5) from the VPN pool.

I have "exported" the LAN - Internal (10.1.1.0 - 255.255.255.0) in the OpenVPN configuration.

The "windows firewall" is turned off on the client pc running the OpenVPN client (10.10.10.5)

LAN Network: 10.1.1.0 / 24
VPN Pool: 10.10.10.0 /24

I have made a rule in the firewall:
traffic type: any
client interface: any
server interface: any
source address: 10.10.10.0 / 24
client address: any
source port: any
client port: any


I have also tried putting a "pass" packet filter rule for the "VPN" source interface any that didn't work as well.


I have removed and readded the OpenVPN module and reboot the UT server and still nothing is working.

I'm not sure if I am having routing issues or traffic is being blocked somewhere.

Help?!?

[mdh]

Welcome to the forums!

Your post does not say whether you are using Untangle as a bridge or as a router. If it is a bridge, you must open ports on your upstream router so traffic can get to Untangle. If you are using Untangle as the edge device in router mode, you should not need that. You shouldn't need to make a firewall rule as you have shown. Also, the vagueness of the rule wouldn't help much...I tell people to use "any" only when "any" is the only valid response. Removing and readding OpenVPN module could invalidate your key, so you should send a new one. That said, you didn't mention how you determined it wasn't working. What were you trying to do?

[cnewman]

Thank you for the welcome!

The UT server is in router mode.

I'm wanting to have access to my network (10.1.1.0 /24) via VPN when I'm on the road. I need to access various resources on my network (IE SVN, RDP, SQL, etc.)

Right now, I don't have any firewall rule. I just have the Packet Filter "Pass" rule for the VPN.

The OpenVPN key is valid because after I removed and readded the OpenVPN module I resent myself a new key.

[cnewman]

okay this is more weird...

So last night I was testing my VPN from a public IP on the same public subnet that the UT server is on at my house (I used one of my 10 public IP addresses and assigned it to my laptop. The UT server has the other 9 IPs as aliases). I was able to connect to the OpenVPN however, I was unable to ping any host inside my internal network (10.1.1.0 / 24).

Now I'm at my office, I am able to connect via OpenVPN client and I am able to ping any host on the (10.1.1.0 / 24) but I am unable to connect to these host via any port (IE RDP, SVN, FTP, SMTP, SQL, etc.).

I am soo confused.

[cnewman]

So now its all working. I forwarded a RDP port to one of my servers and I was able to look at the UT interface and I noticed a new option on the firewall for the client interface column... "VPN" which wasn't there last night. I'm thinking that it only shows up when a VPN client is connected.

So the packet filter "pass" rule I have for VPN was allowing to ping any host on the internal network but I wasn't able to connect to any ports (RDP,SQL,SMTP..etc).

So I added the following rule in the firewall:
traffic type: TCP & UDP
client interface: VPN
server interface: Internal
source address: 10.10.10.0 / 24
client address: 10.1.1.0 / 24
source port: any
client port: any

And now it all works. I thought I could have one or the other (Firewall rule or Packet Filter rule) to open traffic from the VPN network to the internal network?

[cnewman]

OMG.. this is so freaking annoying. So I rebooted my laptop here at my office. Reconnect to the OpenVPN and now I'm back to square 1. I can't ping any host on my internal (10.1.1.0 / 24) and I can't access any host on any port.

What is going on here?

[cnewman]

So once again...I needed to reboot my laptop... reconnected to UT server via OpenVPN and now everything works. ugh... what am I doing wrong here?

[mmarx82]

Is it possible that you were trying to connect to your internal network before the connection was established?

[dmorris]

what is the IP/netmask of the physical remote network? it should not conflict with the 10.1.1.x or the 10.10.10.x

btw, I suggest leaving the pool at 172.16.1.1
if you set it to 10.10.10.x you won't be able to contact any machine with an incorrect netmask (255.0.0.0) on the parent network.

[cnewman]

my office IP / netmask is 192.168.1.0 / 24

I'll try setting back to 172.16.1.0 /24