  1. #1
    Untangler
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    75

    OpenVPN on Windows XP/2003

    Hello,

    I'm using Untangle 14.1.1 and need to install OpenVPN on a Windows XP and a Windows 2004 machine. I know OpenVPN 2.4 doesn't work, so I downloaded 2.3. I could connect to my Untangle but can't ping any machine on my network, so it's not working properly. What are the proper steps to set up OpenVPN on an old Windows machine?
    If I use the configuration file I download from Untangle, it pops up a message telling me that it failed.
    Last edited by Riven; 02-18-2019 at 07:34 AM.

  2. #2
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,878


    Windows XP is end of life, and has been for almost 5 years now. It no longer gets any updates... not even critical security patches. It's dangerous and irresponsible to continue using it anywhere that connects to a network. If at all possible, that machine just needs replaced.

    There is no such thing as Windows 2004.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  3. #3
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,325


    It's hard to say without knowing your openvpn settings; if you recently installed or re-installed OpenVPN on your Untangle, it may be using settings that won't work with a 2.3 client.

    If you post the generated .ovpn file, we can probably tell you what to change to make it work. (just make sure it's not the version of the file with in-line certificates... that'd be bad)

    Screenshots of your OpenVPN->Advanced settings, both server and client, would help too as you may need changes there.
    Last edited by johnsonx42; 02-18-2019 at 09:04 AM.

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,241


    The answer is no, please do the world a favor and get that junk off the Internet. Windows Server 2003 extended support terminated on July 14, 2015, Windows XP terminated about a year earlier on April 8, 2014.

    These systems if they must remain in production are vulnerable to all sorts of really ugly things, and they need to be specially isolated on dedicated networks that do not have general Internet connectivity or all kinds of bad things happen. If you're in these circumstances and require VPN access to or from them, your only supported path is an Untangle site-to-site VPN connection with appropriate access control rules.

    No, it's not easy.
    No, it's not cheap.

    That's the price you pay for having ancient dangerous software in operation. I feel your pain, I've got several XP / 2003 platforms still in service myself for access to legacy systems. But when you're working with stuff that's been negative on support for four years, things stop working. OpenVPN on Untangle requires the more modern APIs present in newer versions of Windows, there is no way to downgrade Untangle to use older software, and even if you could downgrade it, you'd be vulnerable on that front to a slew of issues with OpenVPN itself.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangler
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    75


    Hello, thanks for the answers. I know Windows 2003/XP is deprecated; the problem is my customer has a program for manufacturing working on that machine, the company that programmed it is out of business, and there's no chance to get any support for it, so it's impossible to update it. It's a shame, but there's no other possibility. I suppose I'll have to build another Untangle machine at this location and connect both sites with OpenVPN.

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,241


    Quote: Originally Posted by Riven
    Hello, thanks for the answers. I know Windows 2003/XP is deprecated; the problem is my customer has a program for manufacturing working on that machine, the company that programmed it is out of business, and there's no chance to get any support for it, so it's impossible to update it. It's a shame, but there's no other possibility. I suppose I'll have to build another Untangle machine at this location and connect both sites with OpenVPN.
    Yes, and you'll want to isolate the systems too, they cannot be on the same LAN as other Internet accessible systems, or you're a single mistaken click away from doomsday.

  7. #7
    Untangler
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    75


    Quote: Originally Posted by sky-knight
    Yes, and you'll want to isolate the systems too, they cannot be on the same LAN as other Internet accessible systems, or you're a single mistaken click away from doomsday.
    Sure. Thanks for the advice!

  8. #8
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,241


    Quote: Originally Posted by Riven
    Sure. Thanks for the advice!
    One more thing, Microsoft is scary close to disabling SMB v1.0 entirely, as soon as they do that via security update all the file and print sharing into and out of XP/2003 is toast too.

    So even isolation won't matter at some point in the very near future, you need to find a replacement for that software yesterday. Beyond that, I wish you luck!

  9. #9
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,878


    Quote: Originally Posted by Riven
    I know Windows 2003/XP is deprecated
    If it were only "deprecated", that would be okay. I'll work with "deprecated". Deprecated just means "retiring soon", so don't put out anything new using it. In that sense, Windows 7 and Vista are already deprecated, and I still support about 60 Windows 7 systems on campus (thankfully, the numbers are shrinking weekly).

    To know when an OS is "deprecated" for an environment, look up the OS end of life and subtract the expected system life cycle. If the system life should outlast the OS end-of-life, the OS is deprecated for that environment, and you shouldn't use it for new installations anymore.

    XP is way beyond just deprecated now, to the point where aggressively rooting it out of your environment needs to be a priority.

    But I understand where you're coming from. I have a few systems like this I must support, because there is no upgrade path. For example, I have a system connecting to a 25 year old mass spectrometer in our chemistry lab that could cost $30,000 to replace, and I can only get XP to talk to it. I even have one instance of Windows 98 still active... but this machine is not on our network.

    In each case like this, I either run the system completely disconnected from the network (where support must be in person... not even over VPN) or I set up a modern, supported OS, and run the XP station in a hypervisor. If I use a hypervisor, I configure the hypervisor so the XP VM either has no direct connection to the internet or an extra layer of NAT in the hypervisor where the machine doesn't even really have access to the host; the link is just a tunnel to the internet. Then I can also take VM-level snapshots of the guest for quick recovery to fix the inevitable compromises.

    Even this much is a last resort. I've gone as far as editing registry keys, modifying folder permissions, and manually registering old *.ocx components so that supposedly non-compatible software could still run in Windows 7. Pretty soon I'm gonna have to repeat some of this work for Windows 10, and I wish I'd taken or preserved better notes. At least the VMs can usually just move wholesale to a new host.

    What really scares me right now is Server 2008 R2. That goes end-of-life in January, and I have 3 instances here that aren't on target for upgrade until the following summer, including a domain controller.
    Last edited by jcoehoorn; 02-18-2019 at 11:50 AM.
