  1. #1 Master Untangler (Join Date Jul 2009, Arcata, CA, 153 posts)

     Redeployed OpenVPN and cannot ping or RDP into the internal network

    Hello,
    I nuked, reinstalled, redeployed the client and am able to successfully connect to OpenVPN, however I cannot ping or RDP into the internal network like I was prior.

    https://forums.untangle.com/openvpn/...tml#post240446

    I disabled compress on server and client, redeployed and the problem persists. All of the testing is on a Win10 machine. I agree that it "just works" and when I figure out why I can't RDP I know it will be a facepalm moment. I've rebooted the Untangle box but have not been able to reboot any routers as I'm remote and we have unmanaged routers.

    It is in bridge mode behind a Meraki firewall. I have completely disabled the Firewall and entered a Bypass Rule, and there is no change in being able to access the internal network.

    WAN > ISP modem > Meraki firewall > UT bridge mode > Internal (SBS).

    I use RDP because it's easy and allows dual screen. There is a domain involved and I have not added the OpenVPN address pool to the list of IP addresses in Sites and Services? I've not done that before and it still worked. There is a DHCP reservation for the UT box in the range excluded from distribution and DNS records.

    Appreciate any input.

    Thanks!

  2. #2 Untangler jcoffin (Join Date Aug 2008, Sunnyvale, CA, 8,542 posts)

    This is probably already covered but is the Windows firewall disabled on the target PC?

  3. #3 Master Untangler (Join Date Jul 2009, Arcata, CA, 153 posts)

    It hasn't been covered, but it never crossed my mind to disable the Windows firewall on a domain controller, a domain joined server or PC. That seems like an inherently bad idea! Again, the firewall never had to be disabled before. Exact same setup (took screenshots before just to confirm), but the only difference is the reconfigured OpenVPN server with SHA512.

  4. #4 Untangle Ninja sky-knight (Join Date Apr 2008, Phoenix, AZ, 24,219 posts)

    A nuke and pave of OpenVPN changes the OpenVPN address pool range; this can, depending on configuration, result in connectivity issues. Windows Firewall will NOT tolerate unknown IP ranges in the mix in the reserved class C ranges. Which is why I always put the OpenVPN address pool IP range into Sites and Services; then, should that range be visible to the LAN in any way, it's trusted by the domain profile by default.

    But if your Meraki doesn't have a static route for that IP range, all of this is moot anyway. And by default the traffic is NAT'd, so the network should see Untangle's IP instead of the VPN client's... but you can change that... And if you did... well stuff will break.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5 Untangle Ninja sky-knight (Join Date Apr 2008, Phoenix, AZ, 24,219 posts)

    Edit post, double check the simple!

    OpenVPN -> Settings -> Server Tab -> Exported Networks Subtab

    Do you have a network listed there? If you don't... that's a huge problem. That's the list of things VPN users can see and use! It builds the routing tables for the VPN clients. So if you forgot to export a network, that'll explain the behavior of connect and can't go anywhere.

    Oh, and test with IP addresses please... DNS resolution is an entirely separate thing to troubleshoot.
    Last edited by sky-knight; 04-05-2020 at 05:25 PM.
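An added check, not Untangle's code, that models what the Exported Networks list does: each exported network becomes a route the server pushes to the client, and a target with no covering route is exactly the "connected but can't go anywhere" state described above. The OpenVPN server configs below are constructed samples (the pool and LAN addresses are assumed), and the second function flags a redeployed address pool that collides with a LAN subnet, the hazard raised in post #4.

```python
import ipaddress
import re

# Constructed OpenVPN server configs (illustrative, not Untangle's actual file).
# On Untangle each entry in Exported Networks becomes a push "route ..." line
# that the client installs when it connects; without one, the client has no
# route to the LAN and sends LAN-bound packets to its normal default gateway.
CONF_WITH_EXPORT = """\
server 172.16.2.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
"""
CONF_NO_EXPORT = """\
server 172.16.2.0 255.255.255.0
"""


def pushed_routes(conf):
    """Return the networks the server pushes to clients, as IPv4Network objects."""
    return [ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
            for net, mask in re.findall(r'push\s+"route\s+(\S+)\s+(\S+)"', conf)]


def address_pool(conf):
    """Return the VPN client address pool from the 'server' directive, or None."""
    m = re.search(r"^server\s+(\S+)\s+(\S+)", conf, re.M)
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None


def route_for(conf, target):
    """Most specific pushed route covering target, as a CIDR string, or None
    when the client would have no tunnel route for it (the thread's symptom)."""
    ip = ipaddress.IPv4Address(target)
    matches = [r for r in pushed_routes(conf) if ip in r]
    return str(max(matches, key=lambda r: r.prefixlen)) if matches else None


def pool_overlaps_lan(conf, lan_cidr):
    """True if the VPN pool collides with a LAN subnet; a redeploy that changes
    the pool can introduce this, and it breaks routing and firewall trust."""
    pool = address_pool(conf)
    return pool is not None and pool.overlaps(ipaddress.IPv4Network(lan_cidr))


if __name__ == "__main__":
    for name, conf in (("with export", CONF_WITH_EXPORT), ("no export", CONF_NO_EXPORT)):
        print(name, "-> route for 192.168.10.5:", route_for(conf, "192.168.10.5"))
    print("pool overlaps LAN:", pool_overlaps_lan(CONF_WITH_EXPORT, "192.168.10.0/24"))
```

Run it against a real server config (or a client .ovpn with the pushed routes pasted in) and test with the RDP target's IP, not its hostname, as the post advises.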

  6. #6 Master Untangler (Join Date Jul 2009, Arcata, CA, 153 posts)

    I do not have a network listed in the Exported Networks Subtab! I will admit I didn't take a screenshot of that before the nuke and repave. What settings do I need to put in place there to build the routing table? I have been testing with IP addresses as well as hostnames, realizing DNS resolution is a completely separate thing to troubleshoot.

    If you have a suggestion on how to enter into Sites and Services, I'm open to that as a viable option. I looked in AD Sites and Services and wasn't sure where to enter.

    I don't follow you about the Meraki. I looked over all the firewall rules and there is nothing that is prohibiting the traffic from flowing.

  7. #7 Master Untangler (Join Date Jul 2009, Arcata, CA, 153 posts)

    Edit post... Exported Networks Subtab was the ticket!!! Thank you, sky-knight. Brilliant suggestion. I added the network in CIDR notation, reconnected the OpenVPN client and voila! Many thanks good sir!

  8. #8 Untangle Ninja sky-knight (Join Date Apr 2008, Phoenix, AZ, 24,219 posts)

    Great!

    Your Meraki isn't blocking anything, but routing is routing. Right now you have road warrior connections working because Untangle is NAT'ing them. Should you ever use Untangle for non-NAT supporting VPN work... such as a site-to-site tunnel, or a more integrated road warrior VPN you'll need the routes I mentioned earlier... but you'll also need to configure the firewall via group policy or Sites and Services and a whole host of other stuff.

    I do all that junk when I deploy because I don't want to think about it later, but I also heavily integrate Untangle's DNS to the domains so I can operate fully domain connected remotely with no NAT. I like having logs on my servers nice and clean with specific endpoints in them.

    But that's not just working, that's singing... so how far down the rabbit hole do you wish to go? Untangle lets you determine that... Meraki... not so much. But you have both so there you are.