Accessing VPN from within another corporate network and virtual machine


Post by akvilonBrown » Fri Jan 20, 2023 2:18 pm

Greetings!

I would like to ask the community about OpenVPN client debugging steps, since there are several problems coinciding and I have quite limited access to all parties in creating the VPN.
Below is my situation.

I have an account (access to the resources) in an institution where I had a project before and still maintain some activity.
They offer remote access via VPN and with various clients, which are different for Win and Linux.
For Linux, there is OpenVPN, I used it on my laptop.
For Windows, a GlobalProtect client should be used.
Now I work in another institution; they have their own corporate network.
I wanted to have access to the previous site simultaneously with the resources on my work.
My working PC with Windows can connect to the previous site with GlobalProtect, but the internal resources on the new site become inaccessible.
So I have to switch between two networks, but I'm looking for ways to have both networks at once on a single machine.
In VMware, I created a virtual machine with Linux Mint, installed the OpenVPN client, and downloaded client.ovpn, but the tunnel won't establish.
Here is the output:

Code:

osboxes@osboxes:~/Documents/access$ sudo openvpn --config client.ovpn
[sudo] password for osboxes:            
Fri Jan 20 07:14:08 2023 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Fri Jan 20 07:14:08 2023 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Enter Auth Username: iarosl82
Enter Auth Password: ************            
Fri Jan 20 07:14:17 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:17 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:17 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:17 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:17 2023 UDP link local: (not bound)
Fri Jan 20 07:14:17 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:21 2023 Server poll timeout, restarting
Fri Jan 20 07:14:21 2023 SIGUSR1[soft,server_poll] received, process restarting
Fri Jan 20 07:14:21 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:21 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:21 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:21 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:21 2023 UDP link local: (not bound)
Fri Jan 20 07:14:21 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:25 2023 Server poll timeout, restarting
Fri Jan 20 07:14:25 2023 SIGUSR1[soft,server_poll] received, process restarting
Fri Jan 20 07:14:25 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:25 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:25 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:443
Fri Jan 20 07:14:25 2023 Socket Buffers: R=[131072->131072] S=[16384->16384]
Fri Jan 20 07:14:25 2023 Attempting to establish TCP connection with [AF_INET]193.40.12.54:443 [nonblock]
Fri Jan 20 07:14:26 2023 TCP connection established with [AF_INET]193.40.12.54:443
Fri Jan 20 07:14:26 2023 TCP_CLIENT link local: (not bound)
Fri Jan 20 07:14:26 2023 TCP_CLIENT link remote: [AF_INET]193.40.12.54:443
Fri Jan 20 07:14:26 2023 Connection reset, restarting [-1]
Fri Jan 20 07:14:26 2023 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jan 20 07:14:26 2023 Restart pause, 5 second(s)
Fri Jan 20 07:14:31 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:31 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:31 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:31 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:31 2023 UDP link local: (not bound)
Fri Jan 20 07:14:31 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:35 2023 Server poll timeout, restarting
Fri Jan 20 07:14:35 2023 SIGUSR1[soft,server_poll] received, process restarting
Fri Jan 20 07:14:35 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:35 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:35 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:35 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:35 2023 UDP link local: (not bound)
Fri Jan 20 07:14:35 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:40 2023 Server poll timeout, restarting
Fri Jan 20 07:14:40 2023 SIGUSR1[soft,server_poll] received, process restarting
Fri Jan 20 07:14:40 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:40 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:40 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:40 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:40 2023 UDP link local: (not bound)
Fri Jan 20 07:14:40 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:44 2023 Server poll timeout, restarting
Fri Jan 20 07:14:44 2023 SIGUSR1[soft,server_poll] received, process restarting
Fri Jan 20 07:14:44 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:44 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:44 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:44 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:44 2023 UDP link local: (not bound)
Fri Jan 20 07:14:44 2023 UDP link remote: [AF_INET]193.40.12.54:1194

Normally the virtual machine has access to the Internet; I guess there is some basic NAT working, but I cannot access the virtual machine from other computers on my work network.
First, I assumed it was a problem with port forwarding and asked my IT helpdesk to create a bridge with my virtual machine, assigning a static IP to my guest OS, so it would become visible to the outer world.
This, however, is not possible, and I started to think that some advanced port forwarding is required involving UDP port 1194.
I tried adding settings to my client.ovpn file like

Code:

proto tcp

or

Code:

port xxxx

but it didn't work; the console output was the same.

I also tried to connect to my previous site with OpenVPN from my laptop using wifi of the current corporate network - and I got the same failure output in the console.
With public wifi, there is no problem with the connection.

So first, I think there must be a firewall in a corporate network in my current institution.

I also don't have access to the OpenVPN server logs. This server is running somewhere on a remote site.
Perhaps I can get logs via helpdesk of my previous institution.

I need some algorithms to solve the issue step by step, taking into account that I need to explain my requests to helpdesks from the previous and the current institutions and demand clear and specific actions from them.
Can anybody suggest such steps here?

Code:

[oconf=client.ovpn]
# Automatically generated OpenVPN client config file
# Generated on Tue Nov 29 16:17:07 2022 by tunnel
# Note: this config file contains inline private keys
#       and therefore should be kept confidential!
#       Certificate serial: 21055, certificate common name: iarosl82
#       Expires 2032-11-26 16:17:07
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=iarosl82
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=iarosl82@tunnel.ut.ee
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=tunnel.ut.ee:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----

# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=0
# OVPN_ACCESS_SERVER_ORGANIZATION=VPN service of the University of Tartu
client
server-poll-timeout 4
nobind
proto tcp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 443 tcp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 1194 udp
dev tun
dev-type tun
remote-cert-tls server
tls-version-min 1.2
reneg-sec 604800
auth-user-pass
verb 3
push-peer-info

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>
## -----BEGIN RSA SIGNATURE-----

## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----

## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----

## -----END CERTIFICATE-----
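
An added example (not part of the original post and not OpenVPN project code): a small Python script that groups the client log above by remote and outcome, so the UDP 1194 timeouts and the TCP 443 reset can be handed to each helpdesk as counts per transport. The sample is an excerpt of the log posted above; the function names `classify`, `summarize` and `report` are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt of the client log posted above, embedded so the script runs offline.
SAMPLE_LOG = """\
Fri Jan 20 07:14:17 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:21 2023 Server poll timeout, restarting
Fri Jan 20 07:14:21 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:25 2023 Server poll timeout, restarting
Fri Jan 20 07:14:25 2023 Attempting to establish TCP connection with [AF_INET]193.40.12.54:443 [nonblock]
Fri Jan 20 07:14:26 2023 TCP connection established with [AF_INET]193.40.12.54:443
Fri Jan 20 07:14:26 2023 TCP_CLIENT link remote: [AF_INET]193.40.12.54:443
Fri Jan 20 07:14:26 2023 Connection reset, restarting [-1]
Fri Jan 20 07:14:31 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:35 2023 Server poll timeout, restarting
"""

# "link remote" lines name the transport and endpoint of each attempt.
LINK = re.compile(r"(UDP|TCP_CLIENT) link remote: \[AF_INET6?\]([0-9a-fA-F.:]+):(\d+)")

def classify(line, handshake):
    """Map a log line to an attempt outcome, or None if it is not one."""
    if "Server poll timeout" in line:
        return "no reply within server-poll-timeout"
    if "Connection reset" in line:
        return "reset after TCP handshake" if handshake else "connection reset"
    if "Initialization Sequence Completed" in line:
        return "tunnel established"
    return None

def summarize(log_text):
    """Count attempt outcomes keyed by (proto, host, port, outcome)."""
    results = Counter()
    current, handshake = None, False
    for line in log_text.splitlines():
        m = LINK.search(line)
        if m:
            proto = "udp" if m.group(1) == "UDP" else "tcp"
            current = (proto, m.group(2), int(m.group(3)))
        elif "TCP connection established" in line:
            handshake = True  # the TCP three-way handshake completed
        else:
            outcome = classify(line, handshake)
            if current and outcome:
                results[current + (outcome,)] += 1
                current, handshake = None, False
    return results

def report(results):
    """One line per endpoint and outcome, ready to paste into a ticket."""
    return [f"{p} {h}:{port} -> {o} (x{n})" for (p, h, port, o), n in sorted(results.items())]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Running the same script on a log captured over the public Wi-Fi, where the connection works, gives a side-by-side comparison of the two networks.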

Post by 300000 » Fri Jan 20, 2023 4:46 pm

Must you use GlobalProtect to connect to their network, or can you download the OpenVPN client to connect to the corporate network? If yes, you can create two OpenVPN clients and connect to two corporate networks at the same time, so you can use them on your Windows computer and don't need a virtual PC anymore.

Post by akvilonBrown » Sat Jan 21, 2023 1:28 pm

300000 wrote:
Fri Jan 20, 2023 4:46 pm
Must you use GlobalProtect to connect to their network, or can you download the OpenVPN client to connect to the corporate network? If yes, you can create two OpenVPN clients and connect to two corporate networks at the same time, so you can use them on your Windows computer and don't need a virtual PC anymore.

The current corporate network administration offers other clients for Win and Linux users who work from home. So I can't use the same client to connect to both networks.
I appreciate your suggestion, but even if I start to think in this direction, I'm afraid my network admins will hardly like the idea. With a virtual machine, I would have more control over access to the remote network without meddling with local network settings and I hope it would involve less intervention from local admins.

Post by 300000 » Sat Jan 21, 2023 8:42 pm

akvilonBrown wrote:
Sat Jan 21, 2023 1:28 pm
300000 wrote:
Fri Jan 20, 2023 4:46 pm
Must you use GlobalProtect to connect to their network, or can you download the OpenVPN client to connect to the corporate network? If yes, you can create two OpenVPN clients and connect to two corporate networks at the same time, so you can use them on your Windows computer and don't need a virtual PC anymore.
The current corporate network administration offers other clients for Win and Linux users who work from home. So I can't use the same client to connect to both networks.
I appreciate your suggestion, but even if I start to think in this direction, I'm afraid my network admins will hardly like the idea. With a virtual machine, I would have more control over access to the remote network without meddling with local network settings and I hope it would involve less intervention from local admins.

That is why I asked about downloading the OpenVPN client and just using OpenVPN to connect to both networks.
If you must use GlobalProtect to connect, it is only one connection at a time, but if you can install and use the OpenVPN client, you can connect to two at the same time. Because your job involves corporate network administration, maybe it is hard for you to install software on your computer. On a computer in a corporate network they will ban installing software, and you need permission from the administrator to make it work.

If you are free to install OpenVPN and use a config file to connect, I can help you connect to both networks at the same time.

Post by akvilonBrown » Sat Jan 21, 2023 9:10 pm

300000, I got the idea: you are talking about the Windows OpenVPN client.
The local network doesn't have the OpenVPN protocol; they use some proprietary VPN and provide other clients for home office users.

For the remote network I can use GlobalProtect and OpenVPN clients (either the configs are compatible, or the admins there use several VPN servers). But for the local network there is no OpenVPN client.
