All working except RDP - Windows7

[peterlinuxgeek]

Hi All,

I do have OpenVPN working on a bunch of Linux setups & with PFSense.

Today I am tasked with something odd...

OpenVPN server running on a (virtualized) Windows 7 Pro that sits behind a pfSense FW.
The pfSense has 1 NAT rule added to its config
WAN UDP * * x.y.z.w 1194 (OpenVPN) 10.10.22.21 1194 (OpenVPN)


I am connecting to the "server" over the VPN from another Win 7 machine just fine.

A 'shared' file folder on the 'server' can be accessed and changed etc.

The only thing that isn't going for me is RDP...

On the client I get the login/challenge.
The screen goes black, the little blue bar appears up top and after 20-30 seconds an error comes up.

"Your Remote Desktop session has ended." blah blah...

On the 'server' I see in the log file this:

Authenticate/Decrypt packet error: bad packet ID (may be a replay) etc.

After which I have to reconnect from the client - things 'freeze'

I played with the MTU settings but no luck.

server.conf

port 1194
proto udp
dev tun
dev-node Free...
server 10.10.44.0 255.255.255.0
... (cert. stuff)
# Need to make mask smaller
push "route 10.10.22.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
verb4


client.conf

client
dev tun
proto udp
remote w.x.y.z 1194

resolv-retry infinite
nobind
persist-tun
persist-key

cipher... (cert stuff)

verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

route-method exe
route-delay 2


I added and removed

tun-mtu 1400
fragment 1400
mssfix
comp-lzo

on both sides but no luck... (in some cases the file-sharing even stopped working)
I don't see anything on the pfSense fw either and as said I can open a explore window on the client to a shared folder on the server successfully.

Rdesktop works fine without the VPN.

Suggestions?

Thanks

Peter

[janjust]

could be a cipher issue - try it (for debugging purposes) with

Code: Select all

cipher none

You can also consider playing with

Code: Select all

no-replay

although I wouldn't expect it to help.

If you change the MTU setting in openvpn on windows then remember to also decrease the MTU size of the tap-win32 adapter - openvpn cannot do this automatically on all versions of windows. You can change the tap-win32 mtu size using either 'netsh' or by adjusting the advanced TCP/IP properties of the tap-win32 adapter.

[peterlinuxgeek]

Will try the cipher one later (have to leave now)

In the mean time I have set MTU to 1300

I figured out that ping -l 1400 was not going
around 1365 it started to work...
however no luck...

yep I changed the MTU in the driver/config settings for the device.

Changed it all to TCP from UDP
Played again with the MTU settings
NO LUCK...

Very frustrating for a Linux guy...

Bedankt voor het antwoord


Peter

[janjust]

yep I changed the MTU in the driver/config settings for the device.

this is windows: did you reboot after changing the mtu setting?
on windows vista/7 you can also do it using 'netsh' : no reboot is required when you do it that way, but the change is lost upon a reboot.

cheers/groetjes

[peterlinuxgeek]

Have it so that both Client and Server sit on 2 networks inside the FW.

So the NAT on the pfSense box is not involved - Still no luck

Without the VPN up I can connect RDesktop - with the VPN RDP fails

The file sharing (big file) seems to work just fine.

[peterlinuxgeek]

I've put verb to 5 on the server and now see this:

Tue Apr 12 07:52:27 2011 us=30000 matt/w.x.y.z:53447 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2467 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Apr 12 07:52:37 2011 us=576000 matt/w.x.y.z:53447
Tue Apr 12 07:52:43 2011 us=832000 matt/w.x.y.z:53447
Tue Apr 12 07:52:43 2011 us=832000 matt/w.x.y.z:53447 ...

wrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRwrWRRwrWRwrWRwrWRwrWRwrWRwrWrWrWRwRwrWRwrWrWrWRwrWrWRwrWrWRwrWrWRwrWrWRwrWrWRwRwrWrWRwRwrWrWRwRwRwrWrWRwrWRwrWrWrWrWRwRwrWrWRwRwrWrWRRRRwRwrWrWRwrWrWRwrWrWRwrWrWRwrWrWRRwrWRwRwrWrWRwrWrWRwrWrWR...

Where do does W's & R's come from?

Gonna try with VNC as an alternative...

Peter

[janjust]

the W's and R's indicate read and write activity to and from the tap adapter.

hmmm I have no clue why RDP would not work, if all other protocols do work - might be a mickeysoft/win7 thing again...