Unable to RDP over tunnel.
Posted: Sat Jan 29, 2011 8:35 pm
This is going to be a bit lengthy, so apologies in advance.
Background
I recently replaced my edge device (a Netgear WNR834Bv2 running DD-WRT v24 SP2 mini-VPN) with a Juniper SSG-5.
I'm now using the Netgear as a glorified WAP and VPN termination point.
Problem
I am unable to establish a remote desktop session across the tunnel on my Android phone using Remote RDP Enterprise; in the previous setup this worked flawlessly.
I am able to bring the tunnel up and ping across it to the destination addresses, as well as receive DNS responses for the local LAN.
Configuration details
dcwanfw1 - Juniper SSG5 Firewall - 10.168.53.1
Trust is 10.168.53.0/24
Routes
IPv4 Dest-Routes for <trust-vr> (12 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix   Interface         Gateway   P   Pref   Mtr   Vsys
--------------------------------------------------------------------------------------
*       558          0.0.0.0/0   eth0/0            x.x.x.x   C      0     1   Root
*       605          0.0.0.0/0   eth0/2            x.x.x.x   C      0     1   Root
        160          0.0.0.0/0   eth0/2            x.x.x.x   S     20     1   Root
*         4         x.x.x.x/32   eth0/2            0.0.0.0   H      0     0   Root
*        65         x.x.x.x/19   eth0/0            0.0.0.0   C      0     0   Root
*       133    172.16.101.0/24   bgroup0       10.168.53.2   S     20     1   Root
*       126    172.16.100.0/24   bgroup0       10.168.53.3   S     20     1   Root
*         5     10.168.53.0/24   bgroup0           0.0.0.0   C      0     0   Root
*         6     10.168.53.1/32   bgroup0           0.0.0.0   H      0     0   Root
*        11   192.168.1.254/32   eth0/2            x.x.x.x   S     20     1   Root
*        66         x.x.x.x/32   eth0/0            0.0.0.0   H      0     0   Root
*         3         x.x.x.0/22   eth0/2            0.0.0.0   C      0     0   Root
Policy
dcwanfw1-> get pol
Total regular policies 6, Default deny, Software based policy search, new policy enabled.
    ID  From    To      Src-address   Dst-address    Service   Action   State     ASTLCB
     1  Trust   TWC     Any           Any            ANY       Permit   enabled   ---X-X
     2  Trust   AT&T    Any           Any            ANY       Permit   enabled   ---X-X
     7  AT&T    Trust   Any           VIP(etherne~   HTTP      Permit   enabled   ---X-X
                                                     OpenVPN
     6  AT&T    Trust   Any           Any            ANY       Deny     enabled   ---X-X
     8  TWC     Trust   Any           VIP(etherne~   HTTP      Permit   enabled   ---X-X
                                                     OpenVPN
     5  TWC     Trust   Any           Any            ANY       Deny     enabled   ---X-X
===========================================================================
dcwap2 - Netgear WNR834Bv2 with DDWRT (OpenVPN Server) - 10.168.53.3
Routes
Kernel IP routing table
Destination      Gateway           Genmask          Flags  Metric  Ref   Use  Iface
172.16.100.0     *                 255.255.255.0    U      0       0       0  tun0
10.168.53.0      *                 255.255.255.0    U      0       0       0  br0
169.254.0.0      *                 255.255.0.0      U      0       0       0  br0
127.0.0.0        *                 255.0.0.0        U      0       0       0  lo
default          dcwanfw1.gaming   0.0.0.0          UG     0       0       0  br0
IPTables
iptables -L -v
Chain INPUT (policy ACCEPT 2901 packets, 317K bytes)
 pkts bytes target   prot opt in     out    source             destination
  124 10862 ACCEPT   udp  --  any    any    anywhere           anywhere           udp dpt:1194

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target   prot opt in     out    source             destination
    6   360 ACCEPT   0    --  tun0   br0    172.16.100.0/24    anywhere
    0     0 ACCEPT   0    --  br0    tun0   anywhere           172.16.100.0/24
OpenVPN - Server - Config
server 172.16.100.0 255.255.255.0
dev tun0
mode server
proto udp
port 1194
keepalive 15 60
daemon
verb 3
comp-lzo
client-to-client
tls-server
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
push "route 10.168.53.0 255.255.255.0"
push "dhcp-option WINS 10.168.53.40"
push "dhcp-option DNS 10.168.53.40"
push "dhcp-option DNS 10.168.53.41"
push "dhcp-option DOMAIN gaming.local"
management localhost 5001
Troubleshooting
I have a feeling that whatever is wrong is wrong on the OpenVPN box, maybe not necessarily with OpenVPN but with some type of security setting. This might do better over at the DD-WRT forum, but I figured I'd try my luck here.
Routing seems to be good, since I can ping LAN to VPN client and VPN client to LAN.
I can also bring up SSH to various servers on the LAN through the tunnel using ConnectBot, which satisfies routing.
I've tried the following DD-WRT settings:
Switched to Gateway mode
Switched to Routed Mode
Specified Self (10.168.53.3) as DMZ
Disabled SPI Firewall
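Added example, not part of the original post and not DD-WRT's or Juniper's own tooling: a small Python checker that takes the OpenVPN server config, the `iptables -L -v` output and the Juniper return route quoted above (embedded as constructed string constants, trimmed to the lines that matter) and evaluates the three things a routed OpenVPN client needs in order to reach a LAN that sits behind a separate edge firewall: a pushed route for the LAN, FORWARD rules in both directions on the VPN box, and a return route for the tunnel subnet on the edge firewall. For the posted configuration all three pass, which is consistent with ping and SSH working over the tunnel. It also flags two hardening points visible in the same config (no tls-auth/tls-crypt, INPUT policy ACCEPT) and, as a heuristic only, that the MTU-related directives are left at OpenVPN defaults, which is worth verifying from a connected client whenever small-packet traffic works and a bulk TCP service does not. The function names, the check names and the pruned copies of the pasted output are this example's own assumptions.

```python
import ipaddress
import re

# Constructed from the post above: the LAN ("Trust") subnet, the OpenVPN server
# config (DNS/WINS pushes and key paths omitted), the INPUT/FORWARD chains from
# `iptables -L -v` on the VPN box, and the one `get route` row on the Juniper
# that carries return traffic for the tunnel. Everything else is this example's.
LAN = ipaddress.ip_network("10.168.53.0/24")
OPENVPN_HOST = ipaddress.ip_address("10.168.53.3")
OPENVPN_CONF = """\
server 172.16.100.0 255.255.255.0
dev tun0
proto udp
port 1194
comp-lzo
client-to-client
tls-server
push "route 10.168.53.0 255.255.255.0"
management localhost 5001
"""
IPTABLES_LV = """\
Chain INPUT (policy ACCEPT 2901 packets, 317K bytes)
 pkts bytes target prot opt in out source destination
  124 10862 ACCEPT udp -- any any anywhere anywhere udp dpt:1194
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    6 360 ACCEPT 0 -- tun0 br0 172.16.100.0/24 anywhere
    0 0 ACCEPT 0 -- br0 tun0 anywhere 172.16.100.0/24
"""
JUNIPER_ROUTE = "* 126 172.16.100.0/24 bgroup0 10.168.53.3 S 20 1 Root"


def parse_openvpn(conf):
    """Return (tunnel subnet, pushed route networks, set of directive names)."""
    tunnel, pushed, names = None, [], set()
    for line in conf.splitlines():
        f = line.replace('"', "").split()
        if not f or f[0].startswith("#"):
            continue
        names.add(f[0])
        if f[0] == "server":
            tunnel = ipaddress.ip_network(f"{f[1]}/{f[2]}")
        elif f[:2] == ["push", "route"]:
            pushed.append(ipaddress.ip_network(f"{f[2]}/{f[3]}"))
    return tunnel, pushed, names


def parse_iptables(text):
    """Return {chain: (policy, [rules])}; a rule is (target, in, out, src, dst)."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)", line)
        f = line.split()
        if m:
            cur, chains[m.group(1)] = m.group(1), (m.group(2), [])
        elif cur and len(f) >= 9 and f[0] != "pkts":
            chains[cur][1].append((f[2], f[5], f[6], f[7], f[8]))
    return chains


def covers(spec, net):
    """An iptables address spec ('anywhere' or CIDR) contains all of net."""
    return spec == "anywhere" or ipaddress.ip_network(spec).supernet_of(net)


def forward_allows(rules, in_if, out_if, src_net, dst_net):
    """Some ACCEPT rule passes src_net -> dst_net from in_if to out_if."""
    return any(t == "ACCEPT" and i == in_if and o == out_if
               and covers(s, src_net) and covers(d, dst_net)
               for t, i, o, s, d in rules)


def run_checks():
    """Evaluate the L3 plumbing a routed OpenVPN client needs to reach the LAN,
    plus two hardening points and one MTU hint. Returns {name: (ok, detail)}."""
    tunnel, pushed, names = parse_openvpn(OPENVPN_CONF)
    chains = parse_iptables(IPTABLES_LV)
    fwd_policy, fwd = chains["FORWARD"]
    in_policy = chains["INPUT"][0]
    r = {}
    # Clients need a route for the LAN or they send it to their default gateway.
    r["client_route_to_lan"] = (any(p.supernet_of(LAN) for p in pushed),
                                f"pushed: {[str(p) for p in pushed]}")
    # The VPN box must forward both directions between tun0 and br0.
    both = (forward_allows(fwd, "tun0", "br0", tunnel, LAN)
            and forward_allows(fwd, "br0", "tun0", LAN, tunnel))
    r["forward_both_ways"] = (fwd_policy == "ACCEPT" or both,
                              f"FORWARD policy {fwd_policy}, explicit rules {both}")
    # LAN hosts answer 172.16.100.x via their default gateway (the Juniper), so
    # it needs a route for the tunnel subnet pointing back at the VPN box.
    m = re.search(r"(\S+/\d+)\s+\S+\s+(\S+)", JUNIPER_ROUTE)
    back_ok = (m is not None and ipaddress.ip_network(m.group(1)) == tunnel
               and ipaddress.ip_address(m.group(2)) == OPENVPN_HOST)
    r["return_route_on_firewall"] = (back_ok, JUNIPER_ROUTE)
    # Hardening: without tls-auth/tls-crypt anyone on the Internet can start a
    # TLS handshake with udp/1194; INPUT policy ACCEPT exposes every listener.
    r["tls_auth_present"] = (bool({"tls-auth", "tls-crypt"} & names), sorted(names))
    r["input_policy_drop"] = (in_policy == "DROP", f"INPUT policy {in_policy}")
    # Heuristic, not a diagnosis: if everything above passes yet only small-packet
    # traffic (ping, interactive SSH) works, check path MTU through the tunnel.
    # This config relies on OpenVPN defaults (tun-mtu 1500, mssfix 1450).
    r["mtu_pinned"] = (bool({"tun-mtu", "mssfix", "fragment"} & names),
                       "try: ping -M do -s 1400 <LAN host> from a connected client")
    return r


if __name__ == "__main__":
    for name, (ok, detail) in run_checks().items():
        print(f"[{'ok' if ok else '!!'}] {name}: {detail}")
```

Run it as `python3 vpn_check.py`; each line is prefixed `ok` or `!!`. To reuse it on another box, paste the live `iptables -L -v` output and the server config into the constants; the parsers only rely on the column layout iptables prints with `-v`, so a `-n` run (numeric addresses, `0.0.0.0/0` instead of `anywhere`) needs the `covers()` helper extended for that spelling.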