Not connecting to RDP via VPN

bitmonster

Senior Member
I have a PC I can RDP in to when on the home network but can't when on the OpenVPN connection. It's on the same /24 subnet and I can access the router webpage (via VPN) but no connection to the PC via RDP except when on the network directly (not via VPN).

It started when I had to re-setup my router after a power outage. The router moved itself to the 1.x instead of the 2.x subnet when setting it back up again but I didn't think about it at the time. I don't know if that's related.

Any ideas how I can start diagnosing the issue?

Using OpenVPN with TAP enabled.
What do you mean by "It's on the same /24 subnet"? Is your VPN connection TUN or TAP?

EDIT: What VPN client are you using?
 
OpenVPN via TAP, and VPN assigned address is on the same 192.168.1.x network as the router and PC. It worked via my previous implementation (even with TAP) although I cannot recall if I had to do something to get it working.

I also notice that neither my phone nor remote laptop is showing in the network list although it is connected via TAP.

OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{}.tap
Successful ARP Flush on interface [11] {}
Initialization Sequence Completed

And my Android device won't connect either (uses the paid OpenVPN Client with TAP emulator).

So maybe there's something odd about the devices not showing in the network list.

OpenVPN exported config:
client
dev tap
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.
;dev-node MyTap
proto udp
remote <remote>
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
auth SHA512
compress lz4-v2
keepalive 15 60
auth-user-pass
remote-cert-tls server
 
Try temporarily turning off the firewall on the target PC to determine if that's the problem.
 
Will do, although in theory it shouldn't distinguish a VPN from a LAN connection (?)
In theory that's correct. But in theory what you already have should work. ;) Just trying to narrow down the areas to look at.

EDIT: Can you ping the PC?
 
If your router subnet used to be 192.168.2.0/24, and it worked, what is the local (non-vpn) subnet of the machine you’re connecting from? Any chance it’s also 192.168.1.0/24? Maybe there was a good reason to use 192.168.2.0/24 to avoid routing issues.

Just taking a stab in the dark.
 
I also run a VM Linux Mint on the same PC (via its own bridged network connection, not NAT), and I can connect to that via VPN too.

So this is only affecting this PC, and only via VPN.

Windows IP Configuration

Host Name . . . . . . . . . . . . :
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . :
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fexxx Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.x(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 206628169
DHCPv6 Client DUID. . . . . . . . : 00-01-xxx
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
 
Changed to TUN from TAP and it's working, and only an issue for *that* OS (even the Linux Mint VM on the same PC works fine by its own IP address).
So it's something to do with TAP. It was assigning from DHCP in the same main 168.1.x range if that means anything.

It was working with TAP before I had to re-set up the modem from scratch so I'm stumped. I would prefer to use TAP if possible.
 
Was it that OS or the OS on that PC? e.g. could you RDP to the same OS on another PC successfully?

If you provide the information in post #11 it might give us a clue.
 
It was working with TAP before I had to re-set up the modem from scratch so I'm stumped. I would prefer to use TAP if possible.
Is it possible that the Windows PC that you are trying to RDP into still has a static 192.168.2.x address? EDIT: Never mind. I see above that the target PC pulls an address via DHCP. So, is your RDP client file trying to connect to that new address, whatever it might be, or the old .1.x address instead?

Did you delete the old RDP certificate and import a new one?

Why would you prefer TAP, particularly if you are connecting sometimes by phone? All that overhead.
 
Which firmware version?
 
The latest Merlin version 384.11_2. Well I reset both OpenVPN servers to default, jacked up security again, and it seems to work. The only thing I didn't re-enable is compression so I am still keen to see what the issue was if I can isolate it again. It only affected that PC, via the one OpenVPN server, on all client devices (phone or laptop). Both devices now work fine. In fact I could RDP in today remotely and export and share out a large file all via my home PC, which saved tremendous hassle.

Yes I prefer TAP if possible as when I had it working before, my phone showed up as a device so the Traffic Analyser could keep tabs on it which I find interesting. Doesn't seem to be doing that now though.
 
Recently (between 384.9 and 384.11_2) the default compression went from LZO Adaptive to disable (for security). It may well be that you need to set up the compression to your liking and then generate a new .vpn file and import it into your clients.
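
The check suggested in the reply above, as an added example that is not part of the thread: it parses an exported client profile and reports where its `dev` and compression directives differ from the server's current settings. The function names are hypothetical, the server values are assumed to be read by hand from the router's OpenVPN page, and `None` stands for compression disabled.

```python
# Constructed sample: the exported client profile quoted earlier in the thread.
SAMPLE_CLIENT = """\
client
dev tap
;dev-node MyTap
proto udp
remote <remote>
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
auth SHA512
compress lz4-v2
keepalive 15 60
auth-user-pass
remote-cert-tls server
"""

def parse_ovpn(text):
    """Return {directive: [args]} for the active lines of an OpenVPN profile."""
    directives, in_inline = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):          # end of an inline <ca>/<cert>/<key> block
            in_inline = False
            continue
        if line.startswith("<"):           # start of an inline block: skip its body
            in_inline = True
            continue
        if in_inline or not line or line[0] in "#;":   # '#' and ';' are comments
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def profile_mismatches(text, server_dev, server_compression):
    """Compare a client profile with server settings supplied by the caller."""
    d = parse_ovpn(text)
    findings = []
    dev = d.get("dev", ["(unset)"])[0]
    if not dev.startswith(server_dev):
        findings.append(f"dev: client uses {dev}, server uses {server_dev}")
    # The client's compression directive as written, or None if it has none.
    comp = next((" ".join([k] + d[k]) for k in ("compress", "comp-lzo") if k in d), None)
    if comp != server_compression:
        findings.append(f"compression: client has {comp!r}, server has "
                        f"{server_compression!r}; re-export the client profile")
    return findings

if __name__ == "__main__":
    # Assumed server state: TAP, compression disabled (the newer default).
    for finding in profile_mismatches(SAMPLE_CLIENT, "tap", None):
        print(finding)
```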
 
Compression doesn't seem to be worthwhile, particularly for RDP which is already compressed, so no great loss (I think I made a joke there).

TAP has all the extra traffic on its level going all the time, and if your phone is metered why pay for all your home devices to send to your phone all their announcements over the metered connection.
 
Really? Wow.. I had no idea. Well it's a 50GB Telstra account and I hadn't noticed anything really chewing it up. Can the traffic get quite high? It would be an issue for battery drain then too if anything so I may switch back to TUN. I am not getting the benefits of TAP anyway such as the device showing in the network list and I believe RDP worked fine via TUN anyway.
 