Cannot RDP into Local Endpoint from Virtual Server

VPNme
Posts: 10
Joined: Wed Jul 13, 2022 8:24 pm

Cannot RDP into Local Endpoint from Virtual Server

Post by VPNme » Wed Jul 13, 2022 9:23 pm

Hello all!

I have been looking through the past threads and found some issues similar to mine, but no real concrete answers. I am hoping someone can help me here.

The Windows Server 2019 that I am running is a VM hosted on MS Azure. I use this virtual server as the SoftEther server and to act as a virtual hub. I can successfully RDP into the Windows Server 2019 while on VPN on any local endpoint. However, while on VPN and connected to the virtual server, I cannot RDP to anything outside of the Windows Server 2019 VM. I have made sure that I have two separate hubs (example: Hub 1 is for server access only; Hub 2 is for a site from virtual server to local endpoint).

I have made sure that virtual DHCP is enabled on both hubs as well as Local Bridge for both instances.

Please tell me what I am doing wrong?


Operating system name and the type of CPU-bits
Azure VM: Windows 10 Server 2019 (SoftEther Server)
Local Endpoint: Windows 11 Pro (Stand alone end point (For testing purposes))
==============================================================
Azure VM IP Information:

Code:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.1.0.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.0.1
   
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Local Host Name
   Primary Dns Suffix  . . . . . . . : Company Domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Company Domain.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-0D-3A-A5-99-A4
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.0.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.0.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
    2 NIC(s) Installed.
                           [01]: Microsoft Hyper-V Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.1.0.4
                           [02]: Mellanox ConnectX-4 Lx Virtual Ethernet Adapter
                                 Connection Name: Ethernet 6
                                 DHCP Enabled:    No
                                 IP address(es)
Local Endpoint IP Information:

Code:

Unknown adapter VPN - VPN Client:

   Connection-specific DNS Suffix  . : Company Domain Name.com (Virtual Server Domain Name)
   Link-local IPv6 Address . . . . . : fe80::3f:a61e:3424:8646%16
   IPv4 Address. . . . . . . . . . . : 172.168.40.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.168.40.1
Note: 172.168.40.x is the Virtual DHCP provided by SoftEther

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : ISP Provider.com
   Link-local IPv6 Address . . . . . : fe80::c5d0:28c2:8d25:aea6%7
   IPv4 Address. . . . . . . . . . . : 192.168.1.118
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
Note: 192.168.1.x is the private internal IP at our office.

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Network Card(s):           4 NIC(s) Installed.
                           [01]: Realtek PCIe GbE Family Controller
                                 Connection Name: Ethernet
                                 Status:          Media disconnected
                           [02]: Realtek RTL8821CE 802.11ac PCIe Adapter
                                 Connection Name: Wi-Fi
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.1.1
                                 IP address(es)
                                 [01]: 192.168.1.118
                                 [02]: fe80::c5d0:28c2:8d25:aea6
                           [03]: Bluetooth Device (Personal Area Network)
                                 Connection Name: Bluetooth Network Connection
                                 Status:          Media disconnected
                           [04]: VPN Client Adapter - VPN
                                 Connection Name: VPN - VPN Client
                                 DHCP Enabled:    Yes
                                 DHCP Server:     172.168.40.1
                                 IP address(es)
                                 [01]: 172.168.40.10
                                 [02]: fe80::3f:a61e:3424:8646
==============================================================
The build number of SoftEther VPN

Build 9772

TCP ports 443, 992, 1194, 5555 are open. However, I will most likely tweak this and disable the ones with well-known vulnerabilities...

Are you using SecureNAT?

Not sure? I am using Local Bridge within the SoftEther app.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by solo » Thu Jul 14, 2022 12:38 am

VPNme wrote:
Wed Jul 13, 2022 9:23 pm

> I have made sure that virtual DHCP is enabled on both hubs as well as Local Bridge for both instances.
>
> Please tell me what I am doing wrong?
>
> Note: 172.168.40.x is the Virtual DHCP provided by SoftEther
>
> Are you using SecureNAT? Not sure? I am using Local Bridge within the SoftEther app.

Hi, let's clarify the above first.

- vDHCP may be used on a bridged hub but only if the LAN has no DHCP server already

- 172.168.40.x is not from SoftEther...
inetnum: 172.160.0.0 - 172.191.255.255
netname: UK-MICROSOFT-20000324
country: GB

- SecureNAT in default configuration and a Local Bridge do not work together

Please revise and update your post.

VPNme
Posts: 10
Joined: Wed Jul 13, 2022 8:24 pm

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by VPNme » Thu Jul 14, 2022 2:20 pm

> - 172.168.40.x is not from SoftEther...
> inetnum: 172.160.0.0 - 172.191.255.255
> netname: UK-MICROSOFT-20000324
> country: GB
I statically assigned the DHCP to that 172.168.40.x just to give it a random IP address as opposed to the default 192.168.30.x
I deleted the Local Bridge for the second Hub site. I did leave SecureNAT on because the VM Server that I am hosting the SoftEther Server application does not have a DHCP.

I am still unable to RDP into a remote end point from the VM Server. I can still remote into the VM Server from an endpoint, I just cannot RDP into any machine while logged into the VM Server (that runs SoftEther Server app).

I deleted the bridge and turned on SecureNAT, still unable to remote connect into an endpoint from VM server...

VPNme
Posts: 10
Joined: Wed Jul 13, 2022 8:24 pm

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by VPNme » Thu Jul 14, 2022 7:00 pm

Bump

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by solo » Thu Jul 14, 2022 10:50 pm

VPNme wrote:
Thu Jul 14, 2022 2:20 pm
> I did leave SecureNAT on because the VM Server that I am hosting the SoftEther Server application does not have a DHCP.
Well, you could use a bridge with Open DHCP Server but if you prefer SecureNAT, one-hub solution, then proceed as follows:

- in SecureNAT disable vNAT and remove default gateway from vDHCP
- on the VM server install also SoftEther VPN client and use "localhost" as connection address
- ...that's it, RDP everywhere now with preferably static IPs of the vHUB

(assuming those "RDP Local Endpoints" can actually be RDP-ed and firewalls and other obstacles like "Allow connections only from computers running Remote Desktop with Network Level Authentication" are taken care of already :-)

VPNme
Posts: 10
Joined: Wed Jul 13, 2022 8:24 pm

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by VPNme » Fri Jul 15, 2022 8:03 pm

> - in SecureNAT disable vNAT and remove default gateway from vDHCP
When I do this, I cannot RDP into the VM Server from a local endpoint. However, when I enable vNAT/vDHCP I can RDP from local endpoint into VM Server
> on the VM server install also SoftEther VPN client and use "localhost" as connection address
I installed it. I assign the SoftEther VPN client to the Virtual Hub (SoftEther VPN Server app), correct? Is there any other function I need to perform?
> - ...that's it, RDP everywhere now with preferably static IPs of the vHUB
Also, I made sure that proper firewall settings and RDP is enabled on the local endpoints.

I am still unable to RDP into a local endpoint from the virtual VM server ...? I can only ping/RDP from local endpoint into VM Server. I need to be able to RDP from VM Server into remote local endpoints.

Thank you again for your help :)

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by solo » Fri Jul 15, 2022 10:06 pm

VPNme wrote:
Fri Jul 15, 2022 8:03 pm
> Also, I made sure that proper firewall settings and RDP is enabled on the local endpoints.
Have you tested them directly on a LAN, not VPN, and seen RDP working? Enable incoming ping in their firewalls and verify pinging via LAN.
> remove default gateway from vDHCP
> ...When I do this, I cannot RDP into the VM Server
No worries, the following amends just that...
> I assign the SoftEther VPN client to the Virtual Hub (SoftEther VPN Server app), correct?
Yes, then you will be able to RDP into the VM Server from a local endpoint with an address like 192.168.30.x

Now, try pinging the remote clients with 192.168.30.x addresses, disable firewalls if unsuccessful.

VPNme
Posts: 10
Joined: Wed Jul 13, 2022 8:24 pm

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by VPNme » Fri Jul 15, 2022 11:36 pm

> Have you tested them directly on a LAN, not VPN, and seen RDP working? Enable incoming ping in their firewalls and verify pinging via LAN.
Sort of. I installed 3rd party RDP applications on two other test environments and they all were able to go through. I made sure my firewall rules were correct and allowed access. Also, I turned off the firewall on the virtual server too.
> Yes, then you will be able to RDP into the VM Server from a local endpoint with an address like 192.168.30.x
>
> Now, try pinging the remote clients with 192.168.30.x addresses, disable firewalls if unsuccessful.
Still unsuccessful :-\ .... I tried pinging; it's still not reachable from within the VM server smh.

https://imgur.com/IbiVt1p

The top CMD is the server and the bottom one is the local end point CMD

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by solo » Fri Jul 15, 2022 11:45 pm

I can't see any image(s) you refer to. Let's put aside RDP for now and focus on pings. Please post formatted as code logs from both the server and client PCs when connected to VPN:
  • netstat -r
  • ipconfig /all

VPNme
Posts: 10
Joined: Wed Jul 13, 2022 8:24 pm

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by VPNme » Fri Jul 15, 2022 11:59 pm

solo wrote:
Fri Jul 15, 2022 11:45 pm
> I can't see any image(s) you refer to. Let's put aside RDP for now and focus on pings. Please post formatted as code logs from both the server and client PCs when connected to VPN:
>   • netstat -r
>   • ipconfig /all
I fixed the image URL. The forum did not convert the image from URL format. Instead, I posted the direct link.

Here is the VM Server:

Code:

===========================================================================
Interface List
 18...5e cc 77 09 e1 c3 ......VPN Client Adapter - VPN2
 11...00 0d 3a a5 99 a4 ......Microsoft Hyper-V Network Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.0.1         10.1.0.4    266
         10.1.0.0    255.255.255.0         On-link          10.1.0.4    266
         10.1.0.4  255.255.255.255         On-link          10.1.0.4    266
       10.1.0.255  255.255.255.255         On-link          10.1.0.4    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     130.158.6.69  255.255.255.255         10.1.0.1         10.1.0.4    266
     192.168.30.0    255.255.255.0         On-link     192.168.30.11    257
    192.168.30.11  255.255.255.255         On-link     192.168.30.11    257
   192.168.30.255  255.255.255.255         On-link     192.168.30.11    257
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.30.11    257
        224.0.0.0        240.0.0.0         On-link          10.1.0.4    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.30.11    257
  255.255.255.255  255.255.255.255         On-link          10.1.0.4    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0         10.1.0.1  Default 
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 18    291 fe80::/64                On-link
 18    291 fe80::ed7e:1043:ec2b:89d2/128
                                    On-link
  1    331 ff00::/8                 On-link
 18    291 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
  
 
   Host Name . . . . . . . . . . . . : Domain Name
   Primary Dns Suffix  . . . . . . . : DomainName.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : DomainName.com

Unknown adapter VPN2 - VPN Client:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VPN Client Adapter - VPN2
   Physical Address. . . . . . . . . : 5E-CC-77-09-E1-C3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ed7e:1043:ec2b:89d2%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.30.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, July 15, 2022 6:21:45 PM
   Lease Expires . . . . . . . . . . : Friday, July 15, 2022 8:21:45 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.30.1
   DHCPv6 IAID . . . . . . . . . . . : 503360915
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-44-EC-CD-00-0D-3A-A5-99-A4
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-0D-3A-A5-99-A4
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.0.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.0.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Here is the local endpoint information:

Code:

===========================================================================
Interface List
 28...5e ec cf 4f 88 43 ......VPN Client Adapter - VPN
 16...00 ff 8c 32 5b 28 ......TAP-Windows Adapter V9 for OpenVPN Connect
 14...........................Wintun Userspace Tunnel
  3...00 ff 15 63 0f f7 ......TAP-Windows Adapter V9
 13...f4 26 79 b9 d2 8d ......Microsoft Wi-Fi Direct Virtual Adapter
  8...f6 26 79 b9 d2 8c ......Microsoft Wi-Fi Direct Virtual Adapter #2
 24...f4 26 79 b9 d2 8c ......Intel(R) Wi-Fi 6 AX201 160MHz
  1...........................Software Loopback Interface 1
 31...00 15 5d 01 59 00 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.89     35
    52.173.X.X     255.255.255.255    192.168.1.254     192.168.1.89     35
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
    130.158.6.104  255.255.255.255    192.168.1.254     192.168.1.89     35
    130.158.6.112  255.255.255.255    192.168.1.254     192.168.1.89     35
       172.27.0.0    255.255.240.0         On-link        172.27.0.1   5256
       172.27.0.1  255.255.255.255         On-link        172.27.0.1   5256
    172.27.15.255  255.255.255.255         On-link        172.27.0.1   5256
      192.168.1.0    255.255.255.0         On-link      192.168.1.89    291
     192.168.1.89  255.255.255.255         On-link      192.168.1.89    291
    192.168.1.255  255.255.255.255         On-link      192.168.1.89    291
     192.168.30.0    255.255.255.0         On-link     192.168.30.10    257
    192.168.30.10  255.255.255.255         On-link     192.168.30.10    257
   192.168.30.255  255.255.255.255         On-link     192.168.30.10    257
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.30.10    257
        224.0.0.0        240.0.0.0         On-link      192.168.1.89    291
        224.0.0.0        240.0.0.0         On-link        172.27.0.1   5256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.30.10    257
  255.255.255.255  255.255.255.255         On-link      192.168.1.89    291
  255.255.255.255  255.255.255.255         On-link        172.27.0.1   5256
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 24    291 ::/0                     fe80::2694:cbff:fe79:9180
  1    331 ::1/128                  On-link
 24     51 2600:1700:1d56:77b0::/60 fe80::2694:cbff:fe79:9180
 24    291 2600:1700:1d56:77b0::/64 On-link
 24    291 2600:1700:1d56:77b0::20/128
                                    On-link
 24    291 2600:1700:1d56:77b0:64f4:2ada:56f1:a4b2/128
                                    On-link
 24    291 2600:1700:1d56:77b0:94ea:d556:411c:fc9/128
                                    On-link
 28    291 fe80::/64                On-link
 24    291 fe80::/64                On-link
 31   5256 fe80::/64                On-link
 24    291 fe80::94ea:d556:411c:fc9/128
                                    On-link
 28    291 fe80::9d73:29cb:4f1b:77d/128
                                    On-link
 31   5256 fe80::c9e9:3208:1126:9192/128
                                    On-link
  1    331 ff00::/8                 On-link
 28    291 ff00::/8                 On-link
 24    291 ff00::/8                 On-link
 31   5256 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
Unknown adapter VPN - VPN Client:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::9d73:29cb:4f1b:77d%28
   IPv4 Address. . . . . . . . . . . : 192.168.30.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Unknown adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Unknown adapter OpenVPN Wintun:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Unknown adapter OpenVPN TAP-Windows6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local Area Connection* 10:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : ISP provided
   IPv6 Address. . . . . . . . . . . : 2600:1700:1d56:77b0::20
   IPv6 Address. . . . . . . . . . . : 2600:1700:1d56:77b0:94ea:d556:411c:fc9
   Temporary IPv6 Address. . . . . . : 2600:1700:1d56:77b0:64f4:2ada:56f1:a4b2
   Link-local IPv6 Address . . . . . : fe80::94ea:d556:411c:fc9%24
   IPv4 Address. . . . . . . . . . . : 192.168.1.89
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::2694:cbff:fe79:9180%24
                                       192.168.1.254

Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::c9e9:3208:1126:9192%31
   IPv4 Address. . . . . . . . . . . : 172.27.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
Note: 172.27.0.1 is an inactive VPN unrelated to this post.

Thank you again! :)

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by solo » Sat Jul 16, 2022 12:30 am

It's perfect.
From the server's VM do: ping 192.168.30.10
From the VPN client do: ping 192.168.30.11
If "Destination Host Unreachable", bring down the firewalls.

VPNme
Posts: 10
Joined: Wed Jul 13, 2022 8:24 pm

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by VPNme » Sat Jul 16, 2022 12:51 am

From local endpoint:

Code:

Pinging 192.168.30.11 with 32 bytes of data:
Reply from 192.168.30.11: bytes=32 time=20ms TTL=128
Reply from 192.168.30.11: bytes=32 time=219ms TTL=128
Reply from 192.168.30.11: bytes=32 time=20ms TTL=128
Reply from 192.168.30.11: bytes=32 time=22ms TTL=128

Ping statistics for 192.168.30.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 219ms, Average = 70ms
 
From VM Server

Code:

ping 192.168.30.10

Pinging 192.168.30.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.30.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Note: Firewall is off on the VM server. All firewall settings on my local endpoint should allow RDP sessions. The same result applies for other local endpoints I have tried earlier in the day.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by solo » Sat Jul 16, 2022 12:58 am

VPNme wrote:
Sat Jul 16, 2022 12:51 am
> All firewall settings on my local endpoint should allow RDP sessions.
Pings first. Either turn it off completely or in the fw defender's inbound rules enable public/private:
File and Printer Sharing (Echo Request – ICMPv4-In)

...and retest ping 192.168.30.10

VPNme
Posts: 10
Joined: Wed Jul 13, 2022 8:24 pm

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by VPNme » Sat Jul 16, 2022 2:02 am

okay okay -- we are getting somewhere now!!!! :)
Reply from 192.168.30.10: bytes=32 time=19ms TTL=128
Reply from 192.168.30.10: bytes=32 time=20ms TTL=128
Reply from 192.168.30.10: bytes=32 time=21ms TTL=128
Reply from 192.168.30.10: bytes=32 time=24ms TTL=128
This is after I turned off my firewall on the local endpoint...

I guess it turns out it's the local endpoint firewall? Is there a certain rule that I need to enable this? I would need to know this because when I roll out my live systems (endpoints) I cannot obviously have the firewall turned off.

Thank you again for being patient with me :)

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by solo » Sat Jul 16, 2022 3:18 am

VPNme wrote:
Sat Jul 16, 2022 2:02 am
> Is there a certain rule that I need to enable this?
For ping, in the defender firewall's inbound rules enable public/private:
"File and Printer Sharing (Echo Request – ICMPv4-In)"

But before you re-enable the firewall, check out RDP, it must work now ;-)
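
One way to answer the rule question above while keeping the endpoint firewall on, as an added example that is not part of the original posts: it allows ICMPv4 echo and RDP inbound only from the vHUB subnet and only on the VPN adapter, then re-runs the thread's ping/RDP checks from the server side. The subnet, adapter name and peer address are taken from the outputs posted in the thread; the function names and rule display names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Values come from the outputs posted in the thread;
# function names and rule display names are invented for this sketch.
$VpnSubnet = '192.168.30.0/24'    # vHUB range shown in both posted route tables
$VpnAlias  = 'VPN - VPN Client'   # endpoint adapter name in the posted ipconfig

function Set-VpnScopedRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable]$Match   # protocol-specific parameters
    )
    # Recreate the rule so that re-running the script does not stack duplicates.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    # Inbound allow, limited to the VPN adapter and to sources inside the vHUB
    # subnet, so the same ports stay closed on Wi-Fi and wired interfaces.
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Profile Any -InterfaceAlias $VpnAlias -RemoteAddress $VpnSubnet `
        @Match | Out-Null
}

function Enable-VpnInbound {
    # Run on the endpoint that must accept ping and RDP from the VPN hub.
    # The firewall stays enabled; these two commands only report its state.
    Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table | Out-Host
    # A VPN adapter without a default gateway shows up as an unidentified
    # network, which Windows treats as Public by default.
    Get-NetConnectionProfile -InterfaceAlias $VpnAlias |
        Select-Object InterfaceAlias, NetworkCategory | Format-Table | Out-Host

    Set-VpnScopedRule -Name 'VPN hub ICMPv4 echo in (example)' `
        -Match @{ Protocol = 'ICMPv4'; IcmpType = '8' }
    Set-VpnScopedRule -Name 'VPN hub RDP in (example)' `
        -Match @{ Protocol = 'TCP'; LocalPort = '3389' }
}

function Test-VpnPeer {
    # Run on the VM server after the endpoint rules are in place.
    param([string]$Peer = '192.168.30.10')   # endpoint address from the thread

    # Which local address would be used to reach the peer? It should be the
    # VPN client adapter's 192.168.30.x address, not the Azure NIC (10.1.0.4).
    $source = (Find-NetRoute -RemoteIPAddress $Peer | Select-Object -First 1).IPAddress

    # Ping first, then the RDP port, in the same order as in the thread.
    $ping = Test-NetConnection -ComputerName $Peer -WarningAction SilentlyContinue
    $rdp  = Test-NetConnection -ComputerName $Peer -Port 3389 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Peer        = $Peer
        SourceIP    = $source
        Ping        = $ping.PingSucceeded
        RdpPort3389 = $rdp.TcpTestSucceeded
    }
}

# On the endpoint:   Enable-VpnInbound
# On the VM server:  Test-VpnPeer -Peer 192.168.30.10
```

If `Ping` and `RdpPort3389` both come back `True` with `SourceIP` in 192.168.30.x, the endpoint is reachable over the hub with its firewall still enabled.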

VPNme
Posts: 10
Joined: Wed Jul 13, 2022 8:24 pm

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by VPNme » Tue Jul 19, 2022 1:37 pm

Update:

I am successfully able to RDP from Azure Virtual Server to any endpoint that has a SoftEther VPN connection.

Big thank you again Solo for guiding me through it.

If anyone else is having this issue as well, please perform the following:

1. Make sure your remote endpoint has RDP enabled.
2. Make sure that the firewall settings allow RDP. If it does, turn off all firewall settings and pick one by one.
3. Make sure that the VPN client is running within the VPN server
4. Follow best practices when securing your VPN connections for security reasons.

Anything else pops up, I will open a new thread.

Analitik
Posts: 2
Joined: Wed Jul 20, 2022 3:18 pm

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by Analitik » Mon Jul 25, 2022 12:32 pm

Greetings! I am a new Softether VPN user. My task is to provide access for remote users to a terminal Windows Server 2012 R2, namely to its shared folders and to remote desktops via RDP. For experiments, I chose Windows 10 Prof on VirtualBox. I have read many instructions for installing and configuring this program, but none of them helped to achieve the desired result. When I try to use even the simplest option, I have 1) no access to the shared folders of the server 2) connection to it via RDP does not work. What am I doing wrong?

What I've done:
1) installed a VPN client on my PC (192.168.1.3)
2) launched a virtual W10 on my PC (the network interface works in bridge mode, promiscuous traffic is allowed, IP 192.168.126, RDP works at this address, shared folders are available)
3) installed Softether VPN server on the virtual machine
4) disabled Softether DDNS and Azure Cloud VPN Service
5) created a localhost VPN server, did not change the listening ports by default
6) created a virtual hub
7) created a user with the same name and password as the administrator of the virtual W10, with password access to the VPN
8) forwarded port 5555 from the router to the VM (the router has a static white public IP)
9) created a VPN connection on my PC in Softether VPN Client Manager via this IP and port 5555
The connection is established, and this is where all the achievements end, since such a VPN connection does not give us anything - the virtual machine is not visible through it.

Then I enabled SecureNAT, assigned IP 192.168.5.1 to the virtual network interface of the host, enabled the virtual DHCP server with the address range 192.168.5.2 - 192.168.5.10; virtual NAT did not turn on, because I still do not understand what it is. Now, when a VPN connection is established, the virtual network adapter on my PC receives the address 192.168.5.2, DHCP 192.168.5.1, the virtual network interface of the VPN server pings, but the folders shared on it are not visible, and the RDP connection is not established (computer 192.168.5.1 not found).

It is very important for me to put Softether VPN into operation, since brute force attacks on RDP are becoming more and more massive every month. But I can't do it without your help! Thanks in advance.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by solo » Mon Jul 25, 2022 1:30 pm

There are several ways to RDP with SoftEther. Since you have posted in this thread, on one of SecureNAT's methods, then let's repeat:

- in SecureNAT disable vNAT and remove default gateway from vDHCP
- on the VM server install also SoftEther VPN client and use "localhost" as connection address
- ...that's it, RDP everywhere now with preferably static IPs of the vHUB

Incidentally, your remote RDP test SE client should be on a separate WAN/PC, not on the VB-bridged LAN.

Analitik
Posts: 2
Joined: Wed Jul 20, 2022 3:18 pm

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by Analitik » Tue Jul 26, 2022 1:47 pm

>in SecureNAT disable vNAT and remove default gateway from vDHCP
I didn't turn them on.
>on the VM server install also SoftEther VPN client and use "localhost" as connection address
Done.
>...that's it, RDP everywhere now
How??? It did not receive any internal IP address visible through the VPN connection and did not give either it or a DDNS name to anyone - the virtual network adapter on the client received only an "autoconfiguration" IP address 169.254.159.205 and no DHCP address. At what address should I access the server on the virtual machine (or the physical machine, located on the local network behind NAT) from the outside??? What connection address should I tell employees?

I have changed the mode of operation of the network interface of the virtual machine with the SE server from "bridge" to "NAT" in order to completely exclude access to it from local network and thus from my client computer. The previously configured connection to the public white IP address by redirecting port 5555 from it to the VM, of course, stopped working.

Could you explain more clearly for dummies like me? Or at least give links to the documentation, which shows real, not theoretically working ways to solve my problem and many others?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Cannot RDP into Local Endpoint from Virtual Server

Post by solo » Tue Jul 26, 2022 2:38 pm

Analitik wrote:
Tue Jul 26, 2022 1:47 pm
> give links to the documentation, which shows real, not theoretically working ways
There is nothing theoretical about the way - just read above your first post. But you may like something "official" better. Here it is...
> if you only want to access shared files on a single computer from a remote location, or make a remote desktop connection... You can simply install VPN Client to the computer you installed VPN Server to and have it stay connected to itself (localhost).
https://www.softether.org/4-docs/1-manu ... l_Bridging