Can't connect to VPN from internal network
-
- Posts: 11
- Joined: Wed Jan 04, 2017 8:28 am
Can't connect to VPN from internal network
Hi
I am currently having an issue connecting to the VPN server when using devices on the same network. The VPN server (version 4.20) is installed on an Ubuntu server (version 16.04) and I am trying to connect with Windows 10, Android, iPhone/iPad and unable to do so (192.168.0.2).
The Ubuntu server is running as a VM using Local Bridge and the VPN is configured to use Virtual NAT/DHCP (default settings).
Event viewer logs the error as 'The user SYSTEM dialed a connection named server which has failed. The error code returned on failure is 789.'
I have successfully connected to the VPN from external devices (Windows 10 and Android) but just not from the same network.
If the Android device is connected via WiFi it doesn't connect; if I turn WiFi off and then retry, it connects.
I can also connect using the Softether VPN Client on Windows 10.
Thanks in advance
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Can't connect to VPN from internal network
If you turn off the WiFi on your Android, how are you connected to the internet?
Maybe your router or server does not allow internal communication. In OpenWRT for example, you need to specifically enable it.
Also, maybe you need to port-forward the needed ports for your VPN to work.
-
- Posts: 11
- Joined: Wed Jan 04, 2017 8:28 am
Re: Can't connect to VPN from internal network
Thanks for the reply.
The Android device is a phone; when the WiFi is turned off it switches to 4G.
Everything works externally: the ports are all forwarded and the SoftEther VPN client connects. I just can't connect with the Windows/Android clients.
I can connect to an external VPN from the Windows PC, the same PC that I can't connect internally from.
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Can't connect to VPN from internal network
Hmm. I suspect this is a network issue instead of a VPN issue.
Can you ping the vpn server machine internally at all? Say PC1 and PC2 are on the same subnet (192.168.0.1).
Assume SE server is installed on PC1. Can you reach port 500/udp on PC1 from PC2?
Try netcat or similar.
-
- Posts: 11
- Joined: Wed Jan 04, 2017 8:28 am
Re: Can't connect to VPN from internal network
Thanks for the reply.
I can ping the VPN server on 192.168.0.2 from the Windows PC and that works fine but when I try 'nc 192.168.0.2 -u 500' I don't get a response.
If I do a netstat -plun, I can see the UDP port there, but the status is empty and not listening. How can I make them listen, and why would they work externally?
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Can't connect to VPN from internal network
On your SE server, assuming that it is Ubuntu/Debian etc., can you run, or make sure that you already have, the following:
# for ISAKMP (handling of security associations)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
# for NAT-T (handling of IPsec between natted devices)
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# for L2TP
iptables -A INPUT -p udp --dport 1701 -j ACCEPT
# for ESP payload (the encrypted data packets)
iptables -A INPUT -p esp -j ACCEPT
# for the routing of packets on the server
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
Replace %SERVERIP% with the external IP of your VPS. If your external interface is not named ethX (+ is a wildcard) then rename appropriately.
# Enable ipv4 forwarding
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
#Set these settings for other network interfaces:
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
#Apply them:
sysctl -p
But please don't just copy/paste these commands and execute them; instead, check whether they are already there first, and only then execute them.
-
- Posts: 11
- Joined: Wed Jan 04, 2017 8:28 am
Re: Can't connect to VPN from internal network
Thanks for the reply.
I have been through each of those and the only rules that were missing were
iptables -A INPUT -p udp --dport 1701 -j ACCEPT
and
iptables -t nat -A POSTROUTING -j SNAT --to-source %SERVERIP% -o eth+
So I added them but still no joy.
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Can't connect to VPN from internal network
OK. Try tailing the log file of the SE server and see whether something happens when you initiate a connection.
And if so, please paste the output here.
-
- Posts: 11
- Joined: Wed Jan 04, 2017 8:28 am
Re: Can't connect to VPN from internal network
Thanks for your reply and continued support.
Could you let me know which log file I need to follow please?
I've checked the server_log/vpn_20170104.log and when connecting internally there's no activity, but when connecting externally you can see the connection establish successfully as expected.
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Can't connect to VPN from internal network
Yes this was the file I was asking about.
So now we know for sure that nothing is arriving at the SE server.
Let's try and see if there's anything arriving at the machine at all: could you please log the packets dropped by iptables? Try this tutorial:
http://www.thegeekstuff.com/2012/08/ipt ... g-packets/
Log the dropped packets only for ports 500 and 4500 UDP (assuming you are using L2TP).
If nothing is being dropped, then we know that nothing is reaching this machine at all.
BTW, do you have multiple network cards?
Also, are you using SecureNAT or a bridge?
If no packets are reaching the machine, then the next step is to check the router.
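Once LOG rules for the dropped packets are in place, the question is whether any IKE, NAT-T or ESP packets show up at all. The parser below is an added example, not code from this thread: it summarises iptables LOG lines (as found in /var/log/kern.log or syslog) by source, protocol and destination port; the "VPN-DROP: " log prefix and the sample lines are constructed assumptions.

```python
"""Summarise iptables LOG lines for the IPsec/L2TP ports checked in the thread."""
import re
from collections import Counter
# UDP ports the thread's INPUT rules open: IKE (500), NAT-T (4500), L2TP (1701).
VPN_UDP_PORTS = {500, 4500, 1701}

# Constructed sample kernel log lines in the format the iptables LOG target writes;
# the prefix "VPN-DROP: " is an assumed --log-prefix, not one from the thread.
SAMPLE_LOG = """\
Jan  4 10:15:22 vpnsrv kernel: VPN-DROP: IN=eth0 OUT= MAC=aa:bb SRC=192.168.0.10 DST=192.168.0.2 LEN=348 TTL=128 ID=1 PROTO=UDP SPT=500 DPT=500 LEN=328
Jan  4 10:15:23 vpnsrv kernel: VPN-DROP: IN=eth0 OUT= MAC=aa:bb SRC=192.168.0.10 DST=192.168.0.2 LEN=64 TTL=128 ID=2 PROTO=UDP SPT=4500 DPT=4500 LEN=44
Jan  4 10:15:30 vpnsrv kernel: VPN-DROP: IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.7 DST=192.168.0.2 LEN=60 TTL=52 ID=3 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024
Jan  4 10:15:31 vpnsrv kernel: VPN-DROP: IN=eth0 OUT= MAC=aa:bb SRC=192.168.0.10 DST=192.168.0.2 LEN=120 TTL=128 ID=4 PROTO=ESP SPI=0x1a2b3c4d
Jan  4 10:15:40 vpnsrv sshd[123]: Accepted publickey for admin from 192.168.0.10 port 50022
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line, prefix="VPN-DROP: "):
    """Return the KEY=VALUE fields of an iptables LOG line, or None when the
    line is not a kernel line carrying the expected prefix."""
    if "kernel:" not in line or prefix not in line:
        return None
    return dict(FIELD_RE.findall(line.split(prefix, 1)[1]))

def is_vpn_packet(fields):
    """True for IKE/NAT-T/L2TP over UDP and for ESP: the traffic the thread's
    INPUT rules are meant to accept."""
    proto = fields.get("PROTO")
    if proto == "ESP":
        return True
    if proto == "UDP":
        dport = fields.get("DPT", "")
        return dport.isdigit() and int(dport) in VPN_UDP_PORTS
    return False

def summarise_drops(log_text, prefix="VPN-DROP: "):
    """Count dropped VPN packets per (source, proto, dport). An empty result
    means no VPN traffic reached the firewall, which in the thread points at
    the bridge/router rather than at the server itself."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields and is_vpn_packet(fields):
            counts[(fields["SRC"], fields["PROTO"], fields.get("DPT", "-"))] += 1
    return counts

if __name__ == "__main__":
    for (src, proto, dport), n in sorted(summarise_drops(SAMPLE_LOG).items()):
        print(f"{src:15} {proto:4} dport={dport:5} dropped={n}")
```

Feed it the real file with `summarise_drops(open("/var/log/kern.log").read())` after setting the prefix to whatever `--log-prefix` you used; unrelated drops (the TCP/22 line above) are ignored.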
-
- Posts: 11
- Joined: Wed Jan 04, 2017 8:28 am
Re: Can't connect to VPN from internal network
Hi
I have enabled the logging and, if I've done it right, nothing is being logged, so presumably nothing is hitting the server, as you suspected. Not sure why this would be, as I am SSHing into it fine (locally).
To answer your question, the server is running as a VM on VirtualBox on the Windows 10 PC using a Bridged Ethernet adapter (only one virtual, but the PC has two).
Cheers
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Can't connect to VPN from internal network
I know this sounds paranoid, but please have the SE server installed on an actual separate machine. Even if you think they (server/client) are using two separate network interfaces, maybe they are not, and in this case you can NOT create a VPN connection.
The thing is, when debugging such problems you really need to isolate all possible error sources to actually concentrate on the real problem. So give your setup the optimal environment.
If you don't have an old machine lying around to use as the SE server, then try creating an AWS account. You get many computing hours for free.
Cheers,
-
- Posts: 11
- Joined: Wed Jan 04, 2017 8:28 am
Re: Can't connect to VPN from internal network
OK thanks for the advice, I've ordered a Pi to act as the server - hopefully there won't be an issue with that setup.
Thanks again for your assistance.
-
- Posts: 11
- Joined: Wed Jan 04, 2017 8:28 am
Re: Can't connect to VPN from internal network
Hi
Just a quick message to let you know that I managed to get it working. I've no idea what I did, but everything is working as required.
Thanks again for your help.
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Can't connect to VPN from internal network
Glad to hear that.
Cheers,
Moataz