[SOLVED] VPN Basics

F1ComputerServices
New Member, Canada

Overview

I need to access a shared folder on a remote computer (Server2021) using VPN across WAN from a local computer Laptop-016
I can connect to the remote ROUTER using VPN but cannot see or connect to the remote Server2021

I expected to see in the explorer of Laptop-016 all the resources and shares on its local LAN AND the resources and shares on the remote LAN – including Server2021.

I can connect from Windows to the Remote VPN router. The Remote router shows I am connected. I check my IPCONFIG and it shows I am connected to the remote router.

I do an IP Scan (angryIP) on both subnets from Laptop-016 and Laptop-016 appears

I am missing something! I think there has to be some more adjustment in the remote router to connect the Remote LAN to the VPN.

I have called TP-Link support – but they are going down the wrong rabbit hole.

Thank you for filling in the blanks in my knowledge here.

Rob
[screenshot]

Server2021 Settings

[screenshot]

Remote Router confirmation

[screenshots]
From Laptop-016:
[screenshot]

Proof of problem

Scan of Remote IPs from local Laptop-016
[screenshot]

Scan of Remote IPs from Remote Server2021
[screenshot]
 
I’m on my phone and can’t take in all the details right now, not that I’m the one who could answer it anyway. But I will say, what I do is just cheat and access the server by IP. \\192.168.1.26\Company\Docs for example. Your local network is a different subnet than the remote I presume.
 
I never tried that!!
Alas, no, it didn't work.
[screenshot]
 
OH!!! and Thanks :)
 
PPTP is extremely insecure. Looks like the device supports OpenVPN, so you should do that. Or L2TP/IPsec. The first diagram shows you have RDP enabled. Explorer is not RDP. Assuming the laptop is W10, is it Pro? Home doesn't have Remote Desktop. Lastly, I'm not a big fan of TP-Link for routers.
 
Thanks for your thoughts. I will consider different versions of VPN once I get ANY version to work LOL. Ya, I know RDP isn't explorer - I tried to remove as much extraneous information that may muddy the waters of the problem at hand - I missed removing that.
 
Check your server firewall and make sure you're allowing connections for SMB from your VPN IP pool.

Also, your router could be allowing ping on the inside interface while still blocking connections to the inside network past the router. So I'd check that firewall as well.
 
I haven't done VPNs in a while for this stuff (365 just makes it so easy... Teams/SharePoint).
But some things to remember....
*Name resolution. What is the remote client's PC using for DNS in the VPN dial-up adapter? Without the DC's IP for DNS, it's probably getting either the router or the ISP's DNS servers. The router may have a customizable internal DNS service (or not). And of course the ISP's DNS servers know nothing about the host's internal network. So sometimes you have to customize the router's internal DNS server service if it has one, and/or customize the DNS server(s) being handed out to VPN clients. Old school approach... "poor man's WINS"... the old lmhosts file.
*Windows Firewall rules. The server's firewall is probably set for its own subnet, but it's locked up tighter than a bull arse for any other subnet. Add the subnet the VPN server service hands out to the firewall rules for allowing SMB. Same for the remote client.
 
I would double-check by trying to ping something w/o a firewall, like a printer. If that doesn't respond, I would look at the router/firewall ACLs to make sure that traffic is allowed from the VPN zone/network to the LAN zone/network and vice versa.
 
This is what I do when troubleshooting a networking problem. Try to use some network device first to test traffic flow. Things like networked printers and NAS always have a web landing page.
 
Hmm - this sounds interesting - What is the " vpn ip pool"?

The router and Laptop-16 are pingable from Laptop-16 with the VPN connected (see Angry IP scan).
 
I did ping the whole VPN range using AngryIp Scanner - just the router and the Laptop-016 showed. But if I scan from within the LAN I see everything.
 
Hey Cat,

Your answer gave me the clue I needed - I did not know that the remote server (Server2021) must also be connected to the VPN. I assumed since it is on the LAN that it didn't need to be connected. Once I connected the server to the VPN - poof, it works.
[screenshots]
 

Should not have to connect the server to the VPN also...so that's telling you it's a firewall and subnet thing.
Next, try not connecting the server to the VPN, but drop its firewall entirely... as a test, and then VPN in from a remote client, and see what happens. Access the server via IP, like... if the server's LAN IP is 192.168.10.10, from the remote client that is VPN'd in... bring up \\192.168.10.10 and see if you can browse shares.
 
The VPN IP pool is the scope being handed out by the VPN server. In this case it appears to be 10.0.7.0/24, since the PPP adapter on lt-016 is 10.0.7.11. There is no need to connect anything to the VPN server at the destination. The VPN server takes care of NAT. So, as @YeOldeStonecat indicated, it's some type of networking issue at the destination. First thing I'd do is drop the firewall on the server and see if the remote can.
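The two checks Cat listed (which DNS server the VPN adapter is using, and whether the server's SMB rule is scoped to its own subnet only) and the firewall test Markverhyden suggests can both be done from PowerShell instead of turning the firewall off. The following is an added example written for this thread, not something posted by either of them or shipped by TP-Link. The VPN pool 10.0.7.0/24 is taken from the post above; the adapter name 'TP-Link VPN', the DC address 192.168.0.10 and the rule name 'SMB-In from VPN pool' are assumed placeholders and need to match the real environment. Run the CLIENT half on Laptop-016 while the tunnel is up and the SERVER half on Server2021 from an elevated prompt.

```powershell
# Added example (not from the thread). Assumed values, change to match your setup:
#   $VpnAdapter = 'TP-Link VPN'    the client's VPN/PPP adapter, as shown by Get-NetAdapter
#   $DcIp       = '192.168.0.10'   the DC / DNS server on the office LAN
#   $VpnPool    = '10.0.7.0/24'    the pool the router's VPN server hands out (from the thread)

# ---------------- CLIENT (Laptop-016) ----------------
$VpnAdapter = 'TP-Link VPN'
$DcIp       = '192.168.0.10'
$ServerName = 'Server2021'

# 1. Which DNS server is the VPN adapter using? If it is the router or the ISP,
#    the name Server2021 will never resolve even though the tunnel is up.
Get-DnsClientServerAddress -InterfaceAlias $VpnAdapter -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Point the VPN adapter at the DC for the life of this connection
#    (a dial-up adapter drops this on disconnect; make it permanent in the VPN profile).
Set-DnsClientServerAddress -InterfaceAlias $VpnAdapter -ServerAddresses $DcIp

# 3. Resolve the name against the DC explicitly, then test SMB (TCP 445) by IP,
#    so a name-resolution failure and a firewall block show up as different errors.
$resolved = Resolve-DnsName -Name $ServerName -Server $DcIp -Type A -ErrorAction SilentlyContinue
if (-not $resolved) { Write-Warning "$ServerName did not resolve via $DcIp" }
$target = if ($resolved) { $resolved.IPAddress | Select-Object -First 1 } else { $DcIp }
Test-NetConnection -ComputerName $target -Port 445 |
    Select-Object ComputerName, RemoteAddress, PingSucceeded, TcpTestSucceeded

# ---------------- SERVER (Server2021) ----------------
$VpnPool  = '10.0.7.0/24'
$RuleName = 'SMB-In from VPN pool'   # assumed name for the rule added below

# 4. Show the built-in SMB inbound rules and the remote-address scope on each.
#    "LocalSubnet" is the default on the Domain/Private profile and is exactly
#    what keeps a 10.0.7.x VPN client out while LAN hosts get in fine.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { $_.DisplayName -like '*SMB-In*' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }

# 5. Instead of disabling the firewall, add one narrowly scoped rule:
#    TCP 445 inbound, only from the VPN pool. Nothing else on the server is opened.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 445 -RemoteAddress $VpnPool -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

If step 4 shows RemoteAddress = LocalSubnet on the SMB-In rule, that alone explains why dropping the firewall "fixed" it; step 5 is the fix that keeps the firewall on. Step 3 also separates the two failure modes: PingSucceeded true with TcpTestSucceeded false points at the server firewall, while no response at all points at the router's VPN-to-LAN rules.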
 
Markverhyden and Markverhyden,
First - thank you so much for your help. 🙏
Second - Yes, turning off the firewall allowed access to Server2021 without connecting Server2021 to the VPN. I'm ok with that for now.

Now, this raises a second problem: the IP ranges. The remote server is on the range 192.168.0.xxx - what if the person who logs on has conflicting IPs? BTW I have three NICs in my server, if that helps 🤷🤷🤷
 
You're welcome. With VPN and IPs, no two locations can have the same IP scheme, period. Since I don't want to add to my support woes by dealing with consumer setups, I always set up business LANs with IP schemes that have not been seen as defaults by ISPs. For the 3rd octet in 192.168 I'll start with 253. If I need more I'll just go down in numerical sequence. For 10.x.x.x I'll usually go with 10.10.253.x. Personally I'd go ahead and change the IP scheme in the subject location. Far better to do it now, when you are in control, than in the future when some crisis might be looming on the horizon. If you have three NICs I suppose you could just change one to 10.0.7.1 and turn the firewall back on. Personally I'd not do that; rather, properly set up the firewall by adding an incoming scope of 10.0.7.0/24 to be allowed.
 

Yup, totally good question.

So with many (not all) types of VPNs... you cannot have the same IP range on both sides of the wall.
So, this is why we avoid making businesses follow the common class C subnets, like... we avoid 192.168.0.1/24 and 192.168.1.1/24, and we avoid 10.1.1.1/24. Because, chances are good that "remote" users from home... will have those same IP ranges with consumer-grade routers, or ISP-provided routers.

Instead, I'll usually do 192.168.10.1/24, or 192.168.50.1/24, or 10.50.1.1/24, stuff like that.
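Both Markverhyden and YeOldeStonecat make the same point: the office LAN, the VPN pool and whatever subnet the remote user has at home must not overlap, or the client's routing table cannot tell the two apart. The following is an added example, not code from either poster, that checks this arithmetically: it computes the address range of each CIDR and reports overlaps, first for the office scheme from the thread (192.168.0.0/24 and the 10.0.7.0/24 pool) against a constructed list of common home subnets, then for whatever IPv4 subnets the machine it runs on actually has. Everything except those two thread values is assumed or constructed.

```powershell
# Added example (not from the thread). The office LAN and VPN pool come from the
# thread; the list of "common home subnets" is constructed for illustration.

function ConvertTo-IpInt {
    # Dotted IPv4 string -> 64-bit integer (kept signed-64 to avoid PowerShell's
    # int32 wraparound on hex literals and bitwise operators).
    param([Parameter(Mandatory)][string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function ConvertFrom-IpInt {
    param([Parameter(Mandatory)][int64]$Value)
    ((24, 16, 8, 0) | ForEach-Object { ($Value -shr $_) -band 255 }) -join '.'
}

function Get-SubnetRange {
    # First and last address of a CIDR (host bits in the input are ignored).
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $prefixText = $Cidr -split '/'
    if (-not $prefixText) { throw "Missing prefix length in '$Cidr'" }
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in '$Cidr'" }
    $allOnes = [int64]([uint32]::MaxValue)                 # 0xFFFFFFFF as a positive int64
    $mask    = ($allOnes -shl (32 - $prefix)) -band $allOnes
    $start   = (ConvertTo-IpInt $ip) -band $mask
    $end     = $start -bor ($allOnes -shr $prefix)         # all host bits set
    [pscustomobject]@{
        Network = "$(ConvertFrom-IpInt $start)/$prefix"
        Start   = $start
        End     = $end
    }
}

function Test-SubnetOverlap {
    # True when the two CIDR ranges share at least one address.
    param([Parameter(Mandatory)][string]$CidrA, [Parameter(Mandatory)][string]$CidrB)
    $a = Get-SubnetRange $CidrA
    $b = Get-SubnetRange $CidrB
    ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

$OfficeLan = '192.168.0.0/24'   # Server2021's LAN, from the thread
$VpnPool   = '10.0.7.0/24'      # pool handed out by the router's VPN server, from the thread

# Constructed list of ranges that consumer/ISP routers commonly default to,
# plus the 192.168.253.0/24 style scheme suggested above for comparison.
$commonHomeSubnets = '192.168.0.0/24', '192.168.1.0/24', '10.0.0.0/24', '10.1.1.0/24', '192.168.253.0/24'

foreach ($home in $commonHomeSubnets) {
    [pscustomobject]@{
        HomeSubnet      = $home
        CollidesOffice  = Test-SubnetOverlap $home $OfficeLan
        CollidesVpnPool = Test-SubnetOverlap $home $VpnPool
    }
}

# Live check on the machine this runs on (Windows only): does any of its real IPv4
# subnets overlap the office LAN or the VPN pool? APIPA/loopback are skipped.
Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.InterfaceAlias -notmatch 'Loopback' } |
    ForEach-Object {
        $cidr = "$($_.IPAddress)/$($_.PrefixLength)"
        [pscustomobject]@{
            Interface       = $_.InterfaceAlias
            LocalSubnet     = (Get-SubnetRange $cidr).Network
            OverlapsOffice  = Test-SubnetOverlap $cidr $OfficeLan
            OverlapsVpnPool = Test-SubnetOverlap $cidr $VpnPool
        }
    }
```

Run on a home machine that sits on 192.168.0.0/24, the last table shows OverlapsOffice = True for the Ethernet or Wi-Fi adapter, which is the conflict the posters warn about: traffic for 192.168.0.x stays on the local LAN and never enters the tunnel. Renumbering the office to something like 192.168.253.0/24 makes every row in the first table False except the 192.168.253.0/24 comparison itself.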
 
Very interesting. Well in the future I will use non-common IP ranges but now I have a business with a pretty standard IP range of 192.168.0.xxx. I have many ports forwarded to static IPs etc.
I'm going to try the one NIC manually assigned IP to see if that works.
 