Remote Client can't access anything on the VeeamPN network (RDP Server, any other local ressources)

[pducharme]

Hi,

I'm trying to get VeeamPN working to have access for Remote Workers being able to access our on-premise RDP Session Host server. I did install the VeeamPN on a Ubuntu Mini 18.04 LTS using the Install Script, running on Hyper-V. All other VMs (including the RDP server) are on the same Hyper-V host. They are all in this IP range : 192.168.123.0/24.

I created a user and got the .ovpn file that I imported on a laptop (connected at another site) and I can connect to the VPN without issue, but I can't access anything on the on-premise site.

Did I miss something ?? I thought the idea was to be able the local resources on premise ?

[HannesK]

Hello,
well, with VPNs there are many things that you might have missed.

The most common mistake I did in the past was forgetting about about routing into the VPN. As the VPN gateway is probably not the default gateway of your VMs, they will receive the RDP request and send the answer back to their default gateway. There it goes into nirvana.

The next common thing is the Windows firewall that might only allow connections from the local subnet.

If that does not help, then wireshark and tcpdump became my friend. Just checking where the packet gets lost.

Best regards,
Hannes

[pducharme]

Hi HannesK,

What I found out is that I need to check the "route all traffic thru the VPN" in the user I created. The issue is that all the remote user Internet traffic goes thru the VPN. I also did tried the OpenVPN-AS appliance and I don't have this issue, the Remote user can access all the HQ ressources even if all traffic doesn't have to go through the VPN (I think they call this feature "Split Tunnel" ?).

Is there a way to accomplish the same with VeeamPN ? Since it is using the same OpenVPN under the hood for the remote users, I don't see why it wouldn't be possible ??

[HannesK]

thanks for the "route all traffic thru the VPN" hint... I installed VeeamPN now and can reproduce it.

That does not look correct for me. If you do a "route print", you see that your 192.168.123.0/24 subnet is not in the routing table.

Please give me some time to check

[pducharme]

@HannesK Thank you. I think it defeat the purpose as it is right now . Hope they can have a fix, so that I can use VeeamPN

[HannesK]

ok, I got it working with the Azure appliance. In my local lab I cannot really simulate proper internet.

I had to add a hub site. In your case, that would be 192.168.123.0/24

[pducharme]

@HannesK It is working, but now, my remote user doesn't have Internet anymore (DNS not resolving). I still have to check the "route all traffic" to get internet working, but I'm back to square one, all the Internet traffic goes thru the VPN.

[joelwj]

I would also like to know if split tunneling is possible

[AVasilyev]

Could you please show output of ipconfig /all command on the client when it is connected to the VPN, but "Use HUB server as default gateway' option is not selected?

I suspect the client has incorrect DNS settings.

[lauberth]

recently i installed VeeamPN on an Hyper-V server (2012R2) as a virtual machine with Ubuntu 18.04 LTS
i did the install of VeeamPN via the script.
after that i had to make several changes
i added the VeeamPN server to my local DNS
i added following three lines to the File "EndpointOVPN.cfg"
- push "dhcp-option DNS ip-of-my-local-DNS" e.g: push "dhcp-option DNS mydns.local"
- push "dhcp-option DOMAIN my-local-Domain-Name" e.g: push "dhcp-option DOMAIN example.local"
- push "route local-ip-net local-ip-mask" eg: push "route 192.168.1.0 255.255.255.0"

i am running the server in my local net behind a firewall with NAT.
the server has a local IP with a local netmask, the Remote IP (Hub) is the WAN IP of the firewall.

the port for the openVPN-Client is routed through the firewall to the veeamPN Server.
After reboot and exporting the configurationfiles my clients worked like a charm.
After the client connected, the local tools like ping,nslookup was working like a local connection.



Perhaps this helps
Greetings from Austria
Thomas

[frankive]

These 3 lines should be an option to include before creating the configuration file is my opinion