|10 Nov 2012||#1|
rdp tunneling via vpn - not working
Hello, new to the forum here. I am hoping to get some assistance with an issue that I have been trying to figure out but have been unsuccessful at resolving. Thanks in advance for any assistance provided and input given.
Here is what I would like to accomplish:
I have three computers on my home network (mine - Win7 Pro x64, my wife's Win7 Pro x32, and the family computer for general use and the kids - Ubuntu 12.04 x64), all behind my router. I have given them all static IPs via the routers options. I can remote into all of them from any of them while on my local network. No problem there. No need to open ports in the router or anything. It works perfectly just like it is supposed to.
But, I would like to be able to remote into any of them while outside of my local network. I have opened port 3389 (standard RDP port) in my router and it forwards to my computer no problems. I can remote into my computer from outside of my local network by using my public IP, and it works like it is supposed to. But that defeats the purpose of what I would like to do because it only allows me to remote into one computer and only one plus it doesn't really have the level of security that I would like to have.
So, I would like to create a VPN connection to my computer and then once that VPN connection is established, use RDP to tunnel through the vpn to remote into any of the computers on my local network, all while doing this outside of my local network.
I have created VPNs in the past and used RDP to tunnel through the VPN and it was simple and easy. It was about 4 years ago and I was connecting from a Vista machine to an XP machine. But now, I can't seem to get it to work.
I have created an incoming connection (VPN) on my machine, it was simple enough and pretty straight forward.
Then when I am at, say my parents house or a friend's house, I use their machine (WinXP Pro x32 & Win7 Pro x32), create an outgoing connection (VPN) and connect to my VPN using my public IP. The connection is made, but when I use remote connection and input the local IP address of one of my machines, it won't make the remote connection. I have tried doing it using the computer names instead of the IP address but that won't work. I made sure that my local IP range didn't conflict with the typical range of other routers. So for example, my router gateway is 192.168.2.1. Whereas my parent's router would have been the typical 192.168.1.1. I have tried making the connection from a win7 machine too and no go. I can make the connection with the VPN, and it says that it makes the connection, but then when I try to RDP, that is when I have the issues.
One more thing about the VPN, it seems to act a little different than what I would assume it is supposed to do. When the connection is made, if I check my machine's incoming connections, it says that it has one connection but that there have been 0 (zero) packets sent and 0 (zero) packets received. Yet the machine that made the connection says that it has sent some od piddly small amount of data to the VPN server and received from the VPN server. Also, the IP address and subnet mask of the connection machine aren't in the range of my local network range and subnet mask. If you would like me to post some screen shots of ipconfig /all, jus tle tme know.
Oh and yes, I have set the port forwarding in my router for the VPN. It is port 1723 for PPTP. And that is the only port for VPN that I have forwarded.
So far, I have only tried to RDP into one machine in my network once the VPN connection is established, and it is also consequently the same machine acting as the VPN server accepting incoming connections. Would it being that the VPN server not allow it to also accept RDP connections? I just thought of that as I was writing this .... hmmmmm
I will try and get some screen shots of everything if it will help.
Screen shots of setting up incoming VPN connection.
|My System Specs|
|26 Nov 2012||#5|
Posting what the problem was can help people in the future who are trying to accomplish the same thing. I'm glad you figured out the issue.
Another thing i did want to let you know about is call port redirection. How it works if your router supports it you can redirect one port to another. So lets say you use 55055 for RDP then you point it to 3389 on 192.168.2.2. Then you can do 55054 then point it to 3389 on 192.168.2.3.
Then you could connect to your computers via the 55055 and 55054 ports from the WAN.
|My System Specs|
|04 Dec 2012||#6|
Solved - Instructions
1.) Create an incoming VPN connection on a computer (workstation) located on a home network.
2.) Connect to that computer via the VPN connection from a computer outside of the home network.
3.) Remotely connect via RDP to any computer on the home network once the VPN connection is established.
I wanted to be able to connect to my home network remotely if needs be but I didn't want to just use RDP via port forwarding to the computer for various reasons. It isn't as secure as using a VPN and tunneling through that VPN. I didn't want to have to have different ports for the different machines. Trying to remember which port is for which machine would have been a pain. I wanted to minimize how much I had to do and what I had to do. Also, I looked a purchasing a new router, one that had VPN server functions, not just VPN-passthrough. They were either too much $$$$, more technical than I wanted or cared for, or I was going to have to give up some functions that my current router has that the new one wouldn't. I looked at getting a cheaper new router and flashing it with DD-WRT as they come with built in VPN server functions. But it is based upon OpenVPN, which I personally don't like setting up. I figured that there had to be a better way to do it with what I already had and with what my computer was supposed to do.
I had previously created VPN connections years ago but it was only to one computer, the only one on the network. So I never had any issues. But now when I made this new connection, I couldn’t RDP into any computer on the home network, not even to the VPN Server (previously the workstation). I originally thought that perhaps I was going to have to edit my local host file and add IP tables … YUCK!!! I asked my father, a computer genius, what he thought. He said that he really didn’t have an answer as he doesn't excel in networking (still a genius in my eyes. ). But I figured that if the ability to have an incoming VPN connection was present on a normal non-server machine/workstation, then what would be the point of having that function if one couldn't route to that same computer and/or others on the same network. There had to be a way to get it to work.
The resolution was actually quite simple to implement once I understood it. It kind of came to me as I was examining my network devices. One of the devices is my Vonage VoIP phone box/router. When Vonage gives you the box, they say to connect it directly to the internet and then your network router to it and then your computers/devices to your router. Well, I didn’t conform, hehehehehe. I didn’t want my VoIP box acting as the router of all my traffic. I didn’t like that idea for some reason, so it is attached as a device to my router, and continues to work perfectly fine. But the point is that as I was examining some of the options that the Vonage VoIP box has in its web based settings, I saw something that led me to think about something else which eventually led me to figure out how to get this whole VPN-RDP thing to work.
Ok, so this should work the same on almost all systems, but for simplicity, I am going to list what I used. These aren’t necessarily “requirements” per se, but more along the lines of what I used and what worked for me. Feel free to adapt it to your system/network/machines/etc. so that it works.
· Windows 7 Pro x64 (Workstation #1 à VPN Server; wired network connection)
· Windows 7 Pro x32 (Workstation #2; wireless N network connection)
· Windows 7 Pro x64 (Workstation #3; wired network connection)
· Windows 7 Home Premium x32 (Client #1; wireless network connection)
· Windows XP Pro x32 (Client #2; wireless network connection)
· Network router, preferably with at least as many wired ports as you need for your devices.
· A computer/device outside of your home network to test the VPN & RDP connections.
You need to make the following changes to your router. Each router is going to be different where the settings are located and how you change them, so really all I can do it tell you what needs to be done and hope that you are familiar with your router, gaining access to its admin functions, location of the settings within the admin functions, and how to change them. Please note that I cannot be held responsible for your bricking or making other wise unusable your router. There really aren’t any “life threatening” things that we are going to do to the router but if you are not familiar with it, you could accidently select or input the incorrect option and thus make your router not work properly. If you need help, please refer to your router’s manual. Understood?
Basic terms and references for this tutorial:
· VPN Server – This is the home computer/workstation that is going to be setup to accept incoming VPN connections. In my setup as seen above, workstation #1 became the VPN Server.
· Server Network – The network that the VPN server will be located on. This could be your home network.
· Client Network – The network on which the client machine (the one connecting to the VPN Server) is located, not the same network as the VPN server. This could be a friend’s home network.
· Public IP Address – The external IP address your home network router is assigned by your ISP.
· Home Network Gateway IP Address (HNGIP) – This is the router’s internal IP address. Typically it is by default 192.168.1.1 or 192.168.2.1. It is also typically the same address one types into a web browser to get access to the router’s admin functions.
1.) You need to change one of the Server Network’s HNGIP subnet addresses from the default to something unique. For example: change the default 192.168.1.1 to 192.168.8.1. Always change the second to last subnet address. This has to be changed to be different than the Client Network’s HNGIP address due to routing conflicts if left the same. So change it to something other than the Client Network’s HNGIP address. Take note of what you changed it to. Please note that “subnet address” is completely different than “subnet mask address”!!!! Don’t get these confused.
2.) Most routers have a large IP address pool from which to assign IP addresses to connecting/connected devices. It is usually something like 192.168.1.2 – 100. So basically something like 90+ devices could potentially be connected at once. You could change this if you would like to for security purposes. I changed mine. If you do change it, don’t forget what your terminal address is, i.e. 192.168.1.2 – 15. In this example the terminal address is the “15”. You will need it later. Also, allow a little buffer for devices that connect via the VPN. So if you have lets say 10 devices that normally connect (computers, phones, tablets, media players, printers, etc) to the router to obtain an IP address, I would leave something like 5 extra IP address in the pool for any devices that connect to the VPN server. Even though VPN clients aren’t connecting to the router to obtain an IP address, they are assigned one from the same IP address pool and this is crucial for everything to work.
3.) Via the router’s admin functions, assign static IP addresses to all connected devices. Typically a router has the ability to assign static IP addresses from within its admin functions. Please refer to your router’s manual on how to do this. By assigning static IP address to the devices via the router’s admin functions, you shouldn’t have to assign a static IP address via windows networking options/settings. Please take note of what the static IP address is that you assigned to the VPN Server.
4) Enable port forwarding for port PPTP 1723 to the VPN Server’s internal IP address. I have read online where some sites state that both port pptp 1723 and port gre 47 need to be forwarded, and where some sites only listed port pptp 1723. I only have port pptp 1723 forwarded and it works fine. Your results may vary depending on if you need port gre 47 forwarded too or not. I am not exactly sure why GRE 47 would need to be forwarded or not, sorry.
Dr. Wiki says this about PPTP:
The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.
The PPTP specification does not describe encryption or authentication features and relies on the Point-to-Point Protocol being tunneled to implement security functionality. However the most common PPTP implementation, shipping with the Microsoft Windows product families, implements various levels of authentication and encryption natively as standard features of the Windows PPTP stack. The intended use of this protocol is to provide similar levels of security and remote access as typical VPN products.
A specification for PPTP was published as RFC 2637 and was developed by a vendor consortium formed by Microsoft, Ascend Communications (today part of Alcatel-Lucent), 3Com, and others. PPTP has not been proposed nor ratified as a standard by the IETF.
A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer.
The PPTP GRE packet format is non standard, including an additional acknowledgement field replacing the typical routing field in the GRE header. However, like in a normal GRE connection, those modified GRE packets are directly encapsulated into IP packets, and seen as IP protocol number 47.
The GRE tunnel is used to carry encapsulated PPP packets, allowing the tunnelling of any protocols that can be carried within PPP, including IP, NetBEUI and IPX.
In the Microsoft implementation, the tunneled PPP traffic can be authenticated with PAP, CHAP, MS-CHAP v1/v2 or EAP-TLS. The PPP payload is encrypted using Microsoft Point-to-Point Encryption (MPPE) when using MS-CHAPv1/v2 or EAP-TLS. MPPE is described by RFC 3078.
5.) Take note of your external IP address. It is also known as your Public IP address.
VPN Server –
1.) Find your NIC’s properties in Window’s device manger. Locate the IPv4’s properties. Change the IPv4’s properties from DHCP to static. Give it the same static IP address that you gave it in the router’s admin functions. The subnet mask should auto-fill. If it asks for a gateway address, give it the router’s internal IP address (HNGIP), what ever you changed it to. Now the key for everything to work correctly is to give the IPv4 properties a DNS address. This DNS address should be the same as the HNGIP address that you changed. It will ask you for an alternate address. Do not input anything into that address, leave it blank. So you should now have in the IPv4 properties a static IP address, Subnet mask (auto-filled), possibly a gateway address, and 1 DNS address which should be the same as the HNGIP address that you changed in step 1 of the router setup.
2.) Proceed to setup an incoming VPN connection. If you need assistance with how to do this, you can google it. One recommendation is this: Create a separate user account solely to use with VPN connections. I created this user and gave it a name such as VPN or RDP or something that would indicate that it is solely for use with connections. You won’t really ever need to access this user’s desktop. The account is used to just authorize incoming connections. I made it a standard account (non-admin rights). The incoming VPN connection setup asks you to select a user that can connect to the VPN server while outside of the internal network. Allowing only one user helps manages things. Once the VPN connection is established with this user account, you can RDP like normal using any other user account. So if I connect to the VPN server using user account “Home.VPN-1”, once that connection has been established, I can then RDP using my normal account of John.Doe so that I can get access to my desktop. Only downside is that only one VPN connection per account can be made simultaneously. So both John Doe and Jane Doe cannot connect at the same time to the VPN server with the same user account of ”Home.VPN-1”. John Doe could however connect to the VPN with user account “Home.VPN-1” while Jane simultaneously connects to the VPN server using a second user account such as “Home.VPN-2”. Then once connected they could both RDP to the different machines that they need access too.
3.) While setting up the incoming VPN connection, make sure that when you get the opportunity to either select DHCP or assign a static IP address, that you select static IP address. It is going to ask you for a range/IP pool from which to assign the static IP address to the client machine. Make sure that the range you select falls within the range that you previously set in the router’s settings in step 2 of the router setup. For example, if your router’s new HNGIP address is 192.168.8.1 and you set the router’s IP pool range to be 192.168.8.2 – 15, you will want to give the VPN server a range within that 192.168.8.2 – 15, i.e. 192.168.8.11 – 15. Just make sure that you don’t double assign any already used IP address. That is why we assigned static addresses to all connected devices in the router setup step 3. Also, make sure that you have selected the option to allow incoming connections to use/access your local network. Also, don’t allow the client machine to assign/select its own IP address.
4.) Also make sure that you deselect IPv6 from within the Incoming Connection properties. We only want to use IPv4.
5.) Make sure that the “Show Windows Domain” box/option is not selected in the Incoming connection’s settings/properties.
Client Machine –
1.) Setup a new VPN connection. Make sure you select auto-detect the type of VPN protocol. When it asks you for the address of the VPN server, it is going to be the external address your ISP assigns your router located on the Server Network. It is also known as the Public IP Address. Make sure that after you have set everything up that you indicate in the setup wizard that you don’t want to connect right then.
2.) Locate the new connection and initiate it. It will ask you for your login credentials. Provide them. It should negotiate the connection and then connect. Even though I setup my server as a PPTP, once everything is negotiated, it is detected as a SPTP or something like that.
3.) Open a terminal/command prompt and run the command:
You should see your current address on your local network (Client Network) and one for the PPTP connection (it might be called something like mini-wan or something like that but it is the same thing). Check the PPTP address and make sure that it falls within the IP range/pool you previously provided when setting up the Incoming Connection. If it does, then “ping” a device on your Server Network to see if you get a response. Preferably a device that you know the IP address for and the hopefully is currently powered on and not a sleep, hahahaha.
You can “ping” with the following command:
192.168.x.x being the IP address of the device you want to “ping”. If you get a positive response, then great!!
4.) Open an RDP session using windows built in program or something similar. Input the internal IP address (i.e. 192.168.8.7) of the device you want to remote to and you should then have remote access! No need to port forward 3389 to a single computer any more. You can access any and all connected devices, granted that they are setup to allow remote access to them. And it is a secure connection!!!
Cool thing is that the RDP works both ways because the client machine appears to be part of the server network. So let’s say that you have a family member or friend that lives in another state or country or just far away. They can connect to your VPN server and then you can RDP into their machine from your end and service their machine!!! No need to use any third party software. Although I do like and recommend logmein.
Also, just as a note, if Jane is using her computer at home, and you log in remotely to her computer, even through the VPN, it will kick her out. Non-server versions of windows only allow one user connection at a time, whether it is remotely or local. I was able to patch my systems to allow multiple terminal services sessions at a time so that a local user wouldn’t get kicked off if I remote into the same account or computer for that matter. Just google it.
I think that should do it. Let me know if you have any questions or concerns. If it doesn’t work or it is like how it works.
Take care y’all.
|My System Specs|
|Similar help and support threads for2: rdp tunneling via vpn - not working|
|Teredo Tunneling issue||Network & Sharing|
|Teredo tunneling pseudo interface||Network & Sharing|
|Teredo Tunneling||Network & Sharing|
|Preventing VPN from tunneling internet||Network & Sharing|
|teredo tunneling on Sony Vaio||Network & Sharing|
|Teredo tunneling And network sharing?||Network & Sharing|
|Disabling Teredo Tunneling-Interface||Network & Sharing|
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
© Designer Media Ltd
All times are GMT -5. The time now is 07:50 AM.