RDP to work laptop connected to home network, and VPNed to work network



  • It looks like I can see it with RDP, connect to it, and log in, but when RDP takes the session, Juniper (the VPN client) disconnects and I lose the ability to RDP, and it hangs.

    I'm not sure why the VPN has to be connected for the RDP to work.

    But I can't attempt to RDP again until I log in on the work laptop and let Juniper reconnect.

    My first guess is that it needs access to the DC to allow the RDP, but then why did it allow me to log in at all?


  • Notification Spam Recipient

    I splatted an answer on superuser, but I think it might be deeper than merely losing connection to the DC post login.

    If you can connect using a pre-UDP client (like the Windows XP version), it might be the tunneling adapter's fault for sucking up all that traffic improperly.

Another thing that just occurred to me is to check your firewall settings for the Domain network and Home network. Sometimes Remote Desktop ports are only enabled for the Domain network (and not others), and maybe Windows is getting confused which network type it's in during connection?



Do the VPN logs show the VPN is constantly bouncing down within 1-2 minutes of establishing the Phase 2 tunnel? A lot of times, that sort of behavior is caused by an improper default gateway push to the VPN client, which causes the VPN client to route ALL traffic (including the traffic to form the VPN) through the VPN tunnel. Which, of course, breaks the ever living hell out of the VPN tunnel, which then breaks everything for the computer, and it basically has no network access until the VPN tunnel drops.

    In that sort of case, I would expect the symptoms you're seeing, but it's not so much because RDP only works across the VPN but more because the home network computer has no network access at all except for the brief window while the VPN is establishing / just freshly established.

    If that's what's happening, the usual fix is to change the routes you're pushing to the VPN client - instead of pushing 0.0.0.0/0 via VPN (or some similar broad networks), only push specific internal networks you want accessible across the VPN.

    Also, if the home network and the office network have the same private network -- e.g. both are 192.168.1.0/24 networks -- this can happen too. Usually the only fix there is to re-number one of the networks -- which will almost certainly mean the home network. Until you do, once the VPN comes up, your computer can't talk to the local -- home -- router any more, because 192.168.1.1 (or whatever the router's IP is) is now a VPN destination, and it can't talk to the VPN because that traffic has to get to the default gateway to go out to the VPN's public IP.



  • @Tsaukpaetra said:

Another thing that just occurred to me is to check your firewall settings for the Domain network and Home network. Sometimes Remote Desktop ports are only enabled for the Domain network (and not others), and maybe Windows is getting confused which network type it's in during connection?

    Windows should never detect that it's on the Domain network on a VPN - the detection is based on Gateway IP, Gateway MAC, and DNS server settings -- the Gateway IP and Gateway MAC won't change as a result of the VPN connection, so it should stay with detecting your home network in terms of its Network Location.



  • @Tsaukpaetra said:

Another thing that just occurred to me is to check your firewall settings for the Domain network and Home network.

    Checked that, the setting is shared for public and domain.


  • Notification Spam Recipient

    Well the more you know...

    Actually, I remember a little of that WTF-ery when dabbling with the VPN. At one time I had a bridge bridging a bridge to the tunnel inside the same subnet that it came from and forwarding DHCP requests into the bridged tunnel to itself, which gave IP addresses outside the subnet of the tunnel. And this after reading a few "easy set up" guides. :wambulance:


  • FoxDev

    @xaade said:

    Juniper VPN

    ugh. that thing....

    causes me no end of trouble.

    I eventually gave up and just installed teamviewer and set it up for remote access. that seemed to resolve the issue by virtue of sidestepping it entirely.

IT found out about that setup last year and after explaining my issue and telling them that either they could show me what was wrong with my router/home setup so i could VPN properly or i'd use teamviewer to get my work done.

    took them almost two months of trying off and on to get the VPN working for me before they gave up and told me "uninstall teamviewer as it's not authorized software, but if you decide to ignore that just be aware, if we get a data breach and you're running teamviewer you will be thrown under the bus."

    that was the last i heard of that, i think they forgot about that threat as they had a minor data breach and i wasn't bussed. Either that or they decided they couldn't pin that on me because the breach was in the web datacentre where i don't have any access anyway.



  • @izzion said:

    Also, if the home network and the office network have the same private network -- e.g. both are 192.168.1.0/24 networks

    My home network is 10.0.0.X based.

    @izzion said:

    Do the VPN logs show the VPN is constantly bouncing down within 1-2 minutes of establishing the Phase 2 tunnel?

    Yeah, I have no control over that.

    So, my problem is tunneling based... I bet.

    There goes this idea.

    But then, why can I see the PC and connect to it at all?



  • @accalia said:

    I eventually gave up and just installed teamviewer and set it up for remote access.

    Yeah, that stuff is slow as hell though.

    It's funny because my work laptop is RDPing to a VM in Canada, and that's faster than TeamViewer.



  • @xaade said:

    So, my problem is tunneling based... I bet.

The way to science that would be to confirm (via sitting at the computer) that the home computer has working Internet and office net access when connected to the VPN. If one of my theories is correct, then the computer should be quite non-functional for Internet and/or office net traffic when you're sitting at the keyboard as well.

    And/or - given that the home computer is configured to respond to pings and you know what VPN IP it's being assigned - do you see pings from the office net to the VPN connected home computer staying constantly open, or are they cutting in and out in 1-2 minute intervals?


  • FoxDev

    @xaade said:

    Yeah, that stuff is slow as hell though.

    never had an issue with speed myself...

i did change the quality setting on teamviewer to "Optimize Speed" so the colour depth is often shite, but that's okay as most of my work is text so very few colours involved, and the lag is often barely noticeable.

    still if it's not a workable solution for you then it's not a workable solution for you.



  • I think you misunderstand.

    Let me draw a picture.



  • Oh. Yeah. I definitely misunderstood the problem context there.

    And the work box VPN works hunky dory when you're not RDPing to it (aka when you're at the console session)?



  • @izzion said:

    And the work box VPN works hunky dory when you're not RDPing to it (aka when you're at the console session)?

    Yep.

    As soon as my work laptop hands over the session (I see it go to the user switch screen), the RDP hangs.

    So the RDP can see the work, connect to the work, and then fails to take the session.



A lot of VPN clients are configured to shut off all other network ports when connected to the VPN. This prevents the case where your laptop gets pwnd and you have your VPN credentials saved.

    When I had this scenario, I set up a virtual machine and put the VPN client on that. RDP to laptop, run VM, connect VPN on VM to work, do whatever.



What happens if you start a clean RDP session to the work laptop, without the VPN connected? Can you RDP and do things on the laptop (you know, play solitaire/minesweeper, surf wtdwtf, important work tasks)? Can you initiate the VPN from within the RDP session?



  • Last I checked, if the VPN is down, the work laptop refuses the connection.

    It's like the work laptop needs to see the work network in order to allow RDPs.

    I noticed RDP has "RD Gateway Server" settings.

    Is the work network providing the RD?



And there's no firewall software on the laptop other than Windows Firewall (and/or your answer to @Tsaukpaetra above is accurate for all firewall software active on the work laptop)?

    Can you post the output of the following command prompt commands from the work laptop, both with and without the VPN active?

    ipconfig /all
    route PRINT
    


  • ipconfigVPN.txt (10.9 KB) ipconfig.txt (10.2 KB)

    route.txt (5.0 KB) routeVPN.txt (5.5 KB)


  • Grade A Premium Asshole

    @xaade said:

    I noticed RDP has "RD Gateway Server" settings.

    Is the work network providing the RD?

    Can you open up the RDP file in a text editor, redact whatever is necessary and post that?



  • Maybe this is my problem?



  • @Polygeekery said:

    RDP file

    ???


  • Grade A Premium Asshole

    I think I misunderstood? So you do not have the RDP session settings saved to a file? You just open a previous, manually configured, session?

    Or, due to extreme fatigue I don't understand anything, and I can just be ignored? 😄



  • I just open RDP program, and enter in the local network ip of the laptop.


  • Grade A Premium Asshole

    How much configuration are you allowed access to on the VPN side of things? In Windows VPN client (if that is what you are using?), if you select the VPN, right-click and go to properties, TCP/IP, Properties, Advanced and then uncheck the box that says "Use default gateway on remote network", it may solve your problem?



  • Yeah, the problem is that your VPN is not set up for "split tunnel"

    If you look at the route print output (snipped below for relevance):
    On VPN:

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         On-link     10.173.71.225      1
       198.202.137.90  255.255.255.255         10.0.0.1        10.0.0.12     26
    

    Off VPN:

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.12     25
    

    Basically, the VPN adapter is set up to make itself the default gateway for all traffic on the system. So it writes a new route to make sure the external VPN IP will still route through your main gateway and then re-routes all other traffic to the other end of the VPN tunnel.

    "But wait, @izzion, the route for 10.0.0.0/255.255.255.0 is still there on the VPN" -- yes, but it's quite likely that the VPN program is doing active capture that basically re-writes all outbound traffic from the computer to look like it's coming from the VPN's IP, so you can make the initial RDP connection because you connect to 10.0.0.12 but then the VPN captures the traffic and rewrites it to come from 10.173.64.45 and everything goes sploosh.

I think the solution is going to come down to persuading the network guy at work to enable Split Tunnels (sometimes known as Split Horizon). Which some network guys will not want to do for security reasons, and some may want to avoid due to the extra work required to make more than one subnet work on the VPN. If they can't/won't set the VPN up for Split Tunnels, I think you're probably boned[1].

    [1] Or yeah, +1 to @Jaime's solution
    @Jaime said:

    When I had this scenario, I set up a virtual machine and put the VPN client on that. RDP to laptop, run VM, connect VPN on VM to work, do whatever.
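As an added example (written for this page, not code from the thread or from Juniper), here is a small Python script that parses the IPv4 "Active Routes" table from `route print` and flags the two conditions @izzion describes in this post and in the earlier one about default-gateway pushes: a default route captured by the VPN adapter, with the VPN server's public IP pinned back through the home gateway, and a pushed route that is at least as specific as the home subnet and so shadows it once the tunnel is up. The sample tables are constructed from the snipped output above (with the LAN default route kept at its usual metric, which the snippet cut); `10.0.0.12` as the laptop's LAN address comes from the thread, the function names are mine.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed samples modelled on the snipped `route print` output in the thread.
# The on-VPN table also keeps the LAN default route (metric 25) so that the
# lowest-metric choice below actually has two candidates to pick from.
ROUTE_PRINT_ON_VPN = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         On-link     10.173.71.225      1
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.12     25
         10.0.0.0    255.255.255.0         On-link         10.0.0.12    281
   198.202.137.90  255.255.255.255         10.0.0.1        10.0.0.12     26
===========================================================================
Persistent Routes:
  None
"""

ROUTE_PRINT_OFF_VPN = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.12     25
         10.0.0.0    255.255.255.0         On-link         10.0.0.12    281
"""

LAN_IP = "10.0.0.12"  # the work laptop's address on the home LAN (from the thread)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next-hop IP, or "On-link" for a directly connected network
    interface: str    # IP of the adapter the route leaves through
    metric: int


def parse_active_routes(text: str) -> list[Route]:
    """Parse the IPv4 'Active Routes:' table printed by Windows `route print`."""
    routes, in_table = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Active Routes:"):
            in_table = True
            continue
        if stripped.startswith("Persistent Routes:"):
            break
        fields = stripped.split()
        if not in_table or len(fields) != 5 or fields[0] == "Network":
            continue  # header, separator or blank line
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def default_route(routes: list[Route]) -> Route | None:
    """Windows uses the lowest-metric 0.0.0.0/0 entry; mirror that choice."""
    defaults = [r for r in routes if r.network.prefixlen == 0]
    return min(defaults, key=lambda r: r.metric) if defaults else None


def assess_tunnel(routes: list[Route], lan_ip: str) -> dict:
    """Report whether the VPN took over the default route, and which host routes
    were pinned back through the LAN gateway (normally the VPN server's public IP)."""
    d = default_route(routes)
    pinned = sorted(str(r.network.network_address) for r in routes
                    if r.network.prefixlen == 32 and r.interface == lan_ip
                    and r.gateway != "On-link")
    if d is None:
        mode = "no-default-route"
    elif d.interface == lan_ip:
        mode = "lan-default"      # split tunnel, or the VPN is simply not up
    else:
        mode = "full-tunnel"      # every non-LAN destination goes into the tunnel
    return {"mode": mode,
            "default_interface": d.interface if d else None,
            "pinned_hosts": pinned}


def routes_shadowing_lan(routes: list[Route], lan_ip: str, home_cidr: str) -> list[str]:
    """Pushed routes (leaving via a non-LAN adapter) that overlap the home subnet and
    are at least as specific as it: longest-prefix matching then sends LAN traffic
    into the tunnel, so the home router and other LAN hosts become unreachable."""
    home = ipaddress.IPv4Network(home_cidr)
    return [str(r.network) for r in routes
            if r.interface != lan_ip and r.network.overlaps(home)
            and r.network.prefixlen >= home.prefixlen]


if __name__ == "__main__":
    for label, text in (("on VPN", ROUTE_PRINT_ON_VPN), ("off VPN", ROUTE_PRINT_OFF_VPN)):
        print(label, assess_tunnel(parse_active_routes(text), LAN_IP))
```

Run it against the saved `route.txt` / `routeVPN.txt` instead of the constructed strings to check a real capture; a `"full-tunnel"` result with the VPN concentrator's address in `pinned_hosts` is exactly the "default gateway pushed over the VPN" shape, and a non-empty list from `routes_shadowing_lan` is the overlapping-subnet case.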



  • I suspected as much. Based on that diagram, if the VPN client doesn't allow local network traffic, your RDP connection won't work while the VPN client is connected. I ran into a similar issue with exactly the same arrangement of devices. I run Synergy between the two laptops. As soon as the VPN client connected on the work laptop, my Synergy connection dropped.

    There's probably an option to configure whether your VPN client will allow local network traffic while it's connected. If local traffic isn't allowed, when the laptop is connected to the VPN it will only be able to communicate with other devices on the work network through the VPN. Anything on your local network - printers, other computers - will be unreachable.

    For "security", your VPN can set a policy that requires this option to be set. It probably can't tell whether your VPN client actually enforces this policy, though, so if your VPN client won't let you change the setting, a different VPN client might help...


  • ♿ (Parody)

    @Jaime said:

    When I had this scenario, I set up a virtual machine and put the VPN client on that. RDP to laptop, run VM, connect VPN on VM to work, do whatever.

    Yep, I do this sort of thing all the time. Like @xaade, I'm stuck with Juniper.



  • Then that's it.

    It won't work.

    Ironic that I can circumvent this all with an internet based RDP.

    "Network Security" indeed.



  • They won't let me VPN without a valid network account.

    So, I'm not sure if I can VPN through a VM.


  • ♿ (Parody)

    What's a "valid network account?" Like...logged into Windows via their Active Domain?



  • I think it's doing that.

    Because if I use my personal laptop, and try to connect to VPN, it won't allow it, even though I'm using my work network credentials.



  • The Internet based RDP works because it's public IP based. And that's also why it's sooooo much slower.

    With Teamviewer, the network flow becomes:

    @xaade's work PC <--> home public Internet gateway <--> work VPN gateway <--> work public Internet gateway <--> Teamviewer servers <--> home public Internet gateway <--> @xaade's home PC

    So your work PC goes out, gets on the VPN, and then using the Internet available at your workplace, through the VPN tunnel connects to Teamviewer's servers, so that you can remote control it from your home PC. So not only do you not have LAN speed connections to it, your traffic is actually being encrypted twice (once by the VPN and once by Teamviewer) and hairpinning through your work's Internet twice (once inbound on the VPN and once outbound to Teamviewer).

    INB4: TRWTF is we're not all using IPv6 and thus have all this NAT bullshit



  • edit: you're using Juniper... it looks like the option is called "Allow access to local subnet", but it probably isn't changeable from the VPN client. You might have luck with Shrew Soft, though.



You miiiiiiiight be able to circumvent the restrictions and get the VPN client to work on your personal laptop as follows[1]:

    • Set up a command line script / batch job to execute the following command
    %windir%\system32\runas.exe /netonly /user:[your corporate username in DOMAIN\user format] "[path.to.VPN.client]"
    
    • Create a shortcut to your batch job, and right-click + "Run as administrator" to launch the command prompt
    • You should be prompted for your corporate password when you run the script

    [1] All advice guaranteed wrong or your money back. I don't have personal experience with doing exactly this, but one of my coworkers was experimenting with something similar to the above to get Visual Studio running under a domain account from a workgroup computer, and the above worked but was somewhat annoying for him and the client they were doing this for gave up and went back to domain computers for the contractors


  • FoxDev

    @izzion said:

    The Internet based RDP works because it's public IP based. And that's also why it's sooooo much slower.

    With Teamviewer, the network flow becomes:

    @xaade's work PC <--> home public Internet gateway <--> work VPN gateway <--> work public Internet gateway <--> Teamviewer servers <--> home public Internet gateway <--> @xaade's home PC

    :headdesk:
    that's why @xaade was complaining that teamviewer was slower!

    i don't know why i was under the impression that his work laptop was still at the office....

    teamviewer has no visible difference to me because i always use it when i'd have to go through the VPN tunnel to get to the machine, not when the machine i'm connecting to is just across the room from me, connected to a VPN

    :headdesk::headdesk::headdesk::headdesk::headdesk::headdesk:

