13 Replies

  • iPhones running as hotspots will NOT pass PPTP traffic. Many newer routers don't have the hacks to enable GRE as well. You're WAY better off paying for a public SSL certificate and using that with RRAS and SSTP.

    Spice (5)
    3 found this helpful
  • PPTP has been broken from a security standpoint for over 20 years. It doesn't run over UDP or TCP, but requires GRE, which is a different protocol that runs over IP.

    SSTP or IPsec or RD Gateway would be better.

    Spice (3)
    3 found this helpful
  • We moved from PPTP to SSTP for precisely this reason many years ago. There are a couple of settings to change (on the client) & you can use an internally generated certificate with the MS SSTP setup. We've since had 0 problems with tunneling out of other places. We did look at IPsec but a good number of places that our users needed to connect from at the time blocked it.
    Spice (1)
    1 found this helpful
  • We have sales users that have occasional trouble with hospital WiFi. Hospitals can lock that down and could have been an issue there. I've never used the Windows VPN client. You might want to try a 3rd party VPN, such as OpenVPN, etc. Maybe get a cert for your VPN connection.

  • From what you describe, what is the story with your firewall at the office?
    What about the VPN client software from the vendor of the firewall? Can you use that?
    Both Barracuda and Fortigate provide their own VPN client software. You get a VPN connection with it.
    They do have their limits - you can only run one instance of a vendor's VPN client connection at a time.
    I find that the two different vendors' clients create local network troubles (routing and DNS resolving) if you run them at the same time.
    I do have two separate networks to reach when I am at home - production in the data center and the office.
    I haven't had to deal with either the Apple or Windows VPN support since 2015.
    Spice (2)
  • Jim Peters wrote:

    From what you describe, what is the story with your firewall at the office?
    What about the VPN client software from the vendor of the firewall? Can you use that?
    Both Barracuda and Fortigate provide their own VPN client software. You get a VPN connection with it.
    They do have their limits - you can only run one instance of a vendor's VPN client connection at a time.
    I find that the two different vendors' clients create local network troubles (routing and DNS resolving) if you run them at the same time.
    I do have two separate networks to reach when I am at home - production in the data center and the office.
    I haven't had to deal with either the Apple or Windows VPN support since 2015.

    I am in the process of upgrading our Gateway from a Vigor 2960 to a UniFi Security Gateway Pro (USG-PRO-4). I could try the VPN on the Uni once I complete that upgrade. I've tried configuring the VPN on the Vigor but can't seem to get it to work.

    For sure, it is TIME for some major VPN upgrades and going to look at all of these suggestions and see what I can apply and use. Thank you!

  • Why is my VPN not connecting on my iPhone?
    VPN is disconnecting when going from a WiFi to LTE Network
    This can cause the VPN to get stuck in an endless loop of trying to reconnect. To fix this issue: Head to Settings > Cellular on your iPhone and turn off the switch next to Cellular Data. Now turn it back on and try reconnecting to your VPN.

    2 found this helpful
  • PassRusher wrote:

    Jim Peters wrote:

    From what you describe, what is the story with your firewall at the office?
    What about the VPN client software from the vendor of the firewall? Can you use that?
    Both Barracuda and Fortigate provide their own VPN client software. You get a VPN connection with it.
    They do have their limits - you can only run one instance of a vendor's VPN client connection at a time.
    I find that the two different vendors' clients create local network troubles (routing and DNS resolving) if you run them at the same time.
    I do have two separate networks to reach when I am at home - production in the data center and the office.
    I haven't had to deal with either the Apple or Windows VPN support since 2015.

    I am in the process of upgrading our Gateway from a Vigor 2960 to a UniFi Security Gateway Pro (USG-PRO-4). I could try the VPN on the Uni once I complete that upgrade. I've tried configuring the VPN on the Vigor but can't seem to get it to work.

    For sure, it is TIME for some major VPN upgrades and going to look at all of these suggestions and see what I can apply and use. Thank you!

    But you mentioned VPN passthrough earlier - so is the VPN not being provided from a Windows server (not the router)?
    So you can just add SSTP to the Windows server RRAS and then clients can use that.

    Or on the Vigor router try SSL or IPsec - they can run in parallel to your PPTP. Then when all users have moved over, turn off PPTP.

    What did not work on the router? You just enable the VPN type, create a configuration in dial-in users and it works.

  • PPTP has not been supported in anything Apple related for some time now. You will need to use an alternative like they have suggested.

  • m@ttshaw wrote:

    PassRusher wrote:

    Jim Peters wrote:

    From what you describe, what is the story with your firewall at the office?
    What about the VPN client software from the vendor of the firewall? Can you use that?
    Both Barracuda and Fortigate provide their own VPN client software. You get a VPN connection with it.
    They do have their limits - you can only run one instance of a vendor's VPN client connection at a time.
    I find that the two different vendors' clients create local network troubles (routing and DNS resolving) if you run them at the same time.
    I do have two separate networks to reach when I am at home - production in the data center and the office.
    I haven't had to deal with either the Apple or Windows VPN support since 2015.

    I am in the process of upgrading our Gateway from a Vigor 2960 to a UniFi Security Gateway Pro (USG-PRO-4). I could try the VPN on the Uni once I complete that upgrade. I've tried configuring the VPN on the Vigor but can't seem to get it to work.

    For sure, it is TIME for some major VPN upgrades and going to look at all of these suggestions and see what I can apply and use. Thank you!

    But you mentioned VPN passthrough earlier - so is the VPN not being provided from a Windows server (not the router)?
    So you can just add SSTP to the Windows server RRAS and then clients can use that.

    Or on the Vigor router try SSL or IPsec - they can run in parallel to your PPTP. Then when all users have moved over, turn off PPTP.

    What did not work on the router? You just enable the VPN type, create a configuration in dial-in users and it works.

    Yes, it is being provided by Windows Server. So if I want to force SSTP to be used rather than PPTP, how do I set that? I am not really seeing an option for that in the RRAS screen and options...

    So I found an article that appears to show how to set it up... is it this involved? And will it affect those connected right now if I continue? https://supporthost.in/how-to-configure-sstp-vpn-on-windows-server-2019/

    Also, if I wanted to configure the Vigor, I kind of get stuck here on what exactly to put here... does each person need a profile since they are all in their homes in different cities?


  • SSTP on Windows - you already have it enabled as it is showing SSTP ports. To use it, clients need to be set to use SSTP; they might be on autodetect or set to PPTP right now. But you will need a certificate on the server - if you have AD Certificate Services running on the domain you can create your own, or you need to purchase one. You need an external DNS entry (users must connect to a DNS name, not an IP address). Just follow that link from the certificate section on.
    I would then add a second VPN connection on the user device and test it.

    I will need to check the manual for that model of draytek. I'll get back to you.

    1 found this helpful
  • If you use your own internally signed cert you will need to do 2 things: 1) make sure it is trusted by the client, 2) add a reg key to disable the revocation checking (unless you publish an internal revocation list publicly)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters

    REG_DWORD: NoCertRevocationCheck = 1

    Finally, don't forget you will also have to make sure the machine is accessible over tcp/443 ;-)

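    The two replies above list the client-side prerequisites for moving a user from PPTP to SSTP: the server reachable on tcp/443, a server certificate the client trusts whose name matches the DNS name the user dials, the revocation-check override only when the internal CA publishes no reachable CRL, and a second VPN connection of type SSTP to test alongside the existing PPTP one. The script below is an added example, not code from either poster or from Microsoft; it assumes vpn.example.com as the RRAS host's external DNS name and "Office SSTP" as the new connection name, and uses only cmdlets that ship with Windows 8 / Server 2012 and later. Run it in an elevated PowerShell on the Windows client.

```powershell
# Added example, not from the thread. Assumed values: vpn.example.com (external DNS
# name of the RRAS server) and "Office SSTP" (name of the second VPN connection).
param(
    [string]$Server         = 'vpn.example.com',   # assumed external DNS name of the RRAS host
    [string]$ConnectionName = 'Office SSTP',       # assumed name for the second VPN connection
    [switch]$InternalCaWithoutPublicCrl            # set only if the issuing CA publishes no reachable CRL
)

# 1. SSTP is carried inside TLS, so the server must answer on tcp/443 from where the user sits.
$reach = Test-NetConnection -ComputerName $Server -Port 443
if (-not $reach.TcpTestSucceeded) {
    throw "tcp/443 to $Server is not reachable from this network; SSTP cannot connect."
}

# 2. Fetch the certificate RRAS presents on 443 and confirm (a) this client trusts its chain
#    and (b) the name the user dials appears in the certificate. A chain that does not build
#    to a trusted root throws here, which is the same failure the SSTP client would report.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Server)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names -notcontains $Server -and $cert.Subject -notlike "*CN=$Server*") {
        throw "Certificate '$($cert.Subject)' does not contain $Server; clients must dial the name on the certificate."
    }
    Write-Host "Server certificate OK: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# 3. Revocation checking. Leave it on whenever the CA's CRL is reachable from outside; the
#    override below only makes sense for an internal CA with no published CRL (the case the
#    reply describes). Key and value are the ones quoted in the reply.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
if ($InternalCaWithoutPublicCrl) {
    New-ItemProperty -Path $key -Name NoCertRevocationCheck -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "NoCertRevocationCheck=1 set under $key (client will not check the server cert for revocation)."
} else {
    $existing = Get-ItemProperty -Path $key -Name NoCertRevocationCheck -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "NoCertRevocationCheck is already set to $($existing.NoCertRevocationCheck); remove it if the CA now publishes a CRL."
    }
}

# 4. Add the SSTP connection next to the existing PPTP one so the user can switch back if needed.
#    TunnelType Sstp pins the protocol instead of leaving the client on "Automatic".
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName -ServerAddress $Server -TunnelType Sstp `
        -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential
}
Get-VpnConnection -Name $ConnectionName | Select-Object Name, ServerAddress, TunnelType, EncryptionLevel
```

    After the script completes, dial the new profile with `rasdial "Office SSTP"` (or from the network flyout) while the PPTP profile is still present; once every user has a working SSTP connection, the PPTP profile and the PPTP port on RRAS can be removed, which is the order the thread recommends. Step 2 deliberately dials by DNS name and never by IP address: the TLS handshake inside SSTP validates the certificate against the name the client connected to, which is why the reply insists on an external DNS entry.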
  • PassRusher wrote:

    For sure, it is TIME for some major VPN upgrades and going to look at all of these suggestions and see what I can apply and use. Thank you!

    Check the Veeam Powered Network. That is the one I usually suggested to people that had a hard time while messing with all sorts of VPN servers and configurations during the COVID outbreak. It is exceptionally well documented, easy to set up and run, and free to use.

    https://www.veeam.com/powered-network.html

    https://www.starwindsoftware.com/blog/veeam-powered-network-veeampn
