
I created a split-tunnel VPN connection to a remote server (suppose its name is ABC), so I could access both the Internet and resources on the remote network simultaneously from the client.

I can access the Internet fine, but I'm having trouble accessing the ABC server itself. The problem is that if I use the public IP which the VPN is connected to, it doesn't get routed over the VPN so I can't access secure resources. Of course, I can manually run a "route add" command to force traffic for that public IP over the VPN gateway, but I'm tired of doing that every time I connect the VPN.

When I run "route print", it looks like the only addresses it will forward by default over the VPN are in the range 192.168.1.0 - 192.168.1.100.

The question, therefore, is might the VPN server ABC be reachable on an address in that range, or can I set it up to have an address on that range so it is reachable through the VPN? Perhaps I can add some static address translation on the "Internal" VPN interface?

Triynko
    Does the VPN server in fact have an "internal" ip address assigned to it or does it only have a "public" ip address assigned to it? – joeqwerty Jan 02 '13 at 23:38
  • The IPv4 routing shows 3 interfaces: Loopback, LAN 2, and Internal. They all have IP addresses assigned, but the "Internal" IP is very close to the public IP, instead of being on the subnet "192.168.1.0/24". – Triynko Jan 02 '13 at 23:54
  • I had everything working fine, with the ability to type "\\my.domain.com\" into explorer to access file shares, but this only worked when I manually ran a "route add" to ensure traffic to the IP resolved for "my.domain.com" is routed through the VPN gateway. Windows simply can't figure out that traffic to the VPN server should be sent through the VPN gateway. – Triynko Jan 03 '13 at 00:26
  • Seems to be a problem with Windows Server 2008. With the Server's firewall completely off, I still cannot access file shares through the VPN gateway, even though I can connect to remote desktop over it. Meanwhile, if I instead manually add a route to force traffic to the public IP to go over the VPN gateway, then somehow the file sharing works (with the firewall both on and obviously when off). http://social.technet.microsoft.com/Forums/nl/winserverNIS/thread/835347a7-b0c9-4786-9339-5b73cf0e3dcb – Triynko Jan 03 '13 at 01:47
  • Here is proof it's a windows problem. When I run "Advanced Port Scanner" on the server, with absolutely no configuration changes (firewall off too), I get different results if I scan loopback (127.0.0.1) and public IP (not revealing) versus if I scan the VPN interface's IP (192.168.1.200). When scanning 127.0.0.1 or the public IP, it shows 5 open ports including 445, but when I scan 192.168.1.200, port 445 is no longer listed. WTF. – Triynko Jan 03 '13 at 02:04
  • I found a solution involving installing a "Microsoft Loopback Adapter". – Triynko Jan 03 '13 at 15:28
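The per-connection "route add" the question and comments describe can be scripted so it no longer has to be typed by hand. The following is an added example and not code from the original post: it assumes the VPN phonebook entry is named "ABC", the server's DNS name is "my.domain.com" (both placeholders), and that for a Windows RAS/PPP adapter the WMI adapter description equals the connection name (verify with `ipconfig /all`). It resolves the server's public address, dials the VPN, adds a /32 host route for that address through the tunnel, and checks that TCP 445 is reachable over it.

```powershell
# Added example (not from the original post): dial a split-tunnel VPN and add the host
# route for the VPN server's public address that Windows does not add on its own.
# Assumptions: phonebook entry "ABC", server name "my.domain.com" (placeholders),
# and rasdial.exe / route.exe on PATH.
param(
    [string]$ConnectionName = "ABC",
    [string]$ServerHostName = "my.domain.com",
    [string]$UserName       = $env:USERNAME
)

# 1. Resolve the server's public IPv4 address before the tunnel is up.
$serverIp = ([System.Net.Dns]::GetHostAddresses($ServerHostName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1).IPAddressToString
if (-not $serverIp) { throw "Could not resolve $ServerHostName" }

# 2. Bring up the VPN. '*' makes rasdial prompt for the password instead of
#    taking it on the command line (and so keeps it out of shell history).
& rasdial.exe $ConnectionName $UserName *
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# 3. Find the address the VPN server assigned to this client. For RAS/PPP adapters the
#    adapter description equals the connection name (assumption; check 'ipconfig /all').
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Where-Object { $_.Description -eq $ConnectionName } |
    Select-Object -First 1
$vpnIp = $cfg.IPAddress | Where-Object { $_ -notmatch ':' } | Select-Object -First 1
if (-not $vpnIp) { throw "No IPv4 address found on adapter '$ConnectionName'" }

# 4. Host route (/32) for the server's public IP via the tunnel. On a point-to-point PPP
#    link Windows accepts the client's own tunnel address as the gateway. The route is
#    deliberately not persistent (-p): the assigned address changes per connection.
& route.exe add $serverIp mask 255.255.255.255 $vpnIp metric 1
if ($LASTEXITCODE -ne 0) { throw "route add failed with exit code $LASTEXITCODE" }

# 5. Verify: the route is present and SMB (TCP 445) answers through the tunnel.
& route.exe print $serverIp
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($serverIp, 445)
    Write-Output "TCP 445 on $serverIp reachable via $ConnectionName"
} catch {
    Write-Output "TCP 445 on $serverIp NOT reachable: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
```

Run it from an elevated PowerShell prompt (route.exe needs administrator rights); the TcpClient check uses only .NET, so it works on clients older than the ones that ship `Test-NetConnection`.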

1 Answer


It was definitely a problem with Server 2008.

A workaround is to install a "Microsoft Loopback Adapter".

First of all, check the range of IPs you have assigned to your RRAS VPN Server and the network mask associated with it. For example, I assigned mine the range 192.168.1.0-192.168.1.255, which results in an auto-generated network mask of 255.255.255.0.

The address of the VPN Server itself and all its shares will take on the first valid address in that range, so in this case it becomes 192.168.1.1. Because of this BUG IN SERVER 2008, the ports for file sharing aren't open. Here is where the Loopback Adapter comes in to play. Once installed, you just give it an IP address like 192.168.1.2, and then use that address to access the shares. Although it refers to the same machine as 192.168.1.1, it does not exhibit the bug that blocks the file sharing ports.

When finished, you must make sure your firewall is allowing communication to that IP address on the file sharing ports, because "Local Subnet" won't cut it (it would refer to your public IP's local subnet). You'll have to manually add exceptions for 192.168.1.2 ports 129 and 445. Note that even with the firewall OFF, that BUG prevents any communication with those ports on the VPN server's IP 192.168.1.1, which is why we have to use the loopback adapter to get around it.

To install the Loopback Adapter, go to Device Manager, right click first node which is your computer and choose "Add legacy hardware". Alternatively, open control panel and type "add hardware" in the search box, and you'll see a result under Device Manager for "Install drivers for older devices with Add Hardware Wizard".

Next, choose "Install the hardware that I manually select from a list (Advanced)", then choose "Network Adapters" (next), then choose "Microsoft" as the manufacturer, then "Microsoft Loopback Adapter" from the Network Adapter list.

Once installed, you must configure it. Go to its IPv4 properties and give it an IP address in the range of local addresses for your RRAS VPN Server, for which, as I mentioned, I used 192.168.1.2 (one number above the VPN server itself). Also, give the loopback adapter a subnet mask that matches your VPN's address range (e.g. 255.255.255.0). Leave the default gateway and DNS servers blank.

That's it. Now you can access file shares on the loopback adapter's address from the remotely connected client.

Triynko
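The configuration half of the answer (static address on the loopback adapter, no gateway or DNS, and a firewall exception that is scoped more tightly than "Local Subnet") can be done from the command line instead of the GUI. This is an added example, not the answer author's own commands: it assumes the loopback adapter has already been installed and shows up in Network Connections as "Loopback" (rename it if yours differs), that the RRAS pool is 192.168.1.0/24 and the loopback address is 192.168.1.2 as in the answer, and it uses the standard SMB ports 139 and 445. The optional devcon.exe line requires the Windows Driver Kit tool and is commented out.

```powershell
# Added example (not from the original answer): configure the Microsoft Loopback Adapter
# workaround and add a firewall rule restricted to the VPN pool. Run elevated on the RRAS server.
# Assumptions (placeholders): connection name "Loopback", pool 192.168.1.0/24, address 192.168.1.2.
$LoopbackConnection = "Loopback"
$LoopbackIp         = "192.168.1.2"
$LoopbackMask       = "255.255.255.0"
$VpnClientSubnet    = "192.168.1.0/24"
$RuleName           = "SMB in via VPN loopback"

# Optional unattended install when devcon.exe (Windows Driver Kit) is available; otherwise use
# the Add Hardware wizard steps from the answer. netloop.inf / *msloop is the loopback adapter.
# & devcon.exe install "$env:WINDIR\Inf\netloop.inf" *msloop

# 1. Static IPv4 address on the loopback adapter; no default gateway, no DNS servers.
& netsh.exe interface ipv4 set address name="$LoopbackConnection" source=static address=$LoopbackIp mask=$LoopbackMask
& netsh.exe interface ipv4 set dnsservers name="$LoopbackConnection" source=static address=none

# 2. Inbound SMB allowed only on the loopback address and only from the VPN address pool.
#    "Local Subnet" would match the public NIC's subnet instead, which is the trap the answer warns about.
& netsh.exe advfirewall firewall add rule name="$RuleName" dir=in action=allow protocol=TCP localport=139,445 localip=$LoopbackIp remoteip=$VpnClientSubnet profile=any

# 3. Checks: the address is bound, SMB is listening, and the rule exists with the intended scope.
& netsh.exe interface ipv4 show addresses name="$LoopbackConnection"
& netstat.exe -an | Select-String ":445 "
& netsh.exe advfirewall firewall show rule name="$RuleName"
```

Scoping `remoteip` to the RRAS pool means the exception does nothing for traffic arriving on the public interface even if a client somehow reaches 192.168.1.2 from outside the tunnel; re-run step 3 from a connected client (`net view \\192.168.1.2`) to confirm the shares are listed.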