Update: this is what I ended up with. Route based VPN using this guide as a template. Master site: 1x ER 12 + 1x ER 4 Sites A, B, C & D :1x ER4 each location Colo: 1x ER4 & 1x pfSense (SM x10SDV-TLN4F+)

@Pete-S said in ZeroTier vs VPN: @Kelly said in ZeroTier vs VPN: In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model. I haven't used it but why does ZT makes it easier? You have to install it on every machine you want access to, right? And I assume you have to setup some kind of routing on a computer if you want access to something on the network where you can't install ZT, like an appliance or something like an ilo interface. With an OpenVPN (SSL VPN) connection through the firewall you have a routable VPN and no NAT problems. You can put whatever access to whatever resources you want without installing anything anywhere. And you have everything in one place. I though ZT was a peer to peer network. So it would make most sense when there are no LAN or central resources and everything is spread out. But that not the network layout in this case. You do have to install it on every machine. It is easier in the sense that to achieve the same level of lockdown paired with user specific access you would need to do a fair bit of work on your edge and keep it maintained. Deploying software to clients should be pretty straightforward if you're using quality tools: https://chocolatey.org/packages/zerotier-one.

@manxam said in USG to EdgeRouter VPN: Interesting. The last time that I looked at the GUI (as we typically use CLI for VPN), it didn't give the option of DH group like so : Wonder in what version this changed? It has had it for as long as I recall. At least 1.5. The CLI has had it 100% of the time since release at version 1.2.0

@Pete-S said in Packet loss when connected to L2TP/IPsec VPn: @Romo said in Packet loss when connected to L2TP/IPsec VPn: This same issue is happening today once again, VPN is connecting properly but I can't properly reach anything properly on the local lan or the internet. You should just buy a new edge router to exclude any hardware issues. Valid option. The cost is minimal compared to the time you are spending.

@dafyre My small addition in french : https://www.canaletto.fr/post/zerotier-site-to-site

The problem is this: On the Meraki side, let's say you have 5 (this can be any number greater than 1) firewalls. In Meraki speak, if all 5 are in the same "organization", S2S is a few clicks & AutoVPN takes over. No pre-shared secret, no keys. You turn on VPN, say yes to whatever subnets you want in the vpn & save. On the ER side, I have to create 5 peers to connect to the Meraki side. Meraki will only expose one connection for a 3rd party S2S & therein lies the problem. Not all the tunnels connect & there's no good way to fix it.

@DustinB3403 said in Openvpn HELPPP!!: @abdel-hakim-abousrea to start, if you have access to the internet, you have a public IP, it could be a statically assigned IP or one that could change randomly. Having a static public IP to use for this would be ideal. Set up a FQDN for your system, even if it is a static IP. Either via some type of dynamic DNS or a manual records in your public DNS.

@JaredBusch said in Alternatives to OpenVPN for FreePBX on cell phone...: @scottalanmiller said in Alternatives to OpenVPN for FreePBX on cell phone...: @JaredBusch said in Alternatives to OpenVPN for FreePBX on cell phone...: There has never been a promise or timeline made for the mobile apps. Anyone expecting anything on that front is operating in their own little fantasy. That's the main use case of softphones, though. Like 95% I would guess. Softphones for the desktop are way more niche. I totally disagree. Softphone on the desktop is by far the largest user base thanks to call centers. Softphone on mobile is a far second to that. Maybe overall, but for FreePBX? FreePBX is pretty rare in call centers, AFAIK.

@scottalanmiller said in Untangle Site to Site VPN Not Connecting: @dbeato said in Untangle Site to Site VPN Not Connecting: @scottalanmiller said in Untangle Site to Site VPN Not Connecting: We DID find last night that one machine had updated to a different version than the other. But the other is months behind but refuses to recognize that an update exists. Untangle claims updates are delayed to reduce server load and there is no option to control versions (basically... this is in no way a business product.) There is always a way to force the updates, I bet this are actual old workstations or servers with Untangle, otherwise they would have been in version 14.1... This is not way configured the same for updates on both devices.. Don't think so, looking at the hardware they looked like store bought Untangle commercial devices. Weird all around, but I understand

@bbigford I'll second that

@emad-r said in Proxies as VPN?: @emad-r They are using reverse proxy squid on a PFsense router as VPN. or to access company resources. For example, I think they made LAN 7.7.7.* and put company resource like http://web/company and only 7.7.7.* can access it in the config on PFsense. It does not work 100% of course. As you can bypass it if you do http://web/company?32141 and access it from WAN That works only if the resources are web only. In which case, a VPN was never appropriate in the first place. So in this case, a VPN would actually allow you to access unpublished web resources. But the reverse proxy will publish them. Now the presumed difference to most people is that the VPN will add a layer or protection in the form of authentication, and the proxy will not. This is not correct, however, because you can add that to the proxy, too. So, in reality, you are correct, in this specific case, the reverse proxy is actually making a VPN for just those specific web resources. It's a special case VPN, assuming you are using it as an SSL point.

@romo said in EdgeRouter L2TP VPN can't pass IKE phase 1: A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL. FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!! As reminder for anyone that could encounter a similar issue: DNAT rules are evaluated before firewall rules. Yes, this is a known function of VyOS/EdgeOS. But nothing was ever posted baout DNAT rules in use, so I assumed there were none. There are not by default.

@gjacobse said in Help troubleshooting L2TP over IPSEC VPN connections.: jeeze,.. that is a sad state to think that we have nbeen fighting this for that long,... @JaredBusch @scottalanmiller Can a cron be set to restart the ipsec every 24 hours? Yes.

I've been dreaming of creating my own RD gateway authentication plugin - but I doubt I will ever find the time.

@scottalanmiller posted here too https://mangolassi.it/topic/16567/dell-machines-unable-to-vpn-due-to-smartbyte-bloatware

@dbeato said in Dell Machines Unable to VPN Due to SmartByte Bloatware: @scottalanmiller said in Dell Machines Unable to VPN Due to SmartByte Bloatware: SmartByte, a bit of bloatware or possibly malware - certainly closer to malware than not, is shipping by default on some Dell laptops and desktops. If you are doing a clean OS install as is best practice, this bloatware will be unknown to you. But if you keep the random stuff that ships with your machine, you may run into networking problems. SmartByte has been found by Cisco (and us, now that we know about it with clients) to break network connections and specifically has been found to cause VPNs to fail to connect. You'll need to disable, or better remove, or best do a proper, clean OS install, to get your machine able to network reliably. None of my Dell Devices has ever come with this. Not even laptops bought through Amazon. In the past Dell and HP have had the Cisco AnnyConnect client but that is found more on home and retailers like Best Buy, Staples or such. Then again I don’t buy Dell Inspiron (Which are the ones with SmartByte for sure) I never run into it because I would never run a machine without doing a proper OS install, you never know what is on there. But we ran into this (and I've been ranting about how people got into the process of not doing a clean install - dealing with that separately) just now because someone had a machine that didn't get installed and, of course, terrible bloatware problems.

Did you use the Libreswan or Strongswan setting in your previous post?

@jaredbusch said in Small Restaurant Network Redesign: @scottalanmiller said in Small Restaurant Network Redesign: Also worth noting, there are some problematic switches at each site. Again, because the VAR was clearly trying to add complexity to up the support bill, and I'm having them put in simple, low cost, unmanaged Netgears to make this really simple and reliable. I detest NetGear switches. They generally work, but everytime I try to use one for something even half specific, they puke. Sites this small can use the EdgeSwitch 8 https://www.ubnt.com/edgemax/edgeswitch-8-150w/ And it will report into UNMS along with the routers. Plus it's actually a switch, hardware- and software-wise. Not a breadbox which jumps over the table because you "accidentally" attached a cable to it. (yeah, I know, some NetGears also feature a metal case but it's not the same).

@dafyre it's a good one.

@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite: @dashrender said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite: @dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite: @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite: Thanks to @Dashrender for the assist. It looks like the problem was authentication. I authenticated to the VPN using domain\username rather than using the User Principal Name. Doing the latter allowed me to reach DFS shares. Woops, that's crazy but definitely there is an issue with DNS huh? If the user cannot login with UPN there is an issue with DNS.... As you should be able to use domain.com. User can login with UPN. They were using the old domain\username method rather than UPN, which apparently caused problems with accessing stuff via the DFS namespace.

@dashrender said in PORT - Rant about unsupported OS connecting to company VPN: @dustinb3403 said in PORT - Rant about unsupported OS connecting to company VPN: Why did it take 30+ calls to find out that the doctors personal equipment is running Ubuntu? It took 30 calls and a 6 hour round trip to discover it was running Ubuntu - because their remote access solution wouldn't work either - likely because local kid didn't want them to know it Ubuntu - he was likely saying - aww, those idiots at the hospital, they don't know anything, Ubuntu will run anything.. LOL Even if the application that the hospital is using, was built for Windows 2000, has no bearing on the matter of the VPN dropping the client. Why the vpn server didn't have logging to say it was dropped because it was a blacklisted OS or anything else is the part that is insane. Even Cisco has this functionality. . (lol.. . )

@ambarishrh Thanks. I just sent him that link to check it out.

@scottalanmiller said in What Exactly Is a VPN, Is HTTPS a VPN SAMIT Video: A lot of them get posted on SW first as a response post because someone will do something that warrants a video so I make it and post as a response, but then dole them out on an even pace over here with a spot to discuss them. How do you know you're an idiot? SAM replies to you with a video

And the actually question here is.....

@syko24 free... and useless: Limitations of the free license: The free license is limited to five locks per day which means the free edition defends your system against five unique attacks per day. [...] The free license does not contain reporting (like the PRO edition does). Also, no official support for Windows Server 2016. https://cyberarms.net/download-pricing/installation-configuration.aspx

Doing a bit of reverse name matching... I may have it now.