@scottalanmiller said in Untangle Site to Site VPN Not Connecting: @dbeato said in Untangle Site to Site VPN Not Connecting: @scottalanmiller said in Untangle Site to Site VPN Not Connecting: We DID find last night that one machine had updated to a different version than the other. But the other is months behind but refuses to recognize that an update exists. Untangle claims updates are delayed to reduce server load and there is no option to control versions (basically... this is in no way a business product.) There is always a way to force the updates, I bet this are actual old workstations or servers with Untangle, otherwise they would have been in version 14.1... This is not way configured the same for updates on both devices.. Don't think so, looking at the hardware they looked like store bought Untangle commercial devices. Weird all around, but I understand

@bbigford I'll second that

@emad-r said in Proxies as VPN?: @emad-r They are using reverse proxy squid on a PFsense router as VPN. or to access company resources. For example, I think they made LAN 7.7.7.* and put company resource like http://web/company and only 7.7.7.* can access it in the config on PFsense. It does not work 100% of course. As you can bypass it if you do http://web/company?32141 and access it from WAN That works only if the resources are web only. In which case, a VPN was never appropriate in the first place. So in this case, a VPN would actually allow you to access unpublished web resources. But the reverse proxy will publish them. Now the presumed difference to most people is that the VPN will add a layer or protection in the form of authentication, and the proxy will not. This is not correct, however, because you can add that to the proxy, too. So, in reality, you are correct, in this specific case, the reverse proxy is actually making a VPN for just those specific web resources. It's a special case VPN, assuming you are using it as an SSL point.

@romo said in EdgeRouter L2TP VPN can't pass IKE phase 1: A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL. FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!! As reminder for anyone that could encounter a similar issue: DNAT rules are evaluated before firewall rules. Yes, this is a known function of VyOS/EdgeOS. But nothing was ever posted baout DNAT rules in use, so I assumed there were none. There are not by default.

@gjacobse said in Help troubleshooting L2TP over IPSEC VPN connections.: jeeze,.. that is a sad state to think that we have nbeen fighting this for that long,... @JaredBusch @scottalanmiller Can a cron be set to restart the ipsec every 24 hours? Yes.

Here is the one thing that will shut the dumbasses up about RDP being "insecure". Multi factor authentication. Microsoft even supplies wonderful application for it. https://azure.microsoft.com/en-us/services/multi-factor-authentication/ Eliminates all the shit password problems, even if its 'password', has a mobile app to just hit a button to approve login, and is pretty easy to set up to boot.

@scottalanmiller posted here too https://mangolassi.it/topic/16567/dell-machines-unable-to-vpn-due-to-smartbyte-bloatware

@dbeato said in Dell Machines Unable to VPN Due to SmartByte Bloatware: @scottalanmiller said in Dell Machines Unable to VPN Due to SmartByte Bloatware: SmartByte, a bit of bloatware or possibly malware - certainly closer to malware than not, is shipping by default on some Dell laptops and desktops. If you are doing a clean OS install as is best practice, this bloatware will be unknown to you. But if you keep the random stuff that ships with your machine, you may run into networking problems. SmartByte has been found by Cisco (and us, now that we know about it with clients) to break network connections and specifically has been found to cause VPNs to fail to connect. You'll need to disable, or better remove, or best do a proper, clean OS install, to get your machine able to network reliably. None of my Dell Devices has ever come with this. Not even laptops bought through Amazon. In the past Dell and HP have had the Cisco AnnyConnect client but that is found more on home and retailers like Best Buy, Staples or such. Then again I don’t buy Dell Inspiron (Which are the ones with SmartByte for sure) I never run into it because I would never run a machine without doing a proper OS install, you never know what is on there. But we ran into this (and I've been ranting about how people got into the process of not doing a clean install - dealing with that separately) just now because someone had a machine that didn't get installed and, of course, terrible bloatware problems.

Did you use the Libreswan or Strongswan setting in your previous post?

@jaredbusch said in Small Restaurant Network Redesign: @scottalanmiller said in Small Restaurant Network Redesign: Also worth noting, there are some problematic switches at each site. Again, because the VAR was clearly trying to add complexity to up the support bill, and I'm having them put in simple, low cost, unmanaged Netgears to make this really simple and reliable. I detest NetGear switches. They generally work, but everytime I try to use one for something even half specific, they puke. Sites this small can use the EdgeSwitch 8 https://www.ubnt.com/edgemax/edgeswitch-8-150w/ And it will report into UNMS along with the routers. Plus it's actually a switch, hardware- and software-wise. Not a breadbox which jumps over the table because you "accidentally" attached a cable to it. (yeah, I know, some NetGears also feature a metal case but it's not the same).

@dafyre it's a good one.

@dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite: @dashrender said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite: @dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite: @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite: Thanks to @Dashrender for the assist. It looks like the problem was authentication. I authenticated to the VPN using domain\username rather than using the User Principal Name. Doing the latter allowed me to reach DFS shares. Woops, that's crazy but definitely there is an issue with DNS huh? If the user cannot login with UPN there is an issue with DNS.... As you should be able to use domain.com. User can login with UPN. They were using the old domain\username method rather than UPN, which apparently caused problems with accessing stuff via the DFS namespace.

@dashrender said in PORT - Rant about unsupported OS connecting to company VPN: @dustinb3403 said in PORT - Rant about unsupported OS connecting to company VPN: Why did it take 30+ calls to find out that the doctors personal equipment is running Ubuntu? It took 30 calls and a 6 hour round trip to discover it was running Ubuntu - because their remote access solution wouldn't work either - likely because local kid didn't want them to know it Ubuntu - he was likely saying - aww, those idiots at the hospital, they don't know anything, Ubuntu will run anything.. LOL Even if the application that the hospital is using, was built for Windows 2000, has no bearing on the matter of the VPN dropping the client. Why the vpn server didn't have logging to say it was dropped because it was a blacklisted OS or anything else is the part that is insane. Even Cisco has this functionality. . (lol.. . )

We offer a service that has a pretty extensive global network of proxy/vpn servers: WonderProxy. Using a proxy allows a bit more flexibility than taking screenshots.

@scottalanmiller said in What Exactly Is a VPN, Is HTTPS a VPN SAMIT Video: A lot of them get posted on SW first as a response post because someone will do something that warrants a video so I make it and post as a response, but then dole them out on an even pace over here with a spot to discuss them. How do you know you're an idiot? SAM replies to you with a video

And the actually question here is.....

@syko24 free... and useless: Limitations of the free license: The free license is limited to five locks per day which means the free edition defends your system against five unique attacks per day. [...] The free license does not contain reporting (like the PRO edition does). Also, no official support for Windows Server 2016. https://cyberarms.net/download-pricing/installation-configuration.aspx

Doing a bit of reverse name matching... I may have it now.

@Tim_G said in Installing VPN access on Windows Server 2016: I don't remember experiencing or hearing about an MS RRAS server that was compromised or hacked do to the fault of the MS Software directly. It's always been because of dirt poor implementation and security oversights... connecting a Windows server directly to the internet, ..... If you consider exposing the server as a mistake leading to compromise, that's really the point that we were making

Hak5 OpenVPN Series: http://www.youtube.com/playlist?list=PL9Gx4S6DDjBvoIpQZiAhdRFpZ0yztZJms

I've used tor, it's functional, but removes a lot of what most people consider useful from most websites.

Thanks @Mike-Davis That is just want was needed. added it to my other script and works great thus far.

@Dashrender said in Considering a New VPN: @JaredBusch said in Considering a New VPN: @scottalanmiller said in Considering a New VPN: @JaredBusch said in Considering a New VPN: @scottalanmiller said in Considering a New VPN: @JaredBusch said in Considering a New VPN: @scottalanmiller said in Considering a New VPN: @Carnival-Boy said in Considering a New VPN: Yeah, I need hub and spoke really. But that's not too difficult to setup on ZeroTier is it? ZeroTier doesn't offer hub and spoke at all. It's pure SDN / mesh. This is not true, ZeroTier has gateway functionality. https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux I was leaving that out for simplicity as he's not going to build custom Linux systems for this. Why? Because a single VM setup as a gateway means that ZT now meets all needs also. No different than replacing a router, etc. I've not used it, does it require you to change your IP range or can you keep what you have? The biggest recommendation is to make it inclusive of your LAN subnet so make life easier. I've not had the time to set it up on my lab yet. I use ZT in a number of places, but not using the gateway anywhere yet. Right, so being inclusive means that you did follow Scott's recommendation, only that you bent ZT to the current setup, instead of making a whole new IP setup with this in mind. Did that solve all of the Windows DNS issues? I have no idea WTF you are talking about. You are implying and inferring things that are not being discussed here.

@scottalanmiller for the sake of this thread, the link shows both ERL and ERPro

Viscosity is a nice OpenVPN client

@art_of_shred said in Thoughts on a Ubiquiti/Cisco comparo?: This is just a project. What's the line? "Not my circus, not my monkeys"? I think it goes "not my circus, not my Sonicwall".

We use Cisco Any Connect that authenticates against AD, but is not tied to any kind of GPS and it works for us just fine. Except for deployment, I see no need in using GPS. If we use GPS for anything, it's with RADIUS for our wireless network. That works in one location but not the other. And this is only because both locations have different wireless systems and in how each system implements RADIUS and authenticates a laptop against an OU.