@JaredBusch said in Client VPN - Openswan / Strongswan: @CCWTech said in Client VPN - Openswan / Strongswan: I have a Ubiquiti USG that I have the Remote User VPN setup on (LT2P with PSK). Can Openswan / Strongswan connect to that? I haven't found a walk through on the internet. Background: I am using a Raspberry Pi running Raspbian that I am using to connect to the USG. That is IPSEC. It is different settings, so not with your L2TP. But yes. Awesome, thank you!

@stacksofplates basically you have to update the planet definition and also include the public identity into the fold. Then they find each other and are online. I will bow try to make it work as a cluster. Keep this post updated...

@IRJ This is the screen I get. I deleted everything. Then you re-enter the gateway, and it will ask you for your password.

@Dashrender firewall { all-ping enable broadcast-ping disable group { address-group trusted_IPs { address 1.2.3.4 address 5.6.7.8 address 9.10.11.12 description "for remote GUI access" } } ipv6-name WANv6_IN { default-action drop description "WAN inbound traffic forwarded to LAN" enable-default-log rule 10 { action accept description "Allow established/related sessions" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } ipv6-name WANv6_LOCAL { default-action drop description "WAN inbound traffic to the router" enable-default-log rule 10 { action accept description "Allow established/related sessions" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 30 { action accept description "Allow IPv6 icmp" protocol ipv6-icmp } rule 40 { action accept description "allow dhcpv6" destination { port 546 } protocol udp source { port 547 } } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } name WAN_LOCAL { default-action drop description "WAN to router" rule 10 { action accept description "remote GUI" destination { port 443 } log disable protocol tcp source { group { address-group trusted_IPs } } } rule 20 { action accept description "Allow established/related" state { established enable related enable } } rule 30 { action accept description ike destination { port 500 } log disable protocol udp state { invalid enable } } rule 40 { action accept description esp log disable protocol esp } rule 50 { action accept description nat-t destination { port 4500 } log disable protocol udp } rule 60 { action accept description l2tp destination { port 1701 } ipsec { match-ipsec } log disable protocol udp } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 10.10.10.10/30 description Internet duplex auto firewall { in { ipv6-name WANv6_IN name WAN_IN } local { ipv6-name WANv6_LOCAL name WAN_LOCAL } } speed auto } ethernet eth1 { address 10.15.20.254/24 description "LAN 1" duplex auto speed auto } ethernet eth2 { address 192.168.2.254/24 description "LAN 2" duplex auto speed auto } ethernet eth3 { duplex auto speed auto } loopback lo { } } port-forward { auto-firewall enable hairpin-nat disable wan-interface eth0 } service { dhcp-server { disabled false hostfile-update disable shared-network-name LAN2 { authoritative enable subnet 192.168.2.0/24 { default-router 192.168.2.254 dns-server 192.168.2.254 lease 86400 start 192.168.2.38 { stop 192.168.2.43 } } } static-arp disable use-dnsmasq disable } dns { forwarding { cache-size 10000 listen-on eth1 listen-on eth2 name-server 1.1.1.1 name-server 9.9.9.9 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 5010 { description "masquerade for WAN" outbound-interface eth0 type masquerade } } ssh { port 22 protocol-version v2 } unms { connection wss:// } } system { domain-name ubnt gateway-address 10.10.10.1 host-name ER4 login { user ubnt { authentication { encrypted-password ubnt } level admin } } name-server 1.1.1.1 name-server 9.9.9.9 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { hwnat disable ipsec disable } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone UTC } vpn { ipsec { allow-access-to-local-interface disable auto-firewall-nat-exclude disable ipsec-interfaces { interface eth0 } } l2tp { remote-access { authentication { local-users { username hello { password 1234 } } mode local } client-ip-pool { start 192.168.100.100 stop 192.168.100.110 } dns-servers { server-1 1.1.1.1 server-2 9.9.9.9 } idle 1800 ipsec-settings { authentication { mode pre-shared-secret pre-shared-secret 1234 } ike-lifetime 3600 lifetime 3600 } mtu 1492 outside-address 10.10.10.10 } } }

I've already used this guide again. LOL, boy this is handy.

@Romo said in Unifi USG VPN from Behind NAT Firewall: Also add the changes to a config.gateway.json file in the controller to changes directly made on the USG don't get deleted on next provision. One reason I hate these units.

@krisleslie said in Anyone figured out how to ZeroTier with AD?: @Dashrender all ubnt They have two models, the unifi USGs and the EdgeRouter series - which are you sporting?

Update: this is what I ended up with. Route based VPN using this guide as a template. Master site: 1x ER 12 + 1x ER 4 Sites A, B, C & D :1x ER4 each location Colo: 1x ER4 & 1x pfSense (SM x10SDV-TLN4F+)

@Pete-S said in ZeroTier vs VPN: @Kelly said in ZeroTier vs VPN: In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model. I haven't used it but why does ZT makes it easier? You have to install it on every machine you want access to, right? And I assume you have to setup some kind of routing on a computer if you want access to something on the network where you can't install ZT, like an appliance or something like an ilo interface. With an OpenVPN (SSL VPN) connection through the firewall you have a routable VPN and no NAT problems. You can put whatever access to whatever resources you want without installing anything anywhere. And you have everything in one place. I though ZT was a peer to peer network. So it would make most sense when there are no LAN or central resources and everything is spread out. But that not the network layout in this case. You do have to install it on every machine. It is easier in the sense that to achieve the same level of lockdown paired with user specific access you would need to do a fair bit of work on your edge and keep it maintained. Deploying software to clients should be pretty straightforward if you're using quality tools: https://chocolatey.org/packages/zerotier-one.

@manxam said in USG to EdgeRouter VPN: Interesting. The last time that I looked at the GUI (as we typically use CLI for VPN), it didn't give the option of DH group like so : Wonder in what version this changed? It has had it for as long as I recall. At least 1.5. The CLI has had it 100% of the time since release at version 1.2.0

@Pete-S said in Packet loss when connected to L2TP/IPsec VPn: @Romo said in Packet loss when connected to L2TP/IPsec VPn: This same issue is happening today once again, VPN is connecting properly but I can't properly reach anything properly on the local lan or the internet. You should just buy a new edge router to exclude any hardware issues. Valid option. The cost is minimal compared to the time you are spending.

@dafyre My small addition in french : https://www.canaletto.fr/post/zerotier-site-to-site

The problem is this: On the Meraki side, let's say you have 5 (this can be any number greater than 1) firewalls. In Meraki speak, if all 5 are in the same "organization", S2S is a few clicks & AutoVPN takes over. No pre-shared secret, no keys. You turn on VPN, say yes to whatever subnets you want in the vpn & save. On the ER side, I have to create 5 peers to connect to the Meraki side. Meraki will only expose one connection for a 3rd party S2S & therein lies the problem. Not all the tunnels connect & there's no good way to fix it.

@DustinB3403 said in Openvpn HELPPP!!: @abdel-hakim-abousrea to start, if you have access to the internet, you have a public IP, it could be a statically assigned IP or one that could change randomly. Having a static public IP to use for this would be ideal. Set up a FQDN for your system, even if it is a static IP. Either via some type of dynamic DNS or a manual records in your public DNS.

@JaredBusch said in Alternatives to OpenVPN for FreePBX on cell phone...: @scottalanmiller said in Alternatives to OpenVPN for FreePBX on cell phone...: @JaredBusch said in Alternatives to OpenVPN for FreePBX on cell phone...: There has never been a promise or timeline made for the mobile apps. Anyone expecting anything on that front is operating in their own little fantasy. That's the main use case of softphones, though. Like 95% I would guess. Softphones for the desktop are way more niche. I totally disagree. Softphone on the desktop is by far the largest user base thanks to call centers. Softphone on mobile is a far second to that. Maybe overall, but for FreePBX? FreePBX is pretty rare in call centers, AFAIK.

@scottalanmiller said in Untangle Site to Site VPN Not Connecting: @dbeato said in Untangle Site to Site VPN Not Connecting: @scottalanmiller said in Untangle Site to Site VPN Not Connecting: We DID find last night that one machine had updated to a different version than the other. But the other is months behind but refuses to recognize that an update exists. Untangle claims updates are delayed to reduce server load and there is no option to control versions (basically... this is in no way a business product.) There is always a way to force the updates, I bet this are actual old workstations or servers with Untangle, otherwise they would have been in version 14.1... This is not way configured the same for updates on both devices.. Don't think so, looking at the hardware they looked like store bought Untangle commercial devices. Weird all around, but I understand

@bbigford I'll second that

@emad-r said in Proxies as VPN?: @emad-r They are using reverse proxy squid on a PFsense router as VPN. or to access company resources. For example, I think they made LAN 7.7.7.* and put company resource like http://web/company and only 7.7.7.* can access it in the config on PFsense. It does not work 100% of course. As you can bypass it if you do http://web/company?32141 and access it from WAN That works only if the resources are web only. In which case, a VPN was never appropriate in the first place. So in this case, a VPN would actually allow you to access unpublished web resources. But the reverse proxy will publish them. Now the presumed difference to most people is that the VPN will add a layer or protection in the form of authentication, and the proxy will not. This is not correct, however, because you can add that to the proxy, too. So, in reality, you are correct, in this specific case, the reverse proxy is actually making a VPN for just those specific web resources. It's a special case VPN, assuming you are using it as an SSL point.

@romo said in EdgeRouter L2TP VPN can't pass IKE phase 1: A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL. FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!! As reminder for anyone that could encounter a similar issue: DNAT rules are evaluated before firewall rules. Yes, this is a known function of VyOS/EdgeOS. But nothing was ever posted baout DNAT rules in use, so I assumed there were none. There are not by default.

@gjacobse said in Help troubleshooting L2TP over IPSEC VPN connections.: jeeze,.. that is a sad state to think that we have nbeen fighting this for that long,... @JaredBusch @scottalanmiller Can a cron be set to restart the ipsec every 24 hours? Yes.

I've been dreaming of creating my own RD gateway authentication plugin - but I doubt I will ever find the time.

@scottalanmiller posted here too https://mangolassi.it/topic/16567/dell-machines-unable-to-vpn-due-to-smartbyte-bloatware

@dbeato said in Dell Machines Unable to VPN Due to SmartByte Bloatware: @scottalanmiller said in Dell Machines Unable to VPN Due to SmartByte Bloatware: SmartByte, a bit of bloatware or possibly malware - certainly closer to malware than not, is shipping by default on some Dell laptops and desktops. If you are doing a clean OS install as is best practice, this bloatware will be unknown to you. But if you keep the random stuff that ships with your machine, you may run into networking problems. SmartByte has been found by Cisco (and us, now that we know about it with clients) to break network connections and specifically has been found to cause VPNs to fail to connect. You'll need to disable, or better remove, or best do a proper, clean OS install, to get your machine able to network reliably. None of my Dell Devices has ever come with this. Not even laptops bought through Amazon. In the past Dell and HP have had the Cisco AnnyConnect client but that is found more on home and retailers like Best Buy, Staples or such. Then again I don’t buy Dell Inspiron (Which are the ones with SmartByte for sure) I never run into it because I would never run a machine without doing a proper OS install, you never know what is on there. But we ran into this (and I've been ranting about how people got into the process of not doing a clean install - dealing with that separately) just now because someone had a machine that didn't get installed and, of course, terrible bloatware problems.

Did you use the Libreswan or Strongswan setting in your previous post?

@jaredbusch said in Small Restaurant Network Redesign: @scottalanmiller said in Small Restaurant Network Redesign: Also worth noting, there are some problematic switches at each site. Again, because the VAR was clearly trying to add complexity to up the support bill, and I'm having them put in simple, low cost, unmanaged Netgears to make this really simple and reliable. I detest NetGear switches. They generally work, but everytime I try to use one for something even half specific, they puke. Sites this small can use the EdgeSwitch 8 https://www.ubnt.com/edgemax/edgeswitch-8-150w/ And it will report into UNMS along with the routers. Plus it's actually a switch, hardware- and software-wise. Not a breadbox which jumps over the table because you "accidentally" attached a cable to it. (yeah, I know, some NetGears also feature a metal case but it's not the same).

@dafyre it's a good one.