[VPN] Cannot access computer in the same network, through VPN

  • Question

  • I have set up an SSTP VPN server on a Windows Server 2019 machine, which is actually an AWS EC2 instance with a private IP in the 10.10.0.0/16 subnet.

    I can connect to it via the standard VPN client, the one built into my Windows 10 home computer, and when I am connected to the VPN I am also assigned an address in the same subnet: 10.10.0.0/16

    I have tried connecting via PuTTY/SSH to a Linux EC2 instance on the same subnet, but the IP was not reachable from my home.

    But I have successfully connected to it via the ssh command from the VPN server.

    Why not from my home PC?

    I am sure I am missing some VPN server configuration.

    Thanks

    Tuesday, July 21, 2020 7:10 PM

All replies

  • Hi,

    Thanks for posting here.

    Before we go further, I would like to confirm the following questions:

    1. Can the Windows 10 machine and the Linux EC2 instance ping each other successfully?

    2. Can the Windows 10 machine access the other Windows machine in subnet 10.10.0.0/16 via VPN?

    3. Is there any error message when running the ssh command from the Windows 10 side? If yes, please provide it for further troubleshooting.

    This "Network Infrastructure Servers" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details. 

    Best Regards,

    Sunny


    Wednesday, July 22, 2020 10:20 AM
  • Hi @Sunny Qi

    1) No. But the VPN server and Linux can ping each other's private address (10.10.x.x, 10.10.y.y)

    2) Yes, while in VPN from Windows 10 I can ping the VPN server's IP 10.10.x.x and I can even connect to it via RDP

    3) From Windows 10:

    ssh 10.10.y.y

    ssh: connect to host 10.10.y.y port 22: Connection timed out

    While the same command works from the VPN server to 10.10.y.y

    I want to add that while in VPN, my Wi-Fi connection shows "No Internet" and indeed I cannot browse the web.

    Also, ipconfig shows that my IPv4 address for the PPP connection is in the 10.10.0.0/16 subnet and the default gateway is 0.0.0.0

    Wednesday, July 22, 2020 12:19 PM
  • I have disabled "Use default gateway" from the PPP connection properties, and I can now browse the web while in VPN, but the Linux host is still not reachable from home.

    I have tried disabling the firewall.

    And I have ticked the "Allow Access" option in the Dial-In tab of the Active Directory user properties.

    But the problem persists.

    I forgot to mention that my VPN server also has the Active Directory Domain Services role activated, so it is a domain controller. I don't know if it is relevant to the problem.

    I have tried removing it but I can't. It gives me:

    "An error occurred while demoting the Active Directory domain controller: Certificate Server is installed"



    • Edited by Half_Life Thursday, July 23, 2020 1:00 PM
    Thursday, July 23, 2020 12:58 PM
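As an added example (not code from the thread, from Microsoft, or from the tutorial the poster follows), the "Use default gateway" change described in the post above can be made and verified from PowerShell on the Windows 10 client, which also shows which interface the VPC prefix is routed through. It assumes a VPN connection named "AWS-SSTP" and uses 10.10.200.20 as a constructed stand-in for the thread's 10.10.y.y; neither value comes from the thread.

```powershell
# Added example, not from the thread: split tunneling and route verification on the
# Windows 10 VPN client. Assumed names: connection "AWS-SSTP", Linux host 10.10.200.20
# (a constructed stand-in for the thread's 10.10.y.y).
$ConnectionName = "AWS-SSTP"
$VpcPrefix      = "10.10.0.0/16"
$LinuxHost      = "10.10.200.20"

# Same effect as clearing "Use default gateway on remote network" in the PPP
# properties: Internet traffic keeps using the Wi-Fi gateway, so the "No Internet"
# state goes away, and only prefixes bound to the VPN go through the tunnel.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# Bind the VPC subnet to the tunnel explicitly instead of relying on the class-based
# route Windows adds for the assigned pool address (only allowed when split
# tunneling is on).
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $VpcPrefix

# Dial the connection; rasdial uses saved credentials, or takes them as
# "rasdial <name> <user> <password>".
rasdial $ConnectionName

# The route must resolve to the PPP interface, not the Wi-Fi adapter. If it does, the
# client side is fine and the failure is on the server or inside the VPC.
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $VpcPrefix |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric

# Reproduce the two tests from the thread: ICMP (ping) and TCP port 22 (ssh).
# -InformationLevel Detailed prints the source address and route chosen for the packet.
Test-NetConnection -ComputerName $LinuxHost -InformationLevel Detailed
Test-NetConnection -ComputerName $LinuxHost -Port 22 -InformationLevel Detailed
```

Run it from an elevated PowerShell. If Get-NetRoute lists the VPC prefix against the Wi-Fi adapter rather than the PPP interface, the client is not sending that traffic into the tunnel at all; if the route is correct and the TCP test still times out while the server's own address answers, the client has done its part and the forwarding problem is on the server or in the VPC.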
  • Hi,

    Thanks for your information.

    We do not recommend either multihoming or installing any other unnecessary service on a domain controller. So it is better to have a dedicated device to establish the VPN tunnel between the main and branch site over the internet. We can use a multihomed RRAS server or a router device that supports VPN connections to do that.

    For more information, please refer to the following article.

    Can DC be multihomed in Windows 2008 Server?

    Regarding the error while demoting the DC, "Certificate Server is installed", please refer to the steps mentioned in the article "Reinstall the CA role in Windows Server 2012 Essentials" to uninstall the CA, then restart the system and confirm whether you can demote AD DS:

    https://support.microsoft.com/en-us/help/2795825/reinstall-the-ca-role-in-windows-server-2012-essentials

    Demoting Domain Controllers and Domains:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/demoting-domain-controllers-and-domains--level-200-

    If the error persists, please open PowerShell and type the command "get-windowsfeature" to list all installed server roles and features, and make sure that the CA-related roles and features are successfully uninstalled.

    Hope my answer will help you. Thanks!

    Best Regards,

    Sunny



    Friday, July 24, 2020 9:26 AM
  • OK, now I have neither the Certificate Services nor the Domain Services roles.

    Now I am following this tutorial to set up the SSTP VPN: https://www.getanadmin.com/windowsserver/win2019/setup-a-secure-vpn-sstp-on-windows-server-2019/#:~:text=The%20Virtual%20Private%20Network%20installation,SSL%20over%20Http%20port%20443.

    I am at the step

    "Configure Dial-in connection on user object"

    But when I open Active Directory Users and Computers, I see a warning MessageBox saying "To manage Users and Groups on this computer, use Local Users and Groups. To manage users, groups and computers in a domain, log on as a user with domain administration rights".

    Then in the Active Directory Users and Computers window that appears I don't see any domains in the left pane, and the top-left icon has a red (X) symbol on it. I cannot create any users. Maybe it's because I don't have a domain controller anymore and I need a domain to create users there.

    Alternatively, if I add a user in Computer Management => Local Users and Groups, how can I tell the VPN to require login with a specific local user's credentials, rather than a domain user?


    • Edited by Half_Life Sunday, July 26, 2020 5:27 PM
    Sunday, July 26, 2020 5:26 PM
  • I have created a local user on Windows Server and set its Dial-In property to Allow Access. I can connect to the VPN with this user from Windows 10.

    But I have the same problem I had with the domain user: I can ping/ssh the Linux instance from Windows Server but not from Windows 10.

    From Windows Server I have tried the ping/ssh even as the new user, not only Administrator, and it worked.

    Do I need LAN Routing features in Windows Server to do that through VPN?

    While I am in VPN I see this in Routing and Remote Access: https://imgur.com/YzakzmX

    There is no "VPN" entry in the left pane; is that normal? From the guide I linked I see "VPN":


    • Edited by Half_Life Sunday, July 26, 2020 8:58 PM
    Sunday, July 26, 2020 8:37 PM
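The questions in the post above (whether LAN Routing is needed, what RRAS should show) come down to whether the server forwards traffic from the VPN client pool into the VPC and whether replies find their way back. As an added example that is not from the thread or from Microsoft, the following PowerShell checks, run on the RRAS server, cover both directions. The values are constructed assumptions: the EC2 adapter alias "Ethernet", the Linux host 10.10.200.20 (stand-in for 10.10.y.y) and the instance id placeholder i-PLACEHOLDER.

```powershell
# Added example, not from the thread or from Microsoft: checks on the Windows Server
# 2019 RRAS/VPN server for the "client reaches the server but nothing behind it"
# symptom. Assumed, constructed values: EC2 adapter alias "Ethernet", Linux host
# 10.10.200.20 (stand-in for 10.10.y.y), placeholder instance id i-PLACEHOLDER.
$LanAdapter = "Ethernet"
$LinuxHost  = "10.10.200.20"

# 1. RRAS state: the VPN role service must be installed and running. The "Routing"
#    (LAN Routing) role service is what lets RRAS forward between the dial-in
#    interface and the LAN adapter instead of only terminating tunnels.
Get-WindowsFeature RemoteAccess, Routing, DirectAccess-VPN |
    Select-Object Name, InstallState
Get-RemoteAccess | Format-List VpnStatus

# 2. IP forwarding on the LAN adapter and the RAS dial-in interface. Without it the
#    server answers packets addressed to itself (ping and RDP to 10.10.x.x work) and
#    drops everything else, which matches "ssh times out from the client but works
#    from the server".
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -eq $LanAdapter -or $_.InterfaceAlias -like "RAS*" } |
    Select-Object InterfaceAlias, Forwarding, ConnectionState
# Enable it if it shows Disabled (RRAS normally sets this itself once routing is on).
Set-NetIPInterface -InterfaceAlias $LanAdapter -AddressFamily IPv4 -Forwarding Enabled

# 3. Baseline from the server itself; the thread says this already succeeds.
Test-NetConnection -ComputerName $LinuxHost -Port 22

# 4. Return path inside the VPC. The Linux host replies to the client's pool address,
#    which is not the server's own address, so two AWS-side settings matter:
#    a) the RRAS instance must be allowed to forward traffic for other addresses,
#       i.e. the source/destination check must be off (AWS CLI, placeholder id):
aws ec2 modify-instance-attribute --instance-id i-PLACEHOLDER --no-source-dest-check
#    b) replies for the pool must come back to this instance: either the VPC route
#       table carries the pool prefix with this instance as target, or RRAS NATs the
#       clients behind its own address, in which case the pool never appears in the VPC.
```

Work through the steps in order: if step 2 shows Forwarding as Disabled on either interface, the server is the problem regardless of AWS settings; if forwarding is on and the server can reach the host but the client still cannot, the packets are leaving the server and being dropped on the return path, which is where the source/destination check and the VPC route table in step 4 come in.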