PPTP VPN not allowing traffic past VPN server

Question
-
Hi All!
I am not a VPN person at all and need my hands held here. I've followed every guide I can find online to create a PPTP VPN server and have executed them to have only half of a solution. Clients can connect to my server but 1 - Can't access anything past the server and 2 - Can not access remote desktop sessions internally because they can't access anything beyond the VPN server
Here's my setup;
- External gateway has an external address of 1.2.3.4 and an internal address of 192.168.0.1 subnet 255.255.255.0 and is port forwarding 1723 to VPN server
- VPN server has routing and remote access installed and is at 192.168.0.75 subnet 255.255.255.0 running windows server 2016. Has 4 internally connected ethernet cards if needed but am only pushing VPN traffic through the gateway to 1 card. VPN server is set to give VPN clients DHCP addresses
- internal servers - dhcp and dns server - 192.168.0.117
- I am testing with an offsite laptop with an external address of 5.6.7.8 and an internal address of 192.168.1.10 subnet 255.255.255.0 with no firewall turned on
Questions - 1 - do I need static routing setup on the VPN server and if so, how does that look?
2 - Should I have NAT setup on the VPN server and if so, how does that look?
3 - Do I need DHCP relay agent?
4 - Do I need the IGMP?
Thank you very much for any help you can lend and stay safe out there!
Sunday, June 28, 2020 1:43 AM
All replies
-
Hi,
Here are some workarounds for the VPN connection; please refer to them and do some troubleshooting.
Then refer to this article to allow all the flow to go through the VPN tunnel.
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Best regards,
Cherry
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by CherryZhang2020 (Microsoft contingent staff) Thursday, July 9, 2020 2:07 AM
- Proposed as answer by CherryZhang2020 (Microsoft contingent staff) Monday, July 13, 2020 1:41 AM
- Unproposed as answer by kevindjackson Tuesday, July 14, 2020 12:05 PM
Monday, June 29, 2020 6:32 AM -
Hi,
Just want to confirm the current situations.
Please feel free to let us know if you need further assistance.
Best Regards,
Cherry
Wednesday, July 1, 2020 1:48 AM -
Hey Cherry,
Thanks for the ideas. Just so everyone knows, I'm on vacation now until July 13 and won't be trying anything out until then. Not sure what the time limitations are on this forum? Can I keep this running until I'm back to work and can try this stuff out?
I'll let you know how it all works out for me then. Thank you for your ideas!!
Wednesday, July 1, 2020 5:12 PM -
Hi,
As long as you post here, we will reply to you.
Have a nice holiday!
Best regards
Cherry
Thursday, July 2, 2020 1:21 AM -
Hey Cherry,
I'm back in the office and have checked over the links you've sent. I do believe I may need to setup NAT internally on the VPN server, but how do I do this without crashing my internal network? I've found that if I apply NATing to my VPN server, the server itself becomes not responsive after a time.
A big piece of information I should have shared; I am doing all of this in Microsoft Server 2016 and have followed the online tutorials on how to set this up. None of the things I've found have addressed NAT. Do I need NAT to move past the VPN server?
Thanks again!
Tuesday, July 14, 2020 12:04 PM -
Hi,
Please follow the steps to configure NAT on PPTP VPN:
https://www.nasirhafeez.com/pptp-vpn-nat-on-windows-server-2019/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
After configuration, if the server becomes not responsive after a time, analyze the configuration under the port.
Check whether there is a "nat enable" rule. This configuration will cause the traffic to be preferentially converted to NAT. Delete this line of configuration. At the same time, the peer interface has the same configuration; delete it as well. After deleting, test the remote communication.
This "Network Infrastructure Servers" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.
Best regards
Cherry
"Network Infrastructure Servers" forum will be migrating to a new home on Microsoft Q&A!
We invite you to post new questions in the "Network Infrastructure Servers" forum's new home on Microsoft Q&A!
For more information, please refer to the sticky post.
- Edited by CherryZhang2020 (Microsoft contingent staff) Wednesday, July 15, 2020 6:32 AM
Wednesday, July 15, 2020 6:31 AM -
Hi Cherry,
Thanks again for hanging in there with me! Can you expand on this, "Check whether there is a nat enable rule" idea. Where am I analyzing the configuration under the port? Also, you've said, "at the same time, the peer interface has the same configuration". Where is that located as well?
The main problem I have is that after a client establishes the VPN connection, they can't see anything on the local network past the VPN server. Are we right in attacking the NAT side of things still?
Thanks again!!
Kevin
Wednesday, July 15, 2020 12:02 PM -
Hi,
Would you please ping the VPN gateway and a resource behind the VPN from the local client? Although the connection was built, traffic may not pass through the VPN.
Best regards
Cherry
- Edited by CherryZhang2020 (Microsoft contingent staff) Thursday, July 16, 2020 2:11 AM
Thursday, July 16, 2020 2:11 AM -
Hi,
Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
Best regards
Cherry
- Edited by CherryZhang2020 (Microsoft contingent staff) Monday, July 20, 2020 1:48 AM
Monday, July 20, 2020 1:48 AM -
Hi Cherry,
Apologies for the late reply. When I ping physically on the local network from a client machine, I can reach everything on it. When I ping from the VPN server to the rest of the network, I have the same response. When I ping from a client who has established a VPN connection to the server, I can only ping the server, nothing else on the network. Nothing else on the network can ping the VPN client except the VPN server.
Thanks again!
Kevin
Monday, July 20, 2020 1:26 PM -
Hi,
Can you ping the LAN address of the VPN gateway?
The LAN address of the VPN gateway is special in the regard that this address doesn’t need to be routed at all. So if you can ping that address but no other remote address, it is most likely a routing issue at the remote end.
Is your VPN gateway the default gateway (router) of its network?
If the VPN gateway is not the default gateway, you will in many cases need a suitable routing setup in order for responses to reach you. Whenever a device doesn’t know how to reach an IP address directly, it forwards its reply to its default gateway and if that isn’t the VPN gateway, it won’t know what to do with that reply data. In that case it's important to configure the default gateway to forward replies to VPN users to the VPN gateway.
Best regards
Cherry
- Edited by CherryZhang2020 (Microsoft contingent staff) Tuesday, July 21, 2020 6:31 AM
Tuesday, July 21, 2020 6:31 AM -
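The return-path problem described in the reply above, modeled as an added example that is not part of the original thread: a longest-prefix-match trace of a LAN host's reply to a VPN client, with and without a static route on the default gateway. The LAN addresses are the ones given in the question; the VPN client pool `10.10.10.0/24` and the client address `10.10.10.2` are assumptions constructed for illustration.

```python
import ipaddress

LAN = "192.168.0.0/24"        # from the thread
GATEWAY = "192.168.0.1"       # external gateway, LAN side (from the thread)
VPN_SERVER = "192.168.0.75"   # RRAS server (from the thread)
DHCP_DNS = "192.168.0.117"    # internal server (from the thread)
VPN_POOL = "10.10.10.0/24"    # ASSUMPTION: constructed VPN client pool
VPN_CLIENT = "10.10.10.2"     # ASSUMPTION: constructed client address
TERMINAL = ("delivered", "internet", "on-link")

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in routes
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace_reply(tables, start, dst, max_hops=8):
    """Follow a packet from `start` toward `dst`; return the list of hops."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = lookup(tables.get(node, []), dst)
        if hop is None:
            return path + ["dropped"]
        path.append(hop)
        if hop in TERMINAL:
            return path
        node = hop
    return path + ["loop"]

def build_tables(gateway_has_vpn_route):
    """Routing tables of the three devices; optionally add the static route."""
    tables = {
        DHCP_DNS: [(LAN, "on-link"), ("0.0.0.0/0", GATEWAY)],
        GATEWAY: [(LAN, "on-link"), ("0.0.0.0/0", "internet")],
        VPN_SERVER: [(LAN, "on-link"), (VPN_POOL, "delivered")],
    }
    if gateway_has_vpn_route:
        # Static route on the default gateway: VPN pool via the VPN server.
        tables[GATEWAY].append((VPN_POOL, VPN_SERVER))
    return tables

if __name__ == "__main__":
    for fixed in (False, True):
        hops = trace_reply(build_tables(fixed), DHCP_DNS, VPN_CLIENT)
        print("static route on gateway:", fixed, "->", " -> ".join(hops))
```

Without the static route the reply follows the gateway's default route out to the internet and never returns to the tunnel; with it, the gateway hands the reply to the VPN server, which delivers it to the client.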
Hi Cherry,
Thanks for that explanation! Yes, that is the issue I am having but I don't know where to fix it. When a client connects to the VPN server from offsite, the default gateway is 0.0.0.0. Where do I change that? And where do I set up routing for clients to be able to pass through to the internal network? The VPN server is not my DHCP or DNS server. I have DHCP forwarding turned on in the VPN server settings. Do I need to set up static routes on the VPN server? Where do I make changes to allow traffic to be routed to the network?
Thanks again!
Kevin
Tuesday, July 21, 2020 12:29 PM -
Hi,
Are this VPN server and the other VPN client in the same subnet? If so, there is no need to change the default route.
If not, there are two ways to handle the default gateway. In the VPN connection properties on the client, Networking tab, IPv4 properties, Advanced, either check the "Use default gateway on remote network," or uncheck it.
When unchecked, all internet traffic uses the ISP without being hindered, but the client can still access all resources on the company network. An ipconfig /all shows a blank gateway setting for the PPP (VPN) properties. And it can ping everything, company resources and internet resources.
When checked, all internet traffic now goes through the company's gateway and firewall, and is restricted by the company's firewall and website restrictions, but it can access all company resources. An ipconfig /all shows 0.0.0.0 as the default gateway for the PPP (VPN) properties. And it can ping everything, company resources and internet resources.
Best regards
Cherry
- Edited by CherryZhang2020 (Microsoft contingent staff) Wednesday, July 22, 2020 7:25 AM
Wednesday, July 22, 2020 7:25 AM -
Hi,
Just want to confirm the current situations.
Please feel free to let us know if you need further assistance.
Best regards
Cherry
- Edited by CherryZhang2020 (Microsoft contingent staff) Friday, July 24, 2020 7:21 AM
Friday, July 24, 2020 7:21 AM -
Hi Cherry,
That's a negative on all that. Yes the client and server are on the same subnet. When the client connects to the server, it does receive a default gateway of 0.0.0.0. I have tried checking and unchecking the box you've suggested here but there is still no communication to the rest of the internal network.
Not sure what else to attack here...
Kevin
Tuesday, July 28, 2020 12:19 PM -
Hi again Cherry,
I forgot to mention that clients are not pingable from anything else on the internal network other than the VPN server as well. Is this because my VPN server is handling static IP addresses? Is there something that I need to set up to allow my regular DHCP server to hand out IP addresses instead of the VPN server doing that job?
Thank you in advance!
Kevin
Tuesday, July 28, 2020 12:35 PM