No Remotedesktop Connection to just a special server in domain

  • AlexanderBierig
    Junior Member
    • Apr 2025
    • 3

    No Remotedesktop Connection to just a special server in domain

    Hello
    I'm new to this forum and a complete novice when it comes to VPNs.
    To help explain the problem, I'll unfortunately have to go into a bit of detail.
    I run a small domain, hosted directly in my house, and another one whose external and internal names are identical.
    For many years, I used Microsoft Forefront TMG as my firewall, which I thought was very good. However, like so many good tools, Microsoft deprecated it about 15 years ago without replacement.
    I continued to use the firewall for a long time.
    On our travels (and we travel a lot—that's very easy as a retiree), I always logged into the internal servers, such as the web server, SQL server, and development computers, via RDP.
    The port forwarding was only known to the firewall and me.
    My travel laptop is Windows 10.
    For security reasons (and he's right), our foster son replaced the completely outdated Forefront with OPNSense (Linux and the reverse proxy concept are a very foreign world to me)
    and he set up OpenVPN for me (even more foreign to me).
    I can usually solve minor stumbling blocks myself, and then our foster son helps in disasters, and in some cases (like now), the internet helps.

    We operate a domain (the same name externally and internally), and OpenVPN accesses it via the internal web server – it works great. Really, really well.
    Our network consists of a big, fat server, and all clients, including the OPNSense firewall, are configured on this server as VMware machines (not ESX or anything like that, but pure VMware Workstations).
    For this reason, the large server called "Bigserver" isn't a domain member, but it does have a fixed IP address. It houses an entire domain with Exchange, a domain controller, a database server,
    and a web server, as well as some development computers.
    But the "Bigserver" is still its Server 2012 R2.
    The clients are a very old XP (yes, there's still antivirus for that), some are Windows 7, almost all of which are now Windows 10 or Server 2016 – only the FTP/web server is still a Server 2008 R2.
    I always log in to the respective computers via RDP to work, and I start and shut down the machines on the "big server" as needed. Just normal work.

    And that's exactly where the problem lies:
    Since switching to OPNsense and OpenVPN, I can no longer log in to the "Bigserver" via Remote Desktop over VPN. It only fails when I try to access it via VPN.
    At first, there was a DNS problem: since this server isn't a domain member, its IP was resolved to that of our provider. I adjusted the HOSTS file on my travel notebook to counteract this.
    Now the name resolution works, but I get a frozen screen snapshot of the "Bigserver" desktop. After about 10 seconds, the RDP connection is lost. Remote Desktop then tries this five more times before giving up.
    So I thought I'd help you: I log in to a client via RDP and from there I open an RDP session to the "Bigserver." The result is that the RDP connection to the "Bigserver" is established.
    Then the RDP connection to the (actually working) client freezes, and after about 10 seconds, the connection is interrupted.

    For further testing, I tested the whole thing again at home. I set up a hotspot on my smartphone and switched from Wi-Fi to the hotspot on my travel laptop.
    And then I discovered an astonishing side effect: For the duration of the frozen desktop of the remote desktop from the "Bigserver," the Wi-Fi is completely disrupted (I assume the DNS is messed up).
    When the RDP connection is then terminated, the Wi-Fi is working again (we listen to the radio over the internet and immediately notice the disruption in the Wi-Fi).

    What's unclear to me:

    Is the problem with Windows Server 2012 R2 or because this particular server isn't a member of the domain? As a server, it has a fixed internal IP.

    Has anyone had similar experiences?

    Or is the combination of Windows 10 LTSC 22H2 with OpenVPN 2.6.6 on a Server 2012 R2 via Remote Desktop incompatible?

    What about OpenVPN's DNS resolution?

    As I said, there are no problems on the laptop connecting to computers running XP, Windows 7, Server 2008 R2, or Server 2016.

    Excerpts from the log:
    2025-04-27 11:32:00 UDPv6 link remote: [AF_INET6]64:ff9b::d95b:36b5:1194
    2025-04-27 11:32:00 [vpn.XXXXXXXXXXXX] Peer Connection Initiated with [AF_INET6]64:ff9b::d95b:36b5:1194
    2025-04-27 11:32:01 open_tun
    2025-04-27 11:32:01 tap-windows6 device [OpenVPN TAP-Windows6] opened
    2025-04-27 11:32:01 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.200.10/255.255.255.252 on interface {3B4DEF7D-BC49-4871-8F2B-3B0311CE85B1} [DHCP-serv: 192.168.200.9, lease-time: 31536000]
    2025-04-27 11:32:01 Successful ARP Flush on interface [9] {3B4DEF7D-BC49-4871-8F2B-3B0311CE85B1}
    2025-04-27 11:32:01 IPv4 MTU set to 1500 on interface 9 using service
    2025-04-27 11:32:06 Initialization Sequence Completed
    2025-04-27 11:32:06 Register_dns request sent to the service
    2025-04-27 11:35:37 write UDPv6: Network is unreachable (WSAENETUNREACH) (fd=208,code=10051)
    2025-04-27 11:35:37 write UDPv6: Network is unreachable (WSAENETUNREACH) (fd=208,code=10051)
    2025-04-27 11:35:37 write UDPv6: Network is unreachable (WSAENETUNREACH) (fd=208,code=10051)
    2025-04-27 11:35:37 write UDPv6: Network is unreachable (WSAENETUNREACH) (fd=208,code=10051)
    ...many more entries like the ones above

    2025-04-27 11:36:28 write UDPv6: Network is unreachable (WSAENETUNREACH) (fd=208,code=10051)
    2025-04-27 11:36:29 write UDPv6: Network is unreachable (WSAENETUNREACH) (fd=208,code=10051)
    2025-04-27 11:36:29 write UDPv6: Network is unreachable (WSAENETUNREACH) (fd=208,code=10051)
    2025-04-27 11:36:30 [vpn.XXXXXXXXXXXX] Inactivity timeout (--ping-restart), restarting
    2025-04-27 11:36:30 SIGUSR1[soft,ping-restart] received, process restarting
    2025-04-27 11:36:31 TCP/UDP: Preserving recently used remote address: [AF_INET6]64:ff9b::d95b:36b5:1194
    2025-04-27 11:36:31 setsockopt(IPV6_V6ONLY=0)
    2025-04-27 11:36:31 UDPv6 link local (bound): [AF_INET6][undef]:0
    2025-04-27 11:36:31 UDPv6 link remote: [AF_INET6]64:ff9b::d95b:36b5:1194
    2025-04-27 11:36:34 write UDPv6: Network is unreachable (WSAENETUNREACH) (fd=208,code=10051)
    2025-04-27 11:36:34 Network unreachable, restarting
    2025-04-27 11:36:34 SIGUSR1[soft,network-unreachable] received, process restarting
    2025-04-27 11:36:35 TCP/UDP: Preserving recently used remote address: [AF_INET]217.91.54.181:1194
    2025-04-27 11:36:35 UDPv4 link local (bound): [AF_INET][undef]:0
    2025-04-27 11:36:35 UDPv4 link remote: [AF_INET]217.91.54.181:1194
    2025-04-27 11:37:35 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    2025-04-27 11:37:35 TLS Error: TLS handshake failed
    2025-04-27 11:37:35 SIGUSR1[soft,tls-error] received, process restarting
    2025-04-27 11:37:36 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.100.17:1194
    2025-04-27 11:37:36 UDPv4 link local (bound): [AF_INET][undef]:0
    2025-04-27 11:37:36 UDPv4 link remote: [AF_INET]192.168.100.17:1194
    2025-04-27 11:38:36 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    2025-04-27 11:38:36 TLS Error: TLS handshake failed
    2025-04-27 11:38:36 SIGUSR1[soft,tls-error] received, process restarting
    2025-04-27 11:38:37 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.100.17:1194
    2025-04-27 11:38:37 UDPv4 link local (bound): [AF_INET][undef]:0
    2025-04-27 11:38:37 UDPv4 link remote: [AF_INET]192.168.100.17:1194
    2025-04-27 11:39:37 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    2025-04-27 11:39:37 TLS Error: TLS handshake failed

    German text translated by Google Translate

    Greetings
    Alex
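An added example, not from the post and not part of OpenVPN itself, that parses a client log like the excerpt above and summarises the reconnect loop: it counts the failed UDP writes, lists the SIGUSR1 restart reasons and every gateway endpoint OpenVPN tried, and flags any endpoint in RFC 1918 or IPv6 ULA space, since a gateway address in that range can only come from internal (split-horizon) name resolution and is unreachable while the tunnel is down. The sample lines are constructed to mirror the post's excerpt.

```python
import ipaddress
import re

# Constructed sample modelled on the OpenVPN 2.6 client log excerpt in the post (not the poster's own lines).
SAMPLE_LOG = """\
2025-04-27 11:35:37 write UDPv6: Network is unreachable (WSAENETUNREACH) (fd=208,code=10051)
2025-04-27 11:35:37 write UDPv6: Network is unreachable (WSAENETUNREACH) (fd=208,code=10051)
2025-04-27 11:36:30 SIGUSR1[soft,ping-restart] received, process restarting
2025-04-27 11:36:31 UDPv6 link remote: [AF_INET6]64:ff9b::cb00:710a:1194
2025-04-27 11:36:34 SIGUSR1[soft,network-unreachable] received, process restarting
2025-04-27 11:36:35 UDPv4 link remote: [AF_INET]203.0.113.10:1194
2025-04-27 11:37:35 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-04-27 11:37:35 SIGUSR1[soft,tls-error] received, process restarting
2025-04-27 11:37:36 UDPv4 link remote: [AF_INET]192.168.100.17:1194
2025-04-27 11:38:36 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""
LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (.*)$")
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\](\S+)$")
SIGUSR1_RE = re.compile(r"SIGUSR1\[soft,([a-z-]+)\]")
# Address space a road-warrior client should never be dialling its VPN gateway on:
# RFC 1918 and IPv6 ULA ranges are only reachable once the tunnel is already up.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def analyze(log_text):
    # Summary of the reconnect loop: failed writes, restart reasons, endpoints tried, internal endpoints.
    s = {"unreachable_writes": 0, "restarts": [], "remotes": [], "internal_remotes": [], "tls_timeouts": 0}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if "Network is unreachable" in msg:
            s["unreachable_writes"] += 1
        elif (sig := SIGUSR1_RE.search(msg)):
            s["restarts"].append(sig.group(1))
        elif (r := REMOTE_RE.search(msg)):
            addr, port = r.group(1).rsplit(":", 1)  # IPv6 literals contain ':' too: split once from the right
            s["remotes"].append((addr, int(port)))
            if is_internal(ipaddress.ip_address(addr)):
                s["internal_remotes"].append(addr)
        elif "TLS key negotiation failed" in msg:
            s["tls_timeouts"] += 1
    return s

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run it against the real client log to see whether the gateway endpoint tried after a restart lies in the internal range; if it does, check which resolver answered for the VPN hostname while the tunnel was up.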