Posted: 4/16/2024 7:59:06 PM EDT
I have a somewhat different situation. I have a work-supplied desktop that is kept within my home network. That desktop machine has GlobalProtect installed on it so I can access the corporate VPN.

When I am at home, I RDP into that desktop from my MacBook and can do everything I need to do on the desktop, including connecting to the corporate VPN.

I set up OpenVPN on my router (built in on my Netgear router) so that I can travel with my MacBook and work from other locations (this is authorized by my employer). I simply connect to OpenVPN from wherever I'm at and RDP to the desktop machine at home, no problem.

The only hangup is GlobalProtect. When I try to open a VPN connection from the desktop to the corporate network while I'm RDP'd to the desktop over OpenVPN, the connection starts to happen, then I lose connection to the desktop and am asked to log in again. When the RDP session resumes after login, the GlobalProtect VPN connection has dropped.

Again, I can do this with no issue when I'm actually on my home network, but it doesn't work when I'm connected to my home network via VPN.

Any ideas what the issue could be? I know this could potentially be an issue with either OpenVPN or GlobalProtect. I'm curious if there could be a setting I'm missing in OpenVPN that would make it look like I'm REALLY on my home network?
Link Posted: 4/16/2024 9:17:02 PM EDT
[#1]
Actually, I think I might have stumbled across a potential issue.

The IP address of my laptop (connected to the OpenVPN) is 192.168.2.2, and shows up as an OpenVPN device in my router's connected devices as having the same value.

My work computer has a static IP of 192.168.1.15, and my router's gateway is 192.168.1.1.

Would adding a static route to my work Windows machine possibly help?
Link Posted: 4/16/2024 9:20:14 PM EDT
[#2]
Your company likely doesn't permit split tunneling when their VPN is connected. This is preventing you from routing back over your OpenVPN connection. Not much you can do about it unless they will grant you a policy exception.
Link Posted: 4/16/2024 9:22:33 PM EDT
[#3]
Quoted:
Your company likely doesn't permit split tunneling when their VPN is connected. This is preventing you from routing back over your OpenVPN connection. Not much you can do about it unless they will grant you a policy exception.
View Quote


Is there a way to configure OpenVPN to do full tunnel?
Link Posted: 4/16/2024 9:53:07 PM EDT
[#4]
Not likely, the restriction is on the corporate VPN side.
Link Posted: 4/16/2024 10:11:48 PM EDT
[#5]
Quoted:
Not likely, the restriction is on the corporate VPN side.
View Quote


Hmm, I don't know, I was discussing it with the head of network security today and we were coming up with different things to try, but with no luck.
Link Posted: 4/16/2024 10:21:38 PM EDT
[#6]
Quoted:
Your company likely doesn't permit split tunneling when their VPN is connected. This is preventing you from routing back over your OpenVPN connection. Not much you can do about it unless they will grant you a policy exception.
View Quote



This is correct.
Link Posted: 4/16/2024 10:26:55 PM EDT
[#7]
What's happening is a routing problem on the work desktop. It knows what the local home network is because it's a local network. The work VPN is routing all other subnets down its VPN tunnel. Since your OpenVPN is a different subnet handled by the default gateway, the work computer is routing your OpenVPN packets to your work VPN as it takes the default gateway position.

You need to add a static route on the work computer to say 192.168.2.0/24 goes to 192.168.1.1 and hope the work VPN doesn't override it.

Alternatively, and maybe a better idea if you can do it, is to tell your router to NAT your OpenVPN traffic into your internal network. Then the connection to the desktop would look like it's coming from the router (192.168.1.1) and no routing changes to the desktop are required.
Link Posted: 4/27/2024 3:03:31 PM EDT
[#8]
Quoted:
What's happening is a routing problem on the work desktop. It knows what the local home network is because it's a local network. The work VPN is routing all other subnets down its VPN tunnel. Since your OpenVPN is a different subnet handled by the default gateway, the work computer is routing your OpenVPN packets to your work VPN as it takes the default gateway position.

You need to add a static route on the work computer to say 192.168.2.0/24 goes to 192.168.1.1 and hope the work VPN doesn't override it.

Alternatively, and maybe a better idea if you can do it, is to tell your router to NAT your OpenVPN traffic into your internal network. Then the connection to the desktop would look like it's coming from the router (192.168.1.1) and no routing changes to the desktop are required.
View Quote


@Foxxz

NAT is accomplished using the "static route" configuration in my router, correct?

I'm home now and can experiment with this without affecting my work. I've changed my internal IP addresses in my router so I'm not likely to have conflicting IPs with any remote network I may be on.

My new home LAN IPs are 192.168.87.*, and my gateway is 192.168.87.1.

My VPN, when I connect from another network, now assigns my laptop an IP address of 192.168.88.*.

Since my router is acting as my OpenVPN "server," I really can't configure the VPN server in any meaningful way.

I am able to add static routes on my router, the screen is asking for Destination IP Address, IP Subnet Mask, Gateway IP Address, and Metric.

Is this likely to help? If so, what values would I be entering there?
Link Posted: 4/27/2024 5:33:37 PM EDT
[#9]
Quoted:


@Foxxz

NAT is accomplished using the "static route" configuration in my router, correct?
No, unfortunately not. Static routes are a manual way to tell the router where to send traffic for particular networks. Since your router is handling the OpenVPN connection, it already knows how to route it. If your router has an option to NAT the VPN traffic, that would be ideal, but I'm going to guess it doesn't or there's not an easy button to accomplish that.

I'm home now and can experiment with this without affecting my work. I've changed my internal IP addresses in my router so I'm not likely to have conflicting IPs with any remote network I may be on.

My new home LAN IPs are 192.168.87.*, and my gateway is 192.168.87.1.

My VPN, when I connect from another network, now assigns my laptop an IP address of 192.168.88.*.

Since my router is acting as my OpenVPN "server," I really can't configure the VPN server in any meaningful way.

I am able to add static routes on my router, the screen is asking for Destination IP Address, IP Subnet Mask, Gateway IP Address, and Metric.

Is this likely to help? If so, what values would I be entering there?
View Quote


See reply in blue above.

Does the OpenVPN configuration have an option for bridging the VPN to the home network? Sometimes this is also called a "Layer 2" VPN. That would also be a good option.


Otherwise you would need to add a static route onto your work machine. You would tell it the destination IP is "192.168.88.0", the subnet mask is "255.255.255.0" (or a CIDR mask of 24), and the gateway is "192.168.87.1", and the metric can be left to a default value (or 10 if it really needs it). Entering this into your router would have no effect, or worst case, really confuse it and break your VPN.

Even if you add a static route to your work machine, there's still a chance it wouldn't work, as many workstation VPNs overwrite existing routes.

You can Google for how to add static routes for your particular flavor of Windows.
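
Added example, not part of any post in this thread: a small Python model of the work desktop's route lookup (longest prefix first, then lowest metric), showing why RDP replies to the 192.168.88.* client go into the work tunnel and what the static route and router-NAT options from replies #7 and #9 change. The interface labels, metrics, tunnel gateway 10.255.0.1, laptop address 192.168.88.2 and the `overwrite` behaviour are assumptions made for illustration, not any vendor's actual behaviour.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    dest: str      # destination network in CIDR form
    gateway: str   # next hop, or "on-link" for a directly attached network
    iface: str     # hypothetical interface label
    metric: int

def lookup(table, dst_ip):
    """Pick the route for dst_ip: longest prefix wins, then lowest metric."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [r for r in table if dst in ipaddress.ip_network(r.dest)]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r.dest).prefixlen, -r.metric))

# Constructed routing table for the work desktop on the home LAN.
HOME = [
    Route("192.168.87.0/24", "on-link", "lan", 25),
    Route("0.0.0.0/0", "192.168.87.1", "lan", 25),
]
# Static route with the values given in reply #9.
STATIC = Route("192.168.88.0/24", "192.168.87.1", "lan", 10)

def vpn_connect(table, overwrite=False):
    """Simplified full-tunnel client: installs a preferred default route via the
    tunnel. With overwrite=True it also removes every route that is not on-link
    (assumed model of a client that overwrites existing routes)."""
    kept = [r for r in table if r.gateway == "on-link"] if overwrite else list(table)
    return kept + [Route("0.0.0.0/0", "10.255.0.1", "corp-vpn", 1)]  # constructed gateway

def reply_path(table, peer_ip):
    """Interface the desktop would use to answer a peer (e.g. the RDP client)."""
    route = lookup(table, peer_ip)
    return route.iface if route else None

LAPTOP = "192.168.88.2"  # constructed OpenVPN client address in 192.168.88.*
ROUTER = "192.168.87.1"  # source address the desktop sees if the router NATs VPN traffic

if __name__ == "__main__":
    cases = {
        "work VPN down": (HOME, LAPTOP),
        "work VPN up, no static route": (vpn_connect(HOME), LAPTOP),
        "work VPN up, static route kept": (vpn_connect(HOME + [STATIC]), LAPTOP),
        "work VPN up, static route overwritten": (vpn_connect(HOME + [STATIC], True), LAPTOP),
        "work VPN up, router NATs VPN clients": (vpn_connect(HOME, True), ROUTER),
    }
    for name, (table, peer) in cases.items():
        print(f"{name:40s} reply to {peer} leaves via {reply_path(table, peer)}")
```

On the real desktop, comparing the output of `route print` before and after the work VPN connects shows which of these cases applies.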