My business was working happily away last Tuesday, then out of nowhere, mid-afternoon, our RRAS stopped accepting connections with the common error "An existing connection was forcibly closed by the remote host."
Since then, we've been madly rerouting folks to OpenVPN to get them access to a proprietary application on-prem. One requirement of the application is that there must be a LOS to the internal DC, and the whatismyip query must equal our WAN public IP. I'd love to use split tunneling for performance, but this single-IP requirement is hard to satisfy.
In a nutshell, RRAS has been out of commission for a week and people are getting frustrated - and so am I.
UPDATE:
Question #1: Do I need an OpenVPN license to use OpenVPN on my Balance?
Remote User Access is all we need.
Question #2: Why is an Untagged VLAN the only option for routing?
No other network is available in the drop-down menu for Advanced > Remote User Access > Connect to Network. The subnet I am using currently does not have a DHCP scope in my domain DHCP server, so the IPs that OpenVPN clients get assigned are issued through the defined IP range in the OpenVPN network. Ideally, I would have OpenVPN go through our domain DHCP server. The full-tunnel OpenVPN is very slow, people are having a hard time reaching internal resources, and mapped drives are not connecting. I think my firewall rules are wrong or my OpenVPN DHCP settings are wrong, or both.
Question #3: What is your approach to Inbound traffic - DENY ALL, ACCEPT ALL with DENY rules?
I see a lot of unwanted traffic attempting connections to NAT mappings as soon as I enable them. I assume port scanning or brute-force attempts, so I have turned them all off. One thing I wonder is whether my Advanced > Firewall > Access Rules > Inbound Firewall Rules are permitting too much. I have also created many DENY rules to attempt to block unwanted traffic, and I think that may be causing some conflicts too, so I wonder if changing the Inbound Default to Any/Any/Any DENY would be helpful.
Question #4: Anyone have any configs that use split tunnel but broadcast a dedicated IP vs the client ISP gateway?
This is related to Q#2 but would be applicable if we used a split tunnel. We use a full tunnel now because the on-prem desktop app requires a LOS to our internal domain and must also present our WAN public IP address, due to Azure SQL firewall rules that say a user's IP address must equal our WAN public IP address. I wish we could use a split tunnel and satisfy the IP requirement.
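An added example (not part of the post above, and not Peplink's or OpenVPN's own code) of the usual answer to Q#4: keep the tunnel split, but route the internal subnets plus the specific destination prefixes the app needs to reach from the office IP (the Azure SQL endpoints and whatever host the app's whatismyip check talks to) through the tunnel, and let everything else use the client's ISP gateway. The office router then NATs that pinned traffic out of the WAN, so those destinations see the WAN public IP while bulk traffic never touches the VPN. All subnets and prefixes below are constructed placeholders (RFC 5737 test ranges stand in for the real Azure SQL and IP-check addresses); substitute the real ones and verify them against the provider's published ranges. The helper also answers the question a practitioner asks first: for a given destination, would this client route it via the tunnel or not.

```python
"""Generate OpenVPN split-tunnel 'route' lines and check which destinations
they capture. Example code, IPv4 only; all prefixes here are constructed."""
import ipaddress

# Constructed sample inputs (assumptions, not values from the post):
INTERNAL_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]      # office LAN where the DC lives
PINNED_DESTINATIONS = [
    "203.0.113.0/24",   # hypothetical Azure SQL endpoint range (TEST-NET-3)
    "198.51.100.7/32",  # hypothetical host behind the app's whatismyip check
]


def split_tunnel_routes(internal, pinned):
    """Return OpenVPN 'route <network> <netmask>' lines covering the internal
    subnets and the pinned destinations, with adjacent/overlapping prefixes
    collapsed so the client gets the smallest route set."""
    nets = [ipaddress.ip_network(n, strict=False) for n in internal + pinned]
    if any(n.version != 4 for n in nets):
        raise ValueError("IPv4 prefixes only in this example")
    collapsed = ipaddress.collapse_addresses(nets)  # sorted, merged
    return [f"route {n.network_address} {n.netmask}" for n in collapsed]


def server_push_lines(internal, pinned):
    """Same routes expressed as server-side 'push' directives. Note what is
    deliberately absent: no 'push \"redirect-gateway def1\"', which is what
    turns a split tunnel into a full tunnel."""
    return [f'push "{r}"' for r in split_tunnel_routes(internal, pinned)]


def tunneled(dst, internal, pinned):
    """Would traffic to dst leave via the tunnel under these routes?
    Mirrors the client kernel's longest-prefix match: any pushed route is more
    specific than the ISP default, so a hit means 'via tunnel'."""
    ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n, strict=False) for n in internal + pinned]
    return any(ip in n for n in nets)


def egress_ip_seen_by(dst, internal, pinned, wan_ip, isp_ip):
    """The IP a given destination observes: the office WAN IP only if the
    destination is tunneled and NATed at the office, else the client's ISP IP.
    This is the check the on-prem app's whatismyip requirement reduces to."""
    return wan_ip if tunneled(dst, internal, pinned) else isp_ip


if __name__ == "__main__":
    for line in server_push_lines(INTERNAL_SUBNETS, PINNED_DESTINATIONS):
        print(line)
    # Pinned Azure SQL host sees the WAN IP; a random web host sees the ISP IP.
    for dst in ("203.0.113.25", "198.51.100.7", "192.0.2.44"):
        print(dst, "->", egress_ip_seen_by(dst, INTERNAL_SUBNETS, PINNED_DESTINATIONS,
                                           wan_ip="WAN", isp_ip="ISP"))
```

Two caveats follow directly from the routing logic: if the app's IP-check endpoint is not in the pinned list, the check will report the user's ISP address even though the SQL traffic is correctly sourced from the WAN IP, so both must be pinned; and the office router still needs an outbound NAT rule for the VPN client subnet toward those destinations, otherwise packets leave with the 10.x client address and are dropped upstream.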