Enable RDP - trying to get incoming IP address

[Zolt]

Hi there.
I have an ASUS RT-AC66U_B1 router with Asuswrt-Merlin.
First of all, thanks for that wonderfull firmware! It is so stable and has so many bells and whistles, and on top, it's allowed from ASUS! That is so fantastic!

Background info:
I have a working setup already - I can connect through RDP from my work office to a specific computer on my LAN. For this, I've enabled Virtual Port forwarding for a specific IP that I've been given by one of the sys admins at work, to my specific computer at work.

Now, I need to do the same for another computer connected over a VPN, but I don't know the right IP of that particular PC. I tried "showmyip.com", but that only shows the proxy address, not the real IP trying to connect to my RPD session.

Could someone show/explain how I'd go about enabling the proper logging on the router so I can see "failled attemps" to connect to this RPD port?

Please let me know if the above info isn't enough, or if you have any other questions.

Thanks!

 

[ColinTaylor]

Now, I need to do the same for another computer connected over a VPN, but I don't know the right IP of that particular PC. I tried "showmyip.com", but that only shows the proxy address, not the real IP trying to connect to my RPD session.

Where is the computer you are connecting from? At work or at home.
Where is the remote computer?
What device is running the VPN client?
What device is running the VPN server?

 

[Zolt]

Hi @ColinTaylor
Sorry - I do understand that was a bit of a confusing question. I'll try my best to give proper details.


What is working :
- Source computer is on the work network
- Destination is on my home lan
For that, I have a redirection based on source IP/port combination to only allow specific address to go through.

What doesn't work :
- Source computer is on a VPN (still from work, but that is besides the point)
- Destination is on my home lan
For this, I'm trying to figure out the IP of the Source to be able to do the redirection as in the example above.

VPN server is from work - I don't know what it is.
VPN client is CISCO AnyConnect - there are rules that are enforced by the work network policies, so I can't change things like routing.

Don't hesitate to let me know if my explanations are not complete yet.

Cheers! (and stay safe!!!)

 

[ColinTaylor]

Let me take a guess at this...

The PC you're using is at a remote location (coffee shop, hotel, etc.).
This PC is running the AnyConnect VPN client and connecting to the company's VPN server.
You want to go via this VPN connection (PC -> company LAN) and back out across the internet to your home router (which has RDP forwarded to the LAN PC).

Is that close?

 

[Zolt]

It's close.
The PC I'm using (work laptop) is in my home-lan, but connected to the Work VPN through my ASUS router.
Policies pushed by the work network prevent local routing - that is fully understandable.
I want to connect via this (main) VPN connection (PC -> lan router -> Company VPN) and back across the internet to my home router (which has RDP forwarded to the LAN PC for specific IP address).

A bit more info.
At work, we have multiple VPNs. There is the main VPN (what I want to use), and we have others that allow us to connect to different parts of the nework (DEV / STG / PROD).
If I am to connect through our STG VPN - for which I have the outbound IP address - I can use my lan RDP because I can set a specific port forwarding for that particular IP.
However, I can't while connected to the main VPN.

So coming back to my original question (which was poorly written!!!)...
This is why I'm trying to see the rejected IP from some log file on my router to be able to add a port forwarding rule, and thus allow RDP for that particular IP.

...rereading my descriptions, it sounds so confusing....hope it is clear enough.
All that "work from home" adds the extra complexity

Thanks for your help!

 

[ColinTaylor]

So coming back to my original question (which was poorly written!!!)...
This is why I'm trying to see the rejected IP from some log file on my router to be able to add a port forwarding rule, and thus allow RDP for that particular IP.

The simple approach would be to temporarily remove the source IP restriction in your port forwarding rule. Then attempt the RDP connection via the desired VPN.

If that is successful then you could look at things like log files or the router's active connections (System Log - Active Connections) to determine the source address.

However, if you cannot connect then you will know that this will not work without the company IT department making changes to their network (e.g routing, firewall, etc.).

 

[Zolt]

OK makes sense - should have tried this before indeed.
Thanks! Will go this route.

...but, the question about logging still exists as I don't know where to look for these logs. Would you happen where I can see these?
Again, I do have ssh access to the box. I'm just not a Unix expert and don't know where to look for.

Many thanks for your help!

 

[ColinTaylor]

...but, the question about logging still exists as I don't know where to look for these logs. Would you happen where I can see these?

If you can log into the router's GUI you can look from the incoming connection at System Log > Active Connections.

Again, I do have ssh access to the box. I'm just not a Unix expert and don't know where to look for.

If you can SSH to the router while the RDP connection up you can see the connection by using this command:

netstat-nat -n -D

 

[Zolt]

Oh well. Looks like VPN is blocking the RDP port.

Hey @ColinTaylor ! I wanted to give you a GREAT thank for your help and patience.
This helped me a great lot!

 

[Phil Outram]

What type of vpn client is being used? You state that policy is blocking local routing however if this is a vpn natively configured in Windows then you could perhaps enable a split tunnel vpn by unchecking 'use remote gateway' in the vpn connection properties under ipv4 advanced settings. With this option deselected only traffic destined for the remote vpn subnet will be tunnelled down the vpn with everything else going straight out including the local subnet.

 

[Klueless]

The PC you're using is at a remote location (coffee shop, hotel, etc.)

I'm probably way off base here. When you're home you can VPN to work. When you're at work you can RDP to your favorite home computer.

But now you're at a 3rd site? You can VPN to work but while you're "virtually" at work you cannot RDP to your special computer at home? If you don't need the "synergy" why not VPN to your home network and then run RDP to that special computer?

I know I'm going to get teased but PPTP tunneling is the easiest to set up. It's been awhile but, last I looked, PPTP is built-in / already included with Windows. You then set your Asus Router to be a PPTP VPN Server. You then set a range of IP addresses that you hand out to your tunnel clients (namely yourself at the corner pub). These addresses would be in the same subnet range that your Asus lives in but not any of the addresses in your Asus DHCP pool.

(For example: Asus router is 192.168.1.1 and its current DHCP pool is, say, 192.168.1.50 to 192.168.1.150 so you could let your PPTP server hand out addresses at, say, 192.168.1.200 to 192.168.1.210)​

Now your VPN client appears to be on the same subnet as your home Asus router and that special home computer of yours and RDP should "just work"?

Might not be quite what you want as you would VPN to work, disconnect and then VPN to home to visit with that special computer. But, it would give you that secure, point to point encryption that I believe you're looking for?

And, no, I don't know how to read log files either.

 

[ColinTaylor]

I'm probably way off base here...

Yes, that's not his setup. My guess in post #4 was wrong. He explained it in post #5.

The issue (which can only be resolved by the company IT department) is that when he's at work (either physically or via remote VPN) he chooses which internal VPN network* he wants to work on. It is these internal VPNs that are the issue. His IT department has made the necessary changes that allows him out through the firewall when he's connected to the internal STG network, but now he wants the same change to be made to the internal "main" network.

I think many readers of this forum will not be familiar with this kind a setup unless they have worked in software development.

EDIT: I think the dual use of the word "VPN" makes this confusing. For the internal company network a "VPN" is a separate network that is isolated from the other networks (more so than just a VLAN). This is different from our normal use of VPN which is to connect to a private network from across the internet.

 

[Zolt]

@PhilOutram, we use the CISCO AnyConnect, provided/installed/configured by the company's network team. It is also managed by network policies pushed down to our workstations, and the settings are closed to us - I cannot change these type of configurations. However, thanks for the idea!

Thanks to both of you @Klueless and @ColinTaylor for the extra added info.

Just to make explanatin simpler (trying to...), my situation is weird as I am now home (on my work LapTop), connected through a real VPN to the work network, but want to go back out to join my home server through RDP.

[Home] -> {vpn} -> [Work] ->--+
^ |
| |
+--------------<<<----------+
(sorry - above didn't come out as clear as I wanted - but it's a circular path)
It's kind of a weird situation. I know that the above description might be a bit simplified.

So, again, following @ColinTaylor suggestion, I've removed all the rules regarding RDP on the port forwarding page on the router, and created a new one that doesn't specify the source IP. this way, if the connection was successful, I could see the source IP and update the rule so I only allowed that IP. Unfortunately, the connection wasn't successful, so this means the VPN I'm connected to blocks this port.

In the above, {vpn} seems to be the where the port is blocked.

Again, thanks to all who tipped in - even though I can't RDP to my home machine, I understand better all the situation
Sometimes, explaining to others make you realize things you didn't think about before...

 

[Klueless]

Sometimes, explaining to others make you realize things you didn't think about before...

How true! Years ago I was cleaning out the basement and found an old Howdy Doody puppet. I brought him into work and set him on a far corner of my desk. When I was working through a (work related) problem I would sometimes take a timeout and explain my dilemma to Howdy. Often, in the middle of explaining things to Howdy, light bulbs would light and I'd suddenly see the solution. Luckily, I was usually alone. (Or, perhaps, that's why I was alone?)

 

[ColinTaylor]

@Zolt If you put your diagram inside a CODE block it will preserve the spacing:

[Home] -> {vpn} -> [Work] ->--+
  ^                           |
  |                           |
  +--------------<<<----------+

In the above, {vpn} seems to be the where the port is blocked.

I don't believe that's where it's being blocked. It's being blocked by the company's firewall on the outgoing connection. This is a common situation. Companies will block all outgoing connections by default and then make individual exceptions in the firewall where necessary.

[Home]--{vpn client} ----> [Work]--{vpn server}--{main LAN}--+-----+-----+
  ^                                      |            |      |     |     |
  |                                      |            |    {DEV} {STG} {PROD}
  |                                      |            |      |     |     |
  |                                   ---+------------+------+-----+-----+----
  |                                  |   x            x      x     |     x    | <-- Firewall (outbound)
  |                                   -----------------------------+----------
  |                                                                |
  +------------------------------<<<-------------------------------+

NB: There's also a firewall on the incoming connection between the internet and the work VPN server that I haven't drawn.

 

[Phil Outram]

Since you are using Cisco Anyconnect I have another idea for you. Do a route print in command prompt and take note of all the routes before connecting the vpn. Then connect it and do another route print. The cisco anyconnect client is likely just changing these settings.

If so it should be possible to write a script to add the routes back in using route add. This assumes that you have local administrative rights on the laptop.

 

[Zolt]

@ColinTaylor - thanks for the info and drawing - better skills than mine

@Phil Outram - thanks for the suggestion!
I'll surely give it a try - I'll let you know if I succeed!