1
Virtual private networks / OpenVPN: connectivity problems when hiding site behind vpn
« on: November 29, 2023, 02:28:38 pm »
I need some help from the network experts. I'm trying to create this scenario:
- 2 OPNsense installations (site1 and site2)
- both connected to the internet
- clients on site2 LAN should use the internet connection of site1 for all traffic, not only HTTP(S)
- the servers to which the clients connect should not be able to detect that site2 even exists
This is what I've done so far:
- create a site2site tunnel using this guide: https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html
- set "Redirect gateway" to "default" on site1 vpn config
- create "IN: allow any to any" firewall rules on site1 OpenVPN, site2 OpenVPN and site2 LAN
- create "OUT: block any destination except site1 public IP" rule on site2 WAN (to prevent accidently revealing site2 public IP)
- enable outbound NAT (hybrid mode) for any source on site1 WAN
Result:
- clients can access most web pages
- ifconfig.me shows public IP of site1
Problem:
- cannot log into Microsoft account
- login form shows up during first try
- when trying to submit the username, the connection drops
- the whole domain login.live.com is no longer accessible, including the login form that was successfully loaded before
- other domains are still accessible
- restarting all systems does not solve the problem (login form still not accessible)
- resetting the browser or using a private window makes the login form accessible again
=> looks like a ban from Microsoft side
Additional note:
- using the web proxy of site1 allows clients to successfully log into the Microsoft account using site1 public IP
Questions:
- How can Microsoft still detect the VPN configuration?
- How can I further debug the problem?
- 2 OPNsense installations (site1 and site2)
- both connected to the internet
- clients on site2 LAN should use the internet connection of site1 for all traffic, not only HTTP(S)
- the servers to which the clients connect should not be able to detect that site2 even exists
This is what I've done so far:
- create a site2site tunnel using this guide: https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html
- set "Redirect gateway" to "default" on site1 vpn config
- create "IN: allow any to any" firewall rules on site1 OpenVPN, site2 OpenVPN and site2 LAN
- create "OUT: block any destination except site1 public IP" rule on site2 WAN (to prevent accidently revealing site2 public IP)
- enable outbound NAT (hybrid mode) for any source on site1 WAN
Result:
- clients can access most web pages
- ifconfig.me shows public IP of site1
Problem:
- cannot log into Microsoft account
- login form shows up during first try
- when trying to submit the username, the connection drops
- the whole domain login.live.com is no longer accessible, including the login form that was successfully loaded before
- other domains are still accessible
- restarting all systems does not solve the problem (login form still not accessible)
- resetting the browser or using a private window makes the login form accessible again
=> looks like a ban from Microsoft side
Additional note:
- using the web proxy of site1 allows clients to successfully log into the Microsoft account using site1 public IP
Questions:
- How can Microsoft still detect the VPN configuration?
- How can I further debug the problem?