abrasive / nxBender

Open source client for netExtender SSL VPNs
BSD 3-Clause "New" or "Revised" License

Unable to sustain RDP connection over VPN #9

Open sinodave opened 4 years ago

sinodave commented 4 years ago

Don't know how to properly express my gratitude that you are working on this project! I really want to be able to remote into my work environment via my RPi4, but netExtender is obviously not working for me and I've run out of other solutions. That said...no luck connecting so far. My office uses a self-signed certificate and non-standard port, but I created a config file to house all of that info, and that seems to be working, but here is the output every time I try to connect:


INFO Logging in...
INFO Starting session...
WARNING Unexpected line in session start message: '}'
INFO Duplicated srv_options value ClientIPHigh = "192.168.168.200";
INFO Dialing up tunnel...
ERROR TLS/SSL connection has been closed (EOF) (_ssl.c:1829)
Traceback (most recent call last):
  File "/opt/nxBender/nxbender/ppp.py", line 71, in run
    stop = self._pump()
  File "/opt/nxBender/nxbender/ppp.py", line 116, in _pump
    stop = self.tunsock.write_from(self.pty)
  File "/opt/nxBender/nxbender/sslconn.py", line 79, in write_from
    self.write(data)
  File "/opt/nxBender/nxbender/sslconn.py", line 103, in write
    self.write_pump()
  File "/opt/nxBender/nxbender/sslconn.py", line 113, in write_pump
    self.s.sendall(buf)
  File "/usr/lib/python2.7/ssl.py", line 741, in sendall
    v = self.send(data[count:])
  File "/usr/lib/python2.7/ssl.py", line 707, in send
    v = self._sslobj.write(data)
SSLZeroReturnError: TLS/SSL connection has been closed (EOF) (_ssl.c:1829)
INFO Shutting down...

Really hoping this makes sense to someone...please let me know if there's anything else I could provide to help troubleshoot!

Thanks, David

abrasive commented 4 years ago

Hi David! Thanks for the report. There seem to be two major versions of the server out there which are incompatible, and I only have access to one to test with. Can you try adding the --use-swap commandline option?

sinodave commented 4 years ago

Thanks for the fast reply! Getting closer...it connects successfully, but a couple of things are off:

  1. After connecting, I'm unable to connect to any DNS apparently...if I try to ping www.google.com it just says "ping: www.google.com: Temporary failure in name resolution" but works again if I disconnect nxBender
  2. More importantly, the Remmina connection to my remote computer connects, but then almost immediately (maybe 5-10 seconds later) nxBender disconnects after displaying one of the following errors:

ERROR Connection reset by peer
ERROR pppd exited with code 16
ERROR Broken pipe <--this one is the most common

Here is the entire output:


INFO Logging in...
INFO Starting session...
WARNING Unexpected line in session start message: '}'
INFO Duplicated srv_options value ClientIPHigh = "192.168.168.200";
INFO Dialing up tunnel...
INFO Remote routing configured, VPN is up
ERROR Broken pipe
INFO Shutting down...

Here's what ifconfig outputs related to the ppp connection when the VPN is "up" in case that is helpful:

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 192.168.168.100 netmask 255.255.255.255 destination 192.0.2.1
        ppp txqueuelen 3 (Point-to-Point Protocol)
        RX packets 8 bytes 176 (176.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 45 bytes 4034 (3.9 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

When I run ifconfig from another computer with a working netExtender configuration, the only difference in the ppp0 output is that it says mtu=1280. inet, netmask, and broadcast values are all identical. It does give the following output upon connection, though:


You now have access to the following 4 remote networks:
192.168.1.0/255.255.255.0
10.1.10.0/255.255.255.0
10.0.0.0/255.255.255.0
10.3.0.0/255.255.255.0

This does not interfere with my ability to connect to other networks (it does mess up my local network sometimes, though...my LAN is also 192.168.1.* ...could that be causing these issues? That would be pretty embarrassing...

Thanks in advance! David

sinodave commented 4 years ago

Well...look at all the egg on my face!

I routed the RPi through my phone's mobile hotspot to rule out LAN interference issues, and it seemed to work just fine for as long as I left it connected. Looks like I may just need to change the subnet for my LAN...something tells me I'm not going to get my company to change theirs! Probably a full day's worth of troubleshooting to follow that, tracking down every place I ever saved the old subnet, but...

I guess you could kinda sorta call this a bug (?) since I can't be the only person in the world with a subnet clash issue and netExtender and the SonicWall Global VPN client software do not suffer from the same issue, but this may be the right time to close this report... :-D

Thanks for pointing me in the right direction with the --use-swap option; that definitely would not have crossed my mind! I'll update if the subnet change doesn't do the trick.

All the best! David
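Added example (not part of the thread and not nxBender's own code): a check for the subnet clash described above, run over `srv_option` lines in the format nxBender prints with --debug. It reports pushed routes that overlap a local network and pushed DNS servers whose address falls inside one; the function names and the caller-supplied list of local networks are assumptions.

```python
import ipaddress
import re

# Constructed sample: srv_option lines in the format of nxBender's --debug output.
SAMPLE_DEBUG = """\
DEBUG srv_option 'Route' = '192.168.1.0/255.255.255.0'
DEBUG srv_option 'Route' = '10.1.10.0/255.255.255.0'
DEBUG srv_option 'Route' = '10.0.0.0/255.255.255.0'
DEBUG srv_option 'Route' = '10.3.0.0/255.255.255.0'
DEBUG srv_option 'dns1' = '192.168.1.7'
DEBUG srv_option 'dns2' = '8.8.8.8'
"""

OPTION_RE = re.compile(r"srv_option '(?P<key>[^']+)' = '(?P<val>[^']*)'")


def parse_options(text):
    """Return (routes, dns_servers) pushed by the server (hypothetical helper)."""
    routes, dns = [], []
    for m in OPTION_RE.finditer(text):
        # Some values arrive wrapped as '"value";', so strip quotes and semicolons.
        key, val = m.group("key"), m.group("val").strip('";')
        if key == "Route":
            # ip_network accepts the address/netmask form the server sends.
            routes.append(ipaddress.ip_network(val, strict=False))
        elif key in ("dns1", "dns2"):
            dns.append(ipaddress.ip_address(val))
    return routes, dns


def find_clashes(text, local_nets):
    """Pair each pushed route with every local network it overlaps, and list
    pushed DNS servers whose address lies inside a local network."""
    routes, dns = parse_options(text)
    local = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    clashes = [(str(r), str(l)) for r in routes for l in local if r.overlaps(l)]
    shadowed_dns = [str(d) for d in dns if any(d in l for l in local)]
    return clashes, shadowed_dns


if __name__ == "__main__":
    for lan in ("192.168.1.0/24", "192.168.69.0/24"):
        print(lan, find_clashes(SAMPLE_DEBUG, [lan]))
```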

abrasive commented 4 years ago

Thanks for the test report! So you're saying that --use-swap resolved the fundamental issue with connection? That's great - because it means that I know how to talk to that version of the NX server. Now I just need to make detecting it automatic, do you reckon you could help me out with that? If you can run with --debug as well and post the output - but please make sure to remove personal information from the dump first :)

The subnet thing must be annoying. The person who set up my employer's network initially decided to use pretty much all the popular consumer subnets >:(
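Added example (not part of the thread and not nxBender's own code): one way to scrub a --debug dump before posting it, covering the fields in this dump format that identify a user, host or session: the login form fields, the `swap` cookie, the `Host` header, and the `SessionId` and `NELaunchX1.*` options. The rule list and function names are assumptions, and the sample values are constructed.

```python
import re

# Constructed sample in the shape of nxBender's --debug output (all values made up).
SAMPLE = (
    "send: 'POST /cgi-bin/userLogin HTTP/1.1\\r\\nHost: vpn.example.test:4433\\r\\n\\r\\n"
    "username=alice&domain=LocalDomain&password=hunter2&login=true'\n"
    "header: Set-Cookie: swap=Q09OU1RSVUNURUQ=; path=/;\n"
    "DEBUG srv_option 'SessionId' = 'Q09OU1RSVUNURUQ=;'\n"
    "DEBUG srv_option 'NELaunchX1.userName' = '\"alice\";'\n"
    "DEBUG srv_option 'Route' = '10.0.0.0/255.255.255.0'\n"
)

# The dump prints CR/LF as a literal backslash-r/backslash-n, so values end at a
# backslash as well as at whitespace, quotes or separators.
RULES = [
    (re.compile(r"(username|domain|password)=[^&'\s]*"), r"\1=[redacted]"),
    (re.compile(r"swap=[^;\\\s']+"), "swap=[redacted]"),
    (re.compile(r"Host: [^\\\s']+"), "Host: [redacted]"),
    (re.compile(r"(srv_option '(?:SessionId|NELaunchX1\.(?:userName|domainName))' = )'[^']*'"),
     r"\1'[redacted]'"),
]


def redact(text, extra_literals=()):
    """Apply the field rules, then blank any literal strings the caller names
    (for example the VPN hostname, which also appears in URL and connection lines)."""
    for pattern, repl in RULES:
        text = pattern.sub(repl, text)
    for literal in extra_literals:
        if literal:
            text = text.replace(literal, "[redacted]")
    return text


def leaks(text, secrets):
    """Return the known secrets that still appear in text; run this before posting."""
    return [s for s in secrets if s in text]


if __name__ == "__main__":
    print(redact(SAMPLE, extra_literals=["vpn.example.test"]))
```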

sinodave commented 4 years ago

Spoke too soon I guess...I changed my local subnet to 192.168.69.*, and that seems to have solved the DNS issue (I can ping outside the network and access the web), but the nxBender connection still drops after a few seconds of my Remmina connection. Here's the debug without --use-swap:

--BEGIN--
INFO Logging in...
DEBUG Starting new HTTPS connection (1): [server:port]
send: 'POST /cgi-bin/userLogin HTTP/1.1\r\nHost: [server:port]\r\nAccept-Encoding: identity\r\nUser-Agent: Dell SonicWALL NetExtender for Linux 8.1.789\r\nX-NE-SESSIONPROMPT: true\r\nContent-Length: 60\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nusername=[username]&domain=[domain]&password=[password]&login=true'
reply: 'HTTP/1.0 200 OK\r\n'
header: Server: SonicWALL SSLVPN Web Server
header: X-NE-tfresult: 0
header: MC-bookmarks: 1
header: Set-Cookie: swap=M2JmMTQ4ZTBrYXdyaWNyaQ==; path=/;
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
DEBUG https://[server:port] "POST /cgi-bin/userLogin HTTP/1.1" 200 None
INFO Starting session...
DEBUG Resetting dropped connection: [server]
send: 'GET /cgi-bin/sslvpnclient?launchplatform=mac&neProto=3&supportipv6=no HTTP/1.1\r\nHost: [server:port]\r\nAccept-Encoding: identity\r\nUser-Agent: Dell SonicWALL NetExtender for Linux 8.1.789\r\nCookie: swap=M2JmMTQ4ZTBrYXdyaWNyaQ==\r\n\r\n'
reply: 'HTTP/1.0 200 OK\r\n'
header: Server: SonicWALL SSLVPN Web Server
header: Set-Cookie: swap=3bf148e0kawricri; path=/;
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
DEBUG https://[server:port] "GET /cgi-bin/sslvpnclient?launchplatform=mac&neProto=3&supportipv6=no HTTP/1.1" 200 None
DEBUG srv_option 'NELaunchX1.userName' = '"[username]";'
DEBUG srv_option 'NELaunchX1.domainName' = '"LocalDomain";'
DEBUG srv_option 'SessionId' = 'QkMO6MFoLUdjNiCNLyakRw==;'
DEBUG srv_option 'Route' = '192.168.1.0/255.255.255.0'
DEBUG srv_option 'Route' = '10.1.10.0/255.255.255.0'
DEBUG srv_option 'Route' = '10.0.0.0/255.255.255.0'
DEBUG srv_option 'Route' = '10.3.0.0/255.255.255.0'
DEBUG srv_option 'dns1' = '192.168.1.7'
DEBUG srv_option 'dns2' = '8.8.8.8'
DEBUG srv_option 'ipv6Support' = 'no'
DEBUG srv_option 'pppFrameEncoded' = '0;'
DEBUG srv_option 'PppPref' = 'async'
DEBUG srv_option 'TunnelAllMode' = '0;'
DEBUG srv_option 'ExitAfterDisconnect' = '0;'
DEBUG srv_option 'UninstallAfterExit' = '0;'
DEBUG srv_option 'NoProfileCreate' = '0;'
DEBUG srv_option 'AllowSavePassword' = '0;'
DEBUG srv_option 'AllowSaveUser' = '0;'
DEBUG srv_option 'AllowSavePasswordInKeychain' = '0'
DEBUG srv_option 'AllowSavePasswordInKeystore' = '0'
DEBUG srv_option 'ClientIPLower' = '"192.168.168.100";'
DEBUG srv_option 'ClientIPHigh' = '"192.168.168.200";'
WARNING Unexpected line in session start message: '}'
INFO Duplicated srv_options value ClientIPHigh = "192.168.168.200";
DEBUG srv_option 'ClientIPHigh' = '"192.168.168.200";'
INFO Dialing up tunnel...
ERROR TLS/SSL connection has been closed (EOF) (_ssl.c:1829)
Traceback (most recent call last):
  File "/opt/nxBender/nxbender/ppp.py", line 71, in run
    stop = self._pump()
  File "/opt/nxBender/nxbender/ppp.py", line 116, in _pump
    stop = self.tunsock.write_from(self.pty)
  File "/opt/nxBender/nxbender/sslconn.py", line 79, in write_from
    self.write(data)
  File "/opt/nxBender/nxbender/sslconn.py", line 103, in write
    self.write_pump()
  File "/opt/nxBender/nxbender/sslconn.py", line 113, in write_pump
    self.s.sendall(buf)
  File "/usr/lib/python2.7/ssl.py", line 741, in sendall
    v = self.send(data[count:])
  File "/usr/lib/python2.7/ssl.py", line 707, in send
    v = self._sslobj.write(data)
SSLZeroReturnError: TLS/SSL connection has been closed (EOF) (_ssl.c:1829)
INFO Shutting down...
DEBUG Resetting dropped connection: [server]
send: 'GET /cgi-bin/userLogout HTTP/1.1\r\nHost: [server:port]\r\nAccept-Encoding: identity\r\nUser-Agent: Dell SonicWALL NetExtender for Linux 8.1.789\r\nCookie: swap=3bf148e0kawricri\r\n\r\n'
reply: ''
--END--

Here's the output with --use-swap enabled:

--BEGIN--
INFO Logging in...
DEBUG Starting new HTTPS connection (1): [server]:[port]
send: 'POST /cgi-bin/userLogin HTTP/1.1\r\nHost: [server]:[port]\r\nAccept-Encoding: identity\r\nUser-Agent: Dell SonicWALL NetExtender for Linux 8.1.789\r\nX-NE-SESSIONPROMPT: true\r\nContent-Length: 60\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nusername=[username]&domain=[domain]&password=[password]&login=true'
reply: 'HTTP/1.0 200 OK\r\n'
header: Server: SonicWALL SSLVPN Web Server
header: X-NE-tfresult: 0
header: MC-bookmarks: 1
header: Set-Cookie: swap=M2JmMjU3MDhzd2Vwcmlkcg==; path=/;
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
DEBUG https://[server]:[port] "POST /cgi-bin/userLogin HTTP/1.1" 200 None
INFO Starting session...
DEBUG Resetting dropped connection: [server]
send: 'GET /cgi-bin/sslvpnclient?launchplatform=mac&neProto=3&supportipv6=no HTTP/1.1\r\nHost: [server]:[port]\r\nAccept-Encoding: identity\r\nUser-Agent: Dell SonicWALL NetExtender for Linux 8.1.789\r\nCookie: swap=M2JmMjU3MDhzd2Vwcmlkcg==\r\n\r\n'
reply: 'HTTP/1.0 200 OK\r\n'
header: Server: SonicWALL SSLVPN Web Server
header: Set-Cookie: swap=3bf25708swepridr; path=/;
header: Connection: close
header: Content-Type: text/html; charset=UTF-8
DEBUG https://[server]:[port] "GET /cgi-bin/sslvpnclient?launchplatform=mac&neProto=3&supportipv6=no HTTP/1.1" 200 None
DEBUG srv_option 'NELaunchX1.userName' = '"[username]";'
DEBUG srv_option 'NELaunchX1.domainName' = '"LocalDomain";'
DEBUG srv_option 'SessionId' = 'QkMO6MFoLUdjNiCNLyakRw==;'
DEBUG srv_option 'Route' = '192.168.1.0/255.255.255.0'
DEBUG srv_option 'Route' = '10.1.10.0/255.255.255.0'
DEBUG srv_option 'Route' = '10.0.0.0/255.255.255.0'
DEBUG srv_option 'Route' = '10.3.0.0/255.255.255.0'
DEBUG srv_option 'dns1' = '192.168.1.7'
DEBUG srv_option 'dns2' = '8.8.8.8'
DEBUG srv_option 'ipv6Support' = 'no'
DEBUG srv_option 'pppFrameEncoded' = '0;'
DEBUG srv_option 'PppPref' = 'async'
DEBUG srv_option 'TunnelAllMode' = '0;'
DEBUG srv_option 'ExitAfterDisconnect' = '0;'
DEBUG srv_option 'UninstallAfterExit' = '0;'
DEBUG srv_option 'NoProfileCreate' = '0;'
DEBUG srv_option 'AllowSavePassword' = '0;'
DEBUG srv_option 'AllowSaveUser' = '0;'
DEBUG srv_option 'AllowSavePasswordInKeychain' = '0'
DEBUG srv_option 'AllowSavePasswordInKeystore' = '0'
DEBUG srv_option 'ClientIPLower' = '"192.168.168.100";'
DEBUG srv_option 'ClientIPHigh' = '"192.168.168.200";'
WARNING Unexpected line in session start message: '}'
INFO Duplicated srv_options value ClientIPHigh = "192.168.168.200";
DEBUG srv_option 'ClientIPHigh' = '"192.168.168.200";'
INFO Dialing up tunnel...
INFO Remote routing configured, VPN is up
ERROR Broken pipe
INFO Shutting down...
DEBUG Resetting dropped connection: [server]
send: 'GET /cgi-bin/userLogout HTTP/1.1\r\nHost: [server]:[port]\r\nAccept-Encoding: identity\r\nUser-Agent: Dell SonicWALL NetExtender for Linux 8.1.789\r\nCookie: swap=3bf25708swepridr\r\n\r\n'
reply: ''
--END--

Doesn't seem like a whole lot to go on, but, hoping you can figure something out...

Thanks! David

sinodave commented 4 years ago

Interestingly...it doesn't seem to have much to do with the length of the connection, but rather the volume of the data moving across. If I connect and leave it idle, it may stay connected for minutes at a time, but as soon as I click around and the connection has to re-draw the screen a bit, the vpn will drop out with one of the messages I pasted above (Broken pipe, Connection reset by peer, etc.).

Other things I've tried without success:

  - manually set mtu to 1280 via ifconfig
  - added persist option to /etc/ppp/options file <--this was a bad idea...still get broken pipe errors, but with the persist option enabled nxBender got stuck at "Shutting down..." and I had to Ctrl-C to break
  - tried installing on a fresh 64-bit Ubuntu Server install w/gdm3 & Gnome...same result
  - routed RPi4 Wifi through mobile hotspot on my phone to rule out LAN or subnet configuration issues

sinodave commented 4 years ago

Aw geez...ok, so you're awesome and I officially suck.

I finally figured out the problem, and it has nothing to do with the vpn at all...I had the color mode set as GFX-something or other in Remmina (an option that is not even available on my Chromebook/NetExtender setup), and when I changed that setting to TrueColor 32bpp it automagically started working and didn't drop once during a 20 minute session where I put it through its paces with video, 2D, and 3D rendering.

I'm truly sorry to have wasted any of your time...so happy that this works now! Please continue the fabulous work!

Let me know if there is some way I can help you with that automatic switching problem you were looking into.

All the best, David

abrasive commented 4 years ago

What a weird bug! Well, I'm glad you got it figured out ^_^

I've just pushed a new version to master which should detect and work with your server's version of the protocol, would you mind trying it out? Thanks!

sinodave commented 4 years ago

Hey, sorry to disappear...I just realized that I never replied to your last comment. I can confirm that nxBender connects to my office's version of the SonicWall device without the need for the --use-swap option now. Unfortunately it still refuses to hold a connection reliably, so I have figured out another solution (using another computer as a gateway running netExtender and routing my ARM device traffic for that subnet through that computer). I'm still willing to try out new builds of nxBender to see if it gets cleared up...maybe with auto-reconnect it will be better. I'm convinced at this point that there is some kind of configuration/stability problem with my company's device, but of course I have no access to that. Thanks again for all your hard work on this project!