Windows built-in VPN disconnecting from L2TP VPN continually

I’m a solo admin at a small non-profit with about 250 employees. We recently went through a network upgrade where we replaced our existing firewall and switches with some prosumer Ubiquiti gear. This wasn’t my first choice, but for the cost it checked every box and I’ve been very impressed with the results. One bonus is that the Security Gateway has a built-in VPN server. Our previous vendor had a VPN solution too, but it required additional licensing, and because we have a well-developed and secure Terminal Server there was never really a need. The Ubiquiti gear made it simple to tie VPN to RADIUS, and RADIUS was already tied to Azure MFA, so less than an hour of setup later I’ve got a working VPN server. Great.

The problem is, when I test this VPN from home, which I’ve done over the last week, Windows computers disconnect ALL THE DAMN TIME, with sessions often lasting less than 5 minutes; it was unusable. For the sake of testing I connected using my Mac and had no problems, I connected using a Linux VM and had no problems, I connected using an iPhone and had no problems.

I’m stumped.

The Windows logs for this aren’t particularly helpful:

CoId={E4D86C30-8ED5-0004-49CA-DCE4D58ED701}: The user Domain\USER dialed a connection named workVPNtest4 which has terminated. The reason code returned on termination is 829.

The RASMAN log files I have for this are not all that helpful either:

#Connection
[7584] 08-17 14:11:50:569: RasUpdateVpnLuidCache: Luid: 17000000000000, fAddLuid:0
[7584] 08-17 14:11:50:569: RasUpdateVpnLuidCache: Removed Luid 17000000000000 from cache
[7584] 08-17 14:12:00:583: RasUpdateVpnLuidCache: Luid: 17000000000000, fAddLuid:1
[7584] 08-17 14:12:00:583: RasUpdateVpnLuidCache: Added Luid 17000000000000 to cache
#Disconnection
[7584] 08-17 14:12:00:583: DwAddLegacyKeysForInterface: called for {DE624886-DA3F-46E6-8903-284E413CC433}
[7584] 08-17 14:12:00:583: DwAddLinkageKeysAtStart: Function failed with error 2
[7584] 08-17 14:12:00:583: DwAddSMBKeysForInterface: Failed to add \Device\Tcpip_ Bind key, 0x2
[7584] 08-17 14:12:00:583: DwAddLinkageKeysAtStart: Function failed with error 2
[7584] 08-17 14:12:00:583: DwAddSMBKeysForInterface: Failed to add \Device\Smb_Tcpip_ Export key, 0x2
[7584] 08-17 14:12:00:583: DwAddLinkageKeysAtStart: Function failed with error 2
[7584] 08-17 14:12:00:583: DwAddSMBKeysForInterface: Failed to add \Device\Tcpip6_ Bind key, 0x2
[7584] 08-17 14:12:00:583: DwAddLinkageKeysAtStart: Function failed with error 2
[7584] 08-17 14:12:00:583: DwAddSMBKeysForInterface: Failed to add \Device\Smb_Tcpip6_ Export key, 0x2
[7584] 08-17 14:12:00:584: DwAddLegacyKeysForInterface Exiting ....
[7584] 08-17 14:12:00:584: DwBindServerToAdaper: fBind=1, Protocol=0x800
[7584] 08-17 14:12:00:584: DwBindSErverToAdapter: BindString=\Device\NetBT_Tcpip_{DE624886-DA3F-46E6-8903-284E413CC433}
[7584] 08-17 14:12:00:586: DwBindSErverToAdapter: BindString=\Device\Smb_Tcpip_{DE624886-DA3F-46E6-8903-284E413CC433}
[7584] 08-17 14:12:00:586: DwBindServerToAdapter. 0x0

It’s due to the way Windows 10 does the key exchange. It has nothing to do with your equipment. Many other brands of firewall have the same issues you are having. And nearly every other Windows 10 update will break it even if you get it fixed.

Sorry, I do not have a good solution for you, but below is what we use to create VPNs in Windows 10. We made something that lets people click a button on the desktop that replaces the old non-working connection.

The only way I found to fix it consistently is replacing the old one. Older builds of Windows 10 work a lot better at handling VPNs if you are using the native Windows client.

Add-VpnConnection -AllUserConnection -Name "NameYourVPN" -ServerAddress IP.Add.Ress.Here -TunnelType L2tp -EncryptionLevel Optional -AuthenticationMethod PAP -L2tpPsk "SharedKeyGoesHere" -Force -PassThru

Quick guess: the Linux VPN might redirect all internet traffic over the VPN. The Windows VPN might only transport traffic aimed at the server IP and send the other internet traffic directly without the VPN. So the Windows VPN stops due to lack of traffic. Maybe ping the server through the VPN to keep it open?

Windows’ native VPN client isn’t great at the best of times. Ubiquiti’s VPN support is extremely limited to put it nicely. I helped a friend’s small business last year try to get this running with USG Pro but it was a constant headache. We ended up saying to hell with it and deployed OpenVPN Connect. Everyone was 100x happier. Super fast and stable (we have people connected remotely for weeks at a time). I use it at my day job as well and no complaints.

I like UBNT as much as the next guy for home use and some light business use but the USG in particular is a joke of a product for any real business use. If it were me I’d rip it out and put in a pfSense box (which would also give you lots of VPN options).

I know that’s not necessarily what you want to hear, but that’s my experience with USGs.

One of the issues I’ve run into with this was caused by the extended packet length for ESP (IP Protocol 50).

What I found is that on quite a lot of residential connections, the ISP was dropping packets with an MTU larger than 1500 causing issues with consistent VPN dropouts.

Reducing the MTU to ensure the original packet plus the ESP payload does not increase past 1500 bytes may prove to resolve the issue.

Another thing to check is the DPD timeout: if the connection is dropping out periodically, this can be used to determine how long the tunnel should stay active in that event.

Also, there is the Windows registry setting for running IPsec connections behind a NAT:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-l2tp-ipsec-server-behind-nat-t-device

Can you connect to this VPN service from another non-Windows device, e.g. Android/iPhone? Do the same dropouts occur?
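The two client-side checks from the reply above (the NAT-T registry value from the linked Microsoft article, and keeping the inner packet plus ESP overhead under the path MTU) as an added PowerShell example; this is not code from the thread or from Ubiquiti. $VpnName and $Server are placeholders, the ICMP probe assumes the VPN server answers ping with DF set, and the 100-byte per-packet overhead is an estimate, not a measured figure.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: set the NAT-T registry value from the linked Microsoft
# article, then measure the path MTU to the VPN server and cap the VPN adapter's MTU below it.
param(
    [string]$VpnName  = 'workVPN',          # placeholder: name of the Windows VPN connection
    [string]$Server   = 'vpn.example.org',  # placeholder: the L2TP/IPsec server
    [int]   $Overhead = 100                 # estimate of L2TP + ESP + NAT-T UDP overhead per packet
)

# 1. NAT-T: 2 = client and server may both sit behind NAT. Needs a reboot to take effect.
$paKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$natT  = (Get-ItemProperty -Path $paKey -Name AssumeUDPEncapsulationContextOnSendRule `
            -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
if ($natT -ne 2) {
    New-ItemProperty -Path $paKey -Name AssumeUDPEncapsulationContextOnSendRule `
        -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Warning 'AssumeUDPEncapsulationContextOnSendRule set to 2; reboot to apply.'
}

# 2. Largest ICMP payload that reaches the server with DF set (binary search over ping -f -l).
function Get-MaxUnfragmentedPayload([string]$Target, [int]$Low = 1200, [int]$High = 1472) {
    $probe = {
        param($Size)
        $out = ping.exe -n 1 -w 2000 -f -l $Size $Target 2>&1 | Out-String
        if ($out -match 'Reply from')                 { 'ok' }
        elseif ($out -match 'needs to be fragmented') { 'toobig' }
        else                                          { 'noreply' }
    }
    if ((& $probe $Low) -ne 'ok') { return 0 }   # even the small probe got no reply
    while ($Low -lt $High) {
        $mid = [math]::Ceiling(($Low + $High) / 2)
        switch (& $probe $mid) {
            'ok'     { $Low  = $mid }
            'toobig' { $High = $mid - 1 }
            default  { return $Low }    # reply lost: keep the last size known to work
        }
    }
    return $Low
}

# 3. Cap the adapter MTU so inner packet + overhead stays under the path MTU (run while connected).
$payload = Get-MaxUnfragmentedPayload -Target $Server
if ($payload -eq 0) { Write-Warning "$Server did not answer ICMP probes; MTU left unchanged"; return }
$pathMtu = $payload + 28                              # 20-byte IPv4 header + 8-byte ICMP header
$vpnMtu  = [math]::Min(1400, $pathMtu - $Overhead)    # 1400 is the usual Windows L2TP default
Write-Host "Path MTU to $Server is about $pathMtu bytes; VPN adapter MTU -> $vpnMtu"
if (Get-NetIPInterface -InterfaceAlias $VpnName -AddressFamily IPv4 -ErrorAction SilentlyContinue) {
    Set-NetIPInterface -InterfaceAlias $VpnName -AddressFamily IPv4 -NlMtuBytes $vpnMtu
}
```

The VPN adapter only exists while the connection is up, so the MTU step is a no-op until you have dialed in; a reboot is still needed for the registry value to take effect.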

Client side. VPN adapter, network, advanced, metric.

The VPN stops regardless of traffic.

Could you be more specific about this setting? I didn’t see anything related to metric on either the VPN or client side.

This may be a better option. I’m not particularly familiar with OpenVPN, just looking at the free/paid versions, the open source option doesn’t allow for RADIUS or LDAP? This wouldn’t really work for me since MFA is tied to RADIUS.

Are you running OpenVPN on the USG or as a standalone server?

I don’t remember where I saw it, but I would have said the Windows VPN MTU was set at 1400. Never mind, found it.

I think the default DPD isn’t set on UniFi devices. I might play with this.

I was able to connect and maintain a connection from non-Windows devices with basically no problems.

Since OpenVPN is open source, there’s lots of different variations and implementations of it. Many do support RADIUS and LDAP.

We run ‘OpenVPN Connect’, which is a commercial implementation of OpenVPN. It costs a bit, but it’s well supported. Their version does fully support RADIUS and LDAP (we bind it to AD for auth). It runs on a small Linux server in AWS.

For my friend’s business during COVID, we spun up a small Linux VM appliance.

It’s worth noting that pfSense has OpenVPN support built in.

If it were me I’d sell the USG on eBay and get a pfSense box. USGs are barely good enough for home use, let alone business/commercial use. It’s easily UBNT’s worst product. It also hasn’t been substantially updated since launch, like 7 years ago. It’s so terrible, just get rid of it. UniFi does NOT have business-class route/firewall products, despite labelling themselves as an ‘enterprise networking’ company. They are a small-SMB networking company. Most of their products are aimed at home use.

I don’t love Ubiquiti, but their product is great for a small business like the one I work for. As a solo admin I’m dividing my time between network, systems, development, and helping out my helpdesk dude. We have a very small budget, both of time and money. When I was researching the upgrade we did 4 months ago I had an option that was a mix of a pfSense-capable box, MikroTik switches, and Cambium APs. It was a little bit cheaper, and individually I probably would like all the parts more, but that’s 3 different management systems I need to learn, handle, and document. The simplicity Ubiquiti offers is what made it enticing. There were a couple of problems, mostly the lack of out-of-the-box support for static IP block assignment. But it’s been rock solid stable the last 3 months and has all the features we wanted. This VPN problem has honestly been the only pain point.

I looked at OpenVPN Access pricing, and it’s reasonable, but to put it in perspective, 100 users, ~half our employees, is almost the same cost as our entire Office 365 budget. We work on a shoestring budget; I’ve worked places that would drop our monthly operational budget on dinner with clients. If it wasn’t for non-profit and open source licensing there’s no way we could provide the internal and external services we do.

You can easily deploy an open source version of OpenVPN then. Or heck, even download the community edition of pfSense and forward the ports to it (free).

Don’t get me wrong, I like Ubiquiti as well (for certain things), but the USG is terrible, straight up. UBNT’s weakest area is definitely route/firewall.