I have had multiple tickets escalated to me this week for users working from home not being able to connect to their VPNs.
90% of the time, testing the VPN on a hotspot works fine and the issue comes down to some ports that need to be opened on their routers, or there's some other router issue that needs to be addressed by their ISP.
These users are completely computer illiterate. To what extent do you give support to them? Do you call the ISP yourself? Ask them to call the ISP and then ask for a technician to call you when they attend the person's home?
What are you using for VPN? Can you change the port you’re using for VPN to 443? Having to modify home routers to get the VPN to work is what I’d consider a bridge too far and would look at the VPN solution/configuration.
Otherwise, I find it best to have a few tools handy to “prove” that the issue is with the home network and send them on their way to call the ISP. Users are more receptive when you can provide facts/data. MTR and a script to output the Wi-Fi signal strength are good starters.
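Building on the MTR and Wi-Fi signal-strength tools mentioned above, the following is an added example (not code from the post or from the thread) that turns the raw output of those two tools into a verdict you can hand the user: it parses `mtr --report` text and the Windows `netsh wlan show interfaces` text, decides at which hop packet loss actually originates, and converts the Windows signal percentage into an approximate dBm figure. The sample outputs embedded in the block are constructed for illustration, the hop addresses and SSID are made up, the "home LAN is hop 1" rule and the percent-to-dBm mapping are stated approximations, and the helper names are this example's own. Python is used here because it runs on the laptop operating systems a help desk sees.

```python
"""Home-network-vs-VPN triage helpers (added example, constructed samples)."""
import re
from dataclasses import dataclass


@dataclass
class Hop:
    index: int
    host: str
    loss_pct: float
    avg_ms: float
    worst_ms: float


# One hop row of `mtr --report`, e.g. "  2.|-- 100.64.12.1  25.0%  20  22.1  28.4  19.0  61.2  12.3"
# Columns after the host: Loss% Snt Last Avg Best Wrst StDev
HOP_RE = re.compile(
    r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%\s+\d+\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)"
)


def parse_mtr_report(text):
    """Return the hop rows of an `mtr --report` run; header lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m[1]), m[2], float(m[3]), float(m[5]), float(m[7])))
    return hops


def locate_loss(hops, lan_hops=1, tolerance=5.0):
    """Classify where packet loss originates: home network, ISP/transit, or destination.

    MTR caveat: a router that rate-limits ICMP replies shows loss on its own row while
    forwarding traffic fine, and that loss does not carry through to the final hop.
    Only loss that reaches the destination is treated as real; its origin is the first
    hop showing (within `tolerance` points) at least that much loss. Hops 1..lan_hops
    are assumed (an assumption of this example) to be the user's home LAN.
    """
    if not hops:
        return ("no data", None)
    dest = hops[-1]
    if dest.loss_pct == 0.0:
        return ("clean", None)
    origin = next(h for h in hops if h.loss_pct + tolerance >= dest.loss_pct)
    if origin.index <= lan_hops:
        return ("home network", origin)
    if origin is dest:
        return ("destination", origin)
    return ("isp/transit", origin)


def wifi_assessment(netsh_text):
    """Summarise `netsh wlan show interfaces` output into percent, approx dBm, band, verdict.

    Windows reports signal quality as 0-100%, which maps roughly linearly onto
    -100 dBm (0%) .. -50 dBm (100%); the conversion below is that approximation.
    Channels 1-14 are taken as 2.4 GHz, anything higher as 5 GHz (6 GHz is not
    distinguished here). Returns None if no Signal line is present.
    """
    pct = re.search(r"^\s*Signal\s*:\s*(\d+)%", netsh_text, re.M)
    chan = re.search(r"^\s*Channel\s*:\s*(\d+)", netsh_text, re.M)
    if not pct:
        return None
    percent = int(pct[1])
    dbm = round(percent / 2) - 100
    channel = int(chan[1]) if chan else None
    band = None if channel is None else ("2.4 GHz" if channel <= 14 else "5 GHz")
    verdict = "weak" if dbm < -70 else ("marginal" if dbm < -60 else "good")
    return {"percent": percent, "dbm": dbm, "channel": channel, "band": band, "verdict": verdict}


# Constructed sample outputs (not real captures). Hop 1 is the home router in each.
SAMPLE_MTR_ISP = """\
HOST: LAPTOP-01                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    20    1.2   1.5   1.0   2.3   0.4
  2.|-- 100.64.12.1               25.0%    20   22.1  28.4  19.0  61.2  12.3
  3.|-- 203.0.113.9               10.0%    20   24.0  27.9  20.1  58.0  10.8
  4.|-- 198.51.100.17             25.0%    20   26.3  30.1  21.7  63.5  12.9
"""
SAMPLE_MTR_WIFI = """\
HOST: LAPTOP-01                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.0.1               15.0%    20    4.2  38.5   1.1 210.4  55.0
  2.|-- 100.64.12.1               15.0%    20   24.1  52.8  19.5 233.0  58.1
  3.|-- 198.51.100.17             15.0%    20   26.0  55.0  21.2 240.1  60.2
"""
SAMPLE_MTR_RATELIMIT = """\
HOST: LAPTOP-01                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    20    1.1   1.4   0.9   2.0   0.3
  2.|-- 100.64.12.1               60.0%    20   21.0  23.2  18.9  30.4   3.1
  3.|-- 198.51.100.17              0.0%    20   25.8  27.0  21.5  33.9   3.0
"""
SAMPLE_NETSH = """\
There is 1 interface on the system:

    Name                   : Wi-Fi
    State                  : connected
    SSID                   : HomeNet
    Radio type             : 802.11n
    Channel                : 6
    Receive rate (Mbps)    : 58.5
    Signal                 : 38%
"""

if __name__ == "__main__":
    samples = (("ISP loss", SAMPLE_MTR_ISP), ("Wi-Fi loss", SAMPLE_MTR_WIFI),
               ("ICMP rate-limit", SAMPLE_MTR_RATELIMIT))
    for label, sample in samples:
        verdict, hop = locate_loss(parse_mtr_report(sample))
        where = f" at hop {hop.index} ({hop.host}, {hop.loss_pct}% loss)" if hop else ""
        print(f"{label}: {verdict}{where}")
    print("Wi-Fi:", wifi_assessment(SAMPLE_NETSH))
```

The rate-limit sample is the one worth explaining to a user: 60% loss on the ISP gateway row with 0% at the destination is a router de-prioritising ICMP, not a fault, and the report should not be forwarded to the ISP as proof of one.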
For my small userbase, I’ve moved to Tailscale. Easy to manage, doesn’t seem nearly as sensitive to home ISP fuckery, client pushed out via Intune, trivial to set up SSO via AAD or Google. Yeah it’s another subscription but it has greatly reduced the amount of support requests related to VPN.
Move everything humanly possible to not need VPN:
This means leveraging more of the M365 stack, and using RD Gateway as only real access method where possible.
Give critical/sensitive users Meraki Z3s: a hardware VPN that they never jack with. Give them 5 IPs each, and it handles a lot of the ISP quality monitoring; they get wired ports and a Wi-Fi that you control, with multiple SSIDs available.
“IF YOUR SETUP AT HOME IS NOT WORKING, THE OFFICE IS OPEN AND AVAILABLE”
We do not support users home networks. Conversely you shouldn’t be getting multiple tickets for this kind of stuff. A decent VPN solution should work with an OOB ISP router.
For home internet users I found the following three issues during Covid: 1) they had the cheapest connection or they shared it with someone, 2) they were on Wi-Fi and not plugged in in a crowded area, and 3) they actually weren’t having issues they just didn’t want to work.
My solution: we don't support home networks. The VPN worked when tested via hotspot; if you can't connect you'll need to come into the office.
We also switched our VPN to Sophos XG and OpenVPN.
Working from home has been the best and absolute worst at the same time. The amount of issues we have had to try and solve because people were working on horrible internet combined with even shittier WiFi is stupendous.
I have wanted to pull people through the phone more times than I can count. "But I have no issues streaming Netflix/Disney/Prime, it just gets that buffering thing every now and then". Honest to god, I have had people complaining that we should fix the internet because everything feels so slow. No shit, Sherlock, you are using a single WiFi point that is built into your shitty ISP router, which was fitted 2 floors down next to the entrance of your house. "Yeah but you guys are in charge of keeping everything up and running", no, you fuck knuckle, I cannot and will not unfuck your home network.
Usually we let users deal with their equipment and ISP. There are sometimes cases when it goes to higher management and we have to be more involved. There was a case when a user was not able to reach Citrix on VPN from home. It worked for another teammate. We asked that teammate to go to the first user's home and try. She got the same problem. That was the kicker for that user to finally stop bugging multiple teams and go to the ISP. Found out that their ISP had downgraded their plan and also blocked lots of ports for some reason. After the ports were opened, Citrix started working fine.
At my last job we had one hopeless case and the user was very stressed, so I even had a few calls with their ISP trying to explain the situation (the VPN was disconnecting every 5 minutes or so). At some point the user said that they had replaced her router a few weeks ago. I told her to ask them to bring the old router for a test. And of course, it was working fine with the old one. As I left soon after that, I am not sure if she is still using the old router or whether they were able to figure out what they had configured badly.
And finally, one anecdotal story. One financier was complaining that the finance app was opening very slowly at home. When I asked her to do a speed test, it gave modem-era speeds of a few kilobits or something. She couldn't even browse normally, but was expecting to work with a heavy on-prem app via VPN.
First, I test whether the problem is the VPN or their home internet.
If it's confirmed to be the VPN, I troubleshoot for them, as it's in my scope and I support the VPN software for my company.
If it's confirmed the VPN isn't the issue, I might do some troubleshooting on the internet adapter for the laptop if it is a company laptop.
If it isn't a company laptop I might continue troubleshooting, but generally won't, as it's inadvisable to troubleshoot personal property.
If it's confirmed that their home internet is the problem, I advise them to restart their router. If that doesn't fix the issue, I refer them to their ISP for support, as anything more is out of my scope.
After meeting after meeting and an act of god, my company started telling users that IT can’t help with their home equipment.
If you want to work from home, you should be tech literate enough to connect your laptop to your network and diagnose any resulting issues.
If your issue is actually with your work laptop, we help. But if it’s “my work laptop won’t connect to my home wifi”? Lol, nice. Maybe come into your office.
Ran into an issue with split DNS not working; turns out Windows splits IPv4 pretty well but prefers IPv6 over 4. So our split DNS was fine, as long as they didn't have an IPv6 LAN. Easy to test.
Other than that, hope you're not still using PPTP; it's not supported on Apple hotspot.
Edit: using Fortinet SSL VPN, only offering IPv4 via tunnel.
In order to be eligible for WFH, our users have to submit a passing test result against our internal speed test server. If they can’t do that, they can’t work from home until they fix/improve their home Internet.
We use GlobalProtect, which is pretty resilient even with poor network conditions.
Aside from all of the other correct responses here, a solution that the organisation can provide is 4G modems with a carrier that has been tested and works with the VPN. Obviously, this can incur a substantial cost, but that's a decision for the higher-ups. Otherwise, it's not an IT issue. We can't be responsible for systems we have no visibility or control over.