Block access Windows Traffic

Alex987
OpenVpn Newbie
Posts: 11
Joined: Tue Mar 07, 2017 4:08 pm

Block access Windows Traffic

Post by Alex987 » Fri Jun 16, 2017 9:32 am

Hello everyone,

I use OpenVPN client 2.4.2 on Windows 7 and OpenVPN server 2.4.1 on CentOS.
The IP range of my LAN is 192.168.X.0/24.
There are some Windows shares on the LAN that must be reachable for VPN users.

I block local traffic with "push "redirect-gateway def1 block-local"".

But with Wireshark I see that SMB and NBNS traffic goes locally and not through the VPN tunnel.
With a traceroute, the next hop for 192.168.X.Y is the VPN server, as expected.

My purpose is to force all traffic to go through the VPN tunnel.

Any idea how to resolve this problem?

Note: for my test, my Windows computer is on the LAN 192.168.X.0/24 and so has an IP in this IP range.

My server configuration (server file):
mode server

port 1196
proto udp
dev tun
tun-mtu 1500
mssfix 1300

ca cert-prod/ca.crt
cert cert-prod/server-prod.crt
key prive-prod/server-prod.key # This file should be kept secret
dh prive-prod/dh3072.pem

server 10.8.0.0 255.255.252.0
topology subnet
push "ip-win32 dynamic 0 86400"
push "redirect-gateway def1 block-local"
push "dhcp-option DNS 10.100.0.X"
push "block-outside-dns"

duplicate-cn

keepalive 10 30
push "inactive 600s"

tls-auth prive-prod/ta.key 0
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
tls-version-min 1.2

cipher AES-256-CBC

auth SHA256

comp-lzo

user openvpn
group openvpn

chroot /etc/openvpn/jail-prod

persist-key

reneg-sec 14400

status openvpn-status.log

log-append /var/log/openvpn.log

verb 4

script-security 1

tmp-dir /tmp
My client configuration (client file):
client

dev tun
proto udp
tun-mtu 1500
mssfix 1300

remote myvpn.example.com 1196

port 1196

remote-cert-tls server

tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

cipher AES-256-CBC
auth SHA256

comp-lzo

persist-key
persist-tun

reneg-sec 0

verb 3
log-append /var/log/openvpn-client-dev.log

auth-user-pass
auth-nocache

<ca>
-----BEGIN CERTIFICATE-----
ca cert
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
private key
-----END PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
static key
</tls-auth>
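
As an added illustration (not part of the thread, and not OpenVPN's own code), the following Python models the routes that `redirect-gateway def1 block-local` installs on the Windows client and does a longest-prefix lookup for the kinds of destination the post mentions. The concrete addresses are assumed stand-ins for the placeholders above: 192.168.42.0/24 for 192.168.X.0/24, 192.168.42.10 for the share 192.168.X.Y, 203.0.113.5 for myvpn.example.com; the tunnel values follow from `server 10.8.0.0 255.255.252.0` with `topology subnet`. It shows why unicast SMB to a LAN host should leave via the TUN adapter once block-local is in effect, while NBNS name queries, which are sent to the subnet broadcast address, stay on the LAN whatever the routes say (Windows keeps an on-link /32 for that address). `block-outside-dns` acts through Windows Filtering Platform filters rather than the routing table, so it is outside this model; `netsh wfp show filters` exports the active filters if you need to inspect what it installed.

```python
import ipaddress

# Constructed stand-ins for the placeholders in the post: 192.168.42.0/24 for the
# LAN 192.168.X.0/24, .10 for a share host 192.168.X.Y, 203.0.113.5 (TEST-NET-3)
# for myvpn.example.com. "server 10.8.0.0 255.255.252.0" with "topology subnet"
# gives the tunnel subnet 10.8.0.0/22 and the tunnel gateway 10.8.0.1.
LAN = ipaddress.ip_network("192.168.42.0/24")
LAN_GATEWAY = ipaddress.ip_address("192.168.42.1")
SHARE_HOST = ipaddress.ip_address("192.168.42.10")
VPN_SERVER = ipaddress.ip_address("203.0.113.5")
TUN_NET = ipaddress.ip_network("10.8.0.0/22")
TUN_GATEWAY = ipaddress.ip_address("10.8.0.1")

ONLINK = None  # next-hop value for directly connected prefixes


def host(addr):
    """/32 prefix for a single address."""
    return ipaddress.ip_network(f"{addr}/32")


def base_routes():
    """Client routing table before OpenVPN connects, as Windows 'route print'
    shows it: default route, on-link LAN prefix, and the on-link /32 entries
    Windows keeps for the subnet broadcast and the limited broadcast address.
    Entries are (prefix, next_hop, interface)."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), LAN_GATEWAY, "lan"),
        (LAN, ONLINK, "lan"),
        (host(LAN.broadcast_address), ONLINK, "lan"),
        (ipaddress.ip_network("255.255.255.255/32"), ONLINK, "lan"),
    ]


def halves(net):
    """The two prefix+1 halves of a network. OpenVPN uses this split for 'def1'
    (0.0.0.0/1 + 128.0.0.0/1) and for 'block-local' (the LAN split in two), so
    the added routes are more specific than the ones they override instead of
    replacing them."""
    return list(net.subnets(prefixlen_diff=1))


def apply_redirect_gateway(routes, block_local=True):
    """Routes added by 'redirect-gateway def1' and, optionally, 'block-local'."""
    routes = list(routes)
    # Host route to the VPN server via the LAN gateway: the tunnel's own UDP
    # packets must keep leaving over the physical interface.
    routes.append((host(VPN_SERVER), LAN_GATEWAY, "lan"))
    # The tunnel subnet is on-link on the TUN adapter.
    routes.append((TUN_NET, ONLINK, "tun"))
    # def1: two /1 routes into the tunnel beat the /0 default route.
    for half in halves(ipaddress.ip_network("0.0.0.0/0")):
        routes.append((half, TUN_GATEWAY, "tun"))
    if block_local:
        # block-local: the LAN gateway stays reachable on-link; the rest of the
        # LAN is routed into the tunnel as two /25s that beat the on-link /24.
        routes.append((host(LAN_GATEWAY), ONLINK, "lan"))
        for half in halves(LAN):
            routes.append((half, TUN_GATEWAY, "tun"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns the (prefix, next_hop, interface) entry."""
    dst = ipaddress.ip_address(dst)
    matching = [r for r in routes if dst in r[0]]
    return max(matching, key=lambda r: r[0].prefixlen)


def egress_interface(dst, block_local=True):
    """Interface a packet to dst leaves on once the tunnel is up."""
    return lookup(apply_redirect_gateway(base_routes(), block_local), dst)[2]


if __name__ == "__main__":
    cases = {
        "SMB to share (unicast)": SHARE_HOST,
        "NBNS query (subnet broadcast)": LAN.broadcast_address,
        "LAN gateway": LAN_GATEWAY,
        "VPN server (tunnel transport)": VPN_SERVER,
        "Internet host": ipaddress.ip_address("198.51.100.7"),
    }
    for block_local in (False, True):
        print(f"block-local={'on' if block_local else 'off'}")
        table = apply_redirect_gateway(base_routes(), block_local)
        for label, dst in cases.items():
            prefix, nh, iface = lookup(table, dst)
            print(f"  {label:32} -> {iface:3} via {nh or 'on-link'} ({prefix})")
```

Run it with and without block-local to see the difference: without it, the on-link /24 wins for the share host and SMB stays on the LAN; with it, the two /25 routes win and only the gateway /32 and the broadcast /32 remain on-link. Compare the output against `route print` on the client while the tunnel is up; if the /25 entries are present but Wireshark still shows SMB on the LAN adapter, the cause is not in the routing table.
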

Alex987
OpenVpn Newbie
Posts: 11
Joined: Tue Mar 07, 2017 4:08 pm

Re: Block access Windows Traffic

Post by Alex987 » Fri Jun 16, 2017 10:14 am

This behavior is due to the server option: push "block-outside-dns"
When I comment out this option, the NBNS and SMB traffic goes through the VPN tunnel!

But this option is necessary for Windows 10 clients in order to avoid DNS leaks...

Has anyone else seen the same behavior?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Block access Windows Traffic

Post by TinCanTech » Fri Jun 16, 2017 1:34 pm

Alex987 wrote: There are some Windows shares on the LAN that must be reachable for VPN users.
Which LAN .. server or client?

Alex987
OpenVpn Newbie
Posts: 11
Joined: Tue Mar 07, 2017 4:08 pm

Re: Block access Windows Traffic

Post by Alex987 » Wed Jun 21, 2017 12:09 pm

Sorry for the delay, I was on vacation...
TinCanTech wrote: Which LAN .. server or client?
Server LAN...
More exactly, the OpenVPN server is in the DMZ of my company, and the Windows shares are on the company LAN.
The client computers are outside the company LAN.
