Server bridge VPN between Windows computers - route internet traffic

diwit
OpenVpn Newbie
Posts: 5
Joined: Tue Jul 25, 2017 2:38 pm

Server bridge VPN between Windows computers - route internet traffic

Post by diwit » Tue Jul 25, 2017 3:10 pm

Hi,

I have a network1 at home and a remote network2. I want to VPN from network2 to network1 (home). In network1 I have a couple of Windows 7 PCs. In network2 I have a couple of Windows 10 PCs. Network details are:

network1 (home) = 192.168.2.0/24, gateway = 192.168.2.1, public IP = 79.X.X.X
network2 (remote) = 192.168.43.0/24, gateway = 192.168.43.1, public IP = 95.X.X.X

These are my server and client .ovpn files:
client
client
dev tap
dev-node TAPadapter
proto udp
remote [network1_public_ip] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\client.key"
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
mute 20
server
port 1194
proto udp
dev tap
dev-node TAPadapter
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
ifconfig-pool-persist ipp.txt
server-bridge 192.168.2.240 255.255.255.0 192.168.2.241 192.168.2.249
server-bridge
push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
On one of the Windows 7 computers (which is always online and I want to use as a VPN server) I create a network bridge between the system physical NIC and the TAPadapter. I manually assign IP 192.168.2.12 to the bridge (no other adapter or computer on the network uses IP .12, tried without manually assigning an IP, using the one it gets by default, and I get the same behaviour).

Port UDP 1194 is open on the router on network1.

I start both OpenVPN GUIs as administrator, connect the client to the server and it connects no problem, I can ping 192.168.2.X from 192.168.43.X, but the internet traffic still goes out directly, not through the VPN (I go to http://www.whatismyp.com and it still shows the 95.X.X.X IP address instead of the 79.X.X.X, which is what I want).

I tried installing OpenVPN on the other Windows 7 computer and using the server config on it, and I get exactly the same behaviour, so it seems to point to some configuration issue.

This is the server output log:
server log
Tue Jul 25 16:57:40 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Tue Jul 25 16:57:40 2017 Windows version 6.1 (Windows 7) 64bit
Tue Jul 25 16:57:40 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Tue Jul 25 16:57:40 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jul 25 16:57:40 2017 Need hold release from management interface, waiting...
Tue Jul 25 16:57:41 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jul 25 16:57:41 2017 MANAGEMENT: CMD 'state on'
Tue Jul 25 16:57:41 2017 MANAGEMENT: CMD 'log all on'
Tue Jul 25 16:57:41 2017 MANAGEMENT: CMD 'echo all on'
Tue Jul 25 16:57:41 2017 MANAGEMENT: CMD 'hold off'
Tue Jul 25 16:57:41 2017 MANAGEMENT: CMD 'hold release'
Tue Jul 25 16:57:41 2017 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Tue Jul 25 16:57:41 2017 Diffie-Hellman initialized with 1024 bit key
Tue Jul 25 16:57:41 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 25 16:57:41 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 25 16:57:41 2017 interactive service msg_channel=0
Tue Jul 25 16:57:41 2017 open_tun
Tue Jul 25 16:57:41 2017 TAP-WIN32 device [TAPadapter] opened: \\.\Global\{3675BBD5-E11B-407C-8AD5-1C51E5979A9D}.tap
Tue Jul 25 16:57:41 2017 TAP-Windows Driver Version 9.21
Tue Jul 25 16:57:41 2017 Sleeping for 10 seconds...
Tue Jul 25 16:57:51 2017 NOTE: FlushIpNetTable failed on interface [15] {3675BBD5-E11B-407C-8AD5-1C51E5979A9D} (status=1168) : Element not found.
Tue Jul 25 16:57:51 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET6

Tue Jul 25 16:57:51 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Jul 25 16:57:51 2017 setsockopt(IPV6_V6ONLY=0)
Tue Jul 25 16:57:51 2017 UDPv6 link local (bound): [AF_INET6][undef]:1194
Tue Jul 25 16:57:51 2017 UDPv6 link remote: [AF_UNSPEC]
Tue Jul 25 16:57:51 2017 MULTI: multi_init called, r=256 v=256
Tue Jul 25 16:57:51 2017 IFCONFIG POOL: base=192.168.2.241 size=9, ipv6=0
Tue Jul 25 16:57:51 2017 ifconfig_pool_read(), in='server,192.168.2.241', TODO: IPv6
Tue Jul 25 16:57:51 2017 succeeded -> ifconfig_pool_set()
Tue Jul 25 16:57:51 2017 IFCONFIG POOL LIST
Tue Jul 25 16:57:51 2017 server,192.168.2.241
Tue Jul 25 16:57:51 2017 Initialization Sequence Completed
Tue Jul 25 16:57:51 2017 MANAGEMENT: >STATE:1500994671,CONNECTED,SUCCESS,,,,::ffff:0:0,1194

and this is the client output log:
client log
Tue Jul 25 17:01:51 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Tue Jul 25 17:01:51 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jul 25 17:01:51 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Tue Jul 25 17:01:51 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jul 25 17:01:51 2017 Need hold release from management interface, waiting...
Tue Jul 25 17:01:51 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jul 25 17:01:51 2017 MANAGEMENT: CMD 'state on'
Tue Jul 25 17:01:51 2017 MANAGEMENT: CMD 'log all on'
Tue Jul 25 17:01:51 2017 MANAGEMENT: CMD 'echo all on'
Tue Jul 25 17:01:51 2017 MANAGEMENT: CMD 'hold off'
Tue Jul 25 17:01:52 2017 MANAGEMENT: CMD 'hold release'
Tue Jul 25 17:01:52 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 25 17:01:52 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 25 17:01:52 2017 MANAGEMENT: >STATE:1500994912,RESOLVE,,,,,,
Tue Jul 25 17:01:52 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]79.X.X.X:1194
Tue Jul 25 17:01:52 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 25 17:01:52 2017 UDP link local: (not bound)
Tue Jul 25 17:01:52 2017 UDP link remote: [AF_INET]79.X.X.X:1194
Tue Jul 25 17:01:52 2017 MANAGEMENT: >STATE:1500994912,WAIT,,,,,,
Tue Jul 25 17:01:52 2017 MANAGEMENT: >STATE:1500994912,AUTH,,,,,,
Tue Jul 25 17:01:52 2017 TLS: Initial packet from [AF_INET]79.X.X.X:1194, sid=4279e9ed 93a5e490
Tue Jul 25 17:01:52 2017 VERIFY OK: depth=1, C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=XX, name=XX, emailAddress=XX
Tue Jul 25 17:01:52 2017 VERIFY KU OK
Tue Jul 25 17:01:52 2017 Validating certificate extended key usage
Tue Jul 25 17:01:52 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 25 17:01:52 2017 VERIFY EKU OK
Tue Jul 25 17:01:52 2017 VERIFY OK: depth=0, C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=XX, name=XX, emailAddress=XX
Tue Jul 25 17:01:53 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Tue Jul 25 17:01:53 2017 [server] Peer Connection Initiated with [AF_INET]79.X.X.X:1194
Tue Jul 25 17:01:54 2017 MANAGEMENT: >STATE:1500994914,GET_CONFIG,,,,,,
Tue Jul 25 17:01:54 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Jul 25 17:01:54 2017 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route-gateway 192.168.2.240,ping 10,ping-restart 120,ifconfig 192.168.2.241 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Tue Jul 25 17:01:54 2017 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 25 17:01:54 2017 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 25 17:01:54 2017 OPTIONS IMPORT: route options modified
Tue Jul 25 17:01:54 2017 OPTIONS IMPORT: route-related options modified
Tue Jul 25 17:01:54 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 25 17:01:54 2017 OPTIONS IMPORT: peer-id set
Tue Jul 25 17:01:54 2017 OPTIONS IMPORT: adjusting link_mtu to 1657
Tue Jul 25 17:01:54 2017 OPTIONS IMPORT: data channel crypto options modified
Tue Jul 25 17:01:54 2017 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jul 25 17:01:54 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 25 17:01:54 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 25 17:01:54 2017 interactive service msg_channel=0
Tue Jul 25 17:01:54 2017 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 I=4 HWADDR=fc:f8:ae:97:32:f9
Tue Jul 25 17:01:54 2017 open_tun
Tue Jul 25 17:01:54 2017 TAP-WIN32 device [TAPadapter] opened: \\.\Global\{DDA274F3-0D5E-45FD-ACE4-50928A2A5CEB}.tap
Tue Jul 25 17:01:54 2017 TAP-Windows Driver Version 9.21
Tue Jul 25 17:01:54 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.2.241/255.255.255.0 on interface {DDA274F3-0D5E-45FD-ACE4-50928A2A5CEB} [DHCP-serv: 192.168.2.0, lease-time: 31536000]
Tue Jul 25 17:01:54 2017 Successful ARP Flush on interface [13] {DDA274F3-0D5E-45FD-ACE4-50928A2A5CEB}
Tue Jul 25 17:01:54 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 25 17:01:54 2017 MANAGEMENT: >STATE:1500994914,ASSIGN_IP,,192.168.2.241,,,,
Tue Jul 25 17:01:59 2017 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Jul 25 17:01:59 2017 C:\WINDOWS\system32\route.exe ADD 79.X.X.X MASK 255.255.255.255 192.168.43.1
Tue Jul 25 17:01:59 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=55 and dwForwardType=4
Tue Jul 25 17:01:59 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 25 17:01:59 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.2.240
Tue Jul 25 17:01:59 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Tue Jul 25 17:01:59 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 25 17:01:59 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.2.240
Tue Jul 25 17:01:59 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Tue Jul 25 17:01:59 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 25 17:01:59 2017 MANAGEMENT: >STATE:1500994919,ADD_ROUTES,,,,,,
Tue Jul 25 17:01:59 2017 C:\WINDOWS\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 192.168.2.240
Tue Jul 25 17:01:59 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Tue Jul 25 17:01:59 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 25 17:01:59 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jul 25 17:01:59 2017 Initialization Sequence Completed
Tue Jul 25 17:01:59 2017 MANAGEMENT: >STATE:1500994919,CONNECTED,SUCCESS,192.168.2.241,79.X.X.X,1194,,
This is a "route print" on the client side:
route print
C:\WINDOWS\system32>route print
===========================================================================
Interface List
11...e0 db 55 xx xx xx ......Realtek PCIe GBE Family Controller
15...fc f8 ae xx xx xx ......Microsoft Wi-Fi Direct Virtual Adapter
13...00 ff dd xx xx xx ......TAP-Windows Adapter V9
4...fc f8 ae xx xx xx ......Intel(R) Dual Band Wireless-N 7260
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.193 55
0.0.0.0 128.0.0.0 192.168.2.240 192.168.2.241 35
79.X.X.X 255.255.255.255 192.168.43.1 192.168.43.193 55
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 192.168.2.240 192.168.2.241 35
192.168.2.0 255.255.255.0 On-link 192.168.2.241 291
192.168.2.0 255.255.255.0 192.168.2.240 192.168.2.241 35
192.168.2.241 255.255.255.255 On-link 192.168.2.241 291
192.168.2.255 255.255.255.255 On-link 192.168.2.241 291
192.168.43.0 255.255.255.0 On-link 192.168.43.193 311
192.168.43.193 255.255.255.255 On-link 192.168.43.193 311
192.168.43.255 255.255.255.255 On-link 192.168.43.193 311
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.2.241 291
224.0.0.0 240.0.0.0 On-link 192.168.43.193 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.2.241 291
255.255.255.255 255.255.255.255 On-link 192.168.43.193 311
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
1 331 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
I don't want to use IPv6 at all, but I still see some references to IPv6 in some lines of the log, not sure if this is causing the issue or maybe it is the lines I highlight in red... can anyone please help? What am I doing wrong?

Thanks!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Server bridge VPN between Windows computers - route internet traffic

Post by TinCanTech » Wed Jul 26, 2017 11:02 am

diwit wrote:I don't want to use IPv6 at all, but I still see some references to IPv6 in some lines of the log, not sure if this is causing the issue
This is irrelevant, ignore it.
diwit wrote:I can ping 192.168.2.X from 192.168.43.X, but the internet traffic still goes out directly, not through the VPN (I go to http://www.whatismyp.com and it still shows the 95.X.X.X IP address instead of the 79.X.X.X, which is what I want).
According to your configs/logs that is not the case.

Please post ipconfig /all from your server and client (with the vpn connected)

diwit
OpenVpn Newbie
Posts: 5
Joined: Tue Jul 25, 2017 2:38 pm

Re: Server bridge VPN between Windows computers - route internet traffic

Post by diwit » Wed Jul 26, 2017 12:51 pm

TinCanTech wrote:
diwit wrote:I don't want to use IPv6 at all, but I still see some references to IPv6 in some lines of the log, not sure if this is causing the issue
This is irrelevant, ignore it.
diwit wrote:I can ping 192.168.2.X from 192.168.43.X, but the internet traffic still goes out directly, not through the VPN (I go to http://www.whatismyp.com and it still shows the 95.X.X.X IP address instead of the 79.X.X.X, which is what I want).
According to your configs/logs that is not the case.

Please post ipconfig /all from your server and client (with the vpn connected)
sure, here you go:
server
C:\Users\xxx>ipconfig /all

Configuración IP de Windows

Nombre de host. . . . . . . . . : xxx
Sufijo DNS principal . . . . . :
Tipo de nodo. . . . . . . . . . : híbrido
Enrutamiento IP habilitado. . . : no
Proxy WINS habilitado . . . . . : no
Lista de búsqueda de sufijos DNS: telefonica.net

Adaptador de Ethernet Puente de red:

Sufijo DNS específico para la conexión. . : telefonica.net
Descripción . . . . . . . . . . . . . . . : MAC Bridge Miniport
Dirección física. . . . . . . . . . . . . : 02-13-8F-xx-xx-xx
DHCP habilitado . . . . . . . . . . . . . : sí
Configuración automática habilitada . . . : sí
Vínculo: dirección IPv6 local. . . : fe80::fd9c:d06c:a1eb:d906%17(Preferido)
Dirección IPv4. . . . . . . . . . . . . . : 192.168.2.12(Preferido)
Máscara de subred . . . . . . . . . . . . : 255.255.255.0
Concesión obtenida. . . . . . . . . . . . : miércoles, 26 de julio de 2017 13:09:51
La concesión expira . . . . . . . . . . . : jueves, 27 de julio de 2017 1:10:26
Puerta de enlace predeterminada . . . . . : 192.168.2.1
Servidor DHCP . . . . . . . . . . . . . . : 192.168.2.1
Servidores DNS. . . . . . . . . . . . . . : 80.58.61.254
80.58.61.250
NetBIOS sobre TCP/IP. . . . . . . . . . . : habilitado

Adaptador de túnel Teredo Tunneling Pseudo-Interface:

Sufijo DNS específico para la conexión. . :
Descripción . . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Dirección física. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP habilitado . . . . . . . . . . . . . : no
Configuración automática habilitada . . . : sí
Dirección IPv6 . . . . . . . . . . : 2001:0:9d38:953c:18f0:3373:b063:6c60(Preferido)
Vínculo: dirección IPv6 local. . . : fe80::18f0:3373:b063:6c60%11(Preferido)
Puerta de enlace predeterminada . . . . . : ::
NetBIOS sobre TCP/IP. . . . . . . . . . . : deshabilitado

Adaptador de túnel isatap.telefonica.net:

Estado de los medios. . . . . . . . . . . : medios desconectados
Sufijo DNS específico para la conexión. . : telefonica.net
Descripción . . . . . . . . . . . . . . . : Adaptador ISATAP de Microsoft #3
Dirección física. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP habilitado . . . . . . . . . . . . . : no
Configuración automática habilitada . . . : sí
client
C:\WINDOWS\system32>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : yyy
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : telefonica.net
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : E0-DB-55-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : FC-F8-AE-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter TAPadapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-DD-A2-74-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.2.241(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 26 July 2017 13:34:50
Lease Expires . . . . . . . . . . : 26 July 2018 13:34:49
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.2.0
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-N 7260
Physical Address. . . . . . . . . : FC-F8-AE-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.43.193(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 26 July 2017 13:34:13
Lease Expires . . . . . . . . . . : 26 July 2017 14:34:13
Default Gateway . . . . . . . . . : 192.168.43.1
DHCP Server . . . . . . . . . . . : 192.168.43.1
DNS Servers . . . . . . . . . . . : 192.168.43.1
NetBIOS over Tcpip. . . . . . . . : Enabled

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Server bridge VPN between Windows computers - route internet traffic

Post by TinCanTech » Wed Jul 26, 2017 1:31 pm

diwit wrote:I create a network bridge between the system physical NIC and the TAPadapter. I manually assign IP 192.168.2.12 to the bridge (no other adapter or computer on the network uses IP .12, tried without manually assigning an IP, using the one it gets by default, and I get the same behaviour).
Do not do DHCP for a server .. And stick to one server ethernet IP (eg. .12)
diwit wrote:server-bridge 192.168.2.240 255.255.255.0 192.168.2.241 192.168.2.249
Why ?
diwit wrote:Dirección IPv4. . . . . . . . . . . . . . : 192.168.2.12(Preferido)
Máscara de subred . . . . . . . . . . . . : 255.255.255.0
Concesión obtenida. . . . . . . . . . . . : miércoles, 26 de julio de 2017 13:09:51
La concesión expira . . . . . . . . . . . : jueves, 27 de julio de 2017 1:10:26
Puerta de enlace predeterminada . . . . . : 192.168.2.1
See --server-bridge in The Manual v24x

diwit
OpenVpn Newbie
Posts: 5
Joined: Tue Jul 25, 2017 2:38 pm

Re: Server bridge VPN between Windows computers - route internet traffic

Post by diwit » Wed Jul 26, 2017 2:02 pm

TinCanTech wrote:
diwit wrote:I create a network bridge between the system physical NIC and the TAPadapter. I manually assign IP 192.168.2.12 to the bridge (no other adapter or computer on the network uses IP .12, tried without manually assigning an IP, using the one it gets by default, and I get the same behaviour).
Do not do DHCP for a server .. And stick to one server ethernet IP (eg. .12)
diwit wrote:server-bridge 192.168.2.240 255.255.255.0 192.168.2.241 192.168.2.249
Why ?
diwit wrote:Dirección IPv4. . . . . . . . . . . . . . : 192.168.2.12(Preferido)
Máscara de subred . . . . . . . . . . . . : 255.255.255.0
Concesión obtenida. . . . . . . . . . . . : miércoles, 26 de julio de 2017 13:09:51
La concesión expira . . . . . . . . . . . : jueves, 27 de julio de 2017 1:10:26
Puerta de enlace predeterminada . . . . . : 192.168.2.1
See --server-bridge in The Manual v24x
ok, I see that should be "server-bridge 192.168.2.12 255.255.255.0 192.168.2.241 192.168.2.249"... this is working now, I can ping internal 192.168.2.X ip addresses and I am also browsing from the 79.X.X.X public address, which is great, thanks!

But I have another problem: I want to use my own internet connection in a different country (79.X.X.X) to bypass geo-blocking restrictions on some websites, but even after browsing from that 79.X.X.X address, I still get the geo-blocking message on websites and it won't let me access the contents. Is there any config I can change in OpenVPN for it to act as a "transparent proxy" does? Or is this not what my problem is?

Thanks, regards!
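The fix above came down to the first argument of `server-bridge`. The following check is an added example, not code from the thread or from the OpenVPN project. It validates a `server-bridge` line against the server's bridge adapter address and reads the `route-gateway` that a client actually received. The function names are hypothetical, and it accepts either the bridge address (the fix used here) or the LAN router address as the gateway, since the manual allows both.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the server config posted in this thread.
SERVER_CONF = """\
dev tap
server-bridge 192.168.2.240 255.255.255.0 192.168.2.241 192.168.2.249
server-bridge
push "redirect-gateway def1 bypass-dhcp"
"""

# Shortened copy of the PUSH_REPLY line from the client log in this thread.
PUSH_REPLY = ("PUSH_REPLY,route 192.168.2.0 255.255.255.0,"
              "redirect-gateway def1 bypass-dhcp,route-gateway 192.168.2.240,"
              "ifconfig 192.168.2.241 255.255.255.0")


def parse_server_bridge(conf_text):
    """Return (gateway, network, pool_start, pool_end), or None if absent."""
    for line in conf_text.splitlines():
        parts = line.split()
        # Only the four-argument form carries addresses; a bare
        # "server-bridge" (DHCP-proxy mode) has nothing to check.
        if len(parts) == 5 and parts[0] == "server-bridge":
            gw, mask, start, end = parts[1:]
            net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
            return (ipaddress.ip_address(gw), net,
                    ipaddress.ip_address(start), ipaddress.ip_address(end))
    return None


def check_server_bridge(conf_text, bridge_ip, lan_gateway):
    """Return a list of problems; an empty list means the line is consistent."""
    parsed = parse_server_bridge(conf_text)
    if parsed is None:
        return ["no four-argument server-bridge directive found"]
    gw, net, start, end = parsed
    bridge = ipaddress.ip_address(bridge_ip)
    allowed = {bridge, ipaddress.ip_address(lan_gateway)}
    problems = []
    if gw not in allowed:
        problems.append(f"gateway {gw} is neither the bridge address "
                        f"{bridge} nor the LAN router {lan_gateway}")
    if bridge not in net:
        problems.append(f"bridge address {bridge} is outside {net}")
    if start not in net or end not in net or start > end:
        problems.append(f"client pool {start}-{end} is not a valid "
                        f"range inside {net}")
    elif any(start <= addr <= end for addr in allowed):
        problems.append(f"client pool {start}-{end} overlaps the bridge "
                        "or router address")
    return problems


def pushed_route_gateway(push_reply):
    """Extract the route-gateway the server pushed to the client."""
    m = re.search(r"(?:^|,)route-gateway (\d{1,3}(?:\.\d{1,3}){3})", push_reply)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Bridge and router addresses taken from the server's ipconfig output.
    for problem in check_server_bridge(SERVER_CONF, "192.168.2.12", "192.168.2.1"):
        print("server config:", problem)
    print("client was pushed route-gateway", pushed_route_gateway(PUSH_REPLY))
```

Run against the original config it reports the `192.168.2.240` gateway, which is the same address the client log shows as the pushed `route-gateway` and the next hop of both `redirect-gateway def1` routes.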

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Server bridge VPN between Windows computers - route internet traffic

Post by TinCanTech » Wed Jul 26, 2017 2:32 pm

You need a server outside of your country to connect to ..

diwit
OpenVpn Newbie
Posts: 5
Joined: Tue Jul 25, 2017 2:38 pm

Re: Server bridge VPN between Windows computers - route internet traffic

Post by diwit » Wed Jul 26, 2017 2:41 pm

TinCanTech wrote:You need a server outside of your country to connect to ..
Yes, network1 and network2 are in different countries. The content I want to access is allowed from the country where network1 is but not from the country where network2 is, so I am on network2 and VPNing to network1, so I should also be allowed to access those contents now that I am on VPN...

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Server bridge VPN between Windows computers - route internet traffic

Post by TinCanTech » Wed Jul 26, 2017 2:46 pm

Yeah .. providers of those geo-blocked services aren't as stupid as they once were.

If you have set up your VPN correctly and a website, like whatsmyip.com, shows your server IP address when browsing from your client then they have figured out what you are doing and block you anyway.

I can't help you with that.

diwit
OpenVpn Newbie
Posts: 5
Joined: Tue Jul 25, 2017 2:38 pm

Re: Server bridge VPN between Windows computers - route internet traffic

Post by diwit » Wed Jul 26, 2017 2:50 pm

TinCanTech wrote:Yeah .. providers of those geo-blocked services aren't as stupid as they once were.

If you have set up your VPN correctly and a website, like whatsmyip.com, shows your server IP address when browsing from your client then they have figured out what you are doing and block you anyway.

I can't help you with that.
ok, I think the DNS servers may have an impact here, will have to do some more testing. Thank you very much for all your help today!
