
Windows 7 as OpenVPN server with redirect-gateway

Posted: Sun Mar 20, 2011 7:46 am
by Bebop
Goal:
  • Tunnel Internet traffic through a Windows 7 PC, using OpenVPN server mode. Traffic can be tunneled from any OpenVPN client.
Scope:
  • This example assumes that you already know how to install OpenVPN and set up keys and/or certificates. For the scope of this example, information about key and certificate management will not be provided.
Overview:
  • We'll set up a server.ovpn, a client.ovpn, and some Windows 7 tweaks.
The Code

server.ovpn

port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0   #you may choose any subnet. 10.0.0.x is used for this example.

ca ca.crt                    #certs are optional. you may choose to go with keys or passwords instead.
cert server_win7.crt
key server_win7.key  
dh dh1024.pem

push "redirect-gateway def1"

push "dhcp-option DNS 8.8.8.8"      

#the following commands are optional
keepalive 10 120         
comp-lzo                   
persist-key                
persist-tun                
verb 3                      

#last updated May 29, 2011

Client.ovpn

client
dev tun
proto udp
remote ip.of.win7.server 1194   

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
ns-cert-type server

comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

route-method exe
route-delay 2

#last updated June 04, 2011

Windows 7 tweaks for forwarding VPN traffic

Start -> Right-click My Computer -> Manage
Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start

Next:

Control Panel
Network and Sharing Center
Local Area Connection
Properties
Sharing
Tick the box "Allow other network users to connect through this computer's Internet connection"
From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.

regedit

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)
Notes:
  • Further tweaking and streamlining may be possible.
  • Thank you to Krzee for the register-dns tweak

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Mon Mar 21, 2011 9:57 am
by maikcat
nice howto bebop

:D


Michael.

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Thu Mar 24, 2011 1:01 pm
by pwens
I have confirmed this config to be working as well (forwarding all TCP/IP traffic exclusively through virtual TAP adapter). Server is Windows 7, client is XP.

I should also note that page load speeds during web browsing are also much faster than expected. In fact, I barely notice any increased latency. I haven't run any formal speed tests or metrics, but as a casual observation I have no complaints.

Thanks bebop

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Sat Mar 26, 2011 9:52 am
by Bebop
pwens wrote:Thanks bebop
You're most welcome. And thank you for reporting your experience.

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Wed Apr 06, 2011 10:14 pm
by errdos
1) push "redirect-gateway def1"
with this method u redirect every outgoing connection through the openvpn ... is there a way to redirect only some of the connections? (for example according to ips/subnets?)

2) is there a way to choose the redirection according to the client and not the server (i mean the client should choose if to use the server for the connections or not in my opinion)

3) the dns solution seems kind of weird .. what if my server can't use the google dns? (which it can't) is there another way to solve that? (like using the openvpn server as dns so it will use its own or something like it )

4) u said it is unknown if the 3 tweaks are needed... is there anything new about that subject? it's kind of weird to tweak a machine for no reason (yet i will do it... just need it to work)

thanks for all the help!
er.

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Sun Apr 10, 2011 9:07 am
by Bebop
errdos wrote:1) push "redirect-gateway def1"
with this method u redirect every outgoing connection through the openvpn ... is there a way to redirect only some of the connections? (for example according to ips/subnets?)
errdos wrote:2) is there a way to choose the redirection according to the client and not the server (i mean the client should choose if to use the server for the connections or not in my opinion)
Yes on both accounts. Those two are best answered together. See this code (this code is for client.ovpn):

route-nopull
route remote_host 255.255.255.255 net_gateway
route 126.21.20.0 255.255.255.0 10.0.0.1

"route-nopull" tells the client to ignore any routes pushed from the server (so, it will ignore "redirect gateway").
"route remote_host 255.255.255.255 net_gateway" tells Windows that the route to the VPN server is via the default Internet connection.
"route 126.21.20.0 255.255.255.0 10.0.0.1" tells Windows that all connections to subnet 126.21.20.x should be routed through 10.0.0.1 (VPN server LAN IP)
errdos wrote:3) the dns solution seems kind of weird .. what if my server can't use the google dns? (which it can't) is there another way to solve that? (like using the openvpn server as dns so it will use its own or something like it )
Not sure yet, sorry though. If you or any of the experts does know the answer, please do share. I think it will be something very simple and obvious. After all, Windows 7 has built in DNS service, so it must be something to do with that. Potentially, you may need some 3rd party DNS serving tool.
errdos wrote:4) u said it is unknown if the 3 tweaks are needed... is there anything new about that subject? it's kind of weird to tweak a machine for no reason (yet i will do it... just need it to work)

thanks for all the help!
er.
The reason it's unknown (it's only unknown by me) is that I tried to set up the server with these 3 tweaks and it worked. What I didn't do, was go back and get it working without just 1 tweak at a time. It's essentially just a time/effort limitation on my behalf. If you can do that and report back it would be excellent. If not, I do intend to do that myself soon too -- thank you for the reminder.
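
Added example (not part of the thread and not OpenVPN's own code): a small model of the client routing table that compares the pushed "redirect-gateway def1" setup with the "route-nopull" split-tunnel variant above, so you can check which destinations actually travel inside the tunnel. NET_GW and REMOTE are assumed placeholder addresses, the default gateway for a bare "route" is assumed to be the VPN server address, and the def1 expansion (two /1 routes plus a host route to the server) follows the OpenVPN manual.

```python
import ipaddress

VPN_GW = "10.0.0.1"      # VPN server address from the post
NET_GW = "192.168.1.1"   # assumed: client's pre-VPN default gateway
REMOTE = "203.0.113.10"  # assumed placeholder for the server's public IP

# Constructed inputs: options the server pushes, and the two client variants.
SERVER_PUSH = ["redirect-gateway def1", "dhcp-option DNS 8.8.8.8"]
FULL_CLIENT = ["client", "dev tun"]
SPLIT_CLIENT = ["route-nopull",
                "route remote_host 255.255.255.255 net_gateway",
                "route 126.21.20.0 255.255.255.0 10.0.0.1"]

def build_table(client_lines, pushed_lines):
    """Return [(network, gateway)] as the client would install them."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), NET_GW)]  # existing default
    nopull = any(l.split() == ["route-nopull"] for l in client_lines)
    # route-nopull: pushed routes (including redirect-gateway) are ignored
    for line in list(client_lines) + ([] if nopull else list(pushed_lines)):
        tok = line.split("#")[0].split()
        if tok[:2] == ["redirect-gateway", "def1"]:
            # def1 leaves 0.0.0.0/0 in place and overrides it with two /1
            # routes; a host route keeps the tunnel's own packets outside.
            table += [(ipaddress.ip_network("0.0.0.0/1"), VPN_GW),
                      (ipaddress.ip_network("128.0.0.0/1"), VPN_GW),
                      (ipaddress.ip_network(REMOTE + "/32"), NET_GW)]
        elif tok[:1] == ["route"] and len(tok) >= 2:
            dest = REMOTE if tok[1] == "remote_host" else tok[1]
            mask = tok[2] if len(tok) > 2 else "255.255.255.255"
            gw = tok[3] if len(tok) > 3 else VPN_GW
            gw = NET_GW if gw == "net_gateway" else gw
            table.append((ipaddress.ip_network(f"{dest}/{mask}"), gw))
    return table

def next_hop(table, dst):
    """Longest-prefix match, the rule the OS routing table applies."""
    ip = ipaddress.ip_address(dst)
    _, gw = max((r for r in table if ip in r[0]), key=lambda r: r[0].prefixlen)
    return gw

if __name__ == "__main__":
    for name, client in (("full", FULL_CLIENT), ("split", SPLIT_CLIENT)):
        table = build_table(client, SERVER_PUSH)
        for dst in ("126.21.20.77", "8.8.8.8", REMOTE):
            print(f"{name:5} {dst:15} -> {next_hop(table, dst)}")
```

In the split variant only 126.21.20.x resolves to the VPN gateway; every other destination, including the pushed DNS server, leaves through the local gateway outside the tunnel.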

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Mon Apr 11, 2011 9:21 pm
by peterlinuxgeek
I got this working except for rdesktop from client (win 7) to server (win 7)

rdesktop into win7 server from a Linux box sitting in the same network works fine.

see my question : topic7925.html

Thanks for the tips.

Peter

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Thu May 12, 2011 8:58 am
by krzee

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Thu May 26, 2011 12:12 pm
by Bebop
krzee wrote:the dns issue:
http://permalink.gmane.org/gmane.networ ... user/31978

nice guides bebop!
Thanks for the compliment :] and thank you for the (seemingly simple looking, yet ever elusive and much needed) info.

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Tue Jun 21, 2011 6:09 pm
by zothen
From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.
Huh? I see no dropdown list, only two check boxes for "Allow other network users to connect..." and "Allow other network users to control..."

Currently I am unable to ping internet IP addresses from the client when using the above scripts but I'm able to ping the local ones so I would guess that this is my problem.

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Wed Jul 13, 2011 4:40 am
by Bebop
zothen wrote: I see no dropdown list, only two check boxes for "Allow other network users to connect..." and "Allow other network users to control..."
Not a problem if the dropdown box is missing. It just means you only have 1 possible connection to share.

If no ping, your problem is something else.

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Wed Jul 20, 2011 11:19 pm
by TopKnot
Looks like a great howto - my only question (which may arise from my inexperience) is, why is the push "dhcp-option DNS on the server set to 8.8.8.8? is that meant to be something on the local network, or is that the IP I should use no matter what?

thanks!

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Fri Jul 22, 2011 12:29 am
by Bebop
TopKnot wrote:why is the push "dhcp-option DNS on the server set to 8.8.8.8? is that meant to be something on the local network, or is that the IP I should use no matter what?
Hi TopKnot. 8.8.8.8 is an IP for Google DNS (free public DNS server). So, with this option all of your clients will be using Google DNS to resolve domain names as they browse the web through your VPN.

You can change it to any DNS server IP you desire, or you can leave it as is.

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Sat Oct 22, 2011 1:54 pm
by aaaa2209
Hello Bebop,
Thanks for the posts. It saves me a lot of time. I use Windows 2003 as server. And the config I need is quite similar to Windows 7. At first the client can connect and ping to the server. It can even open the share folders in the server. But the traffic like http 80 and smtp 25 is still passing through my own gateway instead of the server. I found this post and fixed the problem. However, there is a slight difference here and I want to share.
I followed the same config files for server and client without changes. And then there are three steps to configure Windows: 1, Routing and Remote Access; 2, Internet connection sharing; 3, change regedit file.
I cannot make 1 and 2 work at the same time. The system told me one is currently running and it has to be disabled while trying to enable another one. I found when I use 2 and 3 it works perfectly. 1 and 3 don't work for me.

---
Also I have a few questions to ask. My goal is trying to use some computers in the other network like in LAN environment. Those computers' IPs are 192.168.1.157 and 177.0.0.0/8. My LAN IP range is 192.168.1.0/24. I just want to route the above traffic to the server and all other traffic goes to my own network. I don't want to use VPN when I watch video online. I think the 3 codes you mention might be for me. My codes are like this:

route-nopull
route 192.168.1.157 255.255.255.255 10.8.0.6
route 177.0.0.0 255.0.0.0 10.8.0.6

10.8.0.6 is my VPN interface IP address. When I use the code above I cannot get through the computers I want. I don't use route remote_host 255.255.255.255 net_gateway because I don't quite understand it even you explain. But I did try and it didn't work. You said the code tells windows about the route to the VPN, but I think the windows already knew that before we add this code. The VPN works because the windows knows it.

What should I do to achieve this goal? I think the goal is simple and basic. Can you please simply explain or give me some hints like key words to search in google?



Thanks again.

William

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Tue Nov 22, 2011 10:39 pm
by Fhilps
Hi aaaa2209.

I have exactly the same problem you do.
I'm desperate to find how to solve this problem.

I need this for my graduating project at college.

If you find the solution send me a message, ok ?
I'll do the same.

Thanks

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Thu Nov 24, 2011 12:54 am
by Bebop
aaaa2209 wrote: I cannot make 1 and 2 work at the same time. The system told me one is currently running and it has to be disabled while trying to enable another one. I found when I use 2 and 3 it works perfectly. 1 and 3 don't work for me.
Thanks. I was looking for feedback on this part. I got a chance to go back to my setup soon and test it with just 2 and 3.. then it might be a universal solution for 2003 / Vista / 7.

I'm thinking of a solution for your dilemma. I've not used 'iroute' with Windows server before but it's designed to work in a situation like yours I think. So that would involve removing 'push redirect-gateway' from server and removing 'route-nopull' from client, and then add to server config 'iroute 177.0.0.0 255.0.0.0' (and create the appropriate 'ccd' file). To fully get it you would need to have a quick read of the iroute commands in the man page.

Where is the "192.168.1.157" computer? (not on your LAN?).

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Sat Jan 07, 2012 9:31 pm
by m4f1050
Hi, thanks for the tips. I found Windows XP and Windows 7 examples but no Linux example.

I searched and found this:

http://www.howtoforge.com/internet-connection-sharing-masquerading-on-linux
Is there a better way of doing this? Or can you post the example for Linux?

Thanks!

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Tue Jan 24, 2012 3:50 am
by sprintf
Bebop wrote: Windows 7 tweaks for forwarding VPN traffic

Start -> Right-click My Computer -> Manage
Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start

...

regedit

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)
Notes:
  • Further tweaking and streamlining may be possible.
  • Thank you to Krzee for the register-dns tweak
FYI, I just set up a fresh Windows 7 box with OpenVPN server and found that these two steps (enable Routing and Remote Access, and set IPEnableRouter=1) were not necessary. In other words, I set up my box without doing those two steps and OpenVPN server still worked fine.

Thanks.

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Tue Jan 24, 2012 10:23 pm
by Lisa_York77
Thank you so much. This works for me too! Keep posting such they are very helpful.

Re: Windows 7 as OpenVPN server with redirect-gateway

Posted: Sun Apr 22, 2012 8:35 pm
by majod
Hello,

thank you very much for this tutorial, I have successfully set up Internet sharing with my Windows 7 PC to another PC on local network. Unfortunately I have some trouble and I need some help with that.

The problem is that my Internet connection randomly fails for few seconds to few minutes period with the client connected to VPN (I have only one client set up). I didn't change anything in config files (except IP addresses and DNS). When the client is not connected, even with server running everything works perfectly. With the client connected, random connection problems occur for me and for the client as well. Any hint?

Thanks.