OpenVPN Configuration Problems - Routing

Official client software for OpenVPN Access Server and OpenVPN Cloud.
mpovah
OpenVpn Newbie
Posts: 9
Joined: Tue Feb 14, 2017 4:35 am

OpenVPN Configuration Problems - Routing

Post by mpovah » Tue Feb 14, 2017 4:45 am

Hello all,

After an entire 16 hour day playing with this, with very little progress, I have finally resorted to writing this on the forums in the hope that someone can give me a pointer.

I have installed and configured OpenVPN as a server, on a Windows 7 platform, with the goal of being able to connect via iOS devices, Android devices, and Windows devices, through my DynDNS router configuration, and remote control my home servers from outside locations.

My VPN will connect fine from my iPhone, every time - but what I don't understand is, if the device is then completely unable to do anything at all on the network, what is the use of the VPN? I have no access to the internal LAN. I don't even have access to the VPN server machine - it will ping the MyTap IP address, but otherwise nothing.

After fiddling with it all day, adjusting routing tables, modifying and remodifying the ovpn configuration scripts, reading every forum post and article I could find - nothing. Connects perfectly, every time. However, no ping to any internal IP addresses; no remote control capability of the servers. Zero, zilch, nada.

I have done the Regedit modification. I have added static routes in the Windows routing table, and made them persistent. I have added static routes on the gateway firewall device. I have configured and reconfigured the ovpn files. Nothing seems to work.

I am an IT pro; I have 20 years experience in the industry - my thoughts on this at this stage are, if I am unable to make this work in 16 hours, how the heck would any neophyte ever, ever be able to use this? And if that's the case, how is this thing useful to anyone? Maybe I have missed something? I realize I sound frustrated; I am frustrated.

Here are my config files and route table from the VPN server machine. Any assistance kindly appreciated.

C:\Windows\system32>route print
===========================================================================
Interface List
15...00 ff a6 a2 6b 35 ......TAP-Windows Adapter V9
10...00 1a 92 d6 d6 c3 ......NVIDIA nForce Networking Controller
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.23.66.1 10.23.66.99 11
10.23.66.0 255.255.255.0 On-link 10.23.66.99 266
10.23.66.99 255.255.255.255 On-link 10.23.66.99 266
10.23.66.255 255.255.255.255 On-link 10.23.66.99 266
10.23.67.0 255.255.255.0 10.23.66.1 10.23.66.99 11
10.23.67.0 255.255.255.0 10.23.67.2 10.23.67.1 20
10.23.67.0 255.255.255.252 On-link 10.23.67.1 276
10.23.67.1 255.255.255.255 On-link 10.23.67.1 276
10.23.67.3 255.255.255.255 On-link 10.23.67.1 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.23.66.99 266
224.0.0.0 240.0.0.0 On-link 10.23.67.1 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.23.66.99 266
255.255.255.255 255.255.255.255 On-link 10.23.67.1 276
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
10.23.67.0 255.255.255.0 10.23.66.1 1
0.0.0.0 0.0.0.0 10.23.66.1 1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
10 266 fe80::/64 On-link
10 266 fe80::4dd1:dfc4:cfae:695e/128 On-link
1 306 ff00::/8 On-link
10 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

port 1194 #change to any port you see fit. The client needs to use the same port
proto udp #switch to tcp if you wish to use a tcp connection, the client needs to use the same protocol. udp gives better performance
dev tun
dev-node MyTap #name of your TAP interface.

;server-bridge 10.23.66.99 255.255.255.252 10.23.66.100 10.23.66.102
;server-bridge

server 10.23.67.0 255.255.255.0 #This may need modification as dictated by Internet Connection Settings. This is the default for ICS on Windows 7.
topology subnet
push "route 10.23.66.0 255.255.255.0"
route 10.23.67.0 255.255.255.0 10.23.66.1

client-to-client

ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
ifconfig-pool-persist ipp.txt

;push "redirect-gateway def1" #tells all Internet traffic to go through the tunnel
;push "dhcp-option DNS 10.23.66.1" #OpenDNS servers, makes it easy to check if the tunnel is working properly
;push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo #compression for better network performance. Disable if your server isn't powerful enough. Needs to be included in both server and client configs if you use it.
persist-key
persist-tun
status openvpn-status.log
verb 3

client
dev tun
dev-node MyTap #Name of your TAP network interface
proto udp #switch to tcp if you wish to use a tcp connection, needs to match server. udp gives better performance
remote povah.dyndns-home.com 1194 #change port as you see fit, needs to match server

resolv-retry infinite
nobind
persist-key
persist-tun

iroute 10.23.66.0 255.255.255.0

ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server

comp-lzo #compression for better performance. Disable if your server isn't powerful enough. Needs to be included in both server and client configs if you use it.
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

;register-dns #uncomment this if you run into dns issues
route-method exe
route-delay 2

mpovah
OpenVpn Newbie
Posts: 9
Joined: Tue Feb 14, 2017 4:35 am

Re: OpenVPN Configuration Problems - Routing

Post by mpovah » Tue Feb 14, 2017 4:55 am

Realized I didn't fully describe the network configs.

Internal LAN IP addresses are 10.23.66.0/24
VPN IP address pool is 10.23.67.0/24
Static routes have all been set to point all traffic on 10.23.67.0 over to 10.23.66.1, which is the gateway.

Granted all this routing table stuff has never been my forte. Am I doing this backwards or something? After trying everything one way, then the reverse way, then trying everything and anything I could think of with no progress, I am asking for help.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Configuration Problems - Routing

Post by TinCanTech » Tue Feb 14, 2017 1:29 pm

Have you bothered to read the HOWTO ?
mpovah wrote: I am an IT pro; I have 20 years experience
We have kids come on here and after reading the HOWTO once they never need to ask again ...

HOWTO: For OpenVPN Community Edition

mpovah
OpenVpn Newbie
Posts: 9
Joined: Tue Feb 14, 2017 4:35 am

Re: OpenVPN Configuration Problems - Routing

Post by mpovah » Tue Feb 14, 2017 3:50 pm

I read the HOWTO. Where in the HOWTO does it talk about routing?

I read everything I could find. Today, I made some progress, found another site with the idea to do the following:

route add <internal LAN subnet> mask 255.255.255.0 gw <LAN IP address of the VPN server system>

So in my network, it looks like this:

route add 10.23.66.0 mask 255.255.255.0 gw 10.23.66.99

This allows me to ping 10.23.66.99, and as well the VPN subnet GW which is 10.23.67.1.

However I still have no local LAN access and cannot run any services for remote control access either - can't even do any interactions with the 10.23.66.99 address besides ping.

mpovah
OpenVpn Newbie
Posts: 9
Joined: Tue Feb 14, 2017 4:35 am

Re: OpenVPN Configuration Problems - Routing

Post by mpovah » Tue Feb 14, 2017 4:21 pm

Tried disabling RRAS on the Windows 7 VPN server platform to see if that would help - this removed the ability to even ping 10.23.66.99. Now keep in mind I am connecting from an iPhone - Apple is the real reason for all of this, as their lovely new software update has killed the old VPN client capability of the mobile device.

On my iPhone I have a ping app and VNC app. Ping I am using to troubleshoot, VNC would be the application I require in order to remote control servers at home from remote locations.

So on the gateway router, I have the static route set up:

10.23.67.0 255.255.255.0 to gateway 10.23.66.99

I had also tried 10.23.67.0 255.255.255.0, point to gateway 10.23.66.1 - neither seems to work properly.

Only since adding the "add route" command, which is not even mentioned in the HOWTO under "Expanding the scope of the VPN to include additional machines on either the client or server subnet" have I been able to ping even the VPN server from the iPhone when connected.

Under the HOWTO, it says "Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine." If you click the links to read up and verify these steps, it takes you to a whole raft of additional information; some of it is seemingly contradictory. What I read about promiscuous mode seems to only apply to TAP, not TUN - and only in cases where you bridge the two adapters together on the Windows 7 platform, which I have already tried, however later I read that TAP configs will not work on iOS. So out that went.

Under "How do I enable IP forwarding?" it provides examples for Linux, OSX, Win XP, and Windows 2000, but nothing addressing Win 7. The link to the KB article listed there as well does not work.

After reading the HOWTO and feeling a bit bogged down, I actually started with this article:

http://blog.defron.org/2013/01/openvpn-server-on-windows.html

Which seemed a bit more step by step and straightforward, although the writer of that article as well does not address routing issues and seems preoccupied with getting Windows ICS working over the VPN (which I am not concerned about at all.) I just need LAN access after the VPN connects.

This issue, despite the unhelpful comments which are my only reply so far above, seems to be quite common and there do not seem to be any straightforward examples or HOWTOs that address it reasonably. I have read HOWTOs basically for every other situation but this one.

mpovah
OpenVpn Newbie
Posts: 9
Joined: Tue Feb 14, 2017 4:35 am

Re: OpenVPN Configuration Problems - Routing

Post by mpovah » Tue Feb 14, 2017 4:32 pm

This article seems helpful: but I have followed and verified each and every one of these steps;

https://community.openvpn.net/openvpn/w ... ote-subnet

I have disabled the Windows firewall on the device entirely.

I have done the REGEDIT modification and enabled the RRAS service, so IP forwarding should be enabled.

I have added the static routes on the gateway router device.

I have broadcasted the route in the server config file, this was ineffective until I used the route add script in addition to this.

This I haven't tried: I assume this refers to the "NAT hack" I have read about previously: "NATing all VPN traffic to the local address of the OpenVPN machine for network traffic which leaves the OpenVPN machine for the local net." The reference is interesting sounding but somewhat obscure.

Still all but ready to throw my hands up on all this.

mpovah
OpenVpn Newbie
Posts: 9
Joined: Tue Feb 14, 2017 4:35 am

Re: OpenVPN Configuration Problems - Routing

Post by mpovah » Tue Feb 14, 2017 4:39 pm

Tried commenting out "topology subnet" in case that was affecting it somehow. This also removed ability to even ping the VPN server's LAN address. Grasping at straws at this point.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Configuration Problems - Routing

Post by TinCanTech » Tue Feb 14, 2017 4:42 pm

Randomly changing things you don't fully understand is not a diagnostic approach that will work.

mpovah
OpenVpn Newbie
Posts: 9
Joined: Tue Feb 14, 2017 4:35 am

Re: OpenVPN Configuration Problems - Routing

Post by mpovah » Tue Feb 14, 2017 5:28 pm

TinCanTech: thanks so much for all your help. Very constructive.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Configuration Problems - Routing

Post by TinCanTech » Tue Feb 14, 2017 5:54 pm

Please post your log files @ verb 4 .. then we can see what openvpn is doing.

This may help:
HOWTO: Request Help !

mpovah
OpenVpn Newbie
Posts: 9
Joined: Tue Feb 14, 2017 4:35 am

Re: OpenVPN Configuration Problems - Routing

Post by mpovah » Tue Feb 14, 2017 8:04 pm

Thanks for sending the HOWTO on how to request help. At 1 AM last night I think I was less coherent, more aggravated.

The server is Windows 7 x64 SP1. Server OpenVPN Software is: 2.4.0-I602, latest download, with GUI version 11.4.0.0

iOS client device is running iOS version 9.3.4; with OpenVPN Connect 1.1.1 build 212.

Server Config:

port 1194 #change to any port you see fit. The client needs to use the same port
proto udp #switch to tcp if you wish to use a tcp connection, the client needs to use the same protocol. udp gives better performance
dev tun
dev-node MyTap #name of your TAP interface.

server 10.23.67.0 255.255.255.0 #This may need modification as dictated by Internet Connection Settings.
topology subnet

;route add 10.23.66.0 MASK 255.255.255.0 gw 10.23.66.99
;client-to-client

ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
ifconfig-pool-persist ipp.txt

push "route 10.23.66.0 255.255.255.0"
push "redirect-gateway def1" #tells all Internet traffic to go through the tunnel
;push "dhcp-option DNS 10.23.66.1" #OpenDNS servers, makes it easy to check if the tunnel is working properly
;push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo #compression for better network performance. Disable if your server isn't powerful enough. Needs to be included in both server and client configs if you use it.
persist-key
persist-tun
status openvpn-status.log
verb 3

Server Log:

Tue Feb 14 15:49:28 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
Tue Feb 14 15:49:28 2017 Windows version 6.1 (Windows 7) 64bit
Tue Feb 14 15:49:28 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Tue Feb 14 15:49:28 2017 Diffie-Hellman initialized with 1024 bit key
Tue Feb 14 15:49:28 2017 interactive service msg_channel=0
Tue Feb 14 15:49:28 2017 open_tun
Tue Feb 14 15:49:28 2017 TAP-WIN32 device [MyTap] opened: \\.\Global\{A6A26B35-95B6-4C57-942D-DF765DC24668}.tap
Tue Feb 14 15:49:28 2017 TAP-Windows Driver Version 9.21
Tue Feb 14 15:49:28 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.23.67.0/10.23.67.1/255.255.255.0 [SUCCEEDED]
Tue Feb 14 15:49:28 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.23.67.1/255.255.255.0 on interface {A6A26B35-95B6-4C57-942D-DF765DC24668} [DHCP-serv: 10.23.67.254, lease-time: 31536000]
Tue Feb 14 15:49:28 2017 Sleeping for 10 seconds...
Tue Feb 14 15:49:38 2017 Successful ARP Flush on interface [15] {A6A26B35-95B6-4C57-942D-DF765DC24668}
Tue Feb 14 15:49:38 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Feb 14 15:49:38 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Tue Feb 14 15:49:38 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Feb 14 15:49:38 2017 setsockopt(IPV6_V6ONLY=0)
Tue Feb 14 15:49:38 2017 UDPv6 link local (bound): [AF_INET6][undef]:1194
Tue Feb 14 15:49:38 2017 UDPv6 link remote: [AF_UNSPEC]
Tue Feb 14 15:49:38 2017 MULTI: multi_init called, r=256 v=256
Tue Feb 14 15:49:38 2017 IFCONFIG POOL: base=10.23.67.2 size=252, ipv6=0
Tue Feb 14 15:49:38 2017 ifconfig_pool_read(), in='client1,10.23.67.4', TODO: IPv6
Tue Feb 14 15:49:38 2017 succeeded -> ifconfig_pool_set()
Tue Feb 14 15:49:38 2017 IFCONFIG POOL LIST
Tue Feb 14 15:49:38 2017 client1,10.23.67.4
Tue Feb 14 15:49:38 2017 Initialization Sequence Completed
Tue Feb 14 15:51:04 2017 142.177.130.153 TLS: Initial packet from [AF_INET6]::ffff:142.177.130.153:14168, sid=83fb867e 2c07007e
Tue Feb 14 15:51:04 2017 142.177.130.153 VERIFY OK: depth=1, C=CA, ST=NS, L=Windsor, O=OpenVPN, OU=VPN***ome, CN=server, name=m***, emailAddress=************************
Tue Feb 14 15:51:04 2017 142.177.130.153 VERIFY OK: depth=0, C=CA, ST=NS, L=Windsor, O=OpenVPN, OU=VPN***ome, CN=client1, name=m***, emailAddress=************************
Tue Feb 14 15:51:04 2017 142.177.130.153 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
Tue Feb 14 15:51:04 2017 142.177.130.153 peer info: IV_VER=3.1.2
Tue Feb 14 15:51:04 2017 142.177.130.153 peer info: IV_PLAT=ios
Tue Feb 14 15:51:04 2017 142.177.130.153 peer info: IV_NCP=2
Tue Feb 14 15:51:04 2017 142.177.130.153 peer info: IV_TCPNL=1
Tue Feb 14 15:51:04 2017 142.177.130.153 peer info: IV_PROTO=2
Tue Feb 14 15:51:04 2017 142.177.130.153 peer info: IV_LZO=1
Tue Feb 14 15:51:04 2017 142.177.130.153 peer info: IV_AUTO_SESS=1
Tue Feb 14 15:51:04 2017 142.177.130.153 peer info: IV_BS64DL=1
Tue Feb 14 15:51:04 2017 142.177.130.153 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Tue Feb 14 15:51:04 2017 142.177.130.153 [client1] Peer Connection Initiated with [AF_INET6]::ffff:142.177.130.153:14168
Tue Feb 14 15:51:04 2017 client1/142.177.130.153 MULTI_sva: pool returned IPv4=10.23.67.4, IPv6=(Not enabled)
Tue Feb 14 15:51:04 2017 client1/142.177.130.153 MULTI: Learn: 10.23.67.4 -> client1/142.177.130.153
Tue Feb 14 15:51:04 2017 client1/142.177.130.153 MULTI: primary virtual IP for client1/142.177.130.153: 10.23.67.4
Tue Feb 14 15:51:04 2017 client1/142.177.130.153 PUSH: Received control message: 'PUSH_REQUEST'
Tue Feb 14 15:51:04 2017 client1/142.177.130.153 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.23.66.0 255.255.255.0,redirect-gateway def1,route-gateway 10.23.67.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.23.67.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Feb 14 15:51:04 2017 client1/142.177.130.153 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb 14 15:51:04 2017 client1/142.177.130.153 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

Client Config:

client
dev tun
dev-node MyTap #Name of your TAP network interface
proto udp #switch to tcp if you wish to use a tcp connection, needs to match server. udp gives better performance
remote ***.dyndns-home.com 1194 #change port as you see fit, needs to match server

resolv-retry infinite
nobind
persist-key
persist-tun

;iroute 10.23.66.0 255.255.255.0

ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server

comp-lzo #compression for better performance. Disable if your server isn't powerful enough. Needs to be included in both server and client configs if you use it.
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

;register-dns #uncomment this if you run into dns issues
route-method exe
route-delay 2

Client Log: (This had to be reduced, the iOS client sent 20 pages of logs from all the trying and retrying I have been doing.)

--
OpenVPN core 3.1.2 ios arm64 64-bit built on Dec 5 2016 12:50:25
2017-02-14 00:18:43 Frame=512/2048/512 mssfix-ctrl=1250
2017-02-14 00:18:43 UNUSED OPTIONS
2 [dev-node] [MyTap]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
14 [verb] [3]
15 [explicit-exit-notify] [2]
18 [route-method] [exe]
19 [route-delay] [2]

2017-02-14 00:18:43 EVENT: RESOLVE
2017-02-14 00:18:44 Contacting x.x.x.x:1194 via UDP
2017-02-14 00:18:44 EVENT: WAIT
2017-02-14 00:18:44 SetTunnelSocket returned 1
2017-02-14 00:18:44 Connecting to [***.dyndns-home.com]:1194 (x.x.x.x) via UDPv4
2017-02-14 00:18:46 EVENT: CONNECTING
2017-02-14 00:18:46 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2017-02-14 00:18:46 Creds: UsernameEmpty/PasswordEmpty
2017-02-14 00:18:46 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.1.1-212
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1
IV_BS64DL=1

2017-02-14 00:18:47 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=CA, ST=NS, L=Windsor, O=OpenVPN, OU=VPN***ome, CN=server, ??=m***, emailAddress=*******************
subject name : C=CA, ST=NS, L=Windsor, O=OpenVPN, OU=VPN***ome, CN=server, ??=m***, emailAddress=******************
issued on : 2017-02-13 16:21:13
expires on : 2027-02-11 16:21:13
signed using : RSA with MD5
RSA key size : 1024 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication

2017-02-14 00:18:47 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2017-02-14 00:18:47 Session is ACTIVE
2017-02-14 00:18:47 EVENT: GET_CONFIG
2017-02-14 00:18:47 Sending PUSH_REQUEST to server...
2017-02-14 00:18:47 OPTIONS:
0 [route] [10.23.66.0] [255.255.255.0]
1 [route-gateway] [10.23.66.1]
2 [topology] [subnet]
3 [ping] [10]
4 [ping-restart] [120]
5 [ifconfig] [10.23.66.2] [255.255.255.0]
6 [peer-id] [0]
7 [cipher] [AES-256-GCM]

2017-02-14 00:18:47 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: LZO
peer ID: 0
2017-02-14 00:18:47 EVENT: ASSIGN_IP
2017-02-14 00:18:47 Connected via tun
2017-02-14 00:18:47 LZO-ASYM init swap=0 asym=0
2017-02-14 00:18:47 EVENT: CONNECTED @***.dyndns-home.com:1194 (x.x.x.x) via /UDPv4 on tun/10.23.66.2/ gw=[10.23.66.1/]
2017-02-14 00:18:47 SetStatus Connected
2017-02-14 00:20:25 TUN reset routes
2017-02-14 00:20:25 EVENT: DISCONNECTED
2017-02-14 00:20:26 Raw stats on disconnect:
BYTES_IN : 3940
BYTES_OUT : 3655
PACKETS_IN : 23
PACKETS_OUT : 37
TUN_BYTES_IN : 768
TUN_BYTES_OUT : 288
TUN_PACKETS_IN : 16
TUN_PACKETS_OUT : 6
2017-02-14 00:20:26 Performance stats on disconnect:
CPU usage (microseconds): 102210
Tunnel compression ratio (uplink): 4.75911
Tunnel compression ratio (downlink): 13.6806
Network bytes per CPU second: 74307
Tunnel bytes per CPU second: 10331
2017-02-14 00:20:26 ----- OpenVPN Stop -----
2017-02-14 00:20:27 ----- OpenVPN Start -----
OpenVPN core 3.1.2 ios arm64 64-bit built on Dec 5 2016 12:50:25
2017-02-14 00:20:27 Frame=512/2048/512 mssfix-ctrl=1250
2017-02-14 00:20:27 UNUSED OPTIONS
2 [dev-node] [MyTap]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
14 [verb] [3]
15 [explicit-exit-notify] [2]
18 [route-method] [exe]
19 [route-delay] [2]

2017-02-14 00:20:27 EVENT: RESOLVE
2017-02-14 00:20:28 Contacting x.x.x.x:1194 via UDP
2017-02-14 00:20:28 EVENT: WAIT
2017-02-14 00:20:28 SetTunnelSocket returned 1
2017-02-14 00:20:28 Connecting to [***.dyndns-home.com]:1194 (x.x.x.x) via UDPv4
2017-02-14 00:20:28 EVENT: CONNECTING
2017-02-14 00:20:28 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2017-02-14 00:20:28 Creds: UsernameEmpty/PasswordEmpty
2017-02-14 00:20:28 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.1.1-212
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1
IV_BS64DL=1

2017-02-14 00:20:28 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=CA, ST=NS, L=Windsor, O=OpenVPN, OU=VPN***ome, CN=server, ??=m***, emailAddress=*****************
subject name : C=CA, ST=NS, L=Windsor, O=OpenVPN, OU=VPN***ome, CN=server, ??=m***, emailAddress=*****************
issued on : 2017-02-13 16:21:13
expires on : 2027-02-11 16:21:13
signed using : RSA with MD5
RSA key size : 1024 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication

2017-02-14 00:20:28 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2017-02-14 00:20:28 Session is ACTIVE
2017-02-14 00:20:28 EVENT: GET_CONFIG
2017-02-14 00:20:28 Sending PUSH_REQUEST to server...
2017-02-14 00:20:28 OPTIONS:
0 [route] [10.23.66.0] [255.255.255.0]
1 [route] [10.23.66.0] [255.255.255.0]
2 [topology] [net30]
3 [ping] [10]
4 [ping-restart] [120]
5 [ifconfig] [10.23.66.6] [10.23.66.5]
6 [peer-id] [0]
7 [cipher] [AES-256-GCM]

2017-02-14 00:20:28 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: LZO
peer ID: 0
2017-02-14 00:20:28 EVENT: ASSIGN_IP
2017-02-14 00:20:28 Connected via tun
2017-02-14 00:20:28 LZO-ASYM init swap=0 asym=0
2017-02-14 00:20:28 EVENT: CONNECTED @***.dyndns-home.com:1194 (x.x.x.x) via /UDPv4 on tun/10.23.66.6/ gw=[10.23.66.5/]
2017-02-14 00:20:28 SetStatus Connected
2017-02-14 00:23:58 TUN reset routes
2017-02-14 00:23:58 EVENT: DISCONNECTED
2017-02-14 00:23:58 Raw stats on disconnect:
BYTES_IN : 4454
BYTES_OUT : 5578
PACKETS_IN : 35
PACKETS_OUT : 63
TUN_BYTES_IN : 1984
TUN_BYTES_OUT : 384
TUN_PACKETS_IN : 38
TUN_PACKETS_OUT : 8
2017-02-14 00:23:58 Performance stats on disconnect:
CPU usage (microseconds): 113897
Tunnel compression ratio (uplink): 2.81149
Tunnel compression ratio (downlink): 11.599
Network bytes per CPU second: 88079
Tunnel bytes per CPU second: 20790
2017-02-14 00:23:58 ----- OpenVPN Stop -----
2017-02-14 00:24:00 ----- OpenVPN Start -----
OpenVPN core 3.1.2 ios arm64 64-bit built on Dec 5 2016 12:50:25
2017-02-14 00:24:00 Frame=512/2048/512 mssfix-ctrl=1250
2017-02-14 00:24:00 UNUSED OPTIONS
2 [dev-node] [MyTap]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
14 [verb] [3]
15 [explicit-exit-notify] [2]
18 [route-method] [exe]
19 [route-delay] [2]

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Configuration Problems - Routing

Post by TinCanTech » Tue Feb 14, 2017 8:52 pm

Try this in your server config:
Server
### server 10.23.67.0 255.255.255.0 ### '#'=comment

server 10.8.99.0 255.255.255.0

#
Click the {View original} button ^^

mpovah
OpenVpn Newbie
Posts: 9
Joined: Tue Feb 14, 2017 4:35 am

Re: OpenVPN Configuration Problems - Routing

Post by mpovah » Mon Feb 20, 2017 2:35 pm

Update on this issue:

Well that was interesting. Sincere thanks to TinCanTech, who basically pointed out the obvious to me in terms of the core configuration: I wasn't using the subnet recommended in the HOWTO.

This is because originally I was using instructions from another source, listed above - those instructions recommended using a completely different IP address for the server config - 192.168.137.x I believe; this was in support of trying to get Windows ICS working over the VPN platform. I decided to just go one octet up from my internal network and picked basically at random another subnet. Everything was configured properly otherwise, apparently - but with the 10.23.67.x subnet set up on the server side as the DHCP pool for incoming VPN clients, it simply would not work. I am not sure why exactly but I am assuming the IP address ranges may have been preferred by the source code? Not sure. It certainly caused a lot of confusion and delay.

In any event, once I had followed TinCan's recommendation and switched the IP address range to 10.8.99.x it worked - (after updating the static route accordingly in my router.) If someone can explain exactly why one subnet would not work while another does, that would be enlightening! So, again thanks to TinCanTech and hopefully this thread is helpful to others.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Configuration Problems - Routing

Post by TinCanTech » Mon Feb 20, 2017 4:02 pm

mpovah wrote: If someone can explain exactly why one subnet would not work while another does, that would be enlightening!
Sure ..
mpovah wrote: IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.23.66.1 10.23.66.99 11
Your server LAN is(was) 10.23.66.x (probably /24)
mpovah wrote: 5 [ifconfig] [10.23.66.6] [10.23.66.5]
Here we see you are pushing an ifconfig to your client with the same subnet as your server LAN not your --server subnet

I read all of your posts and instead of trying to debug each and every mistake, I thought it simpler to bring your attention to a key mistake and let you work it out for yourself, i.e. change the --server subnet to something different. I did notice that you had also tried with --server-bridge and the same LAN subnet (which is the right way for --server-bridge but also much more complicated).
mpovah wrote: again thanks to TinCanTech and hopefully this thread is helpful to others
Thanks for your kind feedback. But you really did the hard work by getting down to the nitty-gritty and redoing your setup but with that one key change (hopefully) to guide you. I recommend reading the howto a lot more .. I still refer back to it constantly.

8-)
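The diagnosis above (the --server pool handed to clients overlapping the server's own LAN, visible in the client's pushed ifconfig) can be checked mechanically. The following is an added example, not code from the thread or from the OpenVPN project; it parses a server config, a `route print` excerpt and the client's OPTIONS block, all constructed here after the posts in this thread, and reports the overlaps.

```python
"""Overlap check for an OpenVPN routed (tun) setup.

Added example (not from the thread or the OpenVPN project). It automates
TinCanTech's diagnosis: the --server pool must not overlap the LAN behind
the server, or the client's tunnel address and the pushed LAN route cover
the same destinations. All sample inputs are constructed for this example.
"""
import ipaddress
import re
import shlex

# Constructed: the broken layout from the thread (VPN pool == server LAN).
BROKEN_SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.23.66.0 255.255.255.0   # pool overlaps the LAN
topology subnet
push "route 10.23.66.0 255.255.255.0"
;push "redirect-gateway def1"
"""

# Constructed: the layout that worked (a pool separate from the LAN).
FIXED_SERVER_CONF = BROKEN_SERVER_CONF.replace(
    "server 10.23.66.0 255.255.255.0", "server 10.8.99.0 255.255.255.0")

# Constructed excerpt of 'route print' on the server, in the thread's format.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 10.23.66.1 10.23.66.99 11
10.23.66.0 255.255.255.0 On-link 10.23.66.99 266
10.23.66.99 255.255.255.255 On-link 10.23.66.99 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.23.66.99 266
"""

# Constructed excerpt of the iOS client's OPTIONS block after PUSH_REPLY.
CLIENT_OPTIONS_LOG = """\
0 [route] [10.23.66.0] [255.255.255.0]
2 [topology] [net30]
5 [ifconfig] [10.23.66.6] [10.23.66.5]
"""


def _net(addr, mask):
    # Dotted-quad masks are accepted directly by ipaddress.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_server_conf(text):
    """Return (vpn_pool, pushed_routes) from an OpenVPN server config."""
    pool, pushed = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line or line.startswith(";"):  # ';' also comments out a line
            continue
        tok = shlex.split(line)
        if tok[0] == "server" and len(tok) >= 3:
            pool = _net(tok[1], tok[2])
        elif tok[0] == "push" and len(tok) >= 2:
            inner = tok[1].split()             # e.g. 'route 10.23.66.0 255.255.255.0'
            if inner[0] == "route" and len(inner) >= 3:
                pushed.append(_net(inner[1], inner[2]))
    return pool, pushed


def lan_subnets(route_print):
    """Directly connected (On-link) networks from Windows 'route print'."""
    nets = []
    for line in route_print.splitlines():
        f = line.split()
        if len(f) == 5 and f[2] == "On-link":
            n = _net(f[0], f[1])
            if n.prefixlen < 32 and not (n.is_loopback or n.is_multicast):
                nets.append(n)
    return nets


def pushed_ifconfig(client_log):
    """Client address from an '[ifconfig] [addr] [mask-or-peer]' option line."""
    m = re.search(r"\[ifconfig\] \[([\d.]+)\]", client_log)
    return ipaddress.ip_address(m.group(1)) if m else None


def find_conflicts(server_conf, route_print, client_log=""):
    """List overlap problems; an empty list means the layout is sane."""
    pool, pushed = parse_server_conf(server_conf)
    if pool is None:
        return ["no 'server' directive found"]
    problems = []
    for lan in lan_subnets(route_print):
        if pool.overlaps(lan):
            problems.append(f"--server pool {pool} overlaps server LAN {lan}")
    for r in pushed:
        if r.overlaps(pool):
            problems.append(f"pushed route {r} overlaps --server pool {pool}")
    addr = pushed_ifconfig(client_log)
    if addr is not None and addr not in pool:
        problems.append(f"client got {addr}, outside the --server pool {pool}")
    return problems


if __name__ == "__main__":
    print("broken:", find_conflicts(BROKEN_SERVER_CONF, ROUTE_PRINT, CLIENT_OPTIONS_LOG))
    print("fixed: ", find_conflicts(FIXED_SERVER_CONF, ROUTE_PRINT) or ["OK"])
```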
