Vpn clients not pushing (lan) route from server
Posted: Thu Dec 11, 2014 4:39 am
Both server and client are connected successfully; the server is running on Windows 7 64-bit, the client on Windows 8.1 Pro 64-bit, and they pull IPs according to the config files (10.8.0.1 server and 10.8.0.6 client). But they cannot ping each other if Windows Firewall protection is turned on. However, after turning off Windows Firewall they can ping each other over the virtual network (10.8.0.0 255.255.255.0)... The server's private IP is 192.168.1.2 and there are three other PCs on that LAN, including the DD-WRT gateway (192.168.1.1); nevertheless the client cannot "know/see" (ping) that LAN (192.168.1.0 255.255.255.0) on the server side... Push route is uncommented in the server config file; I tried adding "route 192.168.1.0" to the .ovpn client config file but it didn't work. What else should I try or do?
Server .ovpn config file:

```
port 1194
proto udp
dev tun
ca ca.crt
cert fresh-server.crt
key fresh-server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
```
Client .ovpn config file:

```
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
# This line was added as the last option: route 192.168.1.0
# (with no netmask given, OpenVPN defaults it to 255.255.255.255, i.e. a host route)
```
On the DD-WRT gateway I added these rules:

```sh
# Accept OpenVPN traffic on UDP 1194 (option syntax is --dport, not -dport=)
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
# Forward anything that originates on the LAN (option syntax is -s, not -source=)
iptables -I FORWARD 1 -s 192.168.1.0/24 -j ACCEPT
# Forward between the LAN bridge and the tunnel interface in both directions
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
```
Server Status Log:

```
OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 1 2014
library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Enter Management Password:
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Diffie-Hellman initialized with 1024 bit key
Socket Buffers: R=[8192->8192] S=[8192->8192]
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
MANAGEMENT: >STATE:1418268946,ASSIGN_IP,,10.8.0.1,
open_tun, tt->ipv6=0
TAP-WIN32 device [Conexión de área local 4] opened: \\.\Global\{A6871623-E6E7-4F92-AAEB-EFC29A39558E}.tap
TAP-Windows Driver Version 9.21
Sleeping for 10 seconds...
Successful ARP Flush on interface [26] {A6871623-E6E7-4F92-AAEB-EFC29A39558E}
MANAGEMENT: >STATE:1418268956,ADD_ROUTES,,,
C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
UDPv4 link local (bound): [undef]
UDPv4 link remote: [undef]
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
ifconfig_pool_read(), in='client1,10.8.0.4', TODO: IPv6
succeeded -> ifconfig_pool_set()
IFCONFIG POOL LIST
client1,10.8.0.4
Initialization Sequence Completed
MANAGEMENT: >STATE:1418268956,CONNECTED,SUCCESS,10.8.0.1,
xxx.x.xxx:56342 TLS: Initial packet from [AF_INET]200.71.174.134:56342, sid=4297471e a29cf5eb
xxx.x.xxx:56342 VERIFY OK: depth=0, C=xx, ST=xx, L=xx, O=xx, OU=changeme, CN=client1, name=changeme, emailAddress=xxx@xx
xxx.x.xxx:56342 VERIFY OK: depth=0, C=xx, ST=xx, L=xx, O=xx, OU=changeme, CN=client1, name=changeme, emailAddress=xxx@xx
xxx.x.xxx:56342 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
xxx.x.xxx:56342 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
xxx.x.xxx:56342 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
xxx.x.xxx:56342 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
xxx.x.xxx:56342 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
xxx.x.xxx:56342 [client1] Peer Connection Initiated with [AF_INET]200.71.174.134:56342
client1/200.71.174.134:56342 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
client1/200.71.174.134:56342 MULTI: Learn: 10.8.0.6 -> client1/200.71.174.134:56342
client1/200.71.174.134:56342 MULTI: primary virtual IP for client1/200.71.174.134:56342: 10.8.0.6
client1/200.71.174.134:56342 PUSH: Received control message: 'PUSH_REQUEST'
client1/200.71.174.134:56342 send_push_reply(): safe_cap=940
client1/200.71.174.134:56342 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
```
Client Log status:

```
OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 1 2014
library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Enter Management Password:
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
Socket Buffers: R=[65536->65536] S=[65536->65536]
MANAGEMENT: >STATE:1418269162,RESOLVE,,,
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]xxx.x.xxx:1194
MANAGEMENT: >STATE:1418269162,WAIT,,,
MANAGEMENT: >STATE:1418269163,AUTH,,,
TLS: Initial packet from [AF_INET]xxx.x.xxx:1194, sid=c1bd3be9 2e7a38b2
VERIFY OK: depth=1, C=VE, ST=ZU, L=Maracaibo, O=FreshTechs, OU=changeme, CN=freshserver, name=changeme, emailAddress=info@freshtechs.com.ve
Validating certificate key usage
++ Certificate has key usage 00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, C=VE, ST=ZU, L=Maracaibo, O=FreshTechs, OU=changeme, CN=fresh-server, name=changeme, emailAddress=info@freshtechs.com.ve
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
[fresh-server] Peer Connection Initiated with [AF_INET]xxx.x.xxx:1194
MANAGEMENT: >STATE:1418269185,GET_CONFIG,,,
SENT CONTROL [fresh-server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
MANAGEMENT: >STATE:1418269186,ASSIGN_IP,,10.8.0.6,
open_tun, tt->ipv6=0
TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{D4CA51F9-E2D3-4C6F-A9BA-E9AF254F9BB8}.tap
TAP-Windows Driver Version 9.21
Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {D4CA51F9-E2D3-4C6F-A9BA-E9AF254F9BB8} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Successful ARP Flush on interface [25] {D4CA51F9-E2D3-4C6F-A9BA-E9AF254F9BB8}
TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
MANAGEMENT: >STATE:1418269191,ADD_ROUTES,,,
C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.255 10.8.0.5
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.5
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
Initialization Sequence Completed
MANAGEMENT: >STATE:1418269191,CONNECTED,SUCCESS,10.8.0.6,201.249.23.117
```
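The client log above shows the pushed `route 192.168.1.0 255.255.255.0` arriving and being installed, plus a stray `192.168.1.0 MASK 255.255.255.255` host route that comes from the netmask-less `route 192.168.1.0` in the client config. The following is an added example (not part of the original post) that reads OpenVPN client log lines in this verb 3 format and cross-checks pushed routes against the `route.exe ADD` lines, flagging that pattern; the sample log is constructed from the lines in the post.

```python
"""Cross-check pushed vs. installed routes in an OpenVPN (Windows, verb 3) client log."""
import re
import ipaddress

# Constructed sample, trimmed to the relevant lines of the client log in the post.
SAMPLE_LOG = """\
PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
C:\\Windows\\system32\\route.exe ADD 192.168.1.0 MASK 255.255.255.255 10.8.0.5
C:\\Windows\\system32\\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.5
C:\\Windows\\system32\\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
"""

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")          # options are comma-separated inside quotes
ROUTE_OPT_RE = re.compile(r"^route (\S+)(?: (\S+))?$")  # 'route <net> [netmask]'
ROUTE_ADD_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")

def pushed_routes(log):
    """Networks from the PUSH_REPLY 'route' options; a missing netmask means /32."""
    nets = []
    for m in PUSH_RE.finditer(log):
        for opt in m.group(1).split(","):
            r = ROUTE_OPT_RE.match(opt.strip())
            if r:
                mask = r.group(2) or "255.255.255.255"  # OpenVPN's documented default
                nets.append(ipaddress.ip_network(f"{r.group(1)}/{mask}", strict=False))
    return nets

def installed_routes(log):
    """(network, gateway) pairs actually handed to route.exe."""
    return [(ipaddress.ip_network(f"{n}/{m}", strict=False), gw)
            for n, m, gw in ROUTE_ADD_RE.findall(log)]

def audit(log):
    """Report pushed routes never installed, and /32 host routes sitting inside a pushed network."""
    pushed = pushed_routes(log)
    installed = installed_routes(log)
    findings = []
    for net in pushed:
        if net not in [n for n, _ in installed]:
            findings.append(f"pushed route {net} was never installed")
    for net, gw in installed:
        if net.prefixlen != 32:
            continue
        parent = next((p for p in pushed if p.prefixlen < 32
                       and net.network_address in p), None)
        if parent:
            findings.append(f"host route {net} via {gw} lies inside pushed {parent}: "
                            "a client 'route' line without a netmask defaults to 255.255.255.255")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_LOG):
        print(line)
```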