I went to https://openvpn.net/index.php/open-sour ... loads.html and downloaded the latest installer for windows (openvpn-install-2.4.6-I602.exe as of this writing).
Then I installed it on every machine, carefully checking the box for "EasyRSA 2 Certificate Management Scripts" (server machine only) and installing the TAP-Windows V9 Driver on every machine.
Generating certificates and keys
I configured OpenVPN by following the "HOWTO" guide from the official site, from "Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients" to "Starting up the VPN and testing for initial connectivity".
i.e. I opened the command prompt as Administrator, changed directory to "C:\Program Files\OpenVPN\easy-rsa" and ran the commands:
init-config
vars
Then I ran the commands:
clean-all
build-ca
Next I generated a certificate and private key for the server like so:
build-key-server server
After that, I generated a certificate and private key for each client like so:
build-key clientN
Then I generated Diffie-Hellman parameters with the following command:
build-dh
I then had to configure the server and client. So I first created a server folder in the Windows 8.1 "Documents" directory for the OpenVPN server. I then copied ca.crt, server.crt, server.key and dh2048.pem from "C:\Program Files\OpenVPN\easy-rsa\keys\" to the server directory in the Documents directory (C:\Users\<Username>\Documents\server\). I also copied server.ovpn from C:\Program Files\OpenVPN\sample-config\ to the same server directory.
Finally I edited server.ovpn so that the ca, cert, key and dh parameters point to the files I copied to the server directory (basically I had nothing to change).
Since I am using ethernet (dev tap) I did some ethernet bridging (pretty sure it is not necessary) and for that I had to do a few extra things:
I went to Control Panel>Network and Internet>Network and Sharing Center and on the left hand side clicked "Change adapter settings" to open "Network Connections". There I right-clicked on the TAP-Windows Adapter V9 and renamed it to "TAP-Bridge". I also edited server.ovpn by commenting out the line which says dev tun and replacing it instead with:
dev tap
dev-node tap-bridge
as instructed in "Bridge Server on Windows XP" on the OpenVPN Miscellaneous page.
I also commented out the line that begins with server and replaced it with:
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
I also had to uncomment "server-bridge" (a few lines below) as told in the HOWTO's "Editing the server configuration file".
Then I selected the Ethernet NIC and the TAP-Bridge, right clicked on one of them and clicked "Bridge Connections".
I then right clicked on the newly created bridge adapter, opened its properties, double clicked on "Internet Protocol Version 4 (TCP/IPv4)" and set the TCP/IP properties on the bridge adapter to an IP of 192.168.8.4 and a subnet mask of 255.255.255.0.
At that point my server.ovpn looked something like this (without the comments):
port 1194
proto tcp
dev tap
dev-node TAP-Bridge
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
server-bridge
client-to-client
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 0
Before I ran the server like it says in the HOWTO's "Starting up the VPN and testing for initial connectivity" I had to generate a "ta.key" file. I did it by opening a command prompt as Administrator and changing directory to C:\Program Files\OpenVPN\bin\, then I ran:
openvpn --genkey --secret ta.key
Then I opened a command window from the "server" directory and ran the command:
"C:\Program Files\OpenVPN\bin\openvpn" server.ovpn
Sat Aug 11 23:23:02 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Aug 11 23:23:02 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Aug 11 23:23:02 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Sat Aug 11 23:23:02 2018 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Sat Aug 11 23:23:02 2018 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Aug 11 23:23:02 2018 Diffie-Hellman initialized with 2048 bit key
Sat Aug 11 23:23:02 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 11 23:23:02 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 11 23:23:02 2018 interactive service msg_channel=0
Sat Aug 11 23:23:02 2018 open_tun
Sat Aug 11 23:23:02 2018 TAP-WIN32 device [TAP-Bridge] opened: \\.\Global\{214C63C9-1D0F-4FD0-958C-F8147D803E66}.tap
Sat Aug 11 23:23:02 2018 TAP-Windows Driver Version 9.21
Sat Aug 11 23:23:02 2018 Sleeping for 10 seconds...
Sat Aug 11 23:23:12 2018 NOTE: FlushIpNetTable failed on interface [22] {214C63C9-1D0F-4FD0-958C-F8147D803E66} (status=1168) : Element not found.
Sat Aug 11 23:23:12 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Sat Aug 11 23:23:12 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Aug 11 23:23:12 2018 setsockopt(IPV6_V6ONLY=0)
Sat Aug 11 23:23:12 2018 Listening for incoming TCP connection on [AF_INET6][undef]:1194
Sat Aug 11 23:23:12 2018 TCPv6_SERVER link local (bound): [AF_INET6][undef]:1194
Sat Aug 11 23:23:12 2018 TCPv6_SERVER link remote: [AF_UNSPEC]
Sat Aug 11 23:23:12 2018 MULTI: multi_init called, r=256 v=256
Sat Aug 11 23:23:12 2018 IFCONFIG POOL: base=192.168.8.128 size=127, ipv6=0
Sat Aug 11 23:23:12 2018 IFCONFIG POOL LIST
Sat Aug 11 23:23:12 2018 MULTI: TCP INIT maxclients=60 maxevents=64
Sat Aug 11 23:23:12 2018 Initialization Sequence Completed
That's it, the server was up and running.
Configuring the clients
I first created a client folder in the Windows 8.1 "Documents" directory for the OpenVPN client on each client machine. I then copied ca.crt, clientN.crt and clientN.key (where N is a number) from "C:\Program Files\OpenVPN\easy-rsa\keys\" to the client directory in the Documents directory of each client machine (C:\Users\<Username>\Documents\client\). I also copied client.ovpn from C:\Program Files\OpenVPN\sample-config\ to the same client directories.
Finally I edited server.ovpn so that the ca, cert, key and dh parameters point to the files I copied to the server directory. Basically I had to change client.crt and client.key to clientN.crt and clientN.key respectively (where N is a number).
At that point my client.ovpn files looked something like this (without the comments):
client
dev tap
proto tcp
#<my.public.ip.address> is obviously my public IP
remote my.public.ip.address 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
#here N is 1 that's why you read client1 instead of clientN
cert client1.crt
key client1.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Before I ran the clients like it says in the HOWTO's "Starting up the VPN and testing for initial connectivity" I had to add the same "ta.key" file to each client directory. So I copied the previously created "ta.key" to the client directory in the Windows 8.1 Documents directory on each client machine.
Then I opened a command window from the "client" directory and ran the command:
"C:\Program Files\OpenVPN\bin\openvpn" client.ovpn
Here is the output of one of the clients:
Sun Aug 12 03:31:59 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sun Aug 12 03:31:59 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Aug 12 03:31:59 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Sun Aug 12 03:32:00 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 12 03:32:00 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 12 03:32:00 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]my.public.ip.address:1194
Sun Aug 12 03:32:00 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Aug 12 03:32:00 2018 Attempting to establish TCP connection with [AF_INET]my.public.ip.address:1194 [nonblock]
Sun Aug 12 03:32:00 2018 TCP connection established with [AF_INET]my.public.ip.address:1194
Sun Aug 12 03:32:00 2018 TCP_CLIENT link local: (not bound)
Sun Aug 12 03:32:00 2018 TCP_CLIENT link remote: [AF_INET]my.public.ip.address:1194
Sun Aug 12 03:32:01 2018 TLS: Initial packet from [AF_INET]my.public.ip.address:1194, sid=5ce9ab74 c8d073e6
Sun Aug 12 03:32:02 2018 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=OpenVPN-CA, name=changeme, emailAddress=XXX@XXX...
Sun Aug 12 03:32:02 2018 VERIFY KU OK
Sun Aug 12 03:32:02 2018 Validating certificate extended key usage
Sun Aug 12 03:32:02 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Aug 12 03:32:02 2018 VERIFY EKU OK
Sun Aug 12 03:32:02 2018 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=server, name=changeme, emailAddress=XXX@XXX...
Sun Aug 12 03:32:03 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Aug 12 03:32:03 2018 [server] Peer Connection Initiated with [AF_INET]my.public.ip.address:1194
Sun Aug 12 03:32:05 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Aug 12 03:32:05 2018 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.8.4,ping 10,ping-restart 120,ifconfig 192.168.8.128 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: route-related options modified
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: peer-id set
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: adjusting link_mtu to 1658
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: data channel crypto options modified
Sun Aug 12 03:32:05 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Aug 12 03:32:05 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Aug 12 03:32:05 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Aug 12 03:32:05 2018 interactive service msg_channel=0
Sun Aug 12 03:32:05 2018 open_tun
Sun Aug 12 03:32:05 2018 TAP-WIN32 device [TAP-Ethernet] opened: \\.\Global\{600652AF-2FD3-421E-BC51-0C480E6EF549}.tap
Sun Aug 12 03:32:05 2018 TAP-Windows Driver Version 9.21
Sun Aug 12 03:32:05 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.8.128/255.255.255.0 on interface {600652AF-2FD3-421E-BC51-0C480E6EF549} [DHCP-serv: 192.168.8.0, lease-time: 31536000]
Sun Aug 12 03:32:05 2018 NOTE: FlushIpNetTable failed on interface [5] {600652AF-2FD3-421E-BC51-0C480E6EF549} (status=5) : Access is denied.
Sun Aug 12 03:32:05 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Aug 12 03:32:10 2018 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Sun Aug 12 03:32:10 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Aug 12 03:32:10 2018 Initialization Sequence Completed
Since every client could connect to the server, I thought to myself "Why not ping?", so, like the Red October, I sent one ping only from each client to every other client. What I got was disappointing. Each time, I got output similar to this:
Pinging 192.168.8.128 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.8.128:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Troubleshooting
Then I decided to turn off the firewall on every single machine and tried again. And voilà! Everything worked fine.
Here is an example output:
Pinging 192.168.8.129 with 32 bytes of data:
Reply from 192.168.8.129: bytes=32 time=69ms TTL=128
Reply from 192.168.8.129: bytes=32 time=75ms TTL=128
Reply from 192.168.8.129: bytes=32 time=27ms TTL=128
Reply from 192.168.8.129: bytes=32 time=45ms TTL=128
Ping statistics for 192.168.8.129:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 75ms, Average = 54ms
Issues that I can't fix (I need help with those)
Both on the server and on every single client, the VPN network (Network Bridge on the server) appears as an Unidentified Public Network.
I have to turn off my firewall so that I can ping (so that they can communicate).
What I tried
A. To make the clients' network appear as a Private network I did what was done in [Set Windows 10 TAP adaptor to private network], i.e. I added the following two lines to the server.ovpn file:
push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"
It didn't work (or rather, it only works with "dev tun" and not "dev tap"; I know because I tried dev tun). And even if it did, the Network Bridge (server) would remain unidentified (I tried with dev tun).
B. To allow me to enable the firewall on the clients I went to Control Panel>System and Security>Windows Firewall, and on the left hand side I clicked on "Allow an app or feature through Windows Firewall". There I clicked on the "Change settings" button at the top and the "Allow another app..." button at the bottom. I browsed for openvpn.exe (C:\Program Files\OpenVPN\bin\openvpn.exe) and selected both networks in "Network types...". Then I clicked Add and then OK.
After I re-activated the firewalls on every client machine and ran the clients, I tried to ping from one client to another. Nothing worked! Even server-to-client ping didn't work.
What I need
I need a solution that would work both on Windows 8.1 and Windows 10, because although I am running it on Windows 8.1, I know that in the near future I will have to run the client on Windows 10.
Thanks in Advance!
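One way to keep the firewall on while still allowing the pings described above, as an added example that is not part of the original post or of OpenVPN's own tooling: it sets the adapter's network category to Private and adds inbound rules scoped to the VPN subnet only. The adapter aliases and the 192.168.8.0/24 subnet are assumptions taken from the post's logs and server-bridge line; adjust them to your machine.

```powershell
# Added example, not from the original post. Assumptions: the VPN subnet is 192.168.8.0/24
# (the post's server-bridge line) and the adapter alias is "TAP-Ethernet" on a client
# (from the client log); on the bridged server use the bridge's alias, e.g. "Network Bridge".
# Run from an elevated PowerShell on Windows 8.1 or Windows 10.
param(
    [string]$Alias     = 'TAP-Ethernet',
    [string]$VpnSubnet = '192.168.8.0/24'
)

# 1. Network category. An "Unidentified Public Network" is evaluated under the Public
#    firewall profile, whose default rules block inbound echo requests. An administrator
#    can override the category per connection profile without touching the OpenVPN config.
$profile = Get-NetConnectionProfile -InterfaceAlias $Alias -ErrorAction Stop
if ($profile.NetworkCategory -ne 'Private') {
    Set-NetConnectionProfile -InterfaceAlias $Alias -NetworkCategory Private
}

# 2. Scoped allow rules instead of switching the firewall off: only peers in the VPN
#    subnet, and only via this adapter, may send ICMPv4 echo requests (what ping uses)
#    and, on the server, TCP 1194 (the post's proto/port). Nothing else is opened.
$rules = @(
    @{ Name = 'OpenVPN lab: ICMPv4 echo in'; Protocol = 'ICMPv4'; Extra = @{ IcmpType = 8 } }
    @{ Name = 'OpenVPN lab: TCP 1194 in';    Protocol = 'TCP';    Extra = @{ LocalPort = 1194 } }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $extra = $r.Extra   # splatted below: IcmpType for the ICMP rule, LocalPort for TCP
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -RemoteAddress $VpnSubnet -InterfaceAlias $Alias `
        -Profile Any @extra | Out-Null
}

# 3. Show what was applied so it can be checked (and reverted with
#    Remove-NetFirewallRule -DisplayName 'OpenVPN lab: *' if needed).
Get-NetConnectionProfile -InterfaceAlias $Alias | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallRule -DisplayName 'OpenVPN lab: *' | Select-Object DisplayName, Enabled, Profile
```

The program rule for openvpn.exe tried under B does not cover ping: echo replies are generated by the Windows IP stack, not by openvpn.exe, so the ICMPv4 rule above is the one that matters. The category is stored per connection profile, so re-check it if the adapter or the bridge is recreated.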