OpenVPN post disconnect problem

How to customize and extend your OpenVPN installation.


kmoerder
OpenVpn Newbie
Posts: 10
Joined: Sat May 28, 2011 6:33 pm

OpenVPN post disconnect problem

Post by kmoerder » Sat May 28, 2011 7:17 pm

Hi...

I am using OpenVPN 2.2.

I have a bridged VPN from some laptops to my home computer. The laptops are both running Windows 7. I push a false gateway route with a high metric to the clients to allow Windows 7 to identify my home network. I can disconnect and reconnect the VPN multiple times just fine. I can disconnect the VPN change to a different wireless network and reconnect the VPN just fine as well. The problem occurs when I disconnect the VPN and then try to switch to my home wireless network. In this case, Windows 7 never identifies my home network or populates the routing table.

I discovered by experimenting that if I disable and re-enable the Tap interface, then the above problem goes away. I automated this disable/re-enable with a --down script and everything is working fine.

I googled and found several references to disabling and re-enabling the Tap interface for various reasons.

So my question is this: why do I need to disable and re-enable the Tap interface in this scenario?

What is the problem that this is working around?

Can this workaround be eliminated in a future release of OpenVPN?

Thanks,

...Karl

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN post disconnect problem

Post by janjust » Sat May 28, 2011 9:21 pm

Microsoft changed a setting when adding routes: up to WinXP, all routes added were not persistent; in Vista and 7 they are persistent unless specified otherwise. It could be that you are being bitten by this. A fix is scheduled for the next release of OpenVPN, if I am not mistaken.

You can verify whether this is the problem by looking at the routing tables after the VPN has been disconnected: are the routes to the VPN server still there?
You might be able to mitigate this problem by explicitly removing all routes when the VPN disconnects, e.g. using a 'down' script.
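
As an added example (not code from the thread, the poster, or the OpenVPN project) of the check suggested above: feed the output of `route print -4`, captured on the Windows 7 client after the tunnel is closed, to the script below and it lists every route that still references the bridged LAN reached through the TAP adapter or the VPN server itself, splitting them into active and persistent entries, and prints the `route delete` lines a 'down' script could run. The sample `route print` text is constructed; the LAN 172.20.128.0/24 is an assumption inferred from the pushed gateway 172.20.128.1, and 203.0.113.10 is a placeholder for the resolved address of the VPN server.

```python
"""Flag VPN routes that outlive an OpenVPN disconnect in Windows 'route print -4' output."""
import ipaddress
import re

# Constructed sample of 'route print -4' captured after the tunnel closed (not from the
# thread). Assumptions: 172.20.128.0/24 is the bridged home LAN (inferred from the pushed
# gateway 172.20.128.1), 192.168.1.0/24 is the other wireless network, and 203.0.113.10
# stands in for the resolved address of the VPN server.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0        128.0.0.0     172.20.128.1   172.20.128.10     30
        128.0.0.0        128.0.0.0     172.20.128.1   172.20.128.10     30
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
     192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
    192.168.1.50  255.255.255.255         On-link      192.168.1.50    281
    203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50     25
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     172.20.128.1  999999
===========================================================================
"""

_ACTIVE_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
_PERSISTENT_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def _ip(text):
    """Parse a dotted quad; None for 'On-link' and other non-addresses."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_route_print(text):
    """Split 'route print -4' output into (active, persistent) lists of route dicts."""
    active, persistent, section = [], [], None
    for line in text.splitlines():
        head = line.strip()
        if head.startswith("Active Routes:"):
            section = "active"
        elif head.startswith("Persistent Routes:"):
            section = "persistent"
        elif head.startswith("IPv6 Route Table"):
            section = None
        elif section == "active" and (m := _ACTIVE_ROW.match(line)) and _ip(m.group(1)):
            active.append({"destination": m.group(1), "netmask": m.group(2),
                           "gateway": m.group(3), "interface": m.group(4),
                           "metric": int(m.group(5))})
        elif section == "persistent" and (m := _PERSISTENT_ROW.match(line)) and _ip(m.group(1)):
            persistent.append({"destination": m.group(1), "netmask": m.group(2),
                               "gateway": m.group(3), "metric": int(m.group(4))})
    return active, persistent


def leftover_vpn_routes(text, lan_cidr, vpn_server):
    """Return (section, route) pairs that still point at the tunnel LAN or the VPN server."""
    lan = ipaddress.ip_network(lan_cidr)
    server = ipaddress.ip_address(vpn_server)
    active, persistent = parse_route_print(text)
    findings = []
    for route in active:
        gw, ifc, dst = (_ip(route[k]) for k in ("gateway", "interface", "destination"))
        via_tunnel = any(a is not None and a in lan for a in (gw, ifc))
        # redirect-gateway def1 also adds a host route to the server via the old gateway
        host_route_to_server = dst == server and route["netmask"] == "255.255.255.255"
        if via_tunnel or host_route_to_server:
            findings.append(("active", route))
    for route in persistent:
        gw = _ip(route["gateway"])
        if gw is not None and gw in lan:
            findings.append(("persistent", route))
    return findings


def cleanup_commands(findings):
    """Turn findings into deduplicated 'route delete' lines a down script could run."""
    cmds = set()
    for _section, route in findings:
        cmd = "route delete %s mask %s" % (route["destination"], route["netmask"])
        if _ip(route["gateway"]) is not None:  # 'On-link' routes take no gateway argument
            cmd += " " + route["gateway"]
        cmds.add(cmd)
    return sorted(cmds)


if __name__ == "__main__":
    found = leftover_vpn_routes(SAMPLE_ROUTE_PRINT, "172.20.128.0/24", "203.0.113.10")
    for section, route in found:
        print("%-10s %-15s %-15s via %s" % (section, route["destination"],
                                            route["netmask"], route["gateway"]))
    print("\n".join(cleanup_commands(found)))
```

On the client, `route print -4 > after.txt` after disconnecting gives the real input. The Persistent Routes section is the one the Vista/7 change above affects; if an entry survives there after the `route delete` lines are run, it was written to the registry and needs to be removed again from that section, so check it a second time rather than trusting the active table alone.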

kmoerder
OpenVpn Newbie
Posts: 10
Joined: Sat May 28, 2011 6:33 pm

Re: OpenVPN post disconnect problem

Post by kmoerder » Sun May 29, 2011 5:23 am

Hi...

When I used "route print" to look at the routing table I didn't see any remaining VPN routes. I don't know if that shows everything.

The problem only occurred when I tried to connect directly to the same network (my home network) as I had previously connected to with OpenVPN and the Tap. Connecting to some other network (different from any other network previously used) works fine. And from there, connecting via OpenVPN and the Tap to my home network also works fine.

Thanks,

...Karl

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN post disconnect problem

Post by janjust » Mon May 30, 2011 7:54 am

It depends on your OpenVPN setup why this is not working. As you said, you are using bridging, but are you also redirecting all traffic via the VPN? Are you pushing out DNS servers to the clients?
Post the server config file, as that might give some insight into why this is failing...

kmoerder
OpenVpn Newbie
Posts: 10
Joined: Sat May 28, 2011 6:33 pm

Re: OpenVPN post disconnect problem

Post by kmoerder » Mon May 30, 2011 10:37 pm

Hi All...

Below are my server and client scripts.

udp-server.ovpn

port 1194
proto udp
dev tap
# Windows connection name of the TAP adapter on the server
dev-node OpenVPN-UDP
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# bridged mode with no address pool: clients get LAN addresses via DHCP through the bridge
server-bridge
client-to-client
# decoy default route with a very high metric, only so Windows 7 can identify the home network
push "route 0.0.0.0 0.0.0.0 172.20.128.1 999999"
keepalive 10 120
comp-lzo
max-clients 10
status ../log/udp-server-status.log
verb 4
mute 10

udp-client.ovpn

client
dev tap
proto udp
remote paguay.dyndns.info 1194
resolv-retry infinite
nobind
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
# route all traffic through the VPN using two /1 routes; keep the local DHCP server reachable
redirect-gateway def1 bypass-dhcp
comp-lzo
# needed so OpenVPN is allowed to run the external down script below
script-security 2
# run after the tunnel is closed
down down.cmd
verb 4
mute 10

down.cmd

REM Bounce the TAP adapter (its Windows connection name is "OpenVPN") after the tunnel closes,
REM so Windows 7 can identify the home network on the next direct connection.
C:\Windows\System32\netsh interface set interface OpenVPN disable
C:\Windows\System32\netsh interface set interface OpenVPN enable

Just to restate: what I have now is working, so I have no immediate problem. If anyone wants to use these scripts in a Windows 7 environment, they work fine as is.

I wanted to explore the reason that I fail to reconnect directly to my home network without a reboot or the disable/enable Tap that I am using now. The added route is only to make Windows 7 happy, so my home network is identified and the firewall works; the added route does not affect any traffic routing.

By the way, is it still true that tun mode does not work for Windows (from the documentation) or does version 2.2 support tun mode on Windows?

Thanks,

...Karl

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN post disconnect problem

Post by janjust » Tue May 31, 2011 8:49 am

There are other posts about users who need to do a 'netsh interface ... disable' before things start working again; I don't know what the exact problem is, and I don't see it myself on my Win7 box, but I'll keep a tap on it.

> By the way, is it still true that tun mode does not work for Windows (from the documentation) or does version 2.2 support tun mode on Windows?

OpenVPN 2.0 already supported 'tun' mode; it's just that the device driver is always called 'tap-win32'. To use 'tun' mode, simply use

dev tun
dev-node OpenVPN-UDP

kmoerder
OpenVpn Newbie
Posts: 10
Joined: Sat May 28, 2011 6:33 pm

Re: OpenVPN post disconnect problem

Post by kmoerder » Mon Jun 20, 2011 7:24 pm

If there is any other information I can provide or anything I can do to help eliminate this issue in the next release, please let me know.

Thanks,

...Karl

kmoerder
OpenVpn Newbie
Posts: 10
Joined: Sat May 28, 2011 6:33 pm

Re: OpenVPN post disconnect problem

Post by kmoerder » Mon Jul 18, 2011 3:16 am

The problem that I have (without the disable/enable) is seen in the following situation (and perhaps others).

I have two wireless networks available, A (home) and B (other).

1) Connect to network B and then use openvpn to get to network A.

2) Disconnect the openvpn connection.

3) Disconnect from wireless network B.

4) Connect directly to wireless network A.

At this point, Windows 7 cannot identify the local network. The disable/enable on the tap interface resolves the issue. So I do the disable/enable in a down.cmd when the openvpn connection is disconnected.

Note that I push a route (high cost, so it is not actually used) to the client, so that Windows 7 can identify network A (home) from the gateway MAC address.

So it seems that there is some state information in or about the tap interface that is retained and messes up normal connections.

Is there any current development in the tap driver that might be related to this?

Thanks,

...Karl
