Windows 10 as OpenVPN server with redirect-gateway

polo88
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 15, 2021 11:06 pm

Post by polo88 » Tue Jun 15, 2021 11:55 pm

Although I think the issues may be similar to those in the Windows 7 as OpenVPN server thread, that thread is closed and maybe some new issues can occur.

I am asking for help here to debug my connection problem and possibly to find a solution for it.

My problem is that although I can connect to the OpenVPN server from an OpenVPN client (see settings below), I cannot reach the internet from the OpenVPN client.

I followed your guide to set up the server and client on Windows, but this guide does not cover how to set up Windows to allow VPN clients to use the server's internet connection. This is described in some other places [1], [2], [3], [4] and, most importantly, on this forum for Windows 7 and for Windows 10, but I still cannot reach the internet from the VPN client side.

I can connect to the VPN server (a client-side log is attached below), I get the private IP 10.8.0.2, and I can access the server's HTTP and OpenSSH services on 10.8.0.2:8080 and 10.8.0.2:22, respectively. However, I cannot reach websites from the client (nor can I reach web pages by their IP address).

Difficulties:
1. I have a firewall on the client, but I can control it. I have already set up another, Linux OpenVPN server and can use it properly, so I don't think the problem lies here.
2. I have a firewall on the server side too, but I can control that as well. I can connect to the server and reach its services, and incoming UDP on 1194 is also enabled, so I don't think the problem lies here.
3. I have OpenVPN Connect installed on the server (but I don't use it when I want to connect to the server). This adds an extra item to the network adapters.
4. The client is behind 2 routers after the ISP's modem. (It really shouldn't matter.)

It is not shown here, but the Routing and Remote Access service is started. Routing in the regedit is also enabled. The adapters' settings:
(screenshot of the adapter settings from the original post, not reproduced here)

My guess is that the problem still lies somewhere around NAT and forwarding on the Windows server side.
- Should "Incoming Connections" show a connected user when I connect to the server? Should its settings be modified?
- Is the Ethernet network sharing set up properly? (The home network connection field in the sharing tab expects an adapter name as provided?)

Server's server.ovpn file:

port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh.pem"
topology subnet
push "topology subnet"
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.8.1"
keepalive 10 120
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 0 
persist-key
persist-tun
status "C:\\Users\\username\\Desktop\\openvpn-status.log"
verb 3
explicit-exit-notify 1

Client's client.ovpn file:

client
dev tun
proto udp
remote win10.server.name 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Users\\username\\config\\ca.crt"
cert "C:\\Users\\username\\config\\client01.crt"
key "C:\\Users\\username\\config\\client01.key"
remote-cert-tls server
tls-auth "C:\\Users\\username\\config\\ta.key" 1
verb 3
block-outside-dns

Client log:

Wed Jun 16 00:03:13 2021 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 16 00:03:13 2021 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 16 00:03:13 2021 MANAGEMENT: >STATE:1623798193,RESOLVE,,,,,,
Wed Jun 16 00:03:13 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]win10.server.ip.address:1194
Wed Jun 16 00:03:13 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jun 16 00:03:13 2021 UDP link local: (not bound)
Wed Jun 16 00:03:13 2021 UDP link remote: [AF_INET]win10.server.ip.address:1194
Wed Jun 16 00:03:13 2021 MANAGEMENT: >STATE:1623798193,WAIT,,,,,,
Wed Jun 16 00:03:13 2021 MANAGEMENT: >STATE:1623798193,AUTH,,,,,,
Wed Jun 16 00:03:13 2021 TLS: Initial packet from [AF_INET]win10.server.ip.address:1194, sid=84926cfd 87b6fabc
Wed Jun 16 00:03:13 2021 VERIFY OK: depth=1, CN=server_auth
Wed Jun 16 00:03:13 2021 VERIFY KU OK
Wed Jun 16 00:03:13 2021 Validating certificate extended key usage
Wed Jun 16 00:03:13 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jun 16 00:03:13 2021 VERIFY EKU OK
Wed Jun 16 00:03:13 2021 VERIFY OK: depth=0, CN=server
Wed Jun 16 00:03:13 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Wed Jun 16 00:03:13 2021 [server] Peer Connection Initiated with [AF_INET]win10.server.ip.address:1194
Wed Jun 16 00:03:13 2021 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.0.8.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Jun 16 00:03:13 2021 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 16 00:03:13 2021 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 16 00:03:13 2021 OPTIONS IMPORT: route options modified
Wed Jun 16 00:03:13 2021 OPTIONS IMPORT: route-related options modified
Wed Jun 16 00:03:13 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 16 00:03:13 2021 OPTIONS IMPORT: peer-id set
Wed Jun 16 00:03:13 2021 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Jun 16 00:03:13 2021 OPTIONS IMPORT: data channel crypto options modified
Wed Jun 16 00:03:13 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 16 00:03:13 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 16 00:03:13 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 16 00:03:13 2021 interactive service msg_channel=456
Wed Jun 16 00:03:13 2021 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 I=7 HWADDR=b4:2e:99:19:c8:41
Wed Jun 16 00:03:13 2021 open_tun
Wed Jun 16 00:03:13 2021 tap-windows6 device [Local Area Connection] opened
Wed Jun 16 00:03:13 2021 TAP-Windows Driver Version 9.24 
Wed Jun 16 00:03:13 2021 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
Wed Jun 16 00:03:13 2021 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {1672F06C-1B01-4A57-8D86-B59F00FDAB16} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Wed Jun 16 00:03:13 2021 Successful ARP Flush on interface [5] {1672F06C-1B01-4A57-8D86-B59F00FDAB16}
Wed Jun 16 00:03:13 2021 MANAGEMENT: >STATE:1623798193,ASSIGN_IP,,10.8.0.2,,,,
Wed Jun 16 00:03:13 2021 IPv4 MTU set to 1500 on interface 5 using service
Wed Jun 16 00:03:13 2021 Blocking outside dns using service succeeded.
Wed Jun 16 00:03:18 2021 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Wed Jun 16 00:03:18 2021 C:\WINDOWS\system32\route.exe ADD win10.server.ip.address MASK 255.255.255.255 192.168.2.1
Wed Jun 16 00:03:18 2021 Route addition via service succeeded
Wed Jun 16 00:03:18 2021 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Wed Jun 16 00:03:18 2021 Route addition via service succeeded
Wed Jun 16 00:03:18 2021 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Wed Jun 16 00:03:18 2021 Route addition via service succeeded
Wed Jun 16 00:03:18 2021 Initialization Sequence Completed
Wed Jun 16 00:03:18 2021 MANAGEMENT: >STATE:1623798198,CONNECTED,SUCCESS,10.8.0.2,win10.server.ip.address,1194,,
Last edited by polo88 on Wed Jun 16, 2021 9:06 am, edited 1 time in total.
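Working through the NAT and forwarding questions in polo88's post, the following PowerShell script (added here; it is not part of the original thread or of OpenVPN) reports the Windows server-side state a practitioner would check: the IPEnableRouter registry value, the RemoteAccess service, per-interface forwarding, NetNat or ICS configuration, the UDP 1194 listener, and whether the pushed DNS resolver lies inside the tunnel subnet (the config above pushes 10.0.8.1 while the `server` subnet is 10.8.0.0/24). The server.ovpn path and the uplink adapter alias 'Ethernet' are assumptions.

```powershell
# Added diagnostic script (not from the original post): checks the Windows server-side prerequisites
# for forwarding OpenVPN clients to the internet. Config path and uplink alias below are assumptions.
param([string]$ServerConfig = 'C:\Program Files\OpenVPN\config\server.ovpn',
      [string]$WanAlias     = 'Ethernet')   # adapter carrying the internet uplink
function Test-InSubnet([string]$Ip, [string]$Network, [string]$Mask) {
    # Byte-wise (ip AND mask) == (network AND mask); valid for any IPv4 netmask.
    $ipB  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netB = [System.Net.IPAddress]::Parse($Network).GetAddressBytes()
    $mB   = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($ipB[$i] -band $mB[$i]) -ne ($netB[$i] -band $mB[$i])) { return $false }
    }
    return $true
}

# 1. Kernel IPv4 forwarding ("Routing in the regedit") and the RRAS service that applies it.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
"IPEnableRouter      : $($tcpip.IPEnableRouter) (needs 1)"
"RemoteAccess service: $((Get-Service RemoteAccess).Status) (needs Running)"

# 2. Per-interface forwarding on the TUN adapter and on the uplink.
$tapIdx = Get-NetAdapter | Where-Object InterfaceDescription -like 'TAP-Windows*' | ForEach-Object ifIndex
$wanIdx = Get-NetAdapter -Name $WanAlias -ErrorAction SilentlyContinue | ForEach-Object ifIndex
foreach ($idx in @($tapIdx) + @($wanIdx)) {
    $if = Get-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4
    "Forwarding on '$($if.InterfaceAlias)': $($if.Forwarding) (needs Enabled)"
}

# 3. NAT: either a NetNat object covering the VPN subnet, or ICS with the uplink as the public side
#    and the TAP adapter as the private ("Home networking connection") side.
Get-NetNat -ErrorAction SilentlyContinue | ForEach-Object { "NetNat '$($_.Name)' covers $($_.InternalIPInterfaceAddressPrefix)" }
$share = New-Object -ComObject HNetCfg.HNetShare
foreach ($conn in $share.EnumEveryConnection) {
    $cfg = $share.INetSharingConfigurationForINetConnection.Invoke($conn)
    if ($cfg.SharingEnabled) {
        $side = if ($cfg.SharingConnectionType -eq 0) { 'public/uplink' } else { 'private/TUN' }
        "ICS enabled on '$($share.NetConnectionProps.Invoke($conn).Name)' as $side side"
    }
}

# 4. UDP 1194 listener, and whether the pushed DNS resolver lies inside the tunnel subnet
#    (the config above pushes 10.0.8.1 while the tunnel is 10.8.0.0/24).
"UDP 1194 listener: $(@(Get-NetUDPEndpoint -LocalPort 1194 -ErrorAction SilentlyContinue).Count -gt 0)"
$conf = Get-Content $ServerConfig
$srv  = ($conf | Select-String '^\s*server\s+(\S+)\s+(\S+)').Matches[0]
foreach ($m in ($conf | Select-String 'dhcp-option\s+DNS\s+([\d.]+)').Matches) {
    $dns = $m.Groups[1].Value; $net = $srv.Groups[1].Value; $mask = $srv.Groups[2].Value
    if (Test-InSubnet $dns $net $mask) { "Pushed DNS $dns is inside $net/$mask" }
    else { "WARNING: pushed DNS $dns is outside $net/$mask; clients cannot reach it through the tunnel" }
}
```

Run it in an elevated PowerShell on the server; each check prints the observed value next to the expected one, so a mismatch points at the layer (forwarding, NAT, listener or DNS) to fix first.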

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows 10 as OpenVPN server with redirect-gateway

Post by TinCanTech » Wed Jun 16, 2021 12:31 am

If you can figure it out then you can be a tutorial.
