Quantic Windows 10 client: it works and doesn't

Official client software for OpenVPN Access Server and OpenVPN Cloud.
zamana
OpenVpn Newbie
Posts: 5
Joined: Wed Sep 21, 2016 2:34 pm

Quantic Windows 10 client: it works and doesn't

Post by zamana » Wed Apr 07, 2021 9:34 pm

Hi!

I'm facing a weird, really weird problem with the latest OpenVPN Windows 10 client.

I have two separate/isolated/unrelated OpenVPN servers: one embedded in PFSense, and another installed on an Ubuntu Server 20.04 LTS.

After connecting to either of these VPNs, I want to route the traffic of the VPN's network through the VPN connection (obviously) and all the public internet traffic through the client's local connection.

This works fine when I'm connected to the PFSense's VPN (from both the Windows 10 and the MacOS client), but not when I'm connected to the Ubuntu Server's OpenVPN using the Windows 10 client. The Ubuntu Server's OpenVPN works as I need only when I'm connected from the MacOS client.

When connected to the Ubuntu Server's VPN with the Windows 10 client, all my access is routed through the VPN, and DNS stops working.

Just to clarify the "topology" a little bit:
[image: topology diagram]

None of the servers uses block-outside-dns explicitly, but I can see from the Windows 10 client log that this option is being sent somehow, and the option pull-filter ignore "block-outside-dns" has absolutely no effect in the Windows 10 client.

Sometimes it seems to be a problem with the Windows 10 client (because it doesn't work), but at the same time it works when connected to the PFSense's VPN.

Can anybody help me identify where the error is, please?

UBUNTU SERVER 20.04 LTS /etc/openvpn/server.conf


port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 10.0.0.0 255.255.255.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_iRa4U3J6D1xWv9OI.crt
key server_iRa4U3J6D1xWv9OI.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

PFSense's embedded OpenVPN configuration:


dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 189.112.202.5
tls-server
server 10.100.77.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
verify-client-cert none
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user REMwMV9HQV9WUE4= false server1 1195
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPNS' 1"
lport 1195
management /var/etc/openvpn/server1.sock unix
push "route 10.100.0.0 255.255.0.0"
push "route 172.16.32.0 255.255.255.0"
push "route 10.99.99.0 255.255.255.0"
push "route 172.16.70.0 255.255.255.224"
push "dhcp-option DOMAIN xxxx.corp"
push "dhcp-option DNS 10.100.20.1"
push "dhcp-option DNS 10.200.20.3"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-128-GCM
persist-remote-ip
float
topology subnet

Ubuntu OpenVPN client config:


client
proto udp
explicit-exit-notify
remote xxxxx.com 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_iRa4U3J6D1xWv9OI name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>

PFSense client config:


dev tun
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-128-GCM
auth SHA1
tls-client
client
resolv-retry infinite
remote xxxx.com 1195 udp
auth-user-pass
ca ca.crt
tls-auth tls.key 1
remote-cert-tls server

Windows 10 client log (the NOK connection):


2021-04-07 17:58:10 OpenVPN 2.5.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 24 2021
2021-04-07 17:58:10 Windows version 10.0 (Windows 10 or greater) 64bit
2021-04-07 17:58:10 library versions: OpenSSL 1.1.1j  16 Feb 2021, LZO 2.10
Enter Management Password:
2021-04-07 17:58:10 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
2021-04-07 17:58:10 Need hold release from management interface, waiting...
2021-04-07 17:58:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25343
2021-04-07 17:58:11 MANAGEMENT: CMD 'state on'
2021-04-07 17:58:11 MANAGEMENT: CMD 'log all on'
2021-04-07 17:58:11 MANAGEMENT: CMD 'echo all on'
2021-04-07 17:58:11 MANAGEMENT: CMD 'bytecount 5'
2021-04-07 17:58:11 MANAGEMENT: CMD 'hold off'
2021-04-07 17:58:11 MANAGEMENT: CMD 'hold release'
2021-04-07 17:58:11 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-04-07 17:58:11 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-07 17:58:11 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-04-07 17:58:11 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-07 17:58:11 MANAGEMENT: >STATE:1617829091,RESOLVE,,,,,,
2021-04-07 17:58:11 TCP/UDP: Preserving recently used remote address: [AF_INET]191.232.52.148:1194
2021-04-07 17:58:11 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-04-07 17:58:11 UDP link local: (not bound)
2021-04-07 17:58:11 UDP link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
2021-04-07 17:58:11 MANAGEMENT: >STATE:1617829091,WAIT,,,,,,
2021-04-07 17:58:11 MANAGEMENT: >STATE:1617829091,AUTH,,,,,,
2021-04-07 17:58:11 TLS: Initial packet from [AF_INET]aaa.bbb.ccc.ddd:1194, sid=15593d62 a6f1cee4
2021-04-07 17:58:11 VERIFY OK: depth=1, CN=cn_j5khS9oe2w7KNJOL
2021-04-07 17:58:11 VERIFY KU OK
2021-04-07 17:58:11 Validating certificate extended key usage
2021-04-07 17:58:11 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-04-07 17:58:11 VERIFY EKU OK
2021-04-07 17:58:11 VERIFY X509NAME OK: CN=server_iRa4U3J6D1xWv9OI
2021-04-07 17:58:11 VERIFY OK: depth=0, CN=server_iRa4U3J6D1xWv9OI
2021-04-07 17:58:11 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
2021-04-07 17:58:11 [server_iRa4U3J6D1xWv9OI] Peer Connection Initiated with [AF_INET]aaa.bbb.ccc.ddd:1194
2021-04-07 17:58:12 MANAGEMENT: >STATE:1617829092,GET_CONFIG,,,,,,
2021-04-07 17:58:12 SENT CONTROL [server_iRa4U3J6D1xWv9OI]: 'PUSH_REQUEST' (status=1)
2021-04-07 17:58:12 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.0.0.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-128-GCM'
2021-04-07 17:58:12 OPTIONS IMPORT: timers and/or timeouts modified
2021-04-07 17:58:12 OPTIONS IMPORT: --ifconfig/up options modified
2021-04-07 17:58:12 OPTIONS IMPORT: route options modified
2021-04-07 17:58:12 OPTIONS IMPORT: route-related options modified
2021-04-07 17:58:12 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-04-07 17:58:12 OPTIONS IMPORT: peer-id set
2021-04-07 17:58:12 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-04-07 17:58:12 OPTIONS IMPORT: data channel crypto options modified
2021-04-07 17:58:12 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2021-04-07 17:58:12 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2021-04-07 17:58:12 interactive service msg_channel=580
2021-04-07 17:58:12 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=9 HWADDR=fc:f8:ae:f6:83:a3
2021-04-07 17:58:12 open_tun
2021-04-07 17:58:12 tap-windows6 device [OpenVPN TAP-Windows6] opened
2021-04-07 17:58:12 TAP-Windows Driver Version 9.24 
2021-04-07 17:58:12 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
2021-04-07 17:58:12 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {46A3B0C8-5127-4B10-B4B7-06E7FDBF725C} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
2021-04-07 17:58:12 Successful ARP Flush on interface [19] {46A3B0C8-5127-4B10-B4B7-06E7FDBF725C}
2021-04-07 17:58:12 MANAGEMENT: >STATE:1617829092,ASSIGN_IP,,10.8.0.2,,,,
2021-04-07 17:58:12 IPv4 MTU set to 1500 on interface 19 using service
2021-04-07 17:58:12 Blocking outside dns using service succeeded.
2021-04-07 17:58:17 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
2021-04-07 17:58:17 MANAGEMENT: >STATE:1617829097,ADD_ROUTES,,,,,,
2021-04-07 17:58:17 C:\Windows\system32\route.exe ADD 10.0.0.0 MASK 255.255.255.0 10.8.0.1
2021-04-07 17:58:17 Route addition via service succeeded
2021-04-07 17:58:17 Initialization Sequence Completed
2021-04-07 17:58:17 MANAGEMENT: >STATE:1617829097,CONNECTED,SUCCESS,10.8.0.2,aaa.bbb.ccc.ddd,1194,,
2021-04-07 17:58:34 SIGTERM received, sending exit notification to peer
2021-04-07 17:58:35 C:\Windows\system32\route.exe DELETE 10.0.0.0 MASK 255.255.255.0 10.8.0.1
2021-04-07 17:58:35 Route deletion via service succeeded
2021-04-07 17:58:35 Closing TUN/TAP interface
2021-04-07 17:58:35 TAP: DHCP address released
2021-04-07 17:58:35 Unblocking outside dns using service succeeded.
2021-04-07 17:58:35 SIGTERM[soft,exit-with-notification] received, process exiting
2021-04-07 17:58:35 MANAGEMENT: >STATE:1617829115,EXITING,exit-with-notification,,,,,

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Quantic Windows 10 client: it works and doesn't

Post by TinCanTech » Thu Apr 08, 2021 12:28 am

zamana wrote:
Wed Apr 07, 2021 9:34 pm
None of the servers are using the block-outside-dns
zamana wrote:
Wed Apr 07, 2021 9:34 pm
Windows 10 client log (the NOK connection):
<snippety-doo-dah>
2021-04-07 17:58:12 Blocking outside dns using service succeeded.
Look again .. :ugeek:

zamana
OpenVpn Newbie
Posts: 5
Joined: Wed Sep 21, 2016 2:34 pm

Re: Quantic Windows 10 client: it works and doesn't

Post by zamana » Thu Apr 08, 2021 2:03 pm

TinCanTech wrote:
Thu Apr 08, 2021 12:28 am
zamana wrote:
Wed Apr 07, 2021 9:34 pm
None of the servers are using the block-outside-dns
zamana wrote:
Wed Apr 07, 2021 9:34 pm
Windows 10 client log (the NOK connection):
<snippety-doo-dah>
2021-04-07 17:58:12 Blocking outside dns using service succeeded.
Look again .. :ugeek:
Hi!

That's what I'm trying to find: where is "block-outside-dns" configured on the Ubuntu Server? Or, if it is enabled by default, where/how do I disable it?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Quantic Windows 10 client: it works and doesn't

Post by TinCanTech » Thu Apr 08, 2021 2:11 pm

It must be in the client config file.
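An added diagnostic, not from this thread and not OpenVPN project code, that shows the two different ways block-outside-dns can reach a client: pushed by the server (visible in the PUSH_REPLY, and removable with pull-filter) or written in the client's own config, possibly behind "setenv opt", which is a Windows-only option that non-Windows clients ignore and that pull-filter never sees. The sample configs and log line are trimmed from the ones posted above; the semantics of setenv opt and pull-filter are taken from the OpenVPN manual.

```python
"""Report how block-outside-dns reaches an OpenVPN client (constructed example).

Pushed by the server (in PUSH_REPLY): pull-filter can drop it. Written in the
client's own config, possibly behind "setenv opt" (non-Windows clients then
ignore it silently): pull-filter never sees it; the local line must go.
"""

CLIENT_CONF = """\
client
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
pull-filter ignore "block-outside-dns"
"""
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "route 10.0.0.0 255.255.255.0"
"""
PUSH_REPLY_LOG = ("PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS "
                  "8.8.8.8,route 10.0.0.0 255.255.255.0,topology subnet'")

def options(conf):
    """Yield (directive, args, behind_setenv_opt) for each live config line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        words = line.replace('"', "").split()
        setenv_opt = words[:2] == ["setenv", "opt"]   # platform-conditional prefix
        words = words[2:] if setenv_opt else words
        if words:
            yield words[0], words[1:], setenv_opt

def block_outside_dns_origin(client_conf, server_conf, push_reply_line):
    """Return which path delivers block-outside-dns and whether pull-filter helps."""
    pushed_opts = push_reply_line.split("PUSH_REPLY,")[-1].strip("' ").split(",")
    pushed = "block-outside-dns" in pushed_opts or any(
        d == "push" and "block-outside-dns" in a for d, a, _ in options(server_conf))
    local = [s for d, _, s in options(client_conf) if d == "block-outside-dns"]
    filtered = any(d == "pull-filter" and a[:1] == ["ignore"]
                   and "block-outside-dns" in a[1:] for d, a, _ in options(client_conf))
    return {
        "pushed_by_server": pushed,
        "in_client_config": bool(local),
        "windows_only_via_setenv_opt": any(local),  # why a macOS client ignores it
        "pull_filter_helps": filtered and pushed,   # the filter only sees pushed opts
    }

if __name__ == "__main__":
    print(block_outside_dns_origin(CLIENT_CONF, SERVER_CONF, PUSH_REPLY_LOG))
```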

zamana
OpenVpn Newbie
Posts: 5
Joined: Wed Sep 21, 2016 2:34 pm

Re: Quantic Windows 10 client: it works and doesn't

Post by zamana » Thu Apr 08, 2021 3:47 pm

TinCanTech wrote:
Thu Apr 08, 2021 2:11 pm
It must be in the client config file.
That's what I thought initially. But the question is: the very same client config file works one way on MacOS (the way I want) but not in the Windows client.

And the other client config file (the one from PFSense) works fine on both client systems: MacOS and Windows 10.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Quantic Windows 10 client: it works and doesn't

Post by TinCanTech » Thu Apr 08, 2021 3:54 pm

You have not posted the config in question .....

zamana
OpenVpn Newbie
Posts: 5
Joined: Wed Sep 21, 2016 2:34 pm

Re: Quantic Windows 10 client: it works and doesn't

Post by zamana » Thu Apr 08, 2021 6:48 pm

TinCanTech wrote:
Thu Apr 08, 2021 3:54 pm
You have not posted the config in question .....
Both configs (clients and servers) were posted in my first message.
