Win 10 openvpn client

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
jbbasso
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 22, 2017 1:24 pm

Win 10 openvpn client

Post by jbbasso » Fri Sep 22, 2017 1:36 pm

First my apologies if, as I suspect, I am missing something obvious. I have been researching and reading for 2 weeks now so I have tried to do my due diligence.

I am running openvpn server on my linksys router at home connecting from a windows 10 laptop. Connection is successful but when I try to ping from the client (openvpn server, router lan, etc.) it times out. Looking at the syslog on the router I am getting

daemon.notice openvpn(Linksys_server)[11295]: Work-Laptop/Public.IP.From.ISP:12804 MULTI: bad source address from client [192.168.1.2], packet dropped

The pre and post client routing tables look ok and I think this is evident from the ping command getting to the server from the client. What I don't understand is why is the client using the ISP assigned private address (192.168.1.2) instead of the VPN assigned address (10.8.0.6). My Linksys router is configured to use 192.168.2.x so I don't believe I have an address conflict.

Linksys WRT1900ACv2 Router
uname -a
Linux lede 4.4.71 #0 SMP Thu Jun 8 10:18:56 2017 armv7l GNU/Linux
opkg list-installed | grep openvpn
luci-app-openvpn - git-17.232.21093-079f65a-1
openvpn-easy-rsa - 2013-01-30-ff5bfd1d-2
openvpn-openssl - 2.4.3-1

server config

config openvpn Linksys_server
option enabled 1
option port 1194
option proto udp
option dev tun
option ca /etc/openvpn/ca.crt
option cert /etc/openvpn/Linksys1900ACv2.crt
option key /etc/openvpn/Linksys1900ACv2.key
option dh /etc/openvpn/dh4096.pem
option server "10.8.0.0 255.255.255.0"
option ifconfig_pool_persist /tmp/ipp.txt
list push "route 192.168.2.0 255.255.255.0"
list push "redirect-gateway autolocal def1"
list push "dhcp-option DNS 8.8.8.8"
list push "dhcp-option DNS 8.8.4.4"
option client_to_client 1
option keepalive "10 120"
option cipher AES-256-CBC
option comp_lzo no
option persist_key 1
option persist_tun 1
option user nobody
option status /tmp/openvpn-status.log
option verb 4


client config

client
dev tun
proto udp
remote public.ddns FQDN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Work-Laptop.crt
key Work-Laptop.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 4


Many thanks in advance for any assistance or pointer.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Win 10 openvpn client

Post by TinCanTech » Fri Sep 22, 2017 1:51 pm

jbbasso wrote:
Fri Sep 22, 2017 1:36 pm
MULTI: bad source address from client [192.168.1.2], packet dropped
You can safely ignore that message.

jbbasso
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 22, 2017 1:24 pm

Re: Win 10 openvpn client

Post by jbbasso » Fri Sep 22, 2017 1:56 pm

Thanks, I probably should have already tried to ssh to the router. I'll try that next and report on result either way. Thank you

jbbasso
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 22, 2017 1:24 pm

Re: Win 10 openvpn client

Post by jbbasso » Fri Sep 22, 2017 2:23 pm

I get the same result when I try to SSH into the router. Seems to me that the client should use the VPN assigned IP (10.8.0.6) when routing traffic to the VPN. Granted I am very much a newbie but I don't see how anything can work if all messages are dropped by the VPN server due to a bad source address. I've read about the iroute command but that seems more applicable for exposing a LAN behind the client, not the client itself. Besides there is no way I can be sure that every external network I connect from will give me an IP in the same address space.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Win 10 openvpn client

Post by TinCanTech » Fri Sep 22, 2017 2:34 pm

Please post your sanitized client log file at verb 4

See --log & --verb in The Manual v24x

jbbasso
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 22, 2017 1:24 pm

Re: Win 10 openvpn client

Post by jbbasso » Fri Sep 22, 2017 2:55 pm

Ok, hopefully sanitized

Client log at verb 4

Fri Sep 22 09:13:30 2017 us=269398 Current Parameter Settings:
Fri Sep 22 09:13:30 2017 us=269398 config = 'Work-Laptop.ovpn'
Fri Sep 22 09:13:30 2017 us=269398 mode = 0
Fri Sep 22 09:13:30 2017 us=269398 show_ciphers = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 show_digests = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 show_engines = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 genkey = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 key_pass_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 show_tls_ciphers = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 connect_retry_max = 0
Fri Sep 22 09:13:30 2017 us=269398 Connection profiles [0]:
Fri Sep 22 09:13:30 2017 us=269398 proto = udp
Fri Sep 22 09:13:30 2017 us=269398 local = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 local_port = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 remote = 'public ddns name'
Fri Sep 22 09:13:30 2017 us=269398 remote_port = '1194'
Fri Sep 22 09:13:30 2017 us=269398 remote_float = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 bind_defined = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 bind_local = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 bind_ipv6_only = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 connect_retry_seconds = 5
Fri Sep 22 09:13:30 2017 us=269398 connect_timeout = 120
Fri Sep 22 09:13:30 2017 us=269398 socks_proxy_server = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 socks_proxy_port = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 tun_mtu = 1500
Fri Sep 22 09:13:30 2017 us=269398 tun_mtu_defined = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 link_mtu = 1500
Fri Sep 22 09:13:30 2017 us=269398 link_mtu_defined = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 tun_mtu_extra = 0
Fri Sep 22 09:13:30 2017 us=269398 tun_mtu_extra_defined = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 mtu_discover_type = -1
Fri Sep 22 09:13:30 2017 us=269398 fragment = 0
Fri Sep 22 09:13:30 2017 us=269398 mssfix = 1450
Fri Sep 22 09:13:30 2017 us=269398 explicit_exit_notification = 0
Fri Sep 22 09:13:30 2017 us=269398 Connection profiles END
Fri Sep 22 09:13:30 2017 us=269398 remote_random = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 ipchange = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 dev = 'tun'
Fri Sep 22 09:13:30 2017 us=269398 dev_type = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 dev_node = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 lladdr = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 topology = 1
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_local = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_remote_netmask = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_noexec = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_nowarn = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_ipv6_local = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_ipv6_netbits = 0
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_ipv6_remote = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 shaper = 0
Fri Sep 22 09:13:30 2017 us=269398 mtu_test = 0
Fri Sep 22 09:13:30 2017 us=269398 mlock = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 keepalive_ping = 0
Fri Sep 22 09:13:30 2017 us=269398 keepalive_timeout = 0
Fri Sep 22 09:13:30 2017 us=269398 inactivity_timeout = 0
Fri Sep 22 09:13:30 2017 us=269398 ping_send_timeout = 0
Fri Sep 22 09:13:30 2017 us=269398 ping_rec_timeout = 0
Fri Sep 22 09:13:30 2017 us=269398 ping_rec_timeout_action = 0
Fri Sep 22 09:13:30 2017 us=269398 ping_timer_remote = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 remap_sigusr1 = 0
Fri Sep 22 09:13:30 2017 us=269398 persist_tun = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 persist_local_ip = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 persist_remote_ip = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 persist_key = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 passtos = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 resolve_retry_seconds = 1000000000
Fri Sep 22 09:13:30 2017 us=269398 resolve_in_advance = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 username = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 groupname = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 chroot_dir = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 cd_dir = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 writepid = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 up_script = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 down_script = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 down_pre = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 up_restart = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 up_delay = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 daemon = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 inetd = 0
Fri Sep 22 09:13:30 2017 us=269398 log = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 suppress_timestamps = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 machine_readable_output = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 nice = 0
Fri Sep 22 09:13:30 2017 us=269398 verbosity = 4
Fri Sep 22 09:13:30 2017 us=269398 mute = 0
Fri Sep 22 09:13:30 2017 us=269398 gremlin = 0
Fri Sep 22 09:13:30 2017 us=269398 status_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 status_file_version = 1
Fri Sep 22 09:13:30 2017 us=269398 status_file_update_freq = 60
Fri Sep 22 09:13:30 2017 us=269398 occ = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 rcvbuf = 0
Fri Sep 22 09:13:30 2017 us=269398 sndbuf = 0
Fri Sep 22 09:13:30 2017 us=269398 sockflags = 0
Fri Sep 22 09:13:30 2017 us=269398 fast_io = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 comp.alg = 1
Fri Sep 22 09:13:30 2017 us=269398 comp.flags = 0
Fri Sep 22 09:13:30 2017 us=269398 route_script = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 route_default_gateway = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 route_default_metric = 0
Fri Sep 22 09:13:30 2017 us=269398 route_noexec = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 route_delay = 5
Fri Sep 22 09:13:30 2017 us=269398 route_delay_window = 30
Fri Sep 22 09:13:30 2017 us=269398 route_delay_defined = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 route_nopull = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 route_gateway_via_dhcp = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 allow_pull_fqdn = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 management_addr = '127.0.0.1'
Fri Sep 22 09:13:30 2017 us=269398 management_port = '25340'
Fri Sep 22 09:13:30 2017 us=269398 management_user_pass = 'stdin'
Fri Sep 22 09:13:30 2017 us=269398 management_log_history_cache = 250
Fri Sep 22 09:13:30 2017 us=269398 management_echo_buffer_size = 100
Fri Sep 22 09:13:30 2017 us=269398 management_write_peer_info_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 management_client_user = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 management_client_group = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 management_flags = 6
Fri Sep 22 09:13:30 2017 us=269398 shared_secret_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 key_direction = 0
Fri Sep 22 09:13:30 2017 us=269398 ciphername = 'AES-256-CBC'
Fri Sep 22 09:13:30 2017 us=269398 ncp_enabled = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Fri Sep 22 09:13:30 2017 us=269398 authname = 'SHA1'
Fri Sep 22 09:13:30 2017 us=269398 prng_hash = 'SHA1'
Fri Sep 22 09:13:30 2017 us=269398 prng_nonce_secret_len = 16
Fri Sep 22 09:13:30 2017 us=269398 keysize = 0
Fri Sep 22 09:13:30 2017 us=269398 engine = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 replay = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 mute_replay_warnings = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 replay_window = 64
Fri Sep 22 09:13:30 2017 us=269398 replay_time = 15
Fri Sep 22 09:13:30 2017 us=269398 packet_id_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 use_iv = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 test_crypto = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 tls_server = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 tls_client = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 key_method = 2
Fri Sep 22 09:13:30 2017 us=269398 ca_file = 'ca.crt'
Fri Sep 22 09:13:30 2017 us=269398 ca_path = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 dh_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 cert_file = 'Work-Laptop.crt'
Fri Sep 22 09:13:30 2017 us=269398 extra_certs_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 priv_key_file = 'Work-Laptop.key'
Fri Sep 22 09:13:30 2017 us=269398 pkcs12_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 cryptoapi_cert = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 cipher_list = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 tls_verify = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 tls_export_cert = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 verify_x509_type = 0
Fri Sep 22 09:13:30 2017 us=269398 verify_x509_name = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 crl_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 ns_cert_type = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku = 65535
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku[i] = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku[i] = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku[i] = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku[i] = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku[i] = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_ku[i] = 0
Fri Sep 22 09:13:30 2017 us=269398 remote_cert_eku = 'TLS Web Server Authentication'
Fri Sep 22 09:13:30 2017 us=269398 ssl_flags = 0
Fri Sep 22 09:13:30 2017 us=269398 tls_timeout = 2
Fri Sep 22 09:13:30 2017 us=269398 renegotiate_bytes = -1
Fri Sep 22 09:13:30 2017 us=269398 renegotiate_packets = 0
Fri Sep 22 09:13:30 2017 us=269398 renegotiate_seconds = 3600
Fri Sep 22 09:13:30 2017 us=269398 handshake_window = 60
Fri Sep 22 09:13:30 2017 us=269398 transition_window = 3600
Fri Sep 22 09:13:30 2017 us=269398 single_session = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 push_peer_info = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 tls_exit = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 tls_auth_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 tls_crypt_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_protected_authentication = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_private_mode = 00000000
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_cert_private = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_pin_cache_period = -1
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_id = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 pkcs11_id_management = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 server_network = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 server_netmask = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 server_network_ipv6 = ::
Fri Sep 22 09:13:30 2017 us=269398 server_netbits_ipv6 = 0
Fri Sep 22 09:13:30 2017 us=269398 server_bridge_ip = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 server_bridge_netmask = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 server_bridge_pool_start = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 server_bridge_pool_end = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_pool_defined = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_pool_start = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_pool_end = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_pool_netmask = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_pool_persist_filename = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_pool_persist_refresh_freq = 600
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_ipv6_pool_defined = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_ipv6_pool_base = ::
Fri Sep 22 09:13:30 2017 us=269398 ifconfig_ipv6_pool_netbits = 0
Fri Sep 22 09:13:30 2017 us=269398 n_bcast_buf = 256
Fri Sep 22 09:13:30 2017 us=269398 tcp_queue_limit = 64
Fri Sep 22 09:13:30 2017 us=269398 real_hash_size = 256
Fri Sep 22 09:13:30 2017 us=269398 virtual_hash_size = 256
Fri Sep 22 09:13:30 2017 us=269398 client_connect_script = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 learn_address_script = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 client_disconnect_script = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 client_config_dir = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 ccd_exclusive = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 tmp_dir = 'C:\Users\jbbas\AppData\Local\Temp\'
Fri Sep 22 09:13:30 2017 us=269398 push_ifconfig_defined = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 push_ifconfig_local = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 push_ifconfig_remote_netmask = 0.0.0.0
Fri Sep 22 09:13:30 2017 us=269398 push_ifconfig_ipv6_defined = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 push_ifconfig_ipv6_local = ::/0
Fri Sep 22 09:13:30 2017 us=269398 push_ifconfig_ipv6_remote = ::
Fri Sep 22 09:13:30 2017 us=269398 enable_c2c = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 duplicate_cn = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 cf_max = 0
Fri Sep 22 09:13:30 2017 us=269398 cf_per = 0
Fri Sep 22 09:13:30 2017 us=269398 max_clients = 1024
Fri Sep 22 09:13:30 2017 us=269398 max_routes_per_client = 256
Fri Sep 22 09:13:30 2017 us=269398 auth_user_pass_verify_script = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 auth_user_pass_verify_script_via_file = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 auth_token_generate = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 auth_token_lifetime = 0
Fri Sep 22 09:13:30 2017 us=269398 client = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 pull = ENABLED
Fri Sep 22 09:13:30 2017 us=269398 auth_user_pass_file = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 show_net_up = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 route_method = 3
Fri Sep 22 09:13:30 2017 us=269398 block_outside_dns = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 ip_win32_defined = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 ip_win32_type = 3
Fri Sep 22 09:13:30 2017 us=269398 dhcp_masq_offset = 0
Fri Sep 22 09:13:30 2017 us=269398 dhcp_lease_time = 31536000
Fri Sep 22 09:13:30 2017 us=269398 tap_sleep = 0
Fri Sep 22 09:13:30 2017 us=269398 dhcp_options = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 dhcp_renew = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 dhcp_pre_release = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 domain = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 netbios_scope = '[UNDEF]'
Fri Sep 22 09:13:30 2017 us=269398 netbios_node_type = 0
Fri Sep 22 09:13:30 2017 us=269398 disable_nbt = DISABLED
Fri Sep 22 09:13:30 2017 us=269398 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jul 14 2017
Fri Sep 22 09:13:30 2017 us=269398 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Sep 22 09:13:30 2017 us=269398 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Fri Sep 22 09:13:30 2017 us=269398 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Sep 22 09:13:30 2017 us=269398 Need hold release from management interface, waiting...
Fri Sep 22 09:13:30 2017 us=759205 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Sep 22 09:13:30 2017 us=871930 MANAGEMENT: CMD 'state on'
Fri Sep 22 09:13:30 2017 us=871930 MANAGEMENT: CMD 'log all on'
Fri Sep 22 09:13:32 2017 us=53658 MANAGEMENT: CMD 'echo all on'
Fri Sep 22 09:13:32 2017 us=58675 MANAGEMENT: CMD 'hold off'
Fri Sep 22 09:13:32 2017 us=74340 MANAGEMENT: CMD 'hold release'
Fri Sep 22 09:13:32 2017 us=158953 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Fri Sep 22 09:13:32 2017 us=158953 MANAGEMENT: >STATE:1506089612,RESOLVE,,,,,,
Fri Sep 22 09:13:32 2017 us=443066 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Fri Sep 22 09:13:32 2017 us=443066 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Sep 22 09:13:32 2017 us=443066 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Sep 22 09:13:32 2017 us=443066 TCP/UDP: Preserving recently used remote address: [AF_INET]routerpublicIP:1194
Fri Sep 22 09:13:32 2017 us=443066 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Sep 22 09:13:32 2017 us=443066 UDP link local: (not bound)
Fri Sep 22 09:13:32 2017 us=443066 UDP link remote: [AF_INET]routerpublicIP:1194
Fri Sep 22 09:13:32 2017 us=443066 MANAGEMENT: >STATE:1506089612,WAIT,,,,,,
Fri Sep 22 09:13:32 2017 us=483382 MANAGEMENT: >STATE:1506089612,AUTH,,,,,,
Fri Sep 22 09:13:32 2017 us=483382 TLS: Initial packet from [AF_INET]routerpublicIP:1194, sid=25b464b8 3d9c8ed7
Fri Sep 22 09:13:32 2017 us=729317 VERIFY OK: depth=1, C=US, ST=TX, L=Dallas, O=Personal, OU=Home, CN=BassoVPN, name=VPNServer, emailAddress=emailaddr
Fri Sep 22 09:13:32 2017 us=729317 VERIFY KU OK
Fri Sep 22 09:13:32 2017 us=729317 Validating certificate extended key usage
Fri Sep 22 09:13:32 2017 us=729317 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Sep 22 09:13:32 2017 us=729317 VERIFY EKU OK
Fri Sep 22 09:13:32 2017 us=729317 VERIFY OK: depth=0, C=US, ST=TX, L=Dallas, O=Personal, OU=Home, CN=Linksys1900ACv2, name=VPNServer, emailAddress=emailaddr
Fri Sep 22 09:13:32 2017 us=893468 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Sep 22 09:13:32 2017 us=893468 [Linksys1900ACv2] Peer Connection Initiated with [AF_INET]routerpublicIP:1194
Fri Sep 22 09:13:34 2017 us=103735 MANAGEMENT: >STATE:1506089614,GET_CONFIG,,,,,,
Fri Sep 22 09:13:34 2017 us=103735 SENT CONTROL [Linksys1900ACv2]: 'PUSH_REQUEST' (status=1)
Fri Sep 22 09:13:34 2017 us=172214 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,redirect-gateway autolocal def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Fri Sep 22 09:13:34 2017 us=172214 OPTIONS IMPORT: timers and/or timeouts modified
Fri Sep 22 09:13:34 2017 us=172214 OPTIONS IMPORT: --ifconfig/up options modified
Fri Sep 22 09:13:34 2017 us=172214 OPTIONS IMPORT: route options modified
Fri Sep 22 09:13:34 2017 us=172214 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Sep 22 09:13:34 2017 us=172214 OPTIONS IMPORT: peer-id set
Fri Sep 22 09:13:34 2017 us=172214 OPTIONS IMPORT: adjusting link_mtu to 1625
Fri Sep 22 09:13:34 2017 us=172214 OPTIONS IMPORT: data channel crypto options modified
Fri Sep 22 09:13:34 2017 us=172214 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Sep 22 09:13:34 2017 us=172214 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Fri Sep 22 09:13:34 2017 us=172214 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 22 09:13:34 2017 us=172214 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 22 09:13:34 2017 us=172214 interactive service msg_channel=556
Fri Sep 22 09:13:34 2017 us=172214 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=4 HWADDR=b4:ae:2b:dd:ff:8d
Fri Sep 22 09:13:34 2017 us=189113 open_tun
Fri Sep 22 09:13:34 2017 us=189113 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{11B9EE99-28B5-4581-ACDB-669B81CCE96D}.tap
Fri Sep 22 09:13:34 2017 us=189113 TAP-Windows Driver Version 9.21
Fri Sep 22 09:13:34 2017 us=189113 TAP-Windows MTU=1500
Fri Sep 22 09:13:34 2017 us=189113 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {11B9EE99-28B5-4581-ACDB-669B81CCE96D} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Fri Sep 22 09:13:34 2017 us=189113 DHCP option string: 06080808 08080808 0404
Fri Sep 22 09:13:34 2017 us=189113 Successful ARP Flush on interface [2] {11B9EE99-28B5-4581-ACDB-669B81CCE96D}
Fri Sep 22 09:13:34 2017 us=189113 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Sep 22 09:13:34 2017 us=189113 MANAGEMENT: >STATE:1506089614,ASSIGN_IP,,10.8.0.6,,,,
Fri Sep 22 09:13:39 2017 us=871973 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Fri Sep 22 09:13:39 2017 us=871973 ROUTE remote_host is NOT LOCAL
Fri Sep 22 09:13:39 2017 us=871973 C:\WINDOWS\system32\route.exe ADD routerpublicIP MASK 255.255.255.255 192.168.1.1
Fri Sep 22 09:13:39 2017 us=871973 Route addition via service succeeded
Fri Sep 22 09:13:39 2017 us=871973 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Fri Sep 22 09:13:39 2017 us=871973 Route addition via service succeeded
Fri Sep 22 09:13:39 2017 us=871973 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Fri Sep 22 09:13:39 2017 us=871973 Route addition via service succeeded
Fri Sep 22 09:13:39 2017 us=871973 MANAGEMENT: >STATE:1506089619,ADD_ROUTES,,,,,,
Fri Sep 22 09:13:39 2017 us=871973 C:\WINDOWS\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 10.8.0.5
Fri Sep 22 09:13:39 2017 us=871973 Route addition via service succeeded
Fri Sep 22 09:13:39 2017 us=871973 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Fri Sep 22 09:13:39 2017 us=871973 Route addition via service succeeded
Fri Sep 22 09:13:39 2017 us=871973 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Sep 22 09:13:39 2017 us=871973 Initialization Sequence Completed
Fri Sep 22 09:13:39 2017 us=871973 MANAGEMENT: >STATE:1506089619,CONNECTED,SUCCESS,10.8.0.6,routerpublicIP,1194,,

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Win 10 openvpn client

Post by TinCanTech » Fri Sep 22, 2017 2:58 pm

This is completely normal and so the TUN interface IP will be used for tunnel packets.

The other interface is most likely a windows service doing something wrong.

Can you connect to your router via ssh over the tunnel at 10.8.0.1 ?

jbbasso
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 22, 2017 1:24 pm

Re: Win 10 openvpn client

Post by jbbasso » Fri Sep 22, 2017 3:11 pm

It appears not. The request times out and there are no entries in the router syslog. Same result when I try to ping 10.8.0.1 from the client. Times out with no syslog entries.

And yes, I figured it is a windows issue. Unfortunately what I really want this for is so I can work on my home linux box from work which requires me to run windows.

Appreciate your time and suggestions.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Win 10 openvpn client

Post by TinCanTech » Fri Sep 22, 2017 4:24 pm

jbbasso wrote:
Fri Sep 22, 2017 2:23 pm
Seems to me that the client should use the VPN assigned IP (10.8.0.6) when routing traffic to the VPN.
This is down to the operating system to create the packet correctly .. but most do and only very old and unpatched windows do not, or other weird stuff ..
TinCanTech wrote:
Fri Sep 22, 2017 1:51 pm
jbbasso wrote:
Fri Sep 22, 2017 1:36 pm
MULTI: bad source address from client [192.168.1.2], packet dropped
You can safely ignore that message.
Or you can configure an unnecessary layer for openvpn by explaining to the server where that IP address lives by reading this:
HOWTO: Expanding the scope of the VPN to include additional machines
jbbasso wrote:
Fri Sep 22, 2017 3:11 pm
request times out and no entries in the router syslog. Same result when I try to ping 10.8.0.1 from the client. Times out with no syslog entries.
This is 99.99% a firewall problem ..

You could run wireshark on your client to see packet movement.
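The drop the thread keeps returning to is a deliberate check in OpenVPN's server mode: for each connected client the server accepts tunnel packets only whose source is that client's assigned pool address (here 10.8.0.6) or lies in a network handed to it with iroute; anything else is logged as "MULTI: bad source address" and discarded. The same check is what stops one client from emitting packets with another client's tunnel address. The triage script below is an added example, not part of this thread or of OpenVPN itself: it reads a server syslog excerpt, learns each client's address from the "MULTI: Learn:" lines and any iroute from "MULTI: internal route" lines (message formats as written by OpenVPN 2.4's multi.c, assumed here), and classifies every drop. The sample lines are constructed from the one posted above, with documentation addresses in place of the sanitized public IP and an invented second client "Phone" to show the cross-client cases.

```python
import ipaddress
import re
from collections import defaultdict

# Message formats of OpenVPN 2.4 server mode (assumed from multi.c). Each line is
# prefixed with "<client CN>/<real address>:<port>", which is where the CN comes from.
LEARN_RE = re.compile(r"\s(\S+?)/\S+ MULTI: Learn: ([\d.]+) -> ")
IROUTE_RE = re.compile(r"MULTI: internal route ([\d.]+/\d+) -> (\S+?)/")
BAD_RE = re.compile(r"\s(\S+?)/\S+ MULTI: bad source address from client \[([\d.]+)\], packet dropped")

# Constructed syslog excerpt modelled on the line posted above. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the sanitized public IPs.
SAMPLE_SYSLOG = [
    "Sep 22 09:13:34 lede daemon.notice openvpn(Linksys_server)[11295]: Work-Laptop/203.0.113.7:12804 MULTI: Learn: 10.8.0.6 -> Work-Laptop/203.0.113.7:12804",
    "Sep 22 09:13:34 lede daemon.notice openvpn(Linksys_server)[11295]: Work-Laptop/203.0.113.7:12804 MULTI: primary virtual IP for Work-Laptop/203.0.113.7:12804: 10.8.0.6",
    "Sep 22 09:13:50 lede daemon.notice openvpn(Linksys_server)[11295]: Work-Laptop/203.0.113.7:12804 MULTI: bad source address from client [192.168.1.2], packet dropped",
    "Sep 22 09:14:02 lede daemon.notice openvpn(Linksys_server)[11295]: Phone/198.51.100.9:40001 MULTI: Learn: 10.8.0.10 -> Phone/198.51.100.9:40001",
    "Sep 22 09:14:02 lede daemon.notice openvpn(Linksys_server)[11295]: Phone/198.51.100.9:40001 MULTI: internal route 192.168.50.0/24 -> Phone/198.51.100.9:40001",
    "Sep 22 09:14:10 lede daemon.notice openvpn(Linksys_server)[11295]: Work-Laptop/203.0.113.7:12804 MULTI: bad source address from client [10.8.0.10], packet dropped",
    "Sep 22 09:14:11 lede daemon.notice openvpn(Linksys_server)[11295]: Work-Laptop/203.0.113.7:12804 MULTI: bad source address from client [192.168.50.5], packet dropped",
]


def triage_bad_source(lines):
    """Classify every 'bad source address' drop in a server syslog excerpt.

    The server's rule: a packet from client C is accepted only if its source is
    C's tunnel address or lies in a network iroute'd to C. The verdicts say which
    of the remaining possibilities a dropped source falls into."""
    tunnel_ip = {}               # CN -> address the server assigned (from Learn lines)
    iroutes = defaultdict(list)  # CN -> networks the server routes to that client
    events = []
    for line in lines:
        m = LEARN_RE.search(line)
        if m:
            tunnel_ip[m.group(1)] = ipaddress.ip_address(m.group(2))
            continue
        m = IROUTE_RE.search(line)
        if m:
            iroutes[m.group(2)].append(ipaddress.ip_network(m.group(1), strict=False))
            continue
        m = BAD_RE.search(line)
        if not m:
            continue
        client, src = m.group(1), ipaddress.ip_address(m.group(2))
        # Does the source belong to some *other* client, by address or by iroute?
        addr_owner = next((c for c, ip in tunnel_ip.items() if ip == src and c != client), None)
        net_owner = next((c for c, nets in iroutes.items()
                          if c != client and any(src in n for n in nets)), None)
        if addr_owner is not None:
            verdict, owner = "other-client-address", addr_owner   # spoofing a peer's tunnel IP
        elif net_owner is not None:
            verdict, owner = "other-client-network", net_owner    # source sits behind a peer
        elif src.is_private:
            # The case in this thread: a LAN-side address of the client host entered the tunnel.
            verdict, owner = "private-lan-address", None
        else:
            verdict, owner = "unknown-source", None
        events.append({"client": client, "source": str(src), "verdict": verdict,
                       "expected": str(tunnel_ip.get(client)), "owner": owner})
    return events


if __name__ == "__main__":
    for e in triage_bad_source(SAMPLE_SYSLOG):
        tail = f" (belongs to {e['owner']})" if e["owner"] else ""
        print(f"{e['client']}: sent from {e['source']}, expected {e['expected']}: {e['verdict']}{tail}")
```

Feed it the router's syslog (for example `logread | grep MULTI:` on LEDE) instead of the constructed list. A "private-lan-address" verdict matches the situation in this thread and is harmless to ignore; an "other-client-address" or "other-client-network" verdict is worth investigating, because it means a client emitted packets claiming a peer's address.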

jbbasso
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 22, 2017 1:24 pm

Re: Win 10 openvpn client

Post by jbbasso » Fri Sep 22, 2017 4:35 pm

Win 10 pro anniversary with latest updates so not old but still windows.

I tried disabling, temporarily, my firewall when I was testing the ping. I can do that again and retest ssh. If that doesn't provide any hints I'll look into wireshark. Thanks.

jbbasso
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 22, 2017 1:24 pm

Re: Win 10 openvpn client

Post by jbbasso » Tue Sep 26, 2017 7:07 pm

Ok, I'm leaning towards the server firewall as the issue. I added a client ccd config as a test and the original error is gone but the ping still does not work. I also tried to temporarily disable the client firewall with no success. Then to try and isolate Windows as the issue I installed OpenVPN on my android phone. Same result, I get connected but ping does not work.

Here is /etc/config/network on my server:
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd75:d44e:fb12::/48'

# LAN: bridge of the switch-facing port eth1, 192.168.2.0/24
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 5'

# 'vpn0': a second bridge containing eth1 (already a member of the 'lan' bridge above)
# together with the OpenVPN tun0 device; the _orig_* options are LuCI leftovers
config interface 'vpn0'
	option proto 'none'
	option auto '1'
	option type 'bridge'
	option _orig_ifname 'tun0'
	option _orig_bridge 'true'
	option ifname 'eth1 tun0'

and /etc/config/firewall on my server
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# IPsec pass-through rules (ESP and IKE on udp/500) from wan to lan
config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# OpenVPN server port (udp/1194), accepted from any zone
config rule 'Allow_OpenVPN_Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '1194'

# zone for the tunnel; it is tied to the 'vpn0' interface from /etc/config/network
config zone 'vpn'
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'REJECT'

# forwarding in both directions between the tunnel and the LAN
config forwarding 'vpn_forwarding_lan_in'
	option src 'vpn'
	option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
	option src 'lan'
	option dest 'vpn'

I'm pretty weak on FW rules, so I tried to follow the guidance in the OpenVPN HOWTO.

Thanks for taking a look.
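
A consistency check over the two files posted above, as an added example (my code, not from the thread or from OpenWrt). It parses the UCI text format and applies three checks that do not need the router: a bridge must not contain a tun device (the Linux bridge driver only accepts Ethernet-type ports, so the 'vpn0' bridge with 'eth1 tun0' as posted cannot be assembled, and traffic on tun0 is then not covered by the 'vpn' zone); a physical port such as eth1 can belong to only one bridge; and every network a firewall zone names must exist in /etc/config/network. The embedded samples are shortened copies of the posted configs; the "fixed" vpn0 stanza, a plain proto none interface wrapping tun0, is the usual way to put an OpenVPN tun server into its own zone and is my suggestion, not something from the thread.

```python
import shlex


def parse_uci(text):
    """Parse UCI text into a list of sections: {type, name, options, lists}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def check_config(network_text, firewall_text):
    """Return human-readable findings; an empty list means all three checks passed."""
    findings = []
    interfaces = {s["name"]: s for s in parse_uci(network_text) if s["type"] == "interface"}

    # checks 1 and 2: bridge membership
    members = {}  # device -> bridges it is listed in
    for name, sec in interfaces.items():
        if sec["options"].get("type") != "bridge":
            continue
        for dev in sec["options"].get("ifname", "").split():
            members.setdefault(dev, []).append(name)
            if dev.startswith("tun"):
                findings.append(f"interface '{name}': '{dev}' is a layer-3 tun device; "
                                "the kernel bridge accepts only Ethernet ports (use tap, or no bridge)")
    for dev, bridges in members.items():
        if len(bridges) > 1:
            findings.append(f"device '{dev}' is a member of several bridges: {', '.join(bridges)}")

    # check 3: every network named by a zone must be a defined interface
    for sec in parse_uci(firewall_text):
        if sec["type"] != "zone":
            continue
        zone = sec["options"].get("name") or sec["name"]
        nets = sec["lists"].get("network", []) + sec["options"].get("network", "").split()
        for n in nets:
            if n not in interfaces:
                findings.append(f"zone '{zone}' refers to network '{n}', which is not defined")
    return findings


# Constructed samples, shortened from the configs posted in this thread.
BASE_NETWORK = """\
config interface 'lan'
    option type 'bridge'
    option ifname 'eth1'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'
"""

# The 'vpn0' stanza as posted: tun0 bridged together with eth1.
VPN_AS_POSTED = """
config interface 'vpn0'
    option proto 'none'
    option auto '1'
    option type 'bridge'
    option ifname 'eth1 tun0'
"""

# Suggested replacement: a plain layer-3 interface wrapping tun0 (assumption, not from the thread).
VPN_FIXED = """
config interface 'vpn0'
    option proto 'none'
    option auto '1'
    option ifname 'tun0'
"""

SAMPLE_FIREWALL = """\
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'

config zone 'vpn'
    option name 'vpn'
    option network 'vpn0'
    option input 'ACCEPT'
    option forward 'REJECT'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'
"""

if __name__ == "__main__":
    for label, vpn in (("as posted", VPN_AS_POSTED), ("fixed", VPN_FIXED)):
        print(f"== {label} ==")
        for finding in check_config(BASE_NETWORK + vpn, SAMPLE_FIREWALL) or ["ok"]:
            print(" ", finding)
```

To run it against the real router, paste the full contents of /etc/config/network and /etc/config/firewall in place of the samples; the parser accepts the complete files as posted.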
