OpenVPN different routes when using GUI or Service on MS Windows

Syping
OpenVpn Newbie
Posts: 2
Joined: Sat Nov 04, 2017 10:20 pm

Post by Syping » Sat Nov 04, 2017 10:33 pm

Hi, I configured an OpenVPN server with IPv6 and it's mostly working fine. My only problem is that I can't ping and reach the server itself with IPv6 when I use the OpenVPNService and/or OpenVPN Legacy Service configuration under MS Windows. But it works fine when I use the GUI.

Routes from GUI

===========================================================================
Interface List
  5...00 ff e8 b4 88 e5 ......TAP-Windows Adapter V9
  3...08 00 27 62 68 34 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
  4...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  6...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  3    266 ::/0                     fe80::3681:c4ff:fe3a:c875
  5    276 ::/3                     fe80::8
  1    306 ::1/128                  On-link
  5    276 2000::/3                 fe80::8
  5    276 2000::/4                 fe80::8
  5     20 2001:db8:0:88::/64       fe80::8
  5    276 2001:db8:0:88::30/128    On-link
  3    266 2001:16b8:4067:8600::/56 fe80::3681:c4ff:fe3a:c875
  3    266 2001:16b8:4067:8600::/64 On-link
  3    266 2001:16b8:4067:8600:207e:8a7f:b195:b34/128
                                    On-link
  3    266 2001:16b8:4067:8600:5992:e915:4dc8:a100/128
                                    On-link
  3     11 2a01:4f8:212:2f1d::2/128 fe80::3681:c4ff:fe3a:c875
  5    276 3000::/4                 fe80::8
  5    276 fc00::/7                 fe80::8
  3    266 fe80::/64                On-link
  5    276 fe80::/64                On-link
  3    266 fe80::5992:e915:4dc8:a100/128
                                    On-link
  5    276 fe80::d024:f037:4824:f353/128
                                    On-link
  1    306 ff00::/8                 On-link
  3    266 ff00::/8                 On-link
  5    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Routes from Service

===========================================================================
Interface List
  5...00 ff e8 b4 88 e5 ......TAP-Windows Adapter V9
  3...08 00 27 62 68 34 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
  4...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  6...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  3    266 ::/0                     fe80::3681:c4ff:fe3a:c875
  5    276 ::/3                     fe80::8
  1    306 ::1/128                  On-link
  5    276 2000::/3                 fe80::8
  5    276 2000::/4                 fe80::8
  5    276 2001:db8:0:88::/64       On-link
  5    276 2001:db8:0:88::/64       fe80::8
  5    276 2001:db8:0:88::30/128    On-link
  3    266 2001:16b8:4067:8600::/56 fe80::3681:c4ff:fe3a:c875
  3    266 2001:16b8:4067:8600::/64 On-link
  3    266 2001:16b8:4067:8600:207e:8a7f:b195:b34/128
                                    On-link
  3    266 2001:16b8:4067:8600:5992:e915:4dc8:a100/128
                                    On-link
  3    266 2a01:4f8:212:2f1d::2/128 fe80::3681:c4ff:fe3a:c875
  5    276 3000::/4                 fe80::8
  5    276 fc00::/7                 fe80::8
  3    266 fe80::/64                On-link
  5    276 fe80::/64                On-link
  3    266 fe80::5992:e915:4dc8:a100/128
                                    On-link
  5    276 fe80::d024:f037:4824:f353/128
                                    On-link
  1    306 ff00::/8                 On-link
  3    266 ff00::/8                 On-link
  5    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

The obvious difference is there: with the GUI it's not there as On-link like with the Service

  5    276 2001:db8:0:88::/64       On-link

Edit:
server.conf
port 1194
proto udp6
dev tun0
iproute /usr/local/sbin/unpriv-ip
tun-ipv6
push tun-ipv6
ca *
cert *
key *
dh *
server 192.168.88.0 255.255.255.0
server-ipv6 2001:db8:0:88::/64
ifconfig-ipv6 2001:db8:0:88::1 2001:db8:0:88::2
push "route-ipv6 2000::/3 2001:db8:0:88::1 1"
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.88.1"
push "dhcp-option DNS 213.133.99.99"
push "dhcp-option DNS6 2001:db8:0:88::1"
push "dhcp-option DNS6 2a01:4f8:0:a0a1::add:1010"
client-to-client
keepalive 5 60
user vpn
group vpn
persist-key
persist-tun
status openvpn-status.log
verb 3
sndbuf 0
rcvbuf 0

Can I prevent it with any kind of server configuration? Or is it possibly a bug in the Windows Service of OpenVPN, or possibly a mistake in my server configuration which the GUI ignores?

TinCanTech
OpenVPN Protagonist
Posts: 3347
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN different routes when using GUI or Service on MS Windows

Post by TinCanTech » Mon Nov 06, 2017 2:04 am

The GUI uses files in \user home directory\openvpn
The Service uses files in \Program Files\openvpn

Syping
OpenVpn Newbie
Posts: 2
Joined: Sat Nov 04, 2017 10:20 pm

Re: OpenVPN different routes when using GUI or Service on MS Windows

Post by Syping » Mon Nov 06, 2017 3:35 am

The GUI uses \Program Files\openvpn as well in my case. When the GUI is starting at startup, it's adding

  5    276 2001:db8:0:88::/64       On-link

as well, but not after a certain time after login. In 1 of 10 cases the Service doesn't add the On-link route and allows me as client to communicate with 2001:db8:0:88::1. It's probably some kind of bug which adds the dead route; it could be a Windows-only issue. I've got a workaround for that.

Edit: Service and GUI are on the same OS, just to be clear.

My workaround is to route the Server IP through the Server IP

push "route-ipv6 2001:db8:0:88::1/128 2001:db8:0:88::1 1"

So I can always ping and reach 2001:db8:0:88::1, even when the dead route got added at the OpenVPN connect step.

server.conf
port 1194
proto udp6
dev tun0
iproute /usr/local/sbin/unpriv-ip
tun-ipv6
push tun-ipv6
ca *
cert *
key *
dh *
server 192.168.88.0 255.255.255.0
server-ipv6 2001:db8:0:88::/64
push "route-ipv6 2000::/3 2001:db8:0:88::1 1"
push "route-ipv6 2001:db8:0:88::1/128 2001:db8:0:88::1 1"
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
script-security 2
client-connect "/etc/openvpn/server-clientconnect.sh"
client-disconnect "/etc/openvpn/server-clientdisconnect.sh"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.88.1"
push "dhcp-option DNS6 2001:db8:0:88::1"
push "block-outside-dns"
client-to-client
keepalive 5 60
user vpn
group vpn
persist-key
persist-tun
status openvpn-status.log
verb 3
sndbuf 0
rcvbuf 0


So this config is working fine for me 100%, but it's kind of weird that sometimes the On-link route is getting added, or not, by the client.
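
Added example, not part of the original posts: a Python sketch that parses `route print -6` output, diffs the two tables, and lists which routes compete for the server address 2001:db8:0:88::1, assuming longest-prefix match with the lowest metric as tie-breaker. The embedded tables are excerpts of the ones posted above; the function names are hypothetical.

```python
import ipaddress

# Excerpts of the two tables posted above (the TAP adapter is interface 5).
HEAD = """Active Routes:
 If Metric Network Destination      Gateway
  3    266 ::/0                     fe80::3681:c4ff:fe3a:c875
  5    276 2000::/3                 fe80::8
"""
TAIL = """  5    276 2001:db8:0:88::30/128    On-link
  5    276 fe80::d024:f037:4824:f353/128
                                    On-link
Persistent Routes:
  None
"""
GUI = HEAD + "  5     20 2001:db8:0:88::/64       fe80::8\n" + TAIL
SERVICE = (HEAD + "  5    276 2001:db8:0:88::/64       On-link\n"
           "  5    276 2001:db8:0:88::/64       fe80::8\n" + TAIL)

def parse_routes(text):
    """Return {(ifindex, metric, network, gateway)} from `route print -6` text."""
    routes, pending, active = set(), None, False
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("Active Routes"):
            active = True
        elif line.startswith("Persistent Routes"):
            break
        elif pending and len(fields) == 1:  # gateway wrapped onto its own line
            routes.add(pending + (fields[0],))
            pending = None
        elif active and len(fields) >= 3 and fields[0].isdigit() and fields[1].isdigit():
            head = (int(fields[0]), int(fields[1]),
                    ipaddress.ip_network(fields[2], strict=False))
            if len(fields) > 3:
                routes.add(head + (fields[3],))
            else:
                pending = head
    return routes

def candidates(routes, dest):
    """Longest-prefix routes covering dest, lowest metric first."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[2]]
    longest = max((r[2].prefixlen for r in hits), default=0)
    return sorted((r for r in hits if r[2].prefixlen == longest),
                  key=lambda r: (r[1], r[3]))

if __name__ == "__main__":
    gui, svc = parse_routes(GUI), parse_routes(SERVICE)
    print("only with service:", sorted(svc - gui, key=str))
    print("only with GUI:    ", sorted(gui - svc, key=str))
    for name, table in (("GUI", gui), ("service", svc)):
        print(name, "->", candidates(table, "2001:db8:0:88::1"))
```

With the service table, two /64 routes with the same metric tie for the server address, one of them On-link; with the GUI table only the fe80::8 route at metric 20 matches.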

TinCanTech
OpenVPN Protagonist
Posts: 3347
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN different routes when using GUI or Service on MS Windows

Post by TinCanTech » Mon Nov 06, 2017 12:31 pm

If you check your logs (at verb 4) you will probably be able to see what is changing ..
