Same config that worked for years on Server 2008 R2 doesn't on 2016

Mastiff
OpenVPN User
Posts: 29
Joined: Tue Aug 07, 2018 1:34 pm

Same config that worked for years on Server 2008 R2 doesn't on 2016

Post by Mastiff » Tue Aug 07, 2018 2:08 pm

I have a cabin by the sea and a house. I'm a freelancer, so I can work at either place, with broadband on both. And I have kept an always-on tunnel with OpenVPN for at least five years, often transferring work files up to 10 gigabytes, and I have never had any problems. In that time I've been running Server 2008 on both sides, and I've had no problems at all. But with the new installation, which has the exact same version of OpenVPN, 2.4.3.0 (dated 14th of July 2017), I get dropouts. From a few minutes and up to 15-20, and then it drops. And when it connects again, ping to the server does not work for a long time, or not at all until I do a manual disconnection and reconnection. And I changed nothing, I just installed the same version that I was using and copied over the certificates, config and so on. I have tried to uninstall and install again, but nothing seems to help.

The server side hasn't changed yet (I'm planning to go to 2016 this weekend, my servers have identical hardware), so only the client has gone from Windows Server 2008 R2 to Windows Server 2016 Datacenter (not because I need it in my personal setup, but because I wanted to). This is the client side config:

[oconf=client]
## client.ovpn ##
client
proto udp
dev tap
remote my.address 11720
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
ca ca.crt
cert my.crt
key my.key
comp-lzo
verb 3
[/oconf]


And the server side is like this:

[oconf=server]
## server.ovpn ##
port 11720
proto udp
dev tap
ca ca.crt
cert my.crt
key my.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN mydomain.no"
keepalive 5 10
comp-lzo
max-clients 1
persist-key
persist-tun
status openvpn-status.log
verb 3
[/oconf]


I get this in the client log when it breaks:

Tue Aug 07 16:02:16 2018 [Server] Inactivity timeout (--ping-restart), restarting
Tue Aug 07 16:02:16 2018 SIGUSR1[soft,ping-restart] received, process restarting
Tue Aug 07 16:02:16 2018 MANAGEMENT: >STATE:1533650536,RECONNECTING,ping-restart,,,,,
Tue Aug 07 16:02:16 2018 Restart pause, 5 second(s)

Tue Aug 07 16:02:12 2018 client/IP [Client] Inactivity timeout (--ping-restart), restarting
Tue Aug 07 16:02:12 2018 Client/IP SIGUSR1[soft,ping-restart] received, client-instance restarting
Tue Aug 07 16:02:23 2018 109.247.22.62 TLS: Initial packet from [AF_INET6]::ffff:IP:32009, sid=64f646c6 44c858d9

I am aware that I'm not using the latest version, and that I'm not using the standard port (due to hammering on my first setup many years ago), but should that matter at all when it has been working perfectly up to now? And could somebody please give me a hint as to what this can be?
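The log lines above show the client being torn down by --ping-restart. Two things are worth quantifying before changing anything: how long each tunnel actually lived before the restart, and what the server's `keepalive 5 10` means for the client. This is an added example, not code from the thread or from the OpenVPN project; the sample log is constructed around the quoted lines (with "Initialization Sequence Completed" lines added to mark the start of each session), and the keepalive expansion follows the rule stated in the OpenVPN manual.

```python
"""Quantify the dropouts in the client log and unpack --keepalive.

Added example, not from the forum thread or the OpenVPN project. The sample
log is constructed around the lines quoted in the post; the timestamp format
is OpenVPN's default.
"""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: the quoted ping-restart lines plus the
# "Initialization Sequence Completed" line that precedes each session.
SAMPLE_LOG = """\
Tue Aug 07 15:47:03 2018 Initialization Sequence Completed
Tue Aug 07 16:02:16 2018 [Server] Inactivity timeout (--ping-restart), restarting
Tue Aug 07 16:02:16 2018 SIGUSR1[soft,ping-restart] received, process restarting
Tue Aug 07 16:02:16 2018 MANAGEMENT: >STATE:1533650536,RECONNECTING,ping-restart,,,,,
Tue Aug 07 16:02:16 2018 Restart pause, 5 second(s)
Tue Aug 07 16:02:31 2018 Initialization Sequence Completed
Tue Aug 07 16:09:02 2018 [Server] Inactivity timeout (--ping-restart), restarting
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # "Tue Aug 07 16:02:16 2018" is 24 characters


def parse_line(line: str) -> Tuple[datetime, str]:
    """Split an OpenVPN log line into its timestamp and message."""
    return datetime.strptime(line[:24], TS_FORMAT), line[25:]


def session_lengths(log: str) -> List[int]:
    """Seconds each tunnel lived before a ping-restart tore it down."""
    started = None
    lengths = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ts, msg = parse_line(raw)
        if msg.startswith("Initialization Sequence Completed"):
            started = ts
        elif "Inactivity timeout (--ping-restart)" in msg and started is not None:
            lengths.append(int((ts - started).total_seconds()))
            started = None
    return lengths


def keepalive_expansion(interval: int, timeout: int, server: bool = True) -> Dict[str, int]:
    """What 'keepalive INTERVAL TIMEOUT' expands to, per the OpenVPN manual.

    In server mode the server's own ping-restart is doubled and the value
    pushed to clients is the bare timeout, so the thread's "keepalive 5 10"
    gives the client only 10 s of silence before it restarts; the later
    "keepalive 10 120" gives it 120 s.
    """
    if server:
        return {"ping": interval, "ping-restart": 2 * timeout,
                "push ping": interval, "push ping-restart": timeout}
    return {"ping": interval, "ping-restart": timeout}


if __name__ == "__main__":
    print("session lengths (s):", session_lengths(SAMPLE_LOG))
    print("keepalive 5 10 ->", keepalive_expansion(5, 10))
    print("keepalive 10 120 ->", keepalive_expansion(10, 120))
```

Run against a real client log the same way (read the file instead of `SAMPLE_LOG`); a run of short sessions with a 10-second client timeout points at packet loss on the path rather than at the configuration itself.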

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Post by TinCanTech » Tue Aug 07, 2018 3:14 pm

Mastiff wrote:
Tue Aug 07, 2018 2:08 pm
the client has gone from Windows Server 2008 R2 to Windows Server 2016 Datacenter
I believe there is currently some problem with the TAP adapter and Windows Server 2016. The devs are trying to get a fully M$ certified TAP driver but the process is long and extremely difficult.

I suggest you go back to your previous OS for the time being and watch for announcements.

Out of curiosity, did you experience anything unusual when you installed to 2016 OS ?

(Do you really need --dev-type tap as you are not using --server-bridge ? .. you could also try --dev-type tun)

Post by Mastiff » Tue Aug 07, 2018 4:23 pm

Aha, well that wouldn't surprise me. Most things with M$ (I often use the same spelling, even if I use their O$ on servers, PCs and most everything except for firewalls, which are pfSense) take time. ;) And I know there was a reason for me to go for tap, but I believe that was on Server 2003! So I can try to change that and see if that helps, thanks!

Post by Mastiff » Tue Aug 07, 2018 4:29 pm

Oh, btw is it possible to use the tun as I'm using tap, which is to join my 192.168.0.0 network (home) and 192.168.2.0 network (cabin) so I can log on to any computer, ip cam and so on any of the places no matter where I am?

Post by TinCanTech » Tue Aug 07, 2018 5:55 pm

OpenVPN would not be much use if you could not connect networks over the VPN.

There are, however, some caveats to that.

You need to understand the difference between:
  • --dev-type tun is OSI Layer 3 -- TCP/IP routed network (preferred)
    This is the preferred method because it is more efficient.
  • --dev-type tap is OSI Layer 2 -- Ethernet frames
    This is useful for passing non-IP traffic (eg. IPX) or broadcast packets.
    It is worth reading this
Some applications require Broadcast packets (eg. Some Security-cam management systems / Network games)

One application which requires Broadcasts packets for full functionality is M$ Networking / Samba ..
But we do not provide support for that .. I never use it.


However, your current setup will not pass broadcasts because you are not using --server-bridge.
(See that link above)

So, if I were you, I would try --dev-type tun and learn how to route it properly.

If you do, one helpful tip for mapping Windows network shares is:

C:\> net use x: \\windows.host.ip.address\sharename

The choice is yours ..

Post by Mastiff » Wed Aug 08, 2018 7:45 am

Thanks! I have used the Hosts file on the computers in the network to add the shares, since I only have shares on the two servers. So that has not really been a problem. :) But I will try to get it working. Since I unfortunately don't have much time to spend on this because of computer work that I actually make money on, I will probably try to find some sneaky way to route it with a bit of googling... :mrgreen:

But I think there's something else going on here than the TAP problem you're mentioning. Because I went back a few images (I do images for every group of changes when installing a computer), and for some reason that worked without the timeout problem. I installed what was after that, and it still worked. But I have some rather labour intensive changes on the branch that didn't work which I would like to keep (again the time problem) so I'm going to do a few tests with TUN now and see what happens.

Post by Mastiff » Wed Aug 08, 2018 9:10 am

Of course it's not that easy... ;) I think I found just about the correct way to do it, only it doesn't work... I googled my way to this:

https://serverfault.com/questions/65396 ... er-2012-r2

Server config:

[oconf=]
## server.ovpn ##
port 11720
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.0.0 255.255.255.0 10.8.0.1
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
[/oconf]

Client:
[oconf=]
## Client.ovpn ##
client
dev tun
proto udp
remote my IP 11720
resolv-retry infinite
nobind
persist-key
persist-tun
iroute 192.168.2.0 255.255.255.0
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
[/oconf]

But the iroute throws an error:

Options error: option 'iroute' cannot be used in this context (client.ovpn)
Use --help for more information.

Can you see why? I have spent an hour now, and I'm getting absolutely nowhere.

Post by Mastiff » Wed Aug 08, 2018 10:48 am

Oh, and I'm going berserk trying to get the IP for the client working again... I have been running ifconfig-pool-persist ipp.txt and then ClientName,10.8.0.4 before, and now suddenly it won't do that. I have also tried this:

client-config-dir "C:\\Program Files\\OpenVPN\\client-ccd"

And then a file called client1 in that directory, with the contents:

ifconfig-push 10.8.0.4 255.255.255.0

Still I get the IP address .6 instead of .4. Should there be a file extension on the file?

Post by TinCanTech » Wed Aug 08, 2018 10:52 am


Post by Mastiff » Wed Aug 08, 2018 11:54 am

OK, so I have changed the config directory to be named CCD and be a subdirectory of the openvpn\config directory. There I have put these lines:

ifconfig-push 10.8.0.4 10.8.0.5
iroute 192.168.2.0 255.255.255.0


But I get an error:

Wed Aug 08 13:41:52 2018 There is a problem in your selection of --ifconfig endpoints [local=10.8.0.4, remote=10.8.0.5].  The local and remote VPN endpoints cannot use the first or last address within a given 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver. 

And that I don't understand, since .4 and .5 can't possibly be the first or last in the subnet, and I don't understand what it means by local and remote. :oops:

Post by TinCanTech » Wed Aug 08, 2018 12:05 pm

This is --topology net30

See --topology in The Manual v24x for an explanation.

The simple solution is to use --topology subnet and specify IP/mask in your CCD file:

ifconfig-push 10.8.0.11 255.255.255.0

.11 is just an example ..
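The "first or last address within a given 255.255.255.252 subnet" error above and the client coming up as .6 instead of .4 both follow from how --topology net30 slices the pool into /30 blocks. As an added example (not from the thread or the OpenVPN project), the script below models that allocation with Python's standard ipaddress module and also validates an `ifconfig-push IP MASK` line for --topology subnet, the fix suggested in the post; the pool is the thread's 10.8.0.0/24.

```python
"""Why OpenVPN rejected "ifconfig-push 10.8.0.4 10.8.0.5" under --topology net30.

Added example, not from the forum thread or the OpenVPN project; it only needs
the standard ipaddress module and uses the thread's pool 10.8.0.0/24.
"""
import ipaddress
from typing import Optional, Tuple

POOL = "10.8.0.0/24"   # the thread's "server 10.8.0.0 255.255.255.0"


def net30_pair_error(local: str, remote: str) -> Optional[str]:
    """Return why (local, remote) is not a valid net30 endpoint pair, or None.

    Under net30 every client is carved a /30. Its first address is the network
    address and its last the broadcast; only the two middle addresses may serve
    as the client's local/remote endpoints. That is the rule behind the
    "cannot use the first or last address within a given 255.255.255.252
    subnet" message quoted in the thread.
    """
    a, b = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    block = ipaddress.ip_network(f"{a}/30", strict=False)
    if b not in block:
        return f"{a} and {b} are not in the same /30 ({block})"
    usable = set(block.hosts())          # the two middle addresses of the /30
    bad = [str(x) for x in (a, b) if x not in usable]
    if bad:
        return f"{', '.join(bad)} is the first or last address of {block}"
    return None


def net30_client_endpoints(pool: str, index: int) -> Tuple[str, str]:
    """(client IP, peer endpoint) that net30 hands to the index-th pool client.

    The pool's first /30 is the server's own (10.8.0.1 local, 10.8.0.2 remote);
    clients take the following /30s in order, getting the higher middle address
    and using the lower one as their peer. This is why the thread's client came
    up as 10.8.0.6 rather than 10.8.0.4.
    """
    blocks = list(ipaddress.ip_network(pool).subnets(new_prefix=30))
    lo, hi = blocks[index + 1].hosts()
    return str(hi), str(lo)


def subnet_push_error(pool: str, ip: str, mask: str) -> Optional[str]:
    """Validate 'ifconfig-push IP MASK' for --topology subnet.

    Here each client gets a plain address in the pool, so the only constraints
    are that it lies in the pool and is not the network, broadcast or server
    (first host) address.
    """
    net = ipaddress.ip_network(pool)
    addr = ipaddress.ip_address(ip)
    if ipaddress.ip_network(f"{ip}/{mask}", strict=False) != net:
        return f"{ip}/{mask} is not inside the pool {net}"
    if addr in (net.network_address, net.broadcast_address):
        return f"{ip} is the network or broadcast address of {net}"
    if addr == next(net.hosts()):
        return f"{ip} is the server's own address"
    return None


if __name__ == "__main__":
    print(net30_pair_error("10.8.0.4", "10.8.0.5"))   # the thread's rejected line
    print(net30_pair_error("10.8.0.6", "10.8.0.5"))   # the pair net30 itself assigns
    print(net30_client_endpoints(POOL, 0))
    print(subnet_push_error(POOL, "10.8.0.11", "255.255.255.0"))  # the suggested fix
```

Under net30 the only way to give this client a fixed address is a valid pair such as `ifconfig-push 10.8.0.6 10.8.0.5`; with `topology subnet` the pair disappears and a single address plus the pool mask is enough.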

Post by Mastiff » Wed Aug 08, 2018 1:13 pm

Thanks! That helped a lot! Now I can ping the remote OpenVPN server/client from any computer on the opposite network. What I can't do is ping any computer from any computer on the opposite network, or ping any computer on the opposite network from the OpenVPN client/server. Is that because I am missing a route or something? I am using Routing and Remote Access on my Windows Servers, and I have always been using a static route in RRAS, like this:

Destination: 192.168.2.0, Mask: 255.255.255.0, Gateway: 10.8.0.4, interface: OpenVPN

That has allowed me to ping everything before. But I'm guessing this is because TUN works differently from TAP in that respect. It's a bit over my head, I'm not a network tech by any means. This is my client setup now:

[oconf=client]
## client.ovpn ##
client
proto udp
dev tun
remote my IP 11720
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
ca ca.crt
cert My.crt
key My.key
comp-lzo
verb 3
[/oconf]


And server:

[oconf=server]
## server.ovpn ##
port 11720
proto udp
dev tun
ca ca.crt
cert my.crt
key my.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
topology subnet
route 192.168.0.0 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
max-clients 1
persist-key
persist-tun
status openvpn-status.log
verb 3
[/oconf]


Mind you I did have more in the server side before:

[oconf=]push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN mydomain.no"[/oconf]

Should I put those back in?

Oh, and why aren't the oconf tags working for me? They did on the first post.

Edit: My tag, "OpenVPN newbie" is really true, even after more than ten years (I think) using it! :mrgreen:
Last edited by Mastiff on Wed Aug 08, 2018 1:39 pm, edited 1 time in total.

Post by TinCanTech » Wed Aug 08, 2018 1:33 pm

First, using 192.168.0.0/24 for your server LAN is a bad idea because you will often run into routing conflicts.

Your log will even warn you with this message:
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
So I would sort that out.

For connecting LANs, please read this carefully:
HOWTO: Expanding the scope of the VPN to include additional machines

There is also information here:
https://community.openvpn.net/openvpn/w ... rversubnet.

It looks like a lot but it is worth your time.

Oconf= goes like this:

[oconf=server]
* your config file *
[/oconf]

I put it in a code block so you can see the syntax, don't use a code block for real.

Example:
server

* server config *


A brief warning, don't push a DNS server address to a client if that address is not a DNS server ..
Is your server really a DNS server as well ? (push googles 8.8.8.8 or something like that)

If all else fails going back to --dev-type tap is not so bad.
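The two posts above (the "option 'iroute' cannot be used in this context" error, and the pointer to the HOWTO on connecting LANs) come down to three directives that have to agree on the server side of a routed tun setup. The script below is an added example, not code from the thread or from the OpenVPN project: it generates server.ovpn, the per-client CCD file and a matching client.ovpn for the thread's addresses (server LAN 192.168.0.0/24, cabin LAN 192.168.2.0/24, pool 10.8.0.0/24, port 11720) and mimics OpenVPN's parse-time check so the misplaced `iroute` is caught before a connection attempt. The client certificate CN "cabin" and the file names dh2048.pem, server.crt and client.crt are assumptions; the CCD file must be named exactly after the client certificate's CN, with no extension.

```python
"""Routed (--dev tun) LAN-to-LAN OpenVPN: generate the server-side files and
check where each directive is allowed.

Added example, not code from the forum thread or the OpenVPN project. Addresses
are the thread's (server LAN 192.168.0.0/24, cabin LAN 192.168.2.0/24, VPN pool
10.8.0.0/24, port 11720); the client certificate CN "cabin" and the key/cert
file names are assumed.
"""
import ipaddress
from typing import Dict, List

# OpenVPN accepts these only in a per-client context (a CCD file or a
# client-connect script): not in client.ovpn and not at the top level of
# server.ovpn. Elsewhere it aborts with "cannot be used in this context".
CCD_ONLY = {"iroute", "ifconfig-push"}


def _net_mask(cidr: str) -> str:
    """'192.168.2.0/24' -> '192.168.2.0 255.255.255.0' (OpenVPN's route syntax)."""
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"


def site_to_site(server_lan: str, client_lan: str, client_cn: str,
                 client_vpn_ip: str, pool: str = "10.8.0.0/24") -> Dict[str, List[str]]:
    """Return {filename: lines} for server.ovpn and the CCD file of one client.

    Three directives must agree for the far LAN to be reachable:
      1. 'route <client LAN>' in server.ovpn: a kernel route into the tun
         device, so the server host hands 192.168.2.0/24 traffic to OpenVPN.
      2. 'iroute <client LAN>' in ccd/<CN>: tells OpenVPN which connected
         client owns that LAN.
      3. 'push "route <server LAN>"': the client learns to send the server's
         LAN through the tunnel.
    Other hosts on each LAN still need a static route for the far LAN via the
    local OpenVPN machine, and both OpenVPN hosts must forward IP packets.
    """
    pool_net = ipaddress.ip_network(pool)
    server = [
        "port 11720", "proto udp", "dev tun",
        "ca ca.crt", "cert server.crt", "key server.key",
        "dh dh2048.pem",                  # assumed file; 1024-bit DH is below today's minimum
        f"server {_net_mask(pool)}",
        "topology subnet",                # one address per client, no /30 pairs
        "client-config-dir ccd",
        f"route {_net_mask(client_lan)}",             # (1) kernel -> tun
        f'push "route {_net_mask(server_lan)}"',      # (3) client -> server LAN
        "keepalive 10 120", "persist-key", "persist-tun",
        "remote-cert-tls client",         # only certificates issued for client use may connect
        "status openvpn-status.log", "verb 3",
    ]
    ccd = [
        f"ifconfig-push {client_vpn_ip} {pool_net.netmask}",   # fixed VPN address
        f"iroute {_net_mask(client_lan)}",                     # (2) OpenVPN -> this client
    ]
    return {"server.ovpn": server, f"ccd/{client_cn}": ccd}


def client_config(server_host: str, port: int = 11720) -> List[str]:
    """client.ovpn for the routed setup; routes arrive via push, nothing local."""
    return [
        "client", "dev tun", "proto udp", f"remote {server_host} {port}",
        "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
        "remote-cert-tls server",         # 2.4 replacement for the deprecated ns-cert-type
        "ca ca.crt", "cert client.crt", "key client.key", "verb 3",
    ]


def context_errors(lines: List[str], context: str) -> List[str]:
    """Mimic OpenVPN's parse-time check; context is 'client', 'server' or 'ccd'."""
    errors = []
    for line in lines:
        words = line.split()
        if words and words[0] in CCD_ONLY and context != "ccd":
            errors.append(f"option '{words[0]}' cannot be used in this context")
    return errors


if __name__ == "__main__":
    files = site_to_site("192.168.0.0/24", "192.168.2.0/24", "cabin", "10.8.0.11")
    for name, lines in files.items():
        print(f"## {name} ##")
        print("\n".join(lines), end="\n\n")
    # The thread's mistake: iroute placed in client.ovpn.
    broken = client_config("my.address") + ["iroute 192.168.2.0 255.255.255.0"]
    print(context_errors(broken, "client"))
```

Compression is left out on purpose (it is not needed for file transfers and OpenVPN later deprecated it), and the server's `route` names the client's LAN rather than the server's own, since the server host already reaches its own LAN directly.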

Post by Mastiff » Wed Aug 08, 2018 1:49 pm

Thanks! The tags are understood and fixed in the previous post. As for the IPs, that's not a problem. I ONLY use this to connect the two internal LANs 192.168.0.0 and 192.168.0.2, and I have no other networks with the same series at my two places (the external networks (outside the servers, but inside the pfSense firewall) are 10.0.x.0). The few times a year I need to connect from the road (vacation or something) I just use the built-in PPTP in RRAS to the server I need to get into, and only from my phone's shared network; I don't use any free or hotel wifi for my computer or phone.

Both my servers are working DNS servers, and I started on this because I couldn't get tap to work on my new 2016 server setup. So that's unfortunately not an option.

And being worth my time, it's only to get this configuration up and running, I really don't need to understand it at all if it works. Then I can probably keep this same setup for the next ten years or so without bugging you or anybody else. I'm pretty sure it would take you only a minute to write down the code I need in the configs, and that would be so much better for me if you could please just do that, instead of this pedagogical route. ;) If not, I'll try to read and understand the howto.

It's sort of like my Volvo, I use it, but don't need to know why it works.

Post by TinCanTech » Wed Aug 08, 2018 2:05 pm

Sorry, but I don't know "exactly" what command you need .. everybody's setup is unique.

If this all seems too much then you can contact me privately: tincanteksup <at> gmail

Post by Mastiff » Wed Aug 08, 2018 2:08 pm

OK, thanks! I will make a valiant attempt and only mail you if necessary. :)

Post by Mastiff » Thu Aug 09, 2018 11:31 am

I have gone through the setup, but I really can't get it to work. Something strange: When I try to ping something on the server network, except for the server itself, it doesn't work. Except for a few seconds while the client connects. It looks like this, pinging 192.168.0.100:

Time out.
Reply from 10.8.0.4 bytes:32 Time:0,74ms TTL:128
Reply from 10.8.0.4 bytes:32 Time:0,71ms TTL:128
Reply from 10.8.0.4 bytes:32 Time:0,72ms TTL:128
Reply from 10.8.0.4 bytes:32 Time:0,53ms TTL:128
Reply from 10.8.0.4 bytes:32 Time:0,46ms TTL:128
Reply from 10.8.0.4 bytes:32 Time:0,52ms TTL:128
Time out.
Time out.

So the answer comes from the client OpenVPN. That should, as far as I can think, mean that the 192.168.0.0 net is routed correctly to the OpenVPN tun connection (with a static route in Routing and Remote Access it's routed to the OpenVPN server; without that the ping doesn't even reach the server computer). In that setup there was nothing about any routing taking place in the client's config file. Does that tell you anything?
