Windows XP pain

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Post by Iamgregor » Sun Oct 26, 2008 12:38 pm

I followed this tutorial:

http://www.itsatechworld.com/2006/01/29 ... e-openvpn/

It seems ok in that I can at least get my server-side OpenVPN to connect. When I say connect, I mean that the OpenVPN gui turns green, I get a message that it's got an IP address etc.

I've made sure that my zonealarm firewall has allowed OpenVPN on both client and server. I've set port forwarding and such on my router as described in the tutorial. The issue is that I can't get the client to connect at all. No matter what I try (putting server in DMZ, changing the port, etc), all I get is this error:

read UDPv4: Connection reset by peer (WSAECONNRESET)(code=10054)

over and over and over.

I tried using telnet to connect to my computer and the port number for the server and got this:

Connecting to (static IP of my home router) ... Could not open connection to the host, on port 1194: Connect failed

server config:


local 192.168.1.150 # This is the IP address of the real network interface on the server connected to the router

port 1194 # This is the port OpenVPN is running on - make sure the router is port forwarding this port to the above IP

proto udp # UDP tends to perform better than TCP for VPN

mssfix 1400 # This setting fixed problems I was having with apps like Remote Desktop

push "dhcp-option DNS 192.168.1.1"  # Replace the Xs with the IP address of the DNS for your home network (usually your ISP's DNS)

#push "dhcp-option DNS X.X.X.X"  # A second DNS server if you have one

dev tap

#dev-node MyTap  #If you renamed your TAP interface or have more than one TAP interface then remove the # at the beginning and change "MyTAP" to its name

ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"  

cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"

key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"  # This file should be kept secret

dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"

server 192.168.10.0 255.255.255.128  # This assigns the virtual IP address and subnet to the server's OpenVPN connection.  Make sure the Routing Table entry matches this.

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1"  # This will force the clients to use the home network's internet connection

keepalive 10 120

cipher BF-CBC        # Blowfish (default) encryption

comp-lzo

max-clients 100 # Assign the maximum number of clients here

persist-key

persist-tun

status openvpn-status.log

verb 1 # This sets how detailed the log file will be.  0 causes problems and higher numbers can give you more detail for troubleshooting

Client config


client

dev tap

#dev-node MyTAP  #If you renamed your TAP interface or have more than one TAP interface then remove the # at the beginning and change "MyTAP" to its name

proto udp

remote 71.179.97.159 1194  #You will need to enter your dyndns account or static IP address here. The number following it is the port you set in the server's config

route 192.168.1.1 255.255.255.0 vpn_gateway 3  #This is the IP address scheme and subnet of your normal network your server is on.  Your router would usually be 192.168.1.1

resolv-retry infinite

nobind

persist-key

persist-tun

ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"

cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt" # Change the next two lines to match the files in the keys directory.  This should be different for each client.

key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"  # This file should be kept secret

ns-cert-type server

cipher BF-CBC        # Blowfish (default) encryption

comp-lzo

verb 1
Help?


Post by krzee » Sun Nov 02, 2008 7:31 pm

try turning off windows firewall for the TAP device
also try --mtu-test to see if mtu is at right number


Post by Iamgregor » Tue Nov 04, 2008 8:11 pm

I don't use the Windows Firewall and I have tried turning off Zonealarm. What does the MTU have to do with it?


Post by krzee » Wed Nov 05, 2008 8:19 pm

> I don't use the Windows Firewall and I have tried turning off Zonealarm. What does the MTU have to do with it?

Did you double check that windows firewall is ALL THE WAY off? I don't use windows, but I hear it likes to turn itself back on. Kill zone-alarm and any other packet blockers while you are testing. A wrong MTU on some connections could make it hard to connect or keep a connection... I don't know if MTU has anything to do with it, but unless you tried what I said, neither do you. Also, you are using mssfix which modifies MTU (without --fragment I may add)...
from manual:
> --mssfix and --fragment can be ideally used together, where --mssfix will try to keep TCP from needing packet fragmentation in the first place, and if big packets come through anyhow (from protocols other than TCP), --fragment will internally fragment them.

> read UDPv4: Connection reset by peer (WSAECONNRESET)(code=10054)
>
> over and over and over.
>
> I tried using telnet to connect to my computer and the port number for the server and got this:
>
> Connecting to (static IP of my home router) ... Could not open connection to the host, on port 1194: Connect failed

What does your telnet test have to do with anything? Telnet connects to TCP ports, your VPN is on UDP.
Also try switching to dev tun, since you are using a routed setup...
And change verb to 6 until you are done troubleshooting

What were you hoping to gain by:
> route 192.168.1.1 255.255.255.0 vpn_gateway 3 #This is the IP address scheme and subnet of your normal network your server is on. Your router would usually be 192.168.1.1

??
I think that line needs to be commented out.
If you are using the default cipher, why specify it?
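
Telnet only opens TCP connections, so it cannot test a `proto udp` listener. The following is an added example, not part of the thread: a UDP probe that separates the three outcomes a client can see, including the ICMP port-unreachable case that Windows reports on a UDP socket as WSAECONNRESET (10054). The function names and the loopback stand-ins are constructed for illustration.

```python
import socket
import threading

def probe_udp(host, port, payload=b"\x00", timeout=2.0):
    """Send one datagram to host:port and classify the outcome:
    "reply"       a datagram came back, so something is listening
    "unreachable" ICMP port unreachable: no process is bound to the port
    "no-answer"   dropped by a filter/NAT, or a listener that stays silent
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket, so ICMP errors surface
        try:
            s.send(payload)
            s.recv(2048)
            return "reply"
        except (ConnectionResetError, ConnectionRefusedError):
            # Windows reports WSAECONNRESET (10054), Linux ECONNREFUSED
            return "unreachable"
        except socket.timeout:
            return "no-answer"

def demo():
    # Constructed loopback stand-ins, so the example runs offline.
    def bound():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        return s, s.getsockname()[1]
    answering, a_port = bound()
    silent, s_port = bound()
    closed, c_port = bound()
    closed.close()  # nothing listens on c_port any more

    def answer_once():
        _, peer = answering.recvfrom(2048)
        answering.sendto(b"ok", peer)
    t = threading.Thread(target=answer_once, daemon=True)
    t.start()
    results = {
        "answering listener": probe_udp("127.0.0.1", a_port),
        "silent listener": probe_udp("127.0.0.1", s_port, timeout=0.5),
        "closed port": probe_udp("127.0.0.1", c_port),
    }
    t.join()
    answering.close()
    silent.close()
    return results

if __name__ == "__main__":
    print(demo())
```

A "no-answer" result is ambiguous with UDP, so pair the probe with a higher `verb` level on the server and check its log for the incoming packet to tell a filter from a quiet listener.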
