Block access Windows Traffic
Posted: Fri Jun 16, 2017 9:32 am
Hello everyone,
I use OpenVPN client 2.4.2 on windows 7 and OpenVPN server 2.4.1 on CentOS.
The IP range of my LAN is 192.168.X.0/24.
There are some Windows shares on the LAN, that must be reachable for VPN users.
I block local traffic with "push "redirect-gateway def1 block-local"".
But, with Wireshark I see that SMB and NBNS traffics go locally and not through the VPN tunnel.
With a traceroute, the next hop for 192.168.X.Y is the VPN server, like expected.
My purpose is to force all traffics go through the VPN tunnel.
Any idea to resolve this problem ?
Comment : for my test, my windows computer is on the LAN 192.168.X.0/24 and so has an IP on this IP range.
My server configuration :
My client file :
I use OpenVPN client 2.4.2 on windows 7 and OpenVPN server 2.4.1 on CentOS.
The IP range of my LAN is 192.168.X.0/24.
There are some Windows shares on the LAN, that must be reachable for VPN users.
I block local traffic with "push "redirect-gateway def1 block-local"".
But, with Wireshark I see that SMB and NBNS traffics go locally and not through the VPN tunnel.
With a traceroute, the next hop for 192.168.X.Y is the VPN server, like expected.
My purpose is to force all traffics go through the VPN tunnel.
Any idea to resolve this problem ?
Comment : for my test, my windows computer is on the LAN 192.168.X.0/24 and so has an IP on this IP range.
My server configuration :
Server file
mode server
port 1196
proto udp
dev tun
tun-mtu 1500
mssfix 1300
ca cert-prod/ca.crt
cert cert-prod/server-prod.crt
key prive-prod/server-prod.key # This file should be kept secret
dh prive-prod/dh3072.pem
server 10.8.0.0 255.255.252.0
topology subnet
push "ip-win32 dynamic 0 86400"
push "redirect-gateway def1 block-local"
push "dhcp-option DNS 10.100.0.X"
push "block-outside-dns"
duplicate-cn
keepalive 10 30
push "inactive 600s"
tls-auth prive-prod/ta.key 0
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
comp-lzo
user openvpn
group openvpn
chroot /etc/openvpn/jail-prod
persist-key
reneg-sec 14400
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
script-security 1
tmp-dir /tmp
port 1196
proto udp
dev tun
tun-mtu 1500
mssfix 1300
ca cert-prod/ca.crt
cert cert-prod/server-prod.crt
key prive-prod/server-prod.key # This file should be kept secret
dh prive-prod/dh3072.pem
server 10.8.0.0 255.255.252.0
topology subnet
push "ip-win32 dynamic 0 86400"
push "redirect-gateway def1 block-local"
push "dhcp-option DNS 10.100.0.X"
push "block-outside-dns"
duplicate-cn
keepalive 10 30
push "inactive 600s"
tls-auth prive-prod/ta.key 0
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
comp-lzo
user openvpn
group openvpn
chroot /etc/openvpn/jail-prod
persist-key
reneg-sec 14400
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
script-security 1
tmp-dir /tmp
client file
client
dev tun
proto udp
tun-mtu 1500
mssfix 1300
remote myvpn.example.com 1196
port 1196
remote-cert-tls server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
cipher AES-256-CBC
auth SHA256
comp-lzo
persist-key
persist-tun
reneg-sec 0
verb 3
log-append /var/log/openvpn-client-dev.log
auth-user-pass
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
ca cert
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
private key
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
static key
</tls-auth>
dev tun
proto udp
tun-mtu 1500
mssfix 1300
remote myvpn.example.com 1196
port 1196
remote-cert-tls server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
cipher AES-256-CBC
auth SHA256
comp-lzo
persist-key
persist-tun
reneg-sec 0
verb 3
log-append /var/log/openvpn-client-dev.log
auth-user-pass
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
ca cert
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
private key
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
static key
</tls-auth>