Intermittent Destination Host Unreachable Message on Windows Clients

usfregale
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 08, 2019 12:08 am

Intermittent Destination Host Unreachable Message on Windows Clients

Post by usfregale » Fri Feb 08, 2019 3:49 am

I'm having some challenges with the embedded OpenVPN server in my Asus RT-AC3100. Unfortunately, I cannot figure out how to access the server-side config file on the AC3100; however, I've included a screenshot of the configuration GUI within the router. I've also included a copy of my client configuration below. All of the clients are running Windows.

The problem is intermittent and I haven't yet figured out what is triggering it; however, it does appear to be partially related to when the client computer changes locations, though I have also experienced the problem with stationary clients, but their WAN IP addresses are dynamic and may be being reassigned. The problem can be corrected by a server-side computer sending files/pings to the impacted client, by another client hairpinning, or a client at another location initiating a client-to-client connection. All of our clients are intermittently experiencing the problem.

When the problem manifests, host names resolve to IP addresses across the VPN and the gateway (the RT-AC3100) can be successfully pinged over the VPN; however, specific computers on the server side of the VPN cannot be pinged using their host name or IP address. When the problem is taking place, one computer on the server side may be accessible while the one next to it is not. In Windows, when attempting to ping and the problem is occurring I receive an error message indicating a Reply from the local client IP and "Destination host unreachable." A tracert at the same time will also fail with the same error message.

I thought the problem was that for some reason packets were not being directed out over the VPN appropriately since the reply is from the client itself and added "route 192.168.1.0 255.255.255.0 192.168.1.1" to the client config to attempt to correct the problem; however, it has not been successful as the problem continues to manifest intermittently.

Any help or other insights that anyone can provide are greatly appreciated.

Here is a screenshot of my OpenVPN server config GUI in my Asus RT-AC3100:

https://www.screencast.com/t/d51t5VPKAJg

Here is the client config:

remote ******* 1194
float
nobind
proto udp
dev tap

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node NETGEAR-VPN

sndbuf 0
rcvbuf 0
keepalive 15 60
comp-lzo adaptive
auth-user-pass
client
auth SHA1
cipher AES-128-CBC
ns-cert-type server
route-gateway 192.168.1.1
route 192.168.1.0 255.255.255.0 192.168.1.1

<ca>
********
-----END CERTIFICATE-----

</ca>

<cert>
********

</cert>

<key>
********
</key>

TinCanTech
OpenVPN Protagonist
Posts: 5319
Joined: Fri Jun 03, 2016 1:17 pm

Re: Intermittent Destination Host Unreachable Message on Windows Clients

Post by TinCanTech » Fri Feb 08, 2019 11:17 am

usfregale wrote:
Fri Feb 08, 2019 3:49 am
Any help or other insights that anyone can provide are greatly appreciated
OK
usfregale wrote:
Fri Feb 08, 2019 3:49 am
Here is the client config:

remote ******* 1194
float
nobind
proto udp
dev tap

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node NETGEAR-VPN

sndbuf 0
rcvbuf 0

keepalive 15 60
comp-lzo adaptive
auth-user-pass
client
auth SHA1
cipher AES-128-CBC
ns-cert-type server
route-gateway 192.168.1.1
route 192.168.1.0 255.255.255.0 192.168.1.1

dev tap -- I don't know how an Asus router handles --dev tap but the recommended dev is tun .. unless you know why you need tap and the subsequent consequences.
https://community.openvpn.net/openvpn/w ... bridgedVPN

sndbuf/rcvbuf -- This is usually best left to the OS.

192.168.0.0/24 & .1.0/24 -- These are the two worst subnets you can use .. change them.

And there is almost no reason at all to put these directives into the client config, the correct directives should be pushed from the server automatically.

I suggest you study the Howto and also see viewtopic.php?f=30&t=22603

usfregale
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 08, 2019 12:08 am

Re: Intermittent Destination Host Unreachable Message on Windows Clients

Post by usfregale » Fri Feb 08, 2019 2:52 pm

Thanks for your help. I removed sndbuf and rcvbuf from the client config, but unfortunately the underlying problem remains.

In terms of the tap vs. tun issue, from my reading in the documentation, I need a tap configuration because the main application I'm running over the VPN relies on network broadcasts so the different versions of the application can detect each other on the various clients. My understanding is that tap will increase the volume of traffic moving back and forth over the VPN rather substantially, but heretofore the increased bandwidth usage itself has not inhibited performance or at least I don't think it is. Could that be causing the problem this post is about?

The subnet was selected because the subnets at the client locations are beyond my control and I was trying deliberately to avoid conflicts. One location is using 10.154.x.x, another is using 10.150.x.x, and one is using 192.168.0.x, so that seemed to leave for the server-side 192.168.1.0 as the logical subnet. I'll change it to a 172.x.x.x configuration and see if that helps with this issue. I was specifically avoiding 10.x.x.x because the Regus virtual office company uses those subnets and as our personnel move around from their location to location I anticipate they will encounter other subnets beyond just 10.154 and 10.150.
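
Added example (not part of the thread or either poster's configuration): the address-planning point raised in the two posts above, checked with Python's ipaddress module against the route directive from the posted client config. The /16 and /24 prefix lengths for the client sites, the site labels, and the use of 172.16.0.0/12 as the pool to pick from are assumptions; the thread gives only partial addresses.

```python
import ipaddress

# Constructed inputs. Prefix lengths are assumptions: the thread gives only
# "10.154.x.x", "10.150.x.x" and "192.168.0.x" for the client sites.
CLIENT_SITES = {
    "site-a": "10.154.0.0/16",
    "site-b": "10.150.0.0/16",
    "site-c": "192.168.0.0/24",
}
# Ranges kept clear on top of the known sites: the two subnets named in the
# reply, and all of 10.0.0.0/8 because roaming users may meet other 10.x LANs.
AVOID = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/8"]

# Routing lines taken from the client config posted in the thread.
CLIENT_CONFIG = """\
dev tap
route-gateway 192.168.1.1
route 192.168.1.0 255.255.255.0 192.168.1.1
"""

def routed_networks(config_text):
    """Extract the networks named by 'route <net> <mask> [gw]' directives."""
    nets = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "route":
            nets.append(ipaddress.ip_network(f"{fields[1]}/{fields[2]}", strict=False))
    return nets

def conflicts(net, sites=CLIENT_SITES, avoid=AVOID):
    """Return the label of every site or avoided range that overlaps net."""
    hits = [name for name, cidr in sites.items()
            if net.overlaps(ipaddress.ip_network(cidr))]
    hits += [cidr for cidr in avoid if net.overlaps(ipaddress.ip_network(cidr))]
    return hits

def first_free_subnet(pool="172.16.0.0/12", prefixlen=24):
    """Return the first subnet of the pool with no conflicts, or None."""
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not conflicts(candidate):
            return candidate
    return None

if __name__ == "__main__":
    for net in routed_networks(CLIENT_CONFIG):
        print(net, "conflicts with:", conflicts(net) or "nothing")
    print("suggested server-side subnet:", first_free_subnet())
```

Run against the posted route, the check reports only the 192.168.1.0/24 entry from the reply, not any of the three listed client sites; extending CLIENT_SITES as new locations appear keeps the server-side choice honest.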
