Cannot ping LAN IPs with OpenVPN running on Windows Server

cbraxton
OpenVPN User
Posts: 21
Joined: Wed Feb 10, 2021 5:11 am

Cannot ping LAN IPs with OpenVPN running on Windows Server

Post by cbraxton » Fri Mar 12, 2021 5:50 pm

Recently we replaced a 10-year-old Linux fileserver with a Windows Server Essentials 2019 server. We are continuing to use OpenVPN on the Windows server. However, with the new configuration it is not possible to connect to IP addresses on the LAN (172.16.1.0/24); it is only possible to connect to the server itself on 10.8.0.1. (Previously connecting to the LAN worked.) There is a return route in the internet gateway, and the client routing table shows the LAN subnet being routed through the OpenVPN tunnel. However, it is not possible to ping any of the LAN addresses, not even the OpenVPN server machine itself. The only connectivity is to the tunnel endpoint address. For test purposes the Windows firewall is disabled on both ends.

Configurations are as follows. Is there some setting that needs to be added, removed, or changed to access IP addresses on the LAN? (I tried using the oconf BB tag as indicated in the forum rules but it did not seem to work in the preview, so I used code instead.)

SERVER CONFIGURATION:

port 1194
proto udp4
dev tap
ca   C:\\OpenVPN\\easy-rsa\\pki\\ca.crt
cert C:\\OpenVPN\\easy-rsa\\pki\\issued\\server.crt
key  C:\\OpenVPN\\easy-rsa\\pki\\private\\server.key
tls-auth C:\\OpenVPN\\easy-rsa\\pki\\ta.key 0
tap-sleep 3
route-delay 1 3
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
topology subnet
management localhost 7505
push "route 172.16.1.0 255.255.255.0"
keepalive 10 120
comp-lzo no
tls-server #tls-client on the client
cipher AES-128-GCM #Data channel cipher
tls-version-min 1.2
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
dh none #disable static Diffie-Hellman parameters since we're using ECDHE
ecdh-curve secp384r1 # use the NSA's recommended curve
status openvpn-status.log
mute 20

CLIENT CONFIGURATION:

remote <remote-ip-address>
nobind
float
dev tap
proto udp4
pull
tls-client
remote-cert-tls server
cipher AES-128-GCM
key-direction 1
comp-lzo no
auth-nocache
resolv-retry infinite

<key>
-----BEGIN PRIVATE KEY-----
<CLIENT KEY DATA>
-----END PRIVATE KEY-----
</key>

<cert>
Certificate:
<CERTIFICATE DATA>
-----END CERTIFICATE-----
</cert>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
<TLS-AUTH KEY DATA>
-----END OpenVPN Static key V1-----
</tls-auth>

# ca.crt (Same for all clients)
<ca>
-----BEGIN CERTIFICATE-----
<CA DATA>
-----END CERTIFICATE-----
</ca>

CLIENT IPV4 ROUTING TABLE WITH OPENVPN CONNECTION UP:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.109     25
         10.8.0.0    255.255.255.0         On-link          10.8.0.2    281
         10.8.0.2  255.255.255.255         On-link          10.8.0.2    281
       10.8.0.255  255.255.255.255         On-link          10.8.0.2    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.16.1.0    255.255.255.0         10.8.0.1         10.8.0.2    281
     192.168.10.0    255.255.255.0         On-link    192.168.10.109    281
   192.168.10.109  255.255.255.255         On-link    192.168.10.109    281
   192.168.10.255  255.255.255.255         On-link    192.168.10.109    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.10.109    281
        224.0.0.0        240.0.0.0         On-link          10.8.0.2    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.10.109    281
  255.255.255.255  255.255.255.255         On-link          10.8.0.2    281
===========================================================================

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot ping LAN IPs with OpenVPN running on Windows Server

Post by TinCanTech » Fri Mar 12, 2021 6:41 pm

Enable IP forwarding..

cbraxton
OpenVPN User
Posts: 21
Joined: Wed Feb 10, 2021 5:11 am

Re: Cannot ping LAN IPs with OpenVPN running on Windows Server

Post by cbraxton » Fri Mar 12, 2021 6:59 pm

TinCanTech wrote: Fri Mar 12, 2021 6:41 pm
Enable IP forwarding..

D'oh! I finally remembered that on my own, enabled IP forwarding on the Windows Server NIC and it's working - came back here to say "Never mind!". I'm more used to working with Linux systems but looked up how to easily enable forwarding on Windows using PowerShell. For future reference if anyone else searches for this issue:

https://serverfault.com/questions/92908 ... on-windows

(Unlike enabling forwarding via the registry, using PowerShell does not require a reboot.)
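
The per-interface forwarding change described in the post above, as an added example that is not part of the original thread or the linked answer: it enables IPv4 forwarding only on named interfaces, verifies the result, and reports any firewall profile still disabled from testing. The interface aliases are placeholders (assumptions), and the script must run in an elevated PowerShell session.

```powershell
# Added example: enable IPv4 forwarding per interface (no reboot) and verify.
# The aliases below are placeholders, not values from the thread; list the real
# ones with Get-NetIPInterface and pass them via -InterfaceAlias.
param(
    [string[]]$InterfaceAlias = @('Ethernet', 'OpenVPN TAP-Windows6')
)

# Show the current state of every IPv4 interface before changing anything.
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object ifIndex |
    Format-Table ifIndex, InterfaceAlias, ConnectionState, Forwarding -AutoSize

foreach ($alias in $InterfaceAlias) {
    $if = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 `
                             -ErrorAction SilentlyContinue
    if (-not $if) {
        Write-Warning "No IPv4 interface named '$alias'; skipping."
        continue
    }

    # Only touch interfaces that are not already forwarding.
    if ($if.Forwarding -ne 'Enabled') {
        Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 `
                           -Forwarding Enabled
    }

    # Re-read the setting so the report reflects what is actually applied.
    $now = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4
    '{0}: Forwarding = {1}' -f $alias, $now.Forwarding
}

# The firewall was disabled on both ends for testing; list profiles that are
# still off so they can be turned back on once routing is confirmed.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }
if ($off) {
    Write-Warning ("Firewall profiles still disabled: " +
                   (($off | ForEach-Object Name) -join ', '))
} else {
    'All firewall profiles are enabled.'
}
```

Limiting forwarding to the interfaces that carry VPN traffic keeps the server from routing between any other networks it is attached to.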
