VPN Server Configuration Question

[KonstantinK]

Hi,

I have been struggling to configure an OpenVPN server for some days.

The server is behind NAT i.e. it is connect via LAN cable after the router.

Basically what I am trying to achieve is the following - I want to set up a VPN server using OpenVPN and EasyRSA 3.0 on a Windows Server 2016 computer. I would like to access the server remotely i.e. access the server from another network in another city.

I followed a tutorial for Windows but unfortunately I cannot connect remotely to the server.

This the tutorial I followed: Tutorial

Below is my client configuration file. I placed the public IP of the server computer here, all the certificates needed and the port.

I allowed the Inbound Traffic in the firewall on port 1175 on the server.

I port forwarded port 1175 to the local IP of the server.

Code: Select all

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
remote #.#.#.# 1175 # Public IP of the server

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
key-direction 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the data-ciphers option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

<ca>
#### Code Here
</ca>

<cert>
#### Code Here
</cert>

<key>
#### Code Here
</key>

<tls-auth>
#### Code Here
</tls-auth>

The procedure I follow when trying to connect remotely is the following - I start the OpenVPN GUI on my Windows Server computer. I have the server configuration file in my

Code: Select all

config

folder, therefore I start the server by pressing

Code: Select all

connect

and then type my password. Everything is fine and I receive an IP in the format

Code: Select all

10.x.x.x

I am not sure what to write in this section of the server configuration file. Do I have to write my public IP there?

Code: Select all

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

Then I try to connect remotely, from another network, with the client configuration imported via the OpenVPN GUI.

Log file of the client.

Code: Select all

Tue Mar 30 09:58:25 2021 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Mar 30 09:58:25 2021 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Mar 30 09:58:25 2021 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Tue Mar 30 09:58:25 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Tue Mar 30 09:58:25 2021 Need hold release from management interface, waiting...
Tue Mar 30 09:58:25 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Tue Mar 30 09:58:25 2021 MANAGEMENT: CMD 'state on'
Tue Mar 30 09:58:25 2021 MANAGEMENT: CMD 'log all on'
Tue Mar 30 09:58:25 2021 MANAGEMENT: CMD 'echo all on'
Tue Mar 30 09:58:25 2021 MANAGEMENT: CMD 'bytecount 5'
Tue Mar 30 09:58:25 2021 MANAGEMENT: CMD 'hold off'
Tue Mar 30 09:58:25 2021 MANAGEMENT: CMD 'hold release'
Tue Mar 30 09:58:27 2021 MANAGEMENT: CMD 'password [...]'
Tue Mar 30 09:58:27 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Mar 30 09:58:27 2021 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 30 09:58:27 2021 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 30 09:58:27 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]79.134.183.3:1175
Tue Mar 30 09:58:27 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Mar 30 09:58:27 2021 UDP link local: (not bound)
Tue Mar 30 09:58:27 2021 UDP link remote: [AF_INET]79.134.183.3:1175
Tue Mar 30 09:58:27 2021 MANAGEMENT: >STATE:1617087507,WAIT,,,,,,
Tue Mar 30 09:59:27 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 30 09:59:27 2021 TLS Error: TLS handshake failed
Tue Mar 30 09:59:27 2021 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 30 09:59:27 2021 MANAGEMENT: >STATE:1617087567,RECONNECTING,tls-error,,,,,
Tue Mar 30 09:59:27 2021 Restart pause, 5 second(s)
Tue Mar 30 09:59:30 2021 SIGTERM[hard,init_instance] received, process exiting
Tue Mar 30 09:59:30 2021 MANAGEMENT: >STATE:1617087570,EXITING,init_instance,,,,,

Best Regards

[KonstantinK]

Unfortunately no reply.

Well, I got some progress, I started all over and managed to start the server and connected with the client configuration created.

I tried to access the server computer from the client and the client computer from the server by typing the IP assigned by the VPN in the Network Wizard but I cannot connect to the any of the two sides.

I type this but it shows and error message and a Diagnose button.

Code: Select all

\\10.8.0.6

Some more info is that I can ping both sides and the subnet mask of the VPN Server is

Code: Select all

255.255.255.252

while the subnet mask of my local network is

Code: Select all

255.255.255.0

I also enabled the

Code: Select all

IPEnableRouter

in the registry.

Also when I check if the port

Code: Select all

1175

is opened, it tells me that it is not. I am doing this when I am connected to the VPN Server.

I will explain a bit more in detail what I need the VPN Server for - we have a Network Attached Storage (NAS) at work (it is the Windows Server computer), I would like to be able to access it through the VPN Server. I am planning to install a License Server on our Windows Server computer at work and I would like to connect to the VPN Server from home and still be able to use the license. And off course, I should be able to access the shared folders of the computers at work remotely.

From what I have read about the topic the VPN Server allows you to connect to a local network, as if you are part of the local network, I mean as if you are physically connected to the local network. I do not pretend that this is correct.

Could it be possible to help me solve this issue?

Best Regards

[TinCanTech]

So, you are following a random blog on the internet to do your job of setting up a VPN..

Edit: Random and out-of-date.

[KonstantinK]

So, you are following a random blog on the internet to do your job of setting up a VPN..

Edit: Random and out-of-date.

Well, it describes a problem that I am interested in, therefore I decided to look at it.

I had a look at the official wiki page and it also has tutorials that are out of date, for example, the tutorials for EasyRSA versions lower than version 3.0.

It does not matter what I followed to start my configuration, I am stating my progress and configuration, and explaining in details what I have done. The link is just for reference.

And why would it be outdated as it is configured with EasyRSA 3.0?

OK, enough off topic!

What do you suggest to look at?

Best Regards

[TinCanTech]

What do you suggest to look at?

the subnet mask of the VPN Server is

Code: Select all

255.255.255.252

while the subnet mask of my local network is

Code: Select all

255.255.255.0

Learn how subnet masks work.

But also see --topology in the manual.

[KonstantinK]

Learn how subnet masks work.

But also see --topology in the manual.

Well, I read some articles and watched some videos about Subnet Mask.

I also found useful explanation on the wiki page.

But still I cannot figure out why my client receives the VPN IP

Code: Select all

10.8.0.6

with Subnet Mask

Code: Select all

255.255.255.252

I did the bitwise AND operation and it turns out that the VPN client IP sould be

Code: Select all

10.8.0.4

as it is stated in the

Code: Select all

ipp.txt

The bitwise AND works with the server IP though.

Code: Select all

10.8.0.1			0000 1010.0000 1000.0000 0000.0000 0001 Server
255.255.255.252			1111 1111.1111 1111.1111 1111.1111 1100
AND				0000 1010.0000 1000.0000 0000.0000 0001 = 10.8.0.1

10.8.0.6			0000 1010.0000 1000.0000 0000.0000 0110 Client
255.255.255.252			1111 1111.1111 1111.1111 1111.1111 1100
AND				0000 1010.0000 1000.0000 0000.0000 0100 = 10.8.0.4

In this link GettingStartedwithOVPN I found the following explanation about accessing hosts behind the VPN.

Code: Select all

At this point, it should be possible to start up both the server and client. They should be able to connect and from the VPN client you should be able to ping 10.8.0.1 and from the server side you should be able to ping 10.8.0.2.

If you want to access particular network resources on other IP addresses via the VPN tunnel, you need to add network routes. A network route tells your operating system where it needs to send the network traffic when you want to access certain resources. An operating system can handle multiple routes via multiple gateways at the same time. So if you have a server on 192.168.1.10 behind your VPN server and you want to access this server via the VPN, you need to tell OpenVPN to configure a route for either a specific host or a network range to go via the tunnel.

So to configure this, you need to add one line in the server configuration and restart server and client.

push "route 192.168.1.0 255.255.255.0"

Since I can successfully ping the devices, I should add the local IP addresses of all devices that I want to access remotely in the server configuration files as stated above.

Best Regards

[TinCanTech]

we have a Network Attached Storage (NAS) at work (it is the Windows Server computer)

But you don't know how to use an IPv4 netmask...

If you are in charge of the network then you need to learn a lot more about networking
or call the person who is responsible for it.

As you apparently did not read or understand what the manual explained about --topology,
as a hint, you should explicitly use --topology subnet.

[KonstantinK]

But you don't know how to use an IPv4 netmask...

If you are in charge of the network then you need to learn a lot more about networking
or call the person who is responsible for it.

As you apparently did not read or understand what the manual explained about --topology,
as a hint, you should explicitly use --topology subnet.

I am not in charge of the network at work, this setup is only for the people in my department and I did not want to bother the network guy with this. This is also a possibility for me to learn this.

A bit of progress, I added the

Code: Select all

topology subnet

and

Code: Select all

push "route 192.168.1.0 255.255.255.0"

to my server configuration and I managed to connect successfully to the server computer from the client computer and vice versa.

Now I get client subnet

Code: Select all

255.255.255.0

and client VPN IP

Code: Select all

10.8.0.4

as calculated in my previous post.

Now the next problem is that I cannot access other machines on the server-side LAN.

But according to the guidance in the OpenVPN Wiki page, if I add this line

Code: Select all

push "route 192.168.1.0 255.255.255.0"

I should be able to access any device in the server-side LAN. But apparently I cannot access any device, since I cannot reach a computer with a local IP

Code: Select all

192.168.1.10

To solve this problem I think I should use this tutorial Expanding the scope of the VPN to include additional machines

It does not make sense for me since it says

Code: Select all

If you want to access particular network resources on other IP addresses via the VPN tunnel, you need to add network routes. A network route tells your operating system where it needs to send the network traffic when you want to access certain resources. An operating system can handle multiple routes via multiple gateways at the same time. So if you have a server on 192.168.1.10 behind your VPN server and you want to access this server via the VPN, you need to tell OpenVPN to configure a route for either a specific host or a network range to go via the tunnel.

So to configure this, you need to add one line in the server configuration and restart server and client.

push "route 192.168.1.0 255.255.255.0"

When the client now connects, the server tells the VPN client that it should route all traffic for IP addresses in the 192.168.1.XXX scope via the VPN connection.

The conclusion is even the wiki pages could be misleading or probably they are outdated.

I am not sure what to do now, probably I should set up what they suggest on the page explaining expanding VPN network.

EDIT:

I looked at tutorial for expanding the VPN to access multiple machines on the server side but it looks exactly the same as what I have added to my server config with respect to the other tutorial.

I added

Code: Select all

topology subnet

and

Code: Select all

pull

in the client configuration. Could it be that the position of these two lines matters in the client configuration file?

And I do not understand why in the tutorial they say

Code: Select all

For the purpose of this example, we will assume that the server-side LAN uses a subnet of 10.66.0.0/24

How can

Code: Select all

10.66.0.0/24

be the server-side LAN, should it not be, for example?

Code: Select all

192.168.x.x/24

Best Regards

[KonstantinK]

Really, no response.

I think that somebody should have done this configuration. It should be a pretty basic configuration for a VPN.

In the forum description it said that

Code: Select all

Need help configuring your VPN? Just post here and you'll get that help.

Best Regards

[TinCanTech]

I am not in charge of the network at work, this setup is only for the people in my department and I did not want to bother the network guy with this

I am available for hire: tincantech <at> protonmail dot com

[KonstantinK]

I am available for hire: tincantech <at> protonmail dot com

This is funny and ridiculous. At least you could have written your e-mail properly.

The forum is supposed to be for helping each other, not charging people.

Apparently nobody else is active on this forum, only one guy is active who is telling people to read manuals and trying to charge people.

Anyway, I will hopefully figure this out on my own. It is probably some quite small adjustments that I have to make to the configurations file.

Best Regards

[TinCanTech]

In fact, you need a class in networking in order to understand how to administer a network.

I help people with getting openvpn working, after that I don't see any problem in offering my help for a small fee.

Especially to people who need somebody to do their job for them.

[KonstantinK]

In fact, you need a class in networking in order to understand how to administer a network.

I help people with getting openvpn working, after that I don't see any problem in offering my help for a small fee.

Especially to people who need somebody to do their job for them.

I am trying to understand networking out of curiosity, it is not directly related to my job.

It is good to know as much as possible about everything but if you do not practice what you know regularly, you will most likely forget it.

Well, I think I did 90% of the work, I set up the server, all certificates, port forwarding and traffic rules.

You said to follow the wiki and read manuals, I am following the wiki and manuals but no results.

I just need this small hint about what to adjust and I will probably figure it out.

Best Regards

[TinCanTech]

If you want professional help to do the job that you are paid to do then you can always contact me.

[KonstantinK]

If you want professional help to do the job that you are paid to do then you can always contact me.

As I told you before, nobody is paying me to do this network.

I am trying to establish the network in order to facilitate my work.

Actually, all the hardware for this configuration I brought from home.

I still do not understand why you do not want to help solve this issue, since from what I can see on the forum, you are telling most of the people what to do to solve their issues.

All the detailed description I wrote about my setup I guess is sufficient to understand what I am trying to achieve.

Most of the people who are asking for help will not make the effort to describe what they want in details and most likely the first comment is something like

"We cannot read your mind, post more detailed explanation of what you want"

Best Regards

[KonstantinK]

My configuration works flawlessly now.

All the consistent efforts gave pretty good results.

Best Regards