Cannot browse internet push "redirect-gateway def1" WINDOWS

Moderators: TinCanTech

xarfox
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 01, 2010 9:02 pm

Cannot browse internet push "redirect-gateway def1" WINDOWS

Post by xarfox » Wed Dec 01, 2010 9:16 pm

Hello,
My background is programming, so excuse my lesser skills on the networking side...

Goal: Connect to VPN from a laptop on any network (usually corporate networks that only have port 80 and 443 open). I will connect to my network at home and do any of the following: access file shares (from the 192 subnet NOT THE 10 subnet), remote desktop, browse the internet, run email client to bypass pop3 blocking from the corporate side (my personal emails are in pst on my outlook client along with my exchange connection).

My Network: One desktop and hardware firewall. The computer is running Windows 7 x64 and the server-side of the vpn software.

OpenVpn setup: TCP port 443 (so it is not blocked by corporate). Can I switch to UDP? I think not because web browsing is TCP? This is a side question.

Current State: I can ping the vpn server via TAP address 10.8.0.1 and access shares and RDP from there. I cannot ping my subnet 192.168.x.x. I also cannot browse the internet. I need to access 192 so the laptop can access the file share the same whether I'm on VPN or at home on my wireless.

I tried push "redirect-gateway def1" and also tried pushing the DNS server. I tried dns servers as 10.8.0.1, 192.168.50.1, and my ISPs DNS servers, but nothing worked.

All other examples out there are for Unix, but I am using Windows 7. I think I have to do something on the routing side so the server's TAP knows to route my request to the router, which then NATs it to the internet.

My Config:
local 192.168.50.102
port 443
proto tcp
dev tun
dev-node VPNTap
ca "C:\\Program Files (x86)\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\keys\\server.crt"
key "C:\\Program Files (x86)\\OpenVPN\\keys\\server.key" # This file should be kept secret
dh "C:\\Program Files (x86)\\OpenVPN\\keys\\dh1024.pem"
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 10 120
tls-auth "C:\\Program Files (x86)\\OpenVPN\\keys\\ta.key" 0 # This file is secret
comp-lzo
max-clients 5
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20

pwens
OpenVpn Newbie
Posts: 9
Joined: Wed Mar 16, 2011 8:58 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by pwens » Thu Mar 17, 2011 8:11 pm

Xarfox, did you ever figure out how to get this to work? I'm in the same boat as you with my setup and objective - I have Windows 7 as my OpenVPN server, and I want to run ALL network traffic on the client through the server.

xarfox
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 01, 2010 9:02 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by xarfox » Thu Mar 17, 2011 8:43 pm

I don't think it can be done. Windows doesn't have the same clever routing capabilities that Linux does. Maybe if you add some virtual adapters and a bunch of static routes, I don't really know how.

The best option is to go buy a router that supports dd-wrt and install OpenVPN on your router. Then your router is your endpoint, which handles all the routing elegantly. I plan on doing this soon, but I have to buy a router with bigger flash memory space.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by Bebop » Thu Mar 17, 2011 9:46 pm

I would start by doing this:
  • Start -> Right-click My Computer -> Manage
  • Services
  • Right-click Routing and Remote Access -> Properties -> Automatic
  • Right-click Routing and Remote Access -> Start
You have now enabled and started the routing and remote access service.

Next:
  • Control Panel
  • Network and Sharing Center
  • Local Area Connection
  • Properties
  • Sharing
  • Tick the box "Allow other network users to connect through this computer's Internet connection"
  • From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.
Upon testing it for myself, it doesn't work yet, but it's a good starting point for you to work with. With some perseverance you will get it to work.

[update]

After completing all above steps, try this too:

regedit (as admin), change the following key to '1'

Code:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

[update 2]

It does seem to be working now. Can someone else please try this.
Last edited by Bebop on Thu Mar 17, 2011 11:27 pm, edited 3 times in total.
The cure for boredom is curiosity

pwens
OpenVpn Newbie
Posts: 9
Joined: Wed Mar 16, 2011 8:58 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by pwens » Thu Mar 17, 2011 10:30 pm

Bebop wrote: From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.
Drop-down list? No drop-down list is present on the Sharing Tab of a network adapter's properties. Just a couple of checkboxes.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by Bebop » Thu Mar 17, 2011 10:49 pm

pwens wrote: Drop-down list? No drop-down list is present on the Sharing Tab of a network adapter's properties. Just a couple of checkboxes.
If no drop-down list, just try to experiment with whatever you have got. My drop-down list is not there now for some reason. Mine looks like:

[screenshot]

Mine actually seems to be working now. Hard to know since I'm connecting from a VM.

Actually, I am sure it is working, due to the slower download speed on the speed test, and also, the local area connection 2 is showing much traffic.

Try all above steps and I think you will get it to work.
The cure for boredom is curiosity

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by Bebop » Thu Mar 17, 2011 11:12 pm

My Setup So Far

server.conf (Windows 7)

Code:

port 1194
proto udp
dev tun
server 10.72.2.0 255.255.255.0

ca ca.crt
cert server_win7.crt
key server_win7.key
dh dh1024.pem

push "redirect-gateway def1"

keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

client.conf (Windows XP)

Code:

client
dev tun
proto udp
remote ip.of.win7.machine 1194

resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60
route-method exe
route-delay 2

and then on the win7 server:
  • Start -> Right-click My Computer -> Manage
  • Services
  • Right-click Routing and Remote Access -> Properties -> Automatic
  • Right-click Routing and Remote Access -> Start

Next:
  • Control Panel
  • Network and Sharing Center
  • Local Area Connection
  • Properties
  • Sharing
  • Tick the box "Allow other network users to connect through this computer's Internet connection"
  • From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.

regedit

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

If someone wants to try that and report back working or not, then we can move on.
The cure for boredom is curiosity
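The three server-side steps Bebop gives in the post above and in his earlier reply (start Routing and Remote Access, share the Internet adapter with the TAP adapter through ICS, set IPEnableRouter) can also be applied and checked from an elevated PowerShell prompt on the Windows 7 server. The script below is an added example, not code from the thread or from the OpenVPN project; it uses the HNetCfg.HNetShare COM interface for the ICS step, and the adapter names 'Local Area Connection' and 'Local Area Connection 2' are placeholders to be replaced with the names shown in ncpa.cpl.

```powershell
# Added example, not code from the thread: Bebop's three server-side steps as
# functions for an elevated PowerShell prompt, plus a state check that can be
# pasted into a reply instead of screenshots. Adapter names are placeholders.

function Enable-RrasService {
    # "Routing and Remote Access" in services.msc is the RemoteAccess service.
    Set-Service -Name RemoteAccess -StartupType Automatic
    Start-Service -Name RemoteAccess
}

function Get-IcsConfiguration {
    # Returns the ICS configuration object for a connection, looked up by the
    # name shown in Network Connections (HNetCfg.HNetShare COM interface).
    param([Parameter(Mandatory=$true)][string]$ConnectionName)
    $mgr = New-Object -ComObject HNetCfg.HNetShare
    foreach ($conn in $mgr.EnumEveryConnection) {
        if ($mgr.NetConnectionProps($conn).Name -eq $ConnectionName) {
            return $mgr.INetSharingConfigurationForINetConnection($conn)
        }
    }
    throw "No connection named '$ConnectionName'; check the names in ncpa.cpl"
}

function Enable-InternetConnectionSharing {
    # Equivalent of ticking "Allow other network users to connect through this
    # computer's Internet connection" on the Internet adapter and choosing the
    # TAP adapter as the private (home network) side.
    param(
        [Parameter(Mandatory=$true)][string]$PublicConnection,   # adapter with the Internet
        [Parameter(Mandatory=$true)][string]$PrivateConnection   # OpenVPN's TAP adapter
    )
    $public  = Get-IcsConfiguration -ConnectionName $PublicConnection
    $private = Get-IcsConfiguration -ConnectionName $PrivateConnection
    $public.EnableSharing(0)    # 0 = ICSSHARINGTYPE_PUBLIC
    $private.EnableSharing(1)   # 1 = ICSSHARINGTYPE_PRIVATE
}

function Enable-IpForwarding {
    # Same registry value as the regedit step; it takes effect after a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    Set-ItemProperty -Path $key -Name IPEnableRouter -Value 1 -Type DWord
}

function Get-VpnRouterState {
    # One object summarising all three settings.
    param(
        [Parameter(Mandatory=$true)][string]$PublicConnection,
        [Parameter(Mandatory=$true)][string]$PrivateConnection
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    New-Object PSObject -Property @{
        RrasStatus     = (Get-Service -Name RemoteAccess).Status
        IPEnableRouter = (Get-ItemProperty -Path $key -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
        PublicSharing  = (Get-IcsConfiguration -ConnectionName $PublicConnection).SharingEnabled
        PrivateSharing = (Get-IcsConfiguration -ConnectionName $PrivateConnection).SharingEnabled
    }
}

# Usage from an elevated prompt (adapter names are placeholders):
Enable-RrasService
Enable-InternetConnectionSharing -PublicConnection 'Local Area Connection' -PrivateConnection 'Local Area Connection 2'
Enable-IpForwarding
Get-VpnRouterState -PublicConnection 'Local Area Connection' -PrivateConnection 'Local Area Connection 2'
```

Run it as Administrator; the IPEnableRouter change still needs the reboot pwens mentions further down. Two practical points: ICS assigns its own address to the private-side adapter when it is switched on, so if the TAP adapter no longer shows the address OpenVPN configured, restart OpenVPN so it re-applies it; and disabling the Windows firewall, as in the screenshots later in the thread, is not part of the recipe. A machine that now forwards and NATs traffic should keep the firewall on and allow only OpenVPN's listening port (UDP 1194 here, TCP 443 in the opening post).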

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by Bebop » Fri Mar 18, 2011 12:50 am

xarfox wrote: Hello,
OpenVpn setup: TCP port 443 (so it is not blocked by corporate). Can I switch to UDP? I think not because web browsing is TCP? This is a side question.
Easy answer -- from the top of the forum rules: "**Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html"

HTTP browsing won't be a problem, because the data will exit the VPN in its original form (tcp).

xarfox wrote: Current State: I can ping the vpn server via TAP address 10.8.0.1 and access shares and RDP from there. I cannot ping my subnet 192.168.x.x. I also cannot browse the internet. I need to access 192 so the laptop can access the file share the same whether I'm on VPN or at home on my wireless.
Well, the browsing problem should be fixed if my solution a few posts above this one works for you.

As for pinging other networks, you need to fully understand iroute and ccd.

From the openvpn example conf, these are the lines you want to know about:

Code:

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:

;client-config-dir /etc/openvpn/ccd
;route 192.168.40.128 255.255.255.248

# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

The cure for boredom is curiosity

pwens
OpenVpn Newbie
Posts: 9
Joined: Wed Mar 16, 2011 8:58 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by pwens » Fri Mar 18, 2011 3:17 am

Bebop wrote: My Setup So Far

If someone wants to try that and report back working or not, then we can move on.
I'll see if I can give that a try Friday afternoon. If I don't have a chance then, my next one will be Monday evening (so nobody abandon this thread!)

My initial observation to your setup Bebop is that, I swear to you, on my Network Adapter's Sharing tab, there is no field to select "Local Area Connection 2" - not a drop-down list, not a text field, nothing. It's like it's completely absent from my version of Windows. All I have are the 2 checkboxes (also present in your screenshot).

Either way, I'll give it a try with all the other settings.

pwens
OpenVpn Newbie
Posts: 9
Joined: Wed Mar 16, 2011 8:58 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by pwens » Fri Mar 18, 2011 7:39 pm

Bebop wrote: My Setup So Far

...

If someone wants to try that and report back working or not, then we can move on.

Okay, I tried Bebop's latest recommended settings on my Windows 7 OpenVPN server. The result is: same behavior. I am able to successfully connect to the OpenVPN server (as usual), but I am unable to receive any data packets over the virtual network adapter for HTTP attempts (evidenced by being unable to access a web page). I am however able to receive packets on the client's virtual adapter for pings to and from the OpenVPN server.

First, a copy and paste from my server config (I stuck with the static key approach to keep the authentication simpler - but I also added the additional parameters that are present in Bebop's) :

Code:

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key

push "redirect-gateway def1"

keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

Then a copy and paste from my Windows XP OpenVPN client config:

Code:

remote [REDACTED]
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
redirect-gateway def1

comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60
route-method exe
route-delay 2

Screenshot to show that I have my Routing and Remote Access service started in Windows Administrative Tools on the OpenVPN server machine (Windows 7):
[screenshot]

Screenshot to show that I have ICS enabled on my server machine's physical networking adapter:
[screenshot]

Screenshot of server machine's firewall disabled, just for good measure:
[screenshot]

Screenshot of the server machine's IPenablerouter registry value (and yes, I had rebooted):
[screenshot]

Verbose version of OpenVPN server machine's connection log:

Code:

Fri Mar 18 14:59:21 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov  8 2010
Fri Mar 18 14:59:21 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Mar 18 14:59:21 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Mar 18 14:59:21 2011 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 18 14:59:21 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 18 14:59:21 2011 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 18 14:59:21 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 18 14:59:21 2011 LZO compression initialized
Fri Mar 18 14:59:21 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Mar 18 14:59:21 2011 TAP-WIN32 device [Virtual] opened: \\.\Global\{B85DA424-FC19-4359-8816-7986BA39B8F0}.tap
Fri Mar 18 14:59:21 2011 TAP-Win32 Driver Version 9.7 
Fri Mar 18 14:59:21 2011 TAP-Win32 MTU=1500
Fri Mar 18 14:59:21 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {B85DA424-FC19-4359-8816-7986BA39B8F0} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Fri Mar 18 14:59:21 2011 Successful ARP Flush on interface [15] {B85DA424-FC19-4359-8816-7986BA39B8F0}
Fri Mar 18 14:59:21 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 18 14:59:21 2011 Local Options hash (VER=V4): '4b91e501'
Fri Mar 18 14:59:21 2011 Expected Remote Options hash (VER=V4): '48593abd'
Fri Mar 18 14:59:21 2011 UDPv4 link local (bound): [undef]:1194
Fri Mar 18 14:59:21 2011 UDPv4 link remote: [undef]
Fri Mar 18 15:01:21 2011 Inactivity timeout (--ping-restart), restarting
Fri Mar 18 15:01:21 2011 TCP/UDP: Closing socket
Fri Mar 18 15:01:21 2011 SIGUSR1[soft,ping-restart] received, process restarting
Fri Mar 18 15:01:21 2011 Restart pause, 2 second(s)
Fri Mar 18 15:01:23 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Mar 18 15:01:23 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Mar 18 15:01:23 2011 Re-using pre-shared static key
Fri Mar 18 15:01:23 2011 LZO compression initialized
Fri Mar 18 15:01:23 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Mar 18 15:01:23 2011 Preserving previous TUN/TAP instance: Virtual
Fri Mar 18 15:01:23 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 18 15:01:23 2011 Local Options hash (VER=V4): '4b91e501'
Fri Mar 18 15:01:23 2011 Expected Remote Options hash (VER=V4): '48593abd'
Fri Mar 18 15:01:23 2011 UDPv4 link local (bound): [undef]:1194
Fri Mar 18 15:01:23 2011 UDPv4 link remote: [undef]
Fri Mar 18 15:03:15 2011 Peer Connection Initiated with [CLIENT IP REDACTED]:45802
Fri Mar 18 15:03:16 2011 Initialization Sequence Completed

Connection log from OpenVPN client connection:

Code:

Fri Mar 18 15:02:58 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov  8 2010
Fri Mar 18 15:02:58 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Mar 18 15:02:58 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Mar 18 15:02:58 2011 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 18 15:02:58 2011 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 18 15:02:58 2011 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 18 15:02:58 2011 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 18 15:02:58 2011 LZO compression initialized
Fri Mar 18 15:02:58 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Mar 18 15:02:58 2011 ROUTE default_gateway=172.16.12.1
Fri Mar 18 15:02:58 2011 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{02FAE01E-405E-48D8-8A12-3BA67E64B672}.tap
Fri Mar 18 15:02:58 2011 TAP-Win32 Driver Version 9.7 
Fri Mar 18 15:02:58 2011 TAP-Win32 MTU=1500
Fri Mar 18 15:02:58 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.252 on interface {02FAE01E-405E-48D8-8A12-3BA67E64B672} [DHCP-serv: 10.8.0.1, lease-time: 31536000]
Fri Mar 18 15:02:58 2011 Successful ARP Flush on interface [4] {02FAE01E-405E-48D8-8A12-3BA67E64B672}
Fri Mar 18 15:02:58 2011 Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 18 15:02:58 2011 Local Options hash (VER=V4): '48593abd'
Fri Mar 18 15:02:58 2011 Expected Remote Options hash (VER=V4): '4b91e501'
Fri Mar 18 15:02:58 2011 UDPv4 link local (bound): [undef]:1194
Fri Mar 18 15:02:58 2011 UDPv4 link remote: [SERVER IP REDACTED]:1194
Fri Mar 18 15:03:06 2011 Peer Connection Initiated with [SERVER IP REDACTED]:1194
Fri Mar 18 15:03:09 2011 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Fri Mar 18 15:03:09 2011 C:\WINDOWS\system32\route.exe ADD [SERVER IP REDACTED] MASK 255.255.255.255 172.16.12.1
Fri Mar 18 15:03:10 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Fri Mar 18 15:03:10 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Fri Mar 18 15:03:10 2011 Initialization Sequence Completed

Screenshot of client machine's firewall disabled, also for good measure:
[screenshot]

Screenshot of client machine's packet monitor on the VPN adapter, to show the very small number of packets being received over the VPN adapter:
[screenshot]

Screenshot of client machine's ip info/configuration for the VPN adapter:
[screenshot]
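The three route.exe ADD lines in the client log above are the whole of what redirect-gateway def1 does on the client: a /32 host route to the VPN server via the old gateway, then 0.0.0.0/1 and 128.0.0.0/1 via the tunnel. The two /1 routes cover every address between them, yet each is more specific than the untouched 0.0.0.0/0 default, so they win longest-prefix matching without the default route ever being deleted. The PowerShell below is an added example, not code from the thread, that simulates that selection over a table constructed from the log; the server's public address was redacted, so 203.0.113.10 is a placeholder, and the LAN route 172.16.12.0/24 is assumed from the logged default gateway 172.16.12.1.

```powershell
# Added example (not from the thread): simulate Windows route selection to show
# why the "redirect-gateway def1" routes win over the original default route.
# Table values are taken from the client log above except where marked assumed.

function ConvertTo-Int64Address {
    # Dotted IPv4 string -> integer, so network membership can be tested with -band.
    param([Parameter(Mandatory=$true)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Get-PrefixLength {
    # Count of 1 bits in a dotted netmask: 255.255.255.0 -> 24, 128.0.0.0 -> 1, 0.0.0.0 -> 0.
    param([Parameter(Mandatory=$true)][string]$Mask)
    $bits = [Convert]::ToString((ConvertTo-Int64Address $Mask), 2)
    return @($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
}

function Find-Route {
    # Longest-prefix match: of the routes whose network contains the destination,
    # return the one with the longest mask. Metrics only break ties and are ignored.
    param(
        [Parameter(Mandatory=$true)][object[]]$Table,
        [Parameter(Mandatory=$true)][string]$Destination
    )
    $dst  = ConvertTo-Int64Address $Destination
    $best = $null
    foreach ($route in $Table) {
        $mask = ConvertTo-Int64Address $route.Mask
        if (($dst -band $mask) -ne (ConvertTo-Int64Address $route.Network)) { continue }
        if ($null -eq $best -or (Get-PrefixLength $route.Mask) -gt (Get-PrefixLength $best.Mask)) {
            $best = $route
        }
    }
    return $best
}

function New-RouteEntry {
    param([string]$Network, [string]$Mask, [string]$Gateway, [string]$Note)
    New-Object PSObject -Property @{ Network = $Network; Mask = $Mask; Gateway = $Gateway; Note = $Note }
}

# Client routing table after "Initialization Sequence Completed", constructed from the log.
$AfterDef1 = @(
    (New-RouteEntry '0.0.0.0'      '0.0.0.0'         '172.16.12.1' 'original default route, never deleted'),
    (New-RouteEntry '172.16.12.0'  '255.255.255.0'   'on-link'     'physical LAN (assumed /24)'),
    (New-RouteEntry '10.8.0.0'     '255.255.255.252' 'on-link'     'TAP /30 from the ifconfig lines'),
    (New-RouteEntry '203.0.113.10' '255.255.255.255' '172.16.12.1' 'host route to VPN server (placeholder address)'),
    (New-RouteEntry '0.0.0.0'      '128.0.0.0'       '10.8.0.1'    'def1 route for 0.0.0.0-127.255.255.255'),
    (New-RouteEntry '128.0.0.0'    '128.0.0.0'       '10.8.0.1'    'def1 route for 128.0.0.0-255.255.255.255')
)

# Which route carries each destination once def1 is in place?
foreach ($ip in '93.184.216.34', '203.0.113.10', '172.16.12.50', '10.8.0.1') {
    $r = Find-Route -Table $AfterDef1 -Destination $ip
    '{0,-14} -> {1,-12} {2}' -f $ip, $r.Gateway, $r.Note
}
```

Each output line names the route that wins for that destination: an Internet address goes via 10.8.0.1, the VPN server's own address goes via the physical gateway (the host route is what keeps the encrypted tunnel packets from being routed into the tunnel they carry), and LAN and TAP addresses stay on-link. Because the default route was never deleted, removing the three added routes on disconnect restores the original path at once. It also explains why pwens's symptom points at the server rather than the client: his client log shows all three routes installed, so browser packets do reach 10.8.0.1, but are not being forwarded and translated on the Windows 7 side.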

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by Bebop » Sat Mar 19, 2011 7:57 am

[update]

Confirmed working all except for DNS.

So, in other words, I tried my above setup from another laptop / another isp (I mean that my server and my test client are on separate ISPs to one-another to prove that it does in fact work), and the Windows 7 OpenVPN server tunnel is working.

The only step remaining is to add DNS. At the current moment, only browsing by IP is possible.

Also, a note:
  • The above method works, but it's not optimized. That means that maybe all 3 steps are not required. Experiment and report findings.
The cure for boredom is curiosity

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Cannot browse internet push "redirect-gateway def1" WIND

Post by Bebop » Sun Mar 20, 2011 7:50 am

Working example posted at: Board index » Server Administration » Examples topic7806.html
The cure for boredom is curiosity
