Windows Server 2008 R2 Connecting to client has failed

fbs06121988
OpenVpn Newbie
Posts: 8
Joined: Tue Jul 31, 2012 7:48 am

Post by fbs06121988 » Tue Jul 31, 2012 7:52 am

Hi,

I've successfully installed OpenVPN 2.2.2 on my Amazon EC2 instance (Windows Server 2008 R2), but when I try to connect I get the error "Connecting to client has failed".

Tue Jul 31 15:39:12 2012 There is a problem in your selection of --ifconfig endpoints [local=xx.xx.xx.xx, remote=xx.xx.xx.xx]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.

Keys generated on the VPN server and put on a Linux machine do not have any problem, but if the keys are put on a Windows machine this error appears.

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Post by maikcat » Tue Jul 31, 2012 8:05 am

hi there,

please post configs & logs

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

Post by fbs06121988 » Tue Jul 31, 2012 8:20 am

Hi,

server.conf is:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.11.200.0 255.255.255.128
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4

Client.ovpn is:

client
dev tun
proto udp
remote serverip
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert servername.crt
key servername.key
ns-cert-type server
comp-lzo
verb 3

Post by fbs06121988 » Tue Jul 31, 2012 8:25 am

Here are the openvpn.logs from the server side.

Tue Jul 31 16:24:20 2012 us=905515 175.41.134.248:57331 VERIFY OK: depth=0, /C=PH/ST=NCR/L=Quezon_City/O=RAMCAR_FOOD_GROUP/OU=AWS_Epos_File_Server/CN=aws-eposfs/name=AWS_EPOS_File_Server/emailAddress=sysad@foodgroup.ph
Tue Jul 31 16:24:20 2012 us=913349 175.41.134.248:57331 [aws-eposfs] Peer Connection Initiated with 175.41.134.248:57331
Tue Jul 31 16:24:20 2012 us=913543 MULTI: new connection by client 'aws-eposfs' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Tue Jul 31 16:24:20 2012 us=913620 OPTIONS IMPORT: reading client specific options from: ccd/aws-eposfs
Tue Jul 31 16:24:20 2012 us=913762 MULTI: Learn: 10.11.200.61 -> aws-eposfs/175.41.134.248:57331
Tue Jul 31 16:24:20 2012 us=913782 MULTI: primary virtual IP for aws-eposfs/175.41.134.248:57331: 10.11.200.61
Tue Jul 31 16:24:20 2012 us=913800 MULTI: internal route 10.11.200.0/25 -> aws-eposfs/175.41.134.248:57331
Tue Jul 31 16:24:20 2012 us=913818 MULTI: Learn: 10.11.200.0/25 -> aws-eposfs/175.41.134.248:57331
Tue Jul 31 16:24:23 2012 us=301718 aws-eposfs/175.41.134.248:57331 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 31 16:24:23 2012 us=301835 aws-eposfs/175.41.134.248:57331 SENT CONTROL [aws-eposfs]: 'PUSH_REPLY,route 10.11.200.0 255.255.255.0,route 172.24.0.0 255.255.0.0,route 133.88.0.0 255.255.0.0,route 192.11.0.0 255.255.0.0,route 172.16.200.0 255.255.255.0,route 172.19.100.0 255.255.255.0,route 172.19.101.0 255.255.255.0,route 172.19.102.0 255.255.255.0,route 192.168.0.75 255.255.255.255,route 192.168.0.85 255.255.255.255,route 192.168.30.0 255.255.255.0,route 172.18.100.0 255.255.255.0,route 172.18.8.0 255.255.255.0,route 172.23.0.0 255.255.255.0,route 10.11.40.0 255.255.248.0,route 10.11.0.0 255.255.248.0,route 10.11.90.0 255.255.255.0,route 10.11.91.0 255.255.255.0,route 10.11.101.0 255.255.255.0,route 10.11.100.0 255.255.255.0,route 10.11.102.0 255.255.255.0,route 172.30.0.0. 255.255.0.0,route 10.11.24.0 255.255.252.0,route 10.11.28.0 255.255.252.0,route 10.11.32.0 255.255.252.0,route 10.11.6.0 255.255.255.0,route 10.11.22.0 255.255.255.0,route 10.11.48.0 255.255.248.0,route 10.11.120.0 255.255.248.0,topology net30,ping 10,push-continuation 2' (status=1)
Tue Jul 31 16:24:23 2012 us=301870 aws-eposfs/175.41.134.248:57331 SENT CONTROL [aws-eposfs]: 'PUSH_REPLY,ping-restart 120,ifconfig 10.11.200.61 10.11.200.1,push-continuation 1' (status=1)

Post by maikcat » Tue Jul 31, 2012 8:57 am

please also post the contents of the ccd files

Michael.

Post by fbs06121988 » Tue Jul 31, 2012 9:28 am

Here is the client.log output:

Tue Jul 31 17:25:40 2012 OpenVPN 2.3_alpha3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on Jul 24 2012
Enter Management Password:
Tue Jul 31 17:25:40 2012 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.10:25340
Tue Jul 31 17:25:40 2012 Need hold release from management interface, waiting...
Tue Jul 31 17:25:40 2012 MANAGEMENT: Client connected from [AF_INET]127.0.0.10:25340
Tue Jul 31 17:25:40 2012 MANAGEMENT: CMD 'state on'
Tue Jul 31 17:25:40 2012 MANAGEMENT: CMD 'log all on'
Tue Jul 31 17:25:40 2012 MANAGEMENT: CMD 'hold off'
Tue Jul 31 17:25:40 2012 MANAGEMENT: CMD 'hold release'
Tue Jul 31 17:25:40 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jul 31 17:25:41 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Jul 31 17:25:41 2012 UDPv4 link local: [undef]
Tue Jul 31 17:25:41 2012 UDPv4 link remote: [AF_INET]46.137.250.40:1194
Tue Jul 31 17:25:41 2012 MANAGEMENT: >STATE:1343726741,WAIT,,,
Tue Jul 31 17:25:41 2012 MANAGEMENT: >STATE:1343726741,AUTH,,,
Tue Jul 31 17:25:41 2012 TLS: Initial packet from [AF_INET]46.137.250.40:1194, sid=8a2b13d3 6010c682
Tue Jul 31 17:25:41 2012 VERIFY OK: depth=1, C=PH, ST=NCR, L=Quezon City, O=RAMCAR FOOD GROUP, OU=IT, CN=server, name=AWS Cloud, emailAddress=system.report@qualservcentral.com
Tue Jul 31 17:25:41 2012 VERIFY OK: nsCertType=SERVER
Tue Jul 31 17:25:41 2012 VERIFY OK: depth=0, C=PH, ST=NCR, L=Quezon City, O=RAMCAR FOOD GROUP, OU=IT, CN=server, name=AWS Cloud, emailAddress=system.report@qualservcentral.com
Tue Jul 31 17:25:41 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 31 17:25:41 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 31 17:25:41 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 31 17:25:41 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 31 17:25:41 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jul 31 17:25:41 2012 [server] Peer Connection Initiated with [AF_INET]46.137.250.40:1194
Tue Jul 31 17:25:42 2012 MANAGEMENT: >STATE:1343726742,GET_CONFIG,,,
Tue Jul 31 17:25:43 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Jul 31 17:25:43 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.11.200.0 255.255.255.0,route 172.24.0.0 255.255.0.0,route 133.88.0.0 255.255.0.0,route 192.11.0.0 255.255.0.0,route 172.16.200.0 255.255.255.0,route 172.19.100.0 255.255.255.0,route 172.19.101.0 255.255.255.0,route 172.19.102.0 255.255.255.0,route 192.168.0.75 255.255.255.255,route 192.168.0.85 255.255.255.255,route 192.168.30.0 255.255.255.0,route 172.18.100.0 255.255.255.0,route 172.18.8.0 255.255.255.0,route 172.23.0.0 255.255.255.0,route 10.11.40.0 255.255.248.0,route 10.11.0.0 255.255.248.0,route 10.11.90.0 255.255.255.0,route 10.11.91.0 255.255.255.0,route 10.11.101.0 255.255.255.0,route 10.11.100.0 255.255.255.0,route 10.11.102.0 255.255.255.0,route 172.30.0.0. 255.255.0.0,route 10.11.24.0 255.255.252.0,route 10.11.28.0 255.255.252.0,route 10.11.32.0 255.255.252.0,route 10.11.6.0 255.255.255.0,route 10.11.22.0 255.255.255.0,route 10.11.48.0 255.255.248.0,route 10.11.120.0 255.255.248.0,topology net30,ping 10,push-continuation 2'
Tue Jul 31 17:25:43 2012 PUSH: Received control message: 'PUSH_REPLY,ping-restart 120,ifconfig 10.11.200.61 10.11.200.1,push-continuation 1'
Tue Jul 31 17:25:43 2012 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 31 17:25:43 2012 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 31 17:25:43 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jul 31 17:25:43 2012 MANAGEMENT: >STATE:1343726743,ASSIGN_IP,,10.11.200.61,
Tue Jul 31 17:25:43 2012 MANAGEMENT: Client disconnected
Tue Jul 31 17:25:43 2012 There is a problem in your selection of --ifconfig endpoints [local=10.11.200.61, remote=10.11.200.1]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
Tue Jul 31 17:25:43 2012 Exiting due to fatal error

Post by fbs06121988 » Tue Jul 31, 2012 9:29 am

ccd entry is:
ifconfig-push 10.11.200.61 10.11.200.1
iroute 10.11.200.0 255.255.255.128

Post by maikcat » Tue Jul 31, 2012 9:52 am

ccd entry is:
ifconfig-push 10.11.200.61 10.11.200.1
iroute 10.11.200.0 255.255.255.128

please change your ccd to:

ifconfig-push 10.11.200.62 10.11.200.61

Michael.

Post by fbs06121988 » Tue Jul 31, 2012 10:27 am

Hi Michael,

Thank You very much !! The openvpn connected successfully after I edited the ccd entry :)

May I ask why the ccd entry needs to be changed to 10.11.200.62, so I can also explain it to my teammates? Does a Windows machine need a different ccd entry compared to a Linux one? On our Linux machine we did not encounter this error.

Also, I noticed that the IP it gave to my machine is 10.11.200.62 but I need the machine to be 10.11.200.61.

Post by maikcat » Tue Jul 31, 2012 10:57 am

hi there,
--topology mode
Configure virtual addressing topology when running in --dev tun mode. This directive has no meaning in --dev tap mode, which always uses a subnet topology.

If you set this directive on the server, the --server and --server-bridge directives will automatically push your chosen topology setting to clients as well. This directive can also be manually pushed to clients. Like the --dev directive, this directive must always be compatible between client and server.

mode can be one of:

net30 -- Use a point-to-point topology, by allocating one /30 subnet per client. This is designed to allow point-to-point semantics when some or all of the connecting clients might be Windows systems. This is the default on OpenVPN 2.0.

p2p -- Use a point-to-point topology where the remote endpoint of the client's tun interface always points to the local endpoint of the server's tun interface. This mode allocates a single IP address per connecting client. Only use when none of the connecting clients are Windows systems. This mode is functionally equivalent to the --ifconfig-pool-linear directive which is available in OpenVPN 2.0 and is now deprecated.

subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode allocates a single IP address per connecting client and works on Windows as well. Only available when server and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the --topology directive code. When used on Windows, requires version 8.2 or higher of the TAP-Win32 driver. When used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a remote endpoint IP address.

about the iroute statement,

iroute is used for lan-to-lan connections, simply to let openvpn know
who has the remote lan (a route statement inside the server config is also needed).

regards,

Michael.

Post by fbs06121988 » Tue Jul 31, 2012 11:59 am

Sorry, I'm an OpenVPN newbie here. I still do not understand the

ifconfig-push 10.11.200.62 10.11.200.61

If I want my machine to have an IP of 10.11.200.63, what should be the ccd entry?
should it be

ifconfig-push 10.11.200.63 10.11.200.61?

Thanks very much for your assistance, I really appreciate it.

Post by maikcat » Tue Jul 31, 2012 1:40 pm

when using the default mode (net30) you can use specific ips

Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Win32 driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:

[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]

you can use ips only inside the brackets..

regards

Michael.
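
Added example (not part of the original thread, and not OpenVPN code): a Python check of ifconfig-push pairs against the net30 rule quoted above, run on the three ccd entries discussed in this thread. The function names are hypothetical; the pool 10.11.200.0/25 is taken from the `server 10.11.200.0 255.255.255.128` line of the posted server.conf.

```python
import ipaddress

def net30_hosts(ip):
    """The two usable endpoint addresses of the /30 block that contains ip."""
    block = ipaddress.ip_network(f"{ip}/30", strict=False)
    return list(block.hosts())

def check_ifconfig_push(line, pool):
    """Validate one 'ifconfig-push local remote' ccd line for topology net30."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return False, "not an ifconfig-push line"
    local, remote = (ipaddress.ip_address(p) for p in parts[1:])
    net = ipaddress.ip_network(pool)
    if local not in net or remote not in net:
        return False, f"endpoint outside {net}"
    hosts = net30_hosts(local)
    # Both endpoints must be the two host addresses of the same /30:
    # never the block's network address, never its broadcast address.
    if local == remote or local not in hosts or remote not in hosts:
        lo, hi = hosts
        return False, f"endpoints must be {lo} and {hi}"
    return True, "ok"

def ccd_line_for(client_ip):
    """Build the net30 ccd line that gives the client exactly client_ip."""
    ip = ipaddress.ip_address(client_ip)
    hosts = net30_hosts(ip)
    if ip not in hosts:
        raise ValueError(f"{ip} is the network or broadcast address of its /30")
    peer = hosts[1] if ip == hosts[0] else hosts[0]
    return f"ifconfig-push {ip} {peer}"

if __name__ == "__main__":
    POOL = "10.11.200.0/25"  # assumption: derived from the posted server.conf
    for line in ("ifconfig-push 10.11.200.61 10.11.200.1",    # original ccd entry
                 "ifconfig-push 10.11.200.62 10.11.200.61",   # entry suggested in the thread
                 "ifconfig-push 10.11.200.63 10.11.200.61"):  # entry asked about
        print(line, "->", check_ifconfig_push(line, POOL))
    print(ccd_line_for("10.11.200.61"))
```

The first address of an ifconfig-push pair is the one the client receives, so the order of the pair decides which of the two host addresses ends up on the client.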

Post by fbs06121988 » Wed Aug 01, 2012 12:41 am

Thank You very much Michael for your assistance. You may now mark this post as SOLVED!

Post by maikcat » Wed Aug 01, 2012 8:08 am

ok then

closing topic.

Michael.