Vpn clients not pushing (lan) route from server

Samples of working configurations.
Post Reply
freshtechs
OpenVpn Newbie
Posts: 5
Joined: Thu Dec 11, 2014 4:04 am

Vpn clients not pushing (lan) route from server

Post by freshtechs » Thu Dec 11, 2014 4:39 am

Both server and client are connected successfully, server is running on Windows 7 64bit, client Windows 8.1 Pro 64bits, they pull ips according to the config files (10.8.0.1 server and 10.8.0.6 client). But they cannot ping each other if Windows Firewall Protection is turn on. However, after turning off Windows firewall they can ping each other over the Virtual Network (10.8.0.0 255.255.255.0)... Server private ip is 192.168.1.2 and have other 3 pcs on that lan including the DD-WRT gateway(192.168.1.1) nevertheless the client cannot "know/see"(ping) that (192.168.1.0 255.255.255.0) LAN on the server-side... Push route is uncommented in server config file, tried adding "route 192.168.1.0" on the .ovpn client config file but didn't work. What else should i try or do?

Server .ovpn config file:

Code: Select all

port 1194
proto udp
dev tun

ca ca.crt
cert fresh-server.crt
key fresh-server.key 

dh dh1024.pem
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"

keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Client .ovpn config file:

Code: Select all

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind

persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
#This line was added as last option--> route 192.168.1.0
On the DD-WRT gateway i added this rules:

Code: Select all

iptables -I INPUT 1 -p udp -dport=1194 -j ACCEPT
iptables -I FORWARD 1 -source=192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Server Status Log:

Code: Select all

OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Enter Management Password:
 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
 Need hold release from management interface, waiting...
 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
MANAGEMENT: CMD 'state on'
 MANAGEMENT: CMD 'log all on'
 MANAGEMENT: CMD 'hold off'
 MANAGEMENT: CMD 'hold release'
 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
 Diffie-Hellman initialized with 1024 bit key
 Socket Buffers: R=[8192->8192] S=[8192->8192]
 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
 MANAGEMENT: >STATE:1418268946,ASSIGN_IP,,10.8.0.1,
 open_tun, tt->ipv6=0
 TAP-WIN32 device [Conexión de área local 4] opened: \\.\Global\{A6871623-E6E7-4F92-AAEB-EFC29A39558E}.tap
 TAP-Windows Driver Version 9.21 
 Sleeping for 10 seconds...
 Successful ARP Flush on interface [26] {A6871623-E6E7-4F92-AAEB-EFC29A39558E}
 MANAGEMENT: >STATE:1418268956,ADD_ROUTES,,,
 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
 Route addition via IPAPI succeeded [adaptive]
 UDPv4 link local (bound): [undef]
 UDPv4 link remote: [undef]
 MULTI: multi_init called, r=256 v=256
 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
 ifconfig_pool_read(), in='client1,10.8.0.4', TODO: IPv6
 succeeded -> ifconfig_pool_set()
 IFCONFIG POOL LIST
 client1,10.8.0.4
Initialization Sequence Completed
MANAGEMENT: >STATE:1418268956,CONNECTED,SUCCESS,10.8.0.1,
xxx.x.xxx:56342 TLS: Initial packet from [AF_INET]200.71.174.134:56342, sid=4297471e a29cf5eb
xxx.x.xxx:56342 VERIFY OK: depth=0, C=xx, ST=xx, L=xx, O=xx, OU=changeme, CN=client1, name=changeme, emailAddress=xxx@xx
xxx.x.xxx:56342 VERIFY OK: depth=0, C=xx, ST=xx, L=xx, O=xx, OU=changeme, CN=client1, name=changeme, emailAddress=xxx@xx
xxx.x.xxx:56342 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
xxx.x.xxx:56342 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
xxx.x.xxx:56342 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
xxx.x.xxx:56342 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
xxx.x.xxx:56342 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
xxx.x.xxx:56342 [client1] Peer Connection Initiated with [AF_INET]200.71.174.134:56342
 client1/200.71.174.134:56342 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
 client1/200.71.174.134:56342 MULTI: Learn: 10.8.0.6 -> client1/200.71.174.134:56342
client1/200.71.174.134:56342 MULTI: primary virtual IP for client1/200.71.174.134:56342: 10.8.0.6
client1/200.71.174.134:56342 PUSH: Received control message: 'PUSH_REQUEST'
client1/200.71.174.134:56342 send_push_reply(): safe_cap=940
client1/200.71.174.134:56342 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)



Client Log status:

Code: Select all

 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
  library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Enter Management Password:
 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
 Need hold release from management interface, waiting...
 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
 MANAGEMENT: CMD 'state on'
 MANAGEMENT: CMD 'log all on'
 MANAGEMENT: CMD 'hold off'
 MANAGEMENT: CMD 'hold release'
 Socket Buffers: R=[65536->65536] S=[65536->65536]
 MANAGEMENT: >STATE:1418269162,RESOLVE,,,
 UDPv4 link local: [undef]
 UDPv4 link remote: [AF_INET]xxx.x.xxx:1194
 MANAGEMENT: >STATE:1418269162,WAIT,,,
 MANAGEMENT: >STATE:1418269163,AUTH,,,
 TLS: Initial packet from [AF_INET]xxx.x.xxx:1194, sid=c1bd3be9 2e7a38b2
 VERIFY OK: depth=1, C=VE, ST=ZU, L=Maracaibo, O=FreshTechs, OU=changeme, CN=freshserver, name=changeme, emailAddress=info@freshtechs.com.ve
 Validating certificate key usage
 ++ Certificate has key usage  00a0, expects 00a0
 VERIFY KU OK
 Validating certificate extended key usage
 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
 VERIFY EKU OK
 VERIFY OK: depth=0, C=VE, ST=ZU, L=Maracaibo, O=FreshTechs, OU=changeme, CN=fresh-server, name=changeme, emailAddress=info@freshtechs.com.ve
 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
 [fresh-server] Peer Connection Initiated with [AF_INET]xxx.x.xxx:1194
 MANAGEMENT: >STATE:1418269185,GET_CONFIG,,,
 SENT CONTROL [fresh-server]: 'PUSH_REQUEST' (status=1)
 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
 OPTIONS IMPORT: timers and/or timeouts modified
 OPTIONS IMPORT: --ifconfig/up options modified
 OPTIONS IMPORT: route options modified
 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
 MANAGEMENT: >STATE:1418269186,ASSIGN_IP,,10.8.0.6,
 open_tun, tt->ipv6=0
 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{D4CA51F9-E2D3-4C6F-A9BA-E9AF254F9BB8}.tap
 TAP-Windows Driver Version 9.21 
 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {D4CA51F9-E2D3-4C6F-A9BA-E9AF254F9BB8} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
 Successful ARP Flush on interface [25] {D4CA51F9-E2D3-4C6F-A9BA-E9AF254F9BB8}
 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
 MANAGEMENT: >STATE:1418269191,ADD_ROUTES,,,
 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.255 10.8.0.5
 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
 Route addition via IPAPI succeeded [adaptive]
 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.5
 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
 Route addition via IPAPI succeeded [adaptive]
C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
 Initialization Sequence Completed
 MANAGEMENT: >STATE:1418269191,CONNECTED,SUCCESS,10.8.0.6,201.249.23.117

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Vpn clients not pushing (lan) route from server

Post by maikcat » Thu Dec 11, 2014 6:44 am

did you enabled ip forwarding on your openvpn server?

Michael.

freshtechs
OpenVpn Newbie
Posts: 5
Joined: Thu Dec 11, 2014 4:04 am

Re: Vpn clients not pushing (lan) route from server

Post by freshtechs » Thu Dec 11, 2014 10:27 pm

Yes, and i did it in both machines server and client: Going to regedit, change the value of "IPEnableRouter" DGWORD to "1"; and starting the following services: "Remote Access Auto Conection Manager, Remote Access Conection Manager, Routing and Remote Access"

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Vpn clients not pushing (lan) route from server

Post by maikcat » Fri Dec 12, 2014 6:47 am

leave RRAS off for now,

also disable ANY firewalls running for testing,

what lan ip address your client has?
if you do a tracert 192.168.1.x (x is your openvpn's SERVERs LAN ip)
what it shows?

Michael.

freshtechs
OpenVpn Newbie
Posts: 5
Joined: Thu Dec 11, 2014 4:04 am

Re: Vpn clients not pushing (lan) route from server

Post by freshtechs » Mon Dec 15, 2014 2:13 am

Thanks for answering maikcat, i did 2 traceroutes, first to the server and then to its LAN gateway:

Code: Select all

>tracert 192.168.1.2

Tracing route to FRAN8 [192.168.1.2] ##Ovpnserver hostname and private IP
over a maximum of 30 hops:

 1     *        *        *     Request timed out.
 2   497 ms   252 ms   468 ms  FRAN8 [192.168.1.2]

Code: Select all

>tracert 192.168.1.1 

Tracing route to 10.6.5.1 over a maximum of 30 hops ## Router Gateway private IP

  1  1410 ms  1256 ms   815 ms  FRAN8 [10.8.0.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5    ****************
  *
  *

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Vpn clients not pushing (lan) route from server

Post by maikcat » Mon Dec 15, 2014 7:06 am

Tracing route to 10.6.5.1 over a maximum of 30 hops ## Router Gateway private IP
what is 10.6.5.1...? :?

also try to ping a pc which uses as default gateway your openvpn server,

you will need to add a static route to your router for 10.8.0.0/24 network.

Michael.

freshtechs
OpenVpn Newbie
Posts: 5
Joined: Thu Dec 11, 2014 4:04 am

Re: Vpn clients not pushing (lan) route from server

Post by freshtechs » Mon Dec 15, 2014 4:09 pm

what is 10.6.5.1...? :?
Sorry i modified the valued so you would understand my environment. But true is that ip is 192.168.1.1 (Server LAN Gateway)
also try to ping a pc which uses as default gateway your openvpn server
The server can ping the clients over the 10.8.0.0/24 network.

I also tried adding the static route 10.8.0.0/24 default gateway 10.8.0.1 on the router (192.168.1.1 which is the gateway for the server ); and didn´t work. I forgot to mention that router is a Tplink WRT741ND.

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Vpn clients not pushing (lan) route from server

Post by maikcat » Tue Dec 16, 2014 6:36 am

I also tried adding the static route 10.8.0.0/24 default gateway 10.8.0.1 on the router (192.168.1.1 which is the gateway for the server ); and didn´t work. I forgot to mention that router is a Tplink WRT741ND.
When adding a route is usually for a network you DONT know where it is but the purpose of it
is to send packets for it to a host you DO know where it is,

so you need to add a static route for 10.8.0.0/24 network and use as a gateway your openvpn servers LAN ip.

Michael.

freshtechs
OpenVpn Newbie
Posts: 5
Joined: Thu Dec 11, 2014 4:04 am

Re: Vpn clients not pushing (lan) route from server

Post by freshtechs » Wed Dec 17, 2014 1:37 am

Fine. How and Where should i add it in the client's config file? Server's?

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Vpn clients not pushing (lan) route from server

Post by maikcat » Thu Dec 18, 2014 5:31 pm

on your tplink add a static route like this:

route add 10.8.0.0 mask 255.255.255.0 gw 192.168.1.2

or you can add a similar entry to your pcs as well.

Michael.

Post Reply