Can't see W7 machines,using OpenVPN

[vincent1975]

Hello ,
I have very interesting problem with the OpenVPN. The OpenVPN server is started on RHEL 5.5 and it works just fine. From the client connected to this VPN server I can ping/VNC/RDP machines running Windows XP or 2003 which are in the private network. But I CAN’T do the same (ping/VNC/RDC) for Windows 7 machines. The firewall of these W7 is disabled. I don’t have such a problem from the internal network, only though the OpenVPN tunnel. Do you have any idea what’s going on?

[maikcat]

hi there,

please post configs first...

second ,if you tracert from win7 to a vpn client ip,what do you see?

cheers,

michael.

[janjust]

make sure the tap-win32 adapter is not in the 'public' network ; win7 will refuse access to all kinds of services if the tap-win32 is in that network.

[maikcat]

the win7 machines you mentioned are inside your lan right?

if yes i dont think they will have tap adapter....

michael.

[vincent1975]

Hello,

Maybe I was not enough clear… The Windows 7 machines are in the internal network (192.168.1.0/24). They don’t have OpenVPN clients. The remote machine with installed OpenVPN client is somewhere else, but this machine ( actually I made try with more than one, even with iPad ) can’t reach any of Windows 7 machines – not even to ping them. In the same time from these remote machines I can reach – ping/VNC/RDC all Windows 2003 and XP machines in the internal network. With other words the problem is only between the remote workstations with OpenVPN client and the Windows 7 machines in the internal network (192.168.1.0/24).

Michael: I can’t tracert to the remote machine with OpenVPN client installed from the Win 7, because I don’t have IP address from the same network as the remote machine. But the trace to the public IP address of this remote machine is without any problem.


Server config:
-------------------


local public_ip_address_of_the_openvpn_server
port 1194

proto udp

dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key

dh /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.144.75.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.1.0 255.255.255.0"

keepalive 10 120

tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

comp-lzo

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

log-append openvpn.log

verb 3

crl-verify /etc/openvpn/crl.pem


Client Config:
-------------------


client

dev tun

proto udp

remote public_ip_address_of_the_openvpn_server 1194

resolv-retry infinite

nobind

persist-key
persist-tun

ca "C:\\client\\ca.crt"
cert "C:\\client\\client.crt"
key "C:\\client\\client.key"

tls-auth "c:\\client\\ta.key" 1

comp-lzo

verb 3

route-method exe
route-delay 10

[maikcat]

hi vincent1975

Michael: I can’t tracert to the remote machine with OpenVPN client installed from the Win 7, because I don’t have IP address from the same network as the remote machine. But the trace to the public IP address of this remote machine is without any problem.

i think this is exactly your problem...routing problem from win 7.

win 7 pcs in your lan ,what gateway they have?
can you try adding a static route for the vpn network on them?

ps:
>local public_ip_address_of_the_openvpn_server <--you mean public ip?

michael.

[vincent1975]

Hi again,

>local public_ip_address_of_the_openvpn_server <--you mean public ip?
Yes, this is the Public IP.

I can't understand you your idea for the routing. I have

push "route 192.168.1.0 255.255.255.0" directive on the OpenVPN server, so I have to see all 192.168.1.0/24 network. And the Win 7 machines ( also XP and 2003 ) are in this 192.168.1.0/24 network.

[maikcat]

the push route sends a static route to your vpn CLIENT...

the internal network (except the vpn server itself) doesnt know anything about the
vpn network...

if you setup your pcs to have as the default gateway the vpn server its ok
(because the vpn performs routing) if you dont though you must add to your
internet router a static route for the vpn server.

michael

[vincent1975]

OK, I'll try,

but why the problem is only with the W7 machines? with XP and 2003 the problem doesn't exists. And they have the same network settings - W7, XP and 2003

[maikcat]

--local host
Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.

does your server has real ip assinged on his interface?

if not i think you should enter your private ip not the public one.

michael.

[vincent1975]

The problem was with the routings. Just on the machine where I had success with the connection (2003), the routing was already done ( not by me )
Thank you, Michael...

[maikcat]

vincent1975

you are welcome.

michael.

[Douglas]

The problem was with the routings. Just on the machine where I had success with the connection (2003), the routing was already done ( not by me )
Thank you, Michael...

Glad it's fixed!