Windows 7 64bit Client to Windows 2008 64bit server

[bradrhod]

I am trying to get Openvpn server running on one of two hosted servers. I have JJK OpenVpn 2 Cookbook and I have read every post possible. I know windows networking pretty well and can usually get openvpn up and running quickly. For this setup I an issue that I cannot solve.

First my network.
Server Windows 2008 64bit Client Windows 7 64bit
173.XXX.80.34 <====> 192.168.1.125
VPN VPN
10.130.243.9 10.130.243.10

All firewalls are turned off. The network comes up fine and 10.130.243.9 pings from the client fine. But I cannot get packets to route to 173.XXX.80.34 over the vpn connection.

Code: Select all

>ping 173.XXX.80.34 /S 10.130.243.10
Pinging 173.XXX.80.34 from 10.130.243.10 with 32 bytes of data:
Request timed out.
Request timed out.

I have replicated my setup to a virtual machine. The odd thing is that on the vm everything works fine.
I went ahead and set up client and server config files that are very simplified and the problem still reproduces. This is basically the Routing recipe in Chapter 1 from OpenVPN 2 Cookbook.

Here is my Server Config:

Code: Select all

ifconfig 10.130.243.10 10.130.243.11
dev tun
auth none

Here is my Client Config:

Code: Select all

ifconfig 10.130.243.10 10.130.243.9
route-delay 30
dev tun
auth none
remote 173.XXX.80.34
verb 4

I went ahead and updated to 2.2RC2 2011.03.25 to see if that was any better, but it did not help. I have tried rout-delay 30, and route-method-exe settings. I have also verifed both client and server are running as administrators (UAC turned off, windows Compatbility setting to run as administrator). I have also tried setting compatbility to Vista SP1 and XP Sp3. With no luck.

I am using the route add command:

Code: Select all

>route add 173.204.80.0 mask 255.255.255.0 10.130.243.10 metric 1
 OK!

Wireshark shows that the icmp packet is never hitting the TAP interface at all. I have ipenablerouter set to true and have verified that in netsh. I have gone through everything in netsh int dump and there are no real differences. Ipenablerouter is enabled on both servers and on the client. I have disabled isatap and ipv6 interfaces.

When connecting to the hosted server, I see that windows is actually sending an ARP request for 173.XXX.80.34. But no one is replying to that ARP request.

When testing on the VM environment the icmp packet never hits the vpn network, but the reply shows up there and ping is happy with that. I have tried everything using netcat/netcapture nc.exe and verfied that the network is not routing packets.

I have gone through the logs in extensive detail and they are identical. I can post them if they would help.

It just seems that windows does not like this route in any way or form.

What can i do to further debug this issue? Any help is greatly appreciated.

Thanks
Brad

route print for the failing hosted server:
===========================================================================
Interface List
18...00 ff a5 b5 91 e9 ......TAP-Win32 Adapter V9
11...6c f0 49 57 68 c8 ......Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (ND
IS 6.20) #2
10...6c f0 49 56 d0 0c ......Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (ND
IS 6.20)
1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.151 60
10.130.243.8 255.255.255.252 On-link 10.130.243.10 286
10.130.243.10 255.255.255.255 On-link 10.130.243.10 286
10.130.243.11 255.255.255.255 On-link 10.130.243.10 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 192.168.1.151 31
169.254.0.0 255.255.0.0 On-link 10.130.243.10 306
169.254.255.255 255.255.255.255 On-link 192.168.1.151 286
169.254.255.255 255.255.255.255 On-link 10.130.243.10 286
173.204.80.0 255.255.255.0 On-link 10.130.243.10 31
173.204.80.255 255.255.255.255 On-link 10.130.243.10 286
192.168.1.0 255.255.255.0 On-link 192.168.1.151 286
192.168.1.151 255.255.255.255 On-link 192.168.1.151 286
192.168.1.255 255.255.255.255 On-link 192.168.1.151 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.151 286
224.0.0.0 240.0.0.0 On-link 10.130.243.10 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.151 286
255.255.255.255 255.255.255.255 On-link 10.130.243.10 286
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
169.254.0.0 255.255.0.0 192.168.1.151 1
169.254.0.0 255.255.0.0 192.168.96.1 1
169.254.0.0 255.255.0.0 192.168.244.1 1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
10 4116 ::/0 fe80::c2c1:c0ff:fe51:4c0
1 306 ::1/128 On-link
16 58 2001::/32 On-link
16 306 2001:0:4137:9e76:813:1ed:b3e3:644a/128
On-link
10 28 2002:4c1c:9bb5::/64 On-link
10 276 2002:4c1c:9bb5:0:2c6c:97b1:b8e2:9a8f/128
On-link
10 276 2002:4c1c:9bb5:0:610c:6890:6e99:50b4/128
On-link
10 276 fe80::/64 On-link
18 286 fe80::/64 On-link
16 306 fe80::/64 On-link
16 306 fe80::813:1ed:b3e3:644a/128
On-link
10 276 fe80::610c:6890:6e99:50b4/128
On-link
18 286 fe80::a8f7:bd93:9e80:998f/128
On-link
1 306 ff00::/8 On-link
16 306 ff00::/8 On-link
10 276 ff00::/8 On-link
18 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None


route print for the working vm server:

Code: Select all

>route print
===========================================================================
Interface List
 18...00 ff a5 b5 91 e9 ......TAP-Win32 Adapter V9
 11...6c f0 49 57 68 c8 ......Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (N
IS 6.20) #2
 10...6c f0 49 56 d0 0c ......Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (N
IS 6.20)
  1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.151     60
     10.130.243.8  255.255.255.252         On-link     10.130.243.10    286
    10.130.243.10  255.255.255.255         On-link     10.130.243.10    286
    10.130.243.11  255.255.255.255         On-link     10.130.243.10    286
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link     192.168.1.151     31
      169.254.0.0      255.255.0.0         On-link     10.130.243.10    306
  169.254.255.255  255.255.255.255         On-link     192.168.1.151    286
  169.254.255.255  255.255.255.255         On-link     10.130.243.10    286
      192.168.1.0    255.255.255.0         On-link     192.168.1.151    286
    192.168.1.125  255.255.255.255         On-link     10.130.243.10     31
    192.168.1.151  255.255.255.255         On-link     192.168.1.151    286
    192.168.1.255  255.255.255.255         On-link     192.168.1.151    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.151    286
        224.0.0.0        240.0.0.0         On-link     10.130.243.10    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.151    286
  255.255.255.255  255.255.255.255         On-link     10.130.243.10    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      169.254.0.0      255.255.0.0    192.168.1.151       1
      169.254.0.0      255.255.0.0     192.168.96.1       1
      169.254.0.0      255.255.0.0    192.168.244.1       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 10   4116 ::/0                     fe80::c2c1:c0ff:fe51:4c0
  1    306 ::1/128                  On-link
 16     58 2001::/32                On-link
 16    306 2001:0:4137:9e76:813:1ed:b3e3:644a/128
                                    On-link
 10     28 2002:4c1c:9bb5::/64      On-link
 10    276 2002:4c1c:9bb5:0:2c6c:97b1:b8e2:9a8f/128
                                    On-link
 10    276 2002:4c1c:9bb5:0:610c:6890:6e99:50b4/128
                                    On-link
 10    276 fe80::/64                On-link
 18    286 fe80::/64                On-link
 16    306 fe80::/64                On-link
 16    306 fe80::813:1ed:b3e3:644a/128
                                    On-link
 10    276 fe80::610c:6890:6e99:50b4/128
                                    On-link
 18    286 fe80::a8f7:bd93:9e80:998f/128
                                    On-link
  1    306 ff00::/8                 On-link
 16    306 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
 18    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

[janjust]

hi,

first of all, thx for buying my book

second, your client/server configs have the wrong IP addresses. Try using this for the server

Code: Select all

ifconfig 10.130.243.10 10.130.243.11

and then reverse the addresses for the client:

Code: Select all

ifconfig 10.130.243.11 10.130.243.10

[bradrhod]

The book is great, I recommend it for anyone using OpenVpn, beginners and experts.

I tried those initially, I get this error:

Code: Select all

:
Tue Apr 05 09:58:29 2011 us=459000 There is a problem in your selection of --ifc
onfig endpoints [local=10.130.243.10, remote=10.130.243.11].  The local and remo
te VPN endpoints cannot use the first or last address within a given 255.255.255
.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 dri
ver.  Try 'openvpn --show-valid-subnets' option for more info.
Tue Apr 05 09:58:29 2011 us=475000 Exiting
:

Research of this error led me to using using 10.130.243.9 and 10.130.243.10 . The .9 and .10 work fully on my vm setup. Also, I can ping the .9 and .10 addresses on the hosted servers. I am just not able to get packets to route when using the hosted servers.

[janjust]

ah doh - I should have realized that .10+.11 is not valid ... glad you sorted that one out.

As for routing:
* make sure IP forwarding is enabled on both windows machines (this is done using a registry key)
* use the 'route' statement inside the openvpn configuration, e.g.

Code: Select all

route 173.204.80.0 255.255.255.0

[bradrhod]

I have iprouteenabled on both the client and the server. I am using the route command as described in my initial message. The routes are in the routing table fine. Just windows does not like to use them for some reason.

Again the lack of routing is only happening when the same client is connected to my hosted server. When that client is connected to my vm server it works. The lack of routing is happening on the client side, verified with wireshark.

[bradrhod]

Can anyone recommend someone I could hire to help out?

[janjust]

please try using the openvpn "route" method - I would like to rule out the case where you're using the wrong GW address for your routes. IIRC you need to specify a weird GW IP Address to get stuff to route via the VPN. When using the openvpn 'route' method this is done for you automatically.

[bradrhod]

When I use the openvpn route command I get a constant stream of fragmented packets. Here is how wireshark shows this:

Wireshark will eventually crash, I suspect as it is trying to buffer the packets for reassembly later, that never happens.

Again here are my very simple control files:
Server:

Code: Select all

ifconfig 10.130.243.9 10.130.243.10
dev tun
auth none
verb 4
route 192.168.1.0 255.255.255.0

Client:

Code: Select all

ifconfig 10.130.243.10 10.130.243.9
route-method exe
route-delay 30
dev tun
auth none
remote src.emortal.com
verb 4
route 173.204.80.34 255.255.255.255

Thanks for your help.

[janjust]

you don't mention the type of protocol (udp or tcp) ; if it's udp then try adding

Code: Select all

fragment 1300

to both sides to see if it makes a difference.

[bradrhod]

Great. That took care of the fragmented packets.

There still seems to be a service or application that is hitting the vpn network. First packet looks like this:

Code: Select all

0000  00 ff a6 b5 91 e9 00 ff  a5 b5 91 e9 08 00 45 00   ........ ......E.
0010  00 7a 38 3a 00 00 80 11  06 be 0a 82 f3 0a ad cc   .z8:.... ........
0020  50 22 04 aa 04 aa 00 66  89 62 00 00 00 00 60 00   P".....f .b....`.
0030  00 00 00 32 11 01 fe 80  00 00 00 00 00 00 a8 f7   ...2.... ........
0040  bd 93 9e 80 99 8f ff 02  00 00 00 00 00 00 00 00   ........ ........
0050  00 00 00 01 00 03 f3 77  14 eb 00 32 3d 64 9a 27   .......w ...2=d.'
0060  00 00 00 01 00 00 00 00  00 00 03 32 35 33 01 30   ........ ...253.0
0070  01 30 03 32 32 34 07 69  6e 2d 61 64 64 72 04 61   .0.224.i n-addr.a
0080  72 70 61 00 00 0c 00 01                            rpa.....         

Second is the same with some additional bytes in the packet:

Code: Select all

0000  00 ff a6 b5 91 e9 00 ff  a5 b5 91 e9 08 00 45 00   ........ ......E.
0010  00 da 38 3d 00 00 80 11  06 5b 0a 82 f3 0a ad cc   ..8=.... .[......
0020  50 22 04 aa 04 aa 00 c6  f5 c5 00 00 00 00 45 00   P"...... ......E.
0030  00 ba 38 3c 00 00 80 11  06 7c 0a 82 f3 0a ad cc   ..8<.... .|......
0040  50 22 04 aa 04 aa 00 a6  f5 e5 00 00 00 00 45 00   P"...... ......E.
0050  00 9a 38 3b 00 00 80 11  06 9d 0a 82 f3 0a ad cc   ..8;.... ........
0060  50 22 04 aa 04 aa 00 86  f6 05 00 00 00 00 45 00   P"...... ......E.
0070  00 7a 38 3a 00 00 80 11  06 be 0a 82 f3 0a ad cc   .z8:.... ........
0080  50 22 04 aa 04 aa 00 66  89 62 00 00 00 00 60 00   P".....f .b....`.
0090  00 00 00 32 11 01 fe 80  00 00 00 00 00 00 a8 f7   ...2.... ........
00a0  bd 93 9e 80 99 8f ff 02  00 00 00 00 00 00 00 00   ........ ........
00b0  00 00 00 01 00 03 f3 77  14 eb 00 32 3d 64 9a 27   .......w ...2=d.'
00c0  00 00 00 01 00 00 00 00  00 00 03 32 35 33 01 30   ........ ...253.0
00d0  01 30 03 32 32 34 07 69  6e 2d 61 64 64 72 04 61   .0.224.i n-addr.a
00e0  72 70 61 00 00 0c 00 01                            rpa.....         

Then this continues with the packet growing length. For instance the 20th packet looks like

Code: Select all

0000  00 ff a6 b5 91 e9 00 ff  a5 b5 91 e9 08 00 45 00   ........ ......E.
0010  03 3a 38 50 00 00 80 11  03 e8 0a 82 f3 0a ad cc   .:8P.... ........
0020  50 22 04 aa 04 aa 03 26  f3 65 00 00 00 00 45 00   P".....& .e....E.
0030  03 1a 38 4f 00 00 80 11  04 09 0a 82 f3 0a ad cc   ..8O.... ........
0040  50 22 04 aa 04 aa 03 06  f3 85 00 00 00 00 45 00   P"...... ......E.
0050  02 fa 38 4e 00 00 80 11  04 2a 0a 82 f3 0a ad cc   ..8N.... .*......
0060  50 22 04 aa 04 aa 02 e6  f3 a5 00 00 00 00 45 00   P"...... ......E.
0070  02 da 38 4d 00 00 80 11  04 4b 0a 82 f3 0a ad cc   ..8M.... .K......
0080  50 22 04 aa 04 aa 02 c6  f3 c5 00 00 00 00 45 00   P"...... ......E.
0090  02 ba 38 4c 00 00 80 11  04 6c 0a 82 f3 0a ad cc   ..8L.... .l......
00a0  50 22 04 aa 04 aa 02 a6  f3 e5 00 00 00 00 45 00   P"...... ......E.
00b0  02 9a 38 4b 00 00 80 11  04 8d 0a 82 f3 0a ad cc   ..8K.... ........
00c0  50 22 04 aa 04 aa 02 86  f4 05 00 00 00 00 45 00   P"...... ......E.
00d0  02 7a 38 4a 00 00 80 11  04 ae 0a 82 f3 0a ad cc   .z8J.... ........
00e0  50 22 04 aa 04 aa 02 66  f4 25 00 00 00 00 45 00   P".....f .%....E.
00f0  02 5a 38 49 00 00 80 11  04 cf 0a 82 f3 0a ad cc   .Z8I.... ........
0100  50 22 04 aa 04 aa 02 46  f4 45 00 00 00 00 45 00   P".....F .E....E.
0110  02 3a 38 48 00 00 80 11  04 f0 0a 82 f3 0a ad cc   .:8H.... ........
0120  50 22 04 aa 04 aa 02 26  f4 65 00 00 00 00 45 00   P".....& .e....E.
0130  02 1a 38 47 00 00 80 11  05 11 0a 82 f3 0a ad cc   ..8G.... ........
0140  50 22 04 aa 04 aa 02 06  f4 85 00 00 00 00 45 00   P"...... ......E.
0150  01 fa 38 46 00 00 80 11  05 32 0a 82 f3 0a ad cc   ..8F.... .2......
0160  50 22 04 aa 04 aa 01 e6  f4 a5 00 00 00 00 45 00   P"...... ......E.
0170  01 da 38 45 00 00 80 11  05 53 0a 82 f3 0a ad cc   ..8E.... .S......
0180  50 22 04 aa 04 aa 01 c6  f4 c5 00 00 00 00 45 00   P"...... ......E.
0190  01 ba 38 44 00 00 80 11  05 74 0a 82 f3 0a ad cc   ..8D.... .t......
01a0  50 22 04 aa 04 aa 01 a6  f4 e5 00 00 00 00 45 00   P"...... ......E.
01b0  01 9a 38 43 00 00 80 11  05 95 0a 82 f3 0a ad cc   ..8C.... ........
01c0  50 22 04 aa 04 aa 01 86  f5 05 00 00 00 00 45 00   P"...... ......E.
01d0  01 7a 38 42 00 00 80 11  05 b6 0a 82 f3 0a ad cc   .z8B.... ........
01e0  50 22 04 aa 04 aa 01 66  f5 25 00 00 00 00 45 00   P".....f .%....E.
01f0  01 5a 38 41 00 00 80 11  05 d7 0a 82 f3 0a ad cc   .Z8A.... ........
0200  50 22 04 aa 04 aa 01 46  f5 45 00 00 00 00 45 00   P".....F .E....E.
0210  01 3a 38 40 00 00 80 11  05 f8 0a 82 f3 0a ad cc   .:8@.... ........
0220  50 22 04 aa 04 aa 01 26  f5 65 00 00 00 00 45 00   P".....& .e....E.
0230  01 1a 38 3f 00 00 80 11  06 19 0a 82 f3 0a ad cc   ..8?.... ........
0240  50 22 04 aa 04 aa 01 06  f5 85 00 00 00 00 45 00   P"...... ......E.
0250  00 fa 38 3e 00 00 80 11  06 3a 0a 82 f3 0a ad cc   ..8>.... .:......
0260  50 22 04 aa 04 aa 00 e6  f5 a5 00 00 00 00 45 00   P"...... ......E.
0270  00 da 38 3d 00 00 80 11  06 5b 0a 82 f3 0a ad cc   ..8=.... .[......
0280  50 22 04 aa 04 aa 00 c6  f5 c5 00 00 00 00 45 00   P"...... ......E.
0290  00 ba 38 3c 00 00 80 11  06 7c 0a 82 f3 0a ad cc   ..8<.... .|......
02a0  50 22 04 aa 04 aa 00 a6  f5 e5 00 00 00 00 45 00   P"...... ......E.
02b0  00 9a 38 3b 00 00 80 11  06 9d 0a 82 f3 0a ad cc   ..8;.... ........
02c0  50 22 04 aa 04 aa 00 86  f6 05 00 00 00 00 45 00   P"...... ......E.
02d0  00 7a 38 3a 00 00 80 11  06 be 0a 82 f3 0a ad cc   .z8:.... ........
02e0  50 22 04 aa 04 aa 00 66  89 62 00 00 00 00 60 00   P".....f .b....`.
02f0  00 00 00 32 11 01 fe 80  00 00 00 00 00 00 a8 f7   ...2.... ........
0300  bd 93 9e 80 99 8f ff 02  00 00 00 00 00 00 00 00   ........ ........
0310  00 00 00 01 00 03 f3 77  14 eb 00 32 3d 64 9a 27   .......w ...2=d.'
0320  00 00 00 01 00 00 00 00  00 00 03 32 35 33 01 30   ........ ...253.0
0330  01 30 03 32 32 34 07 69  6e 2d 61 64 64 72 04 61   .0.224.i n-addr.a
0340  72 70 61 00 00 0c 00 01                            rpa.....     

Again this continues until wireshark crashes.

[janjust]

it looks like a multicast service, such as SSDP . I wasn't aware that wireshark could crash because of them. Try disabling the local link discovery services etc. Apart from wireshark, what is now happening with routing? is anything being routed at all? what happens if you ping the LAN address of the server from the client?

[bradrhod]

I will try disabling local link services. I cannot ping either side of the gateway. It looks like the vpn is so flooded with these packets that the pings are timing out. The packets just keep going and going, as fast as wireshark can scroll them until it crashes.

I will make sure that local link services is turned off and test again.

[bradrhod]

I have disabled the SSDP Discovery Service, UPnP Device Host Service, Media Center Extender Service. No help.
I have uninstalled Apache, disabled iis, exited msn messenger. I have disabled the Link-Layer Topology Discovery Mapper I/O Driver and the Link-Layer Topology Discovery Responder on the Network connections on this machine.

I cannot find out who is sending these packets. They appear to be coming from Openvpn.exe. I brought up two Resource Monitors, one on network and one on cpu. Any process that touches the network, like svchost.exe(LocalServicePeerNet) and svchost.exe(netsvcs), I suspend them. Yet these packets continue.

Thanks for all the help.

[janjust]

don't know if this works on 64bit windows, but I've found the APORTS.EXE tool to be pretty useful for this....

[bradrhod]

I believe that I am down to the issue at hand.

First, Aports.exe does not work on 64bit windows. There is a better tool. CurrPorts http://www.nirsoft.net/utils/cports.html is a free tools from Nirsoft.

My problem seems to be that my server has one ip address that I connect to. I want to connect to that address and have all further packets to that ip address now go over the vpn.

For the configuration that works. I use vmware to create a server only virtual network 192.168.244.0.

The client config is:

Code: Select all

ifconfig 10.200.0.2 10.200.0.1
route-method exe
route-delay 30
dev tun
auth none
remote 192.168.1.112
verb 4
route 192.168.244.0 255.255.255.0
fragment 1300

and the server:

Code: Select all

ifconfig 10.200.0.1 10.200.0.2
route-method exe
route-delay 30
dev tun
auth none
verb 4
route 192.168.244.0 255.255.255.0
fragment 1300

I would like for the server to only have the one ip address, the public one. In other words, I do not have a private subnet on the server side. So I change the client configs route to:
route 192.168.1.112 255.255.255.255
and the server config route to:
route 192.168.1.0 255.255.255.0
When this happens, I get the packets endlessly flowing as I described above.

So my question is, when your server only has the one public ip address and that is the only ip address you have, how can you set up an openvpn route to that server?

I want to do this as I would firewall all the dangerous protocols (netbios file sharing etc) over the public route, but enable those over the vpn connection.

I will share a couple of notes on Windows 7. When you enable/disable file sharing (Start->Network->Properties->Advanced Sharing Settings) you are turning on the Advanced firewall. It appears the only way to turn off file sharing, netbios name services, netbios-dgm services is by turning on the firewal. Once you turn on the firewall, ICMP, openvpn will be blocked. So save yourself some trouble. Turn on the firewal, open the ports for openvpn and icmp.

[janjust]

if you have only a single public IP then you must use the VPN IP to connect securely. In the concept of a VPN you have traffic which is outside of the tunnel and which is inside. The traffic to the VPN server itself is always outside the tunnel, as otherwise the VPN tunnel would be encrypting the traffic and then feeding that into the same tunnel again , causing a loop.