Guidance needed on windows setup please


Moderators: TinCanTech

chrisatwork
OpenVpn Newbie
Posts: 5
Joined: Fri Apr 29, 2011 7:50 pm

Guidance needed on windows setup please

Post by chrisatwork » Fri Apr 29, 2011 9:48 pm

This is my first attempt, and more by luck than judgement I have got a partly working vpn. Now I need to know how to do it properly...

Remote site: workgroup lan on 192.168.0.x. 4 x xp pro boxes with static IPs. BT Homehub2 router is the lan gateway with DHCP disabled. Dynamic WAN ip tracked by dynamic DNS account. Could change the 0.x to something else if necessary.

192.168.0.240 is running Openvpn 2.0.9 GUI server, dev: tun and proto: udp on 1194, and WM Encoder generating a broadcast audio stream on 8080. Server virtual address 10.8.0.1. Not (yet) set up as service.

Ca.crt, ta.key and several client(n) .crt & .key files generated & distributed.

Local site A: client local lan workgroup on 192.168.3.x, 2 xp boxes on static IPs behind pix501 and vigor 2800 router on static WAN ip. DHCP enabled from pix, range outside static IPs in use. (Ignore the pix, it just provides a permanent hardware ipsec tunnel to a different remote site.)

Open vpn gui client on one box, 192.168.3.2, as a test setup.

Connects to remote site ok with virtual ip 10.8.0.6. Can RD into server through the vpn and can pull audio stream from encoder.

Would like up to 4 other clients to concurrently connect to pull the stream on 8080 from the vpn server and also to RD into another machine on the remote lan on static ip 192.168.0.13, but not to be able to RD into the vpn server box. (Only Site A to do this).

No requirement for the 5 clients to see one another and no (current) requirement to access any client lan from the server end lan.

Reading all the material on the openvpn site have got confused as to what I need to do to reach beyond the vpn server on its local lan to get to the other box(es). Don't want to experiment without advice as it's a 20 mile round trip to get to the vpn server if I crash it!

Config files

Server:

;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
dev-node vpnTap
ca "<pathtofile>\\ca.crt"
cert "<pathtofile>\\server.crt"
key "<pathtofile>\\server.key" # This file should be kept secret
dh "<pathtofile>\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 192.168.0.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth "<pathtofile>\\ta.key" 0 # This file is secret
cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20


Client1:


client
;dev tap
dev tun
dev-node vpnTap
;proto tcp
proto udp
remote <path to dynamic dns host> 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca "<pathtofile>\\ca.crt"
cert "<pathtofile>\\client1.crt"
key "<pathtofile>\\client1.key"
ns-cert-type server
tls-auth "<pathtofile>\\ta.key" 1
cipher BF-CBC
comp-lzo
verb 3
mute 20


Any guidance you can give would be gratefully received!

Christopher

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Guidance needed on windows setup please

Post by janjust » Mon May 02, 2011 6:15 am

looks like you're almost there...

if the openvpn clients need to reach a machine on the server-side LAN two things are needed:
* a "push route 192.168.0.0 255.255.255.0" in your setup, which you have
* on the server-side LAN the local router/GW needs to have a route back to the openvpn server, e.g. route add -net 10.8.0.0/24 gw <server-IP>

as otherwise the other machines on the server-side LAN will not know where to return traffic to for packets with source address 10.8.0.X/24

As for restricting access: that is, generally speaking, not something that OpenVPN provides; this needs to be configured using firewalling software or iptables on the server side.
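The two routing requirements in the reply above can be checked mechanically. This is an added example, not code from the forum or from OpenVPN: it parses the server config posted in the thread (OpenVPN's `;`/`#` comment syntax and quoted `push` arguments), reads the tunnel pool from `server` and the LAN from `push "route ..."`, and then does a longest-prefix lookup in a constructed routing table for the server-side LAN gateway to see whether 10.8.0.0/24 traffic is sent back to the OpenVPN server's LAN address. The gateway tables, the server LAN IP 192.168.0.240 and the helper names are assumptions of this example. It also reports whether `client-to-client` is enabled, since the poster does not want clients to see one another.

```python
import ipaddress
import shlex

# Server config as posted in the thread (only the routing-relevant lines).
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-to-client
keepalive 10 120
"""

# Constructed routing table of the server-side LAN gateway before the fix:
# (destination, next hop); None = directly connected, "wan" = the ISP link.
GATEWAY_ROUTES_BEFORE = [
    (ipaddress.ip_network("192.168.0.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]
# Same table after adding the return route the reply asks for
# ("route add -net 10.8.0.0/24 gw <server-IP>"), server-IP assumed 192.168.0.240.
GATEWAY_ROUTES_AFTER = GATEWAY_ROUTES_BEFORE + [
    (ipaddress.ip_network("10.8.0.0/24"), "192.168.0.240"),
]


def parse_openvpn_conf(text):
    """Return [(option, args)] from OpenVPN config text, dropping ';'/'#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing '# ...' comment
        if not line or line.startswith(";"):     # ';' comments out a whole line
            continue
        parts = shlex.split(line)                # keeps "route a b" as one argument
        entries.append((parts[0], parts[1:]))
    return entries


def tunnel_subnet(entries):
    """The address pool handed out by 'server <net> <mask>'."""
    for opt, args in entries:
        if opt == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}")
    raise ValueError("no 'server' directive found")


def pushed_lan_routes(entries):
    """Networks the server pushes to clients with push "route <net> <mask>"."""
    nets = []
    for opt, args in entries:
        if opt == "push" and args and args[0].startswith("route "):
            fields = args[0].split()
            nets.append(ipaddress.ip_network(f"{fields[1]}/{fields[2]}"))
    return nets


def gateway_next_hop(routes, dest):
    """Longest-prefix match: where does the gateway send traffic for 'dest'?"""
    best = None
    for net, hop in routes:
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def check_return_path(conf_text, gateway_routes, server_lan_ip):
    """Report whether replies from the server-side LAN can reach VPN clients."""
    entries = parse_openvpn_conf(conf_text)
    pool = tunnel_subnet(entries)
    hop = gateway_next_hop(gateway_routes, pool)
    return {
        "pool": str(pool),
        "pushed_lans": [str(n) for n in pushed_lan_routes(entries)],
        "gateway_sends_pool_to": hop,
        "return_route_ok": hop == server_lan_ip,
        "client_to_client": any(opt == "client-to-client" for opt, _ in entries),
    }


if __name__ == "__main__":
    for label, table in (("before", GATEWAY_ROUTES_BEFORE), ("after", GATEWAY_ROUTES_AFTER)):
        print(label, check_return_path(SERVER_CONF, table, "192.168.0.240"))
```

With the gateway table from before the fix, the pool falls through to the default route (`"wan"`), which is exactly why LAN hosts other than the OpenVPN server never answer; after the static route is added the lookup returns the server's LAN address. The access restriction the reply mentions (clients allowed to reach 192.168.0.13 but not the VPN server's own desktop) is not something this check can express; that stays a firewall rule on the server host.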

chrisatwork
OpenVpn Newbie
Posts: 5
Joined: Fri Apr 29, 2011 7:50 pm

Re: Guidance needed on windows setup please

Post by chrisatwork » Tue May 03, 2011 3:48 pm

Thank you Jan, that makes sense. I can't find anywhere in the setup for the BT home Hub 2 to set up static routes - the GW only seems to have port forwarding, so I will be swapping it out for a Netgear DG834G which does appear to allow that. If I have problems I will come back.

Just a couple of queries, the vpn tunnel is to allow client initiated remote desktop traffic on port 3389 and the audio stream on 8080. On the server lan gateway router (which is not the vpn server box) do I need to enable these ports or just 1194 for the vpn traffic on the 10.8.0.x subnet to the server.

The other point is: when multiple clients connect, does the one instance of openvpn on the server handle them all, or must I set up a separate instance for each individual client.

Many thanks

Christopher

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Guidance needed on windows setup please

Post by janjust » Tue May 03, 2011 3:59 pm

the vpn tunnel is to allow client initiated remote desktop traffic on port 3389 and the audio stream on 8080. On the server lan gateway router (which is not the vpn server box) do I need to enable these ports or just 1194 for the vpn traffic on the 10.8.0.x subnet to the server.
the GW only forwards VPN traffic to the VPN server, hence only port 1194 is needed; the VPN server needs to handle queries to ports 3389 and 8080
when multiple clients connect, does the one instance of openvpn on the server handle them all, or must I set up a separate instance for each individual client.
in client/server mode (when using certificates and the option 'server' and 'client') a single server instance can handle multiple clients.

chrisatwork
OpenVpn Newbie
Posts: 5
Joined: Fri Apr 29, 2011 7:50 pm

Re: Guidance needed on windows setup please

Post by chrisatwork » Wed May 11, 2011 3:37 pm

Hi Jan

I am still struggling with connection issues on xp pro boxes.

I changed the lan on which the server sits to 192.168.10.x from 0.x to avoid possible conflicts and can RD into the server, both on the tunnel IP of 10.8.0.1 and the server's lan address of 192.168.10.240, from client1 on a remote lan IP of 192.168.3.2.

I can then, from within the RD session, invoke another RD session on the server box to get to a machine on the 192.168.10.x lan.

I can also pull through the tunnel an audio stream on port 8080 originating from the server box.

From the client I can ping the server on the tunnel IP and on the server lan IP but cannot ping any other machines on the server lan.

The gateway for the server lan is a netgear DG834G v4 router on 192.168.10.254 and I have set up port forwarding of 1194 for udp and a static route with destination address of 10.8.0.0, mask of 255.255.255.0 and gateway address of 192.168.10.240 metric 2. There are no persistent routes set up on the server box.

What I need is for up to 4 clients, each with their own keys and certificates to be able to RD into either the server or other machines on the 192.168.10.x lan, and also pull a stream on port 8080 from one other lan machine as well as the stream on the server.

I tried putting push "redirect gateway", client-config-dir"<pathtodir>" and route 192.3.0 255.255.255.0 into the server config and created a ccd directory and client1 file containing one line: iroute 192.168.3.0 255.255.255.0, but this didn't work as I obviously have misunderstood what I have to do. (I tried to use the instructions from your cookbook, but as the examples are based around a linux os I guess I haven't got it right!).

Could you explain what I have to put in the server config, the client(s) configs, the gateway router and the individual machine route commands to get this to work. It is nearly there, but I am getting both "MULTI: bad source address from client..." and "Replay-window backtrack..." errors in the server log, which are meaningless to me.

Many thanks

Christopher

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Guidance needed on windows setup please

Post by janjust » Fri May 13, 2011 1:11 pm

I don't think you need 'client-config-dir' or 'iroute' to achieve what you want : the LANs behind the clients do not need to be visible to the server-side LAN.

Did you enable IP forwarding/routing on the (windows?) server; this can be done by setting the registry key


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter:DWORD =1
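The two log messages the poster quoted ("MULTI: bad source address from client ..." and "Replay-window backtrack occurred ...") can be triaged from the server's status/log output. The following is an added example, not code from the forum or from OpenVPN: it parses constructed log lines in the shape OpenVPN 2.x uses (timestamp, then `CN/ip:port`, then the message; all names, addresses and timestamps are made up here), groups the dropped packets by client and source address, and explains each drop against the tunnel pool and, optionally, a map of which LAN sits behind which client. The `triage` function and the `known_client_lans` argument are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample log lines; the client names, peers and addresses are made up.
SAMPLE_LOG = """\
Fri May 13 12:00:01 2011 client1/203.0.113.5:51234 MULTI: bad source address from client [192.168.3.2], packet dropped
Fri May 13 12:00:02 2011 client1/203.0.113.5:51234 MULTI: bad source address from client [192.168.3.7], packet dropped
Fri May 13 12:00:05 2011 client2/198.51.100.9:40000 Replay-window backtrack occurred [3]
Fri May 13 12:00:07 2011 client2/198.51.100.9:40000 MULTI: bad source address from client [10.8.0.6], packet dropped
Fri May 13 12:00:09 2011 client1/203.0.113.5:51234 Replay-window backtrack occurred [1]
Fri May 13 12:00:11 2011 client1/203.0.113.5:51234 MULTI: bad source address from client [192.168.3.2], packet dropped
"""

# "<24-char timestamp> <CN>/<peer ip:port> <message>"
PREFIX = r"^(?P<ts>.{24}) (?P<cn>[^/ ]+)/(?P<peer>\S+) "
BAD_SRC = re.compile(PREFIX + r"MULTI: bad source address from client \[(?P<src>[^\]]+)\], packet dropped")
BACKTRACK = re.compile(PREFIX + r"Replay-window backtrack occurred \[(?P<n>\d+)\]")


def triage(log_text, tunnel="10.8.0.0/24", known_client_lans=None):
    """Return (findings, backtrack_counts) for the two messages above.

    findings: one dict per (client, source address) with a count and a reason.
    backtrack_counts: how many out-of-order packets each client produced.
    """
    pool = ipaddress.ip_network(tunnel)
    lans = {cn: ipaddress.ip_network(n) for cn, n in (known_client_lans or {}).items()}
    bad_src = {}    # cn -> {src: count}
    backtrack = {}  # cn -> count

    for line in log_text.splitlines():
        m = BAD_SRC.match(line)
        if m:
            per_client = bad_src.setdefault(m["cn"], {})
            per_client[m["src"]] = per_client.get(m["src"], 0) + 1
            continue
        m = BACKTRACK.match(line)
        if m:
            backtrack[m["cn"]] = backtrack.get(m["cn"], 0) + 1

    findings = []
    for cn, srcs in bad_src.items():
        for src, count in srcs.items():
            addr = ipaddress.ip_address(src)
            if addr in pool:
                reason = ("source is a tunnel-pool address that is not this client's own; "
                          "check for a second client using the same address or certificate")
            elif cn in lans and addr in lans[cn]:
                reason = (f"source is in {cn}'s LAN {lans[cn]}: the client is forwarding LAN "
                          "traffic into the tunnel; either remove that route on the client "
                          "or give the server a ccd/iroute for that LAN")
            else:
                reason = ("source is neither the pool nor a known client LAN; the client is "
                          "routing unrelated traffic into the tunnel")
            findings.append({"cn": cn, "src": src, "count": count, "reason": reason})
    return findings, backtrack


if __name__ == "__main__":
    found, bt = triage(SAMPLE_LOG, known_client_lans={"client1": "192.168.3.0/24"})
    for f in found:
        print(f"{f['cn']} {f['src']} x{f['count']}: {f['reason']}")
    print("replay-window backtracks per client:", bt)
```

The "bad source address" drop is the server refusing a packet whose source it has no route entry for, which is why it appears together with attempts at `iroute`: the server only accepts a client's assigned pool address plus whatever `iroute` lines in its ccd file declare. The "Replay-window backtrack" message records a UDP packet that arrived after a packet with a higher sequence number; it is reordering rather than a replay, and is only worth attention when it is frequent on an otherwise healthy link.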
