yet another ping works - nothing else does

[ecodex]

Sorry as this seems to be a common problem but I couldn't find anything else that was similar to my problem.

My goal is simple - I have two windows machines and a VPS running openvpn. I have it setup and semi-working. The windows clients get an IP and I can ping one windows machine from another and get a reply. I can talk via TCP to the openvpn server.

However, attempting a TCP connection from one windows machine to another doesn't work.

My goal is to basically have these two (any any number of other clients) be able to talk to each other as if they were on the same LAN.

The VPS has an IP of 10.8.0.1 and has given out 10.8.0.2 and 10.8.0.3. Everything Im reading says a firewall issue but since my firewall is completely open, I don't know whats going on.



Here is the server config

Code: Select all

local VPS.PUBLIC.IP.HERE
port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/raxware.crt
key /etc/openvpn/easy-rsa/keys/raxware.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.8.0.0 255.255.255.0"
topology subnet
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
max-clients 5
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 4
mssfix 1200

iptables is installed by default and setup to be wide open (this will change once I get normal comm working)

Code: Select all

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Sample client side config

Code: Select all

client
dev tun
dev-node TAP
proto tcp
remote VPS.PUBLIC.IP.HERE 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert me.crt
key mekey
comp-lzo
verb 3

Here is the routing table from one of the machines

Code: Select all

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.99.1    172.20.99.162     20
         10.8.0.0    255.255.255.0         On-link          10.8.0.3    286
         10.8.0.3  255.255.255.255         On-link          10.8.0.3    286
       10.8.0.255  255.255.255.255         On-link          10.8.0.3    286
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      172.20.99.0    255.255.255.0         On-link     172.20.99.162    276
    172.20.99.162  255.255.255.255         On-link     172.20.99.162    276
    172.20.99.255  255.255.255.255         On-link     172.20.99.162    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     172.20.99.162    276
        224.0.0.0        240.0.0.0         On-link          10.8.0.3    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     172.20.99.162    276
  255.255.255.255  255.255.255.255         On-link          10.8.0.3    286
===========================================================================

ip_forward on server

Code: Select all

root@www:/etc/openvpn# cat /proc/sys/net/ipv4/ip_forward
1
root@www:/etc/openvpn#

Any ideas?

[maikcat]

hi there,

what windows version you have?


Michael.

[ecodex]

Hi Michael,
Both clients right now are Windows 7 x64

[maikcat]

i remember that janjust mentioned that win7 place tap adapter in "public"
network.

i think thats the reason why 7 drop incoming connections...

Michael.

[ecodex]

You are correct... didn't even notice that but thank you for thinking of it.

It appears that there is no convenient way to move the network adapter from an unidentified network to a home/work network that I could see. But if you go into "Windows Firewall with Advanced Security" and then click on "Windows Firewall Properties". Click on the "Public Profile" then hit the "Customize" button next to "Protected Network Connection" and uncheck your adapter.

Worked like a champ for me - thanks again!

[maikcat]

Glad to helped

Closing topic

Michael.