Access computers behind the openVPN Server

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.


Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
marc_al
OpenVpn Newbie
Posts: 11
Joined: Thu Oct 13, 2011 5:11 am

Access computers behind the openVPN Server

Post by marc_al » Thu Oct 13, 2011 5:26 am

Hello,

I am trying to install a VPN Server on one computer.
I want to be able to access every computer in the network on the VPN Server from one computer.

Here is an example of the network with the server
Network mask 255.255.255.0
VPN Server
192.168.123.25
Other computers in the network (only some of them as a lot of them are virtualised) :
192.168.123.30
192.168.123.44

On the second network (home) I have one computer with an IP address of 192.168.1.3 (through a router).
I want my computer 192.168.1.3 to be able to access any computer behind the VPN (so 192.168.123.25, but also 192.168.123.30 (44, 50...)).
The computer 192.168.123.25 is a domain controller so it is also a DHCP / DNS Server. Is it also possible to forward the DNS information to the client?
The tunnel is created but I have no access to the network 192.168.123.0/255.255.255.0.
What am I missing?
Thank you
Marc

Here are my config files (I have removed every line commented with # and kept the ones with ;):

Server :
;local a.b.c.d

port 1194

proto udp

dev tun

;dev-node MyTap

ca ca.crt
cert server.crt
key server.key # This file should be kept secret

dh dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

;server-bridge

push "route 192.168.123.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script

;push "redirect-gateway def1 bypass-dhcp"

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

;client-to-client

;duplicate-cn

keepalive 10 120

tls-auth ta.key 0 # This file is secret

;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

comp-lzo

;max-clients 100

;user nobody
;group nobody

persist-key
persist-tun

status openvpn-status.log

;log openvpn.log
;log-append openvpn.log

verb 3

;mute 20


Client :
client

;dev tap
dev tun

;dev-node MyTap

proto udp

remote SERVERIP_Adress 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite

nobind

persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

;mute-replay-warnings

ca ca.crt
cert client.crt
key client.key

ns-cert-type server

tls-auth ta.key 1

;cipher x

comp-lzo

verb 3

;mute 20

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Access computers behind the openVPN Server

Post by Mimiko » Thu Oct 13, 2011 6:26 am

Please show routing table from client when VPN is connected. Also show a tracert to 192.168.123.30.
Which Windows runs the OpenVPN server?

marc_al
OpenVpn Newbie
Posts: 11
Joined: Thu Oct 13, 2011 5:11 am

Re: Access computers behind the openVPN Server

Post by marc_al » Thu Oct 13, 2011 2:33 pm

Hello,

Thank you for your time

The server is a 2008Server R2 (x64)
For the tracert I have nothing :
C:\Users\Marc>tracert 192.168.123.30

Détermination de l'itinéraire vers 192.168.123.30 avec un maximum de 30 sauts.

1 * * * Délai d'attente de la demande dépassé.
2 * * * Délai d'attente de la demande dépassé.
3 * * * Délai d'attente de la demande dépassé.
4 * * * Délai d'attente de la demande dépassé.
5 ^C
C:\Users\Marc>tracert 192.168.123.25

Détermination de l'itinéraire vers 192.168.123.25 avec un maximum de 30 sauts.

1 * * * Délai d'attente de la demande dépassé.
2 * * * Délai d'attente de la demande dépassé.
3 * * * Délai d'attente de la demande dépassé.
4 * *



Here is the iptable


C:\Users\Marc>netstat -rn
===========================================================================
Liste d'Interfaces
18...00 ff ed 0f 94 11 ......TAP-Win32 Adapter V9
11...00 1e 8c 5c ec af ......Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
16...08 00 27 00 94 03 ......VirtualBox Host-Only Ethernet Adapter
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Carte Microsoft ISATAP
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Carte Microsoft ISATAP #2
17...00 00 00 00 00 00 00 e0 Carte Microsoft ISATAP #3
===========================================================================

IPv4 Table de routage
===========================================================================
Itinéraires actifs :
Destination réseau Masque réseau Adr. passerelle Adr. interface Métrique
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 10
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 30
10.8.0.4 255.255.255.252 On-link 10.8.0.6 286
10.8.0.6 255.255.255.255 On-link 10.8.0.6 286
10.8.0.7 255.255.255.255 On-link 10.8.0.6 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.3 266
192.168.1.3 255.255.255.255 On-link 192.168.1.3 266
192.168.1.255 255.255.255.255 On-link 192.168.1.3 266
192.168.56.0 255.255.255.0 On-link 192.168.56.1 276
192.168.56.1 255.255.255.255 On-link 192.168.56.1 276
192.168.56.255 255.255.255.255 On-link 192.168.56.1 276
192.168.123.0 255.255.255.0 10.8.0.5 10.8.0.6 30
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 192.168.1.3 266
224.0.0.0 240.0.0.0 On-link 10.8.0.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.56.1 276
255.255.255.255 255.255.255.255 On-link 192.168.1.3 266
255.255.255.255 255.255.255.255 On-link 10.8.0.6 286
===========================================================================
Itinéraires persistants :
Adresse réseau Masque réseau Adresse passerelle Métrique
212.71.0.11 255.255.255.255 192.168.123.254 1
212.71.16.196 255.255.255.255 192.168.123.254 1
===========================================================================

IPv6 Table de routage
===========================================================================
Itinéraires actifs :
If Metric Network Destination Gateway
1 306 ::1/128 On-link
16 276 fe80::/64 On-link
11 266 fe80::/64 On-link
18 286 fe80::/64 On-link
18 286 fe80::dcdf:220b:2faa:f054/128 On-link
11 266 fe80::e9a1:4185:2390:22f1/128 On-link
16 276 fe80::f512:5428:d506:28a1/128 On-link
1 306 ff00::/8 On-link
16 276 ff00::/8 On-link
11 266 ff00::/8 On-link
18 286 ff00::/8 On-link
===========================================================================
Itinéraires persistants :
Aucun

C:\Users\Marc>

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Access computers behind the openVPN Server

Post by Mimiko » Thu Oct 13, 2011 4:16 pm

I see. First, completely disable the firewall on the tun adapter on server and client.
On windows 2008 you must enable forwarding:
In Registry Editor, locate the following registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value Name: IPEnableRouter
Set the following registry value:
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1
A value of 1 enables TCP/IP forwarding for all network connections that are installed and used by this computer.

marc_al
OpenVpn Newbie
Posts: 11
Joined: Thu Oct 13, 2011 5:11 am

Re: Access computers behind the openVPN Server

Post by marc_al » Fri Oct 14, 2011 4:55 am

Hello,

I have tried with the parameter IPEnableRouter set to 1 and after that I have restarted the computer (virtual machine) and I have disabled the firewall for this interface (and completely in my computer) and it didn't work (after that I have disabled completely the firewall on the server too and it still didn't work). Even a tracert on 10.8.0.1 and 10.8.0.5 had the same result. Only 10.8.0.6 is working (my assigned IP address on the workstation) so it seems that the packet isn't leaving my computer at all.


Thank you
Marc

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Access computers behind the openVPN Server

Post by Mimiko » Fri Oct 14, 2011 7:34 am

How about:
ping 10.8.0.1 ?
What virtualization technology do you use?

marc_al
OpenVpn Newbie
Posts: 11
Joined: Thu Oct 13, 2011 5:11 am

Re: Access computers behind the openVPN Server

Post by marc_al » Fri Oct 14, 2011 7:44 am

Hello,

I use Hyper-V and I have made other tests and it seems that it is a problem with the tracert because I can directly RDP the IP 192.168.123.25 (it is the computer that has OpenVPN installed as a server)(I was not able to do it before). For the ping, the first packet is always lost, but the other ones are fine.

But I can still not ping / rdp / tracert any computer behind the OpenVPN Server (so it seems to me that the parameter IPEnableRouter is either not working or not enough with Win 2008R2).

EDIT :
I have made a test with
netsh interface ipv4 show interface l=verbose
and my 2 interfaces are enabled for the forward

Thank you
Marc

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Access computers behind the openVPN Server

Post by Mimiko » Fri Oct 14, 2011 8:05 am

Since you can enter remotely to 192.168.123.25, could you ping from it other servers?
I can test the setup only on Monday.

marc_al
OpenVpn Newbie
Posts: 11
Joined: Thu Oct 13, 2011 5:11 am

Re: Access computers behind the openVPN Server

Post by marc_al » Fri Oct 14, 2011 8:36 am

Hello,

I can ping with no problem from 192.168.123.25 (by RDP) to my other server (or any workstation behind), < 1 ms.

When I want to do a rdp 192.168.123.25, sometimes it doesn't work and I have to restart the RDP server.
Perhaps it is because when I need to access another computer, I use a PPTP connection as OpenVPN doesn't work correctly at the moment. I have also seen that enabling the service "Routing and Remote Access" doesn't help (but it is normal as it is said that there is a problem with this service and OpenVPN).

If you want to do some tests, the two servers (the real one 192.168.123.30 is also the hyper-v host).
The OpenVPN Server 192.168.123.25 is the domain controller and is virtual.
The firewalls have been deactivated for the tests.
Marc

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: Access computers behind the openVPN Server

Post by janjust » Fri Oct 14, 2011 8:39 am

if RDP over OpenVPN over UDP does not work then try adding


fragment 1300
to both client and server configs; restart the server and client and then try again.
If that works then you increase the 'fragment' parameter again (1300->1350->1400 etc) to optimize your VPN throughput

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Access computers behind the openVPN Server

Post by Mimiko » Fri Oct 14, 2011 8:43 am

Try this command:


netsh interface ipv4 set int "{interface name}" forwarding=enabled
{interface name} is i.e. "Local Area Connection", and set this for tun adapter and LAN adapter.
Disable any antivirus you have, maybe it have another firewall.
Search the internet on completely disabling the firewall on Win 2008.
Also disable the firewall from the console on the Hyper-V system .30.
In Windows 2008 disable the Routing and Remote Access service - it's incompatible with OpenVPN.

marc_al
OpenVpn Newbie
Posts: 11
Joined: Thu Oct 13, 2011 5:11 am

Re: Access computers behind the openVPN Server

Post by marc_al » Fri Oct 14, 2011 9:15 am

Hello,

I have used the command with no change

I have used the command netsh advfirewall set Allprofiles state off
Nothing changed too.

When I put the line fragment 1300, the connection has a stability problem and I can't rdp (the MTU is still 1500 in the log). I have restarted the server and after that the connection.
The service is disabled (it was only for a test that I put it on).
There is no antivirus on the servers

EDIT : For Hyper-v I see no parameter for firewall

Thank you again for your time
Marc

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Access computers behind the openVPN Server

Post by Mimiko » Fri Oct 14, 2011 9:32 am

OK. It's a routing problem not on the OpenVPN server, but on the LAN PCs including Hyper-V. It's because the OpenVPN server is not the default GW for the LAN computers. Read these two topics and find the answer:
topic8877.html
topic8922.html
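The asymmetric path Mimiko describes, as an added example that is not part of the thread: a small longest-prefix-match simulator over constructed routing tables modelled on the post (the net30 endpoint 10.8.0.5 is folded into the server, and the ISP box is given no route into 10.8.0.0/24). It shows the client reaching a LAN host through the forwarding server while the reply leaves via the default gateway and dies, and then the same reply succeeding once the LAN host has the route Marc later added.

```python
import copy
import ipaddress

# Constructed model of the thread's network, not the poster's real tables; the net30
# endpoint 10.8.0.5 is folded into the server. Entries are (prefix, gateway), None = on-link.
ADDRESSES = {
    "client":     {"192.168.1.3", "10.8.0.6"},
    "server":     {"192.168.123.25", "10.8.0.1", "10.8.0.5"},
    "lan_host":   {"192.168.123.30"},
    "isp_router": {"192.168.123.254"},
}
OWNER = {ip: host for host, ips in ADDRESSES.items() for ip in ips}
FORWARDS = {"server", "isp_router"}            # server has IPEnableRouter = 1
TABLES = {
    "client": [("0.0.0.0/0", "192.168.1.1"), ("10.8.0.4/30", None),
               ("192.168.123.0/24", "10.8.0.5")],      # pushed by the server
    "server": [("0.0.0.0/0", "192.168.123.254"), ("10.8.0.0/24", None),
               ("192.168.123.0/24", None)],
    "lan_host": [("0.0.0.0/0", "192.168.123.254"), ("192.168.123.0/24", None)],
    "isp_router": [("192.168.123.0/24", None)],        # knows nothing of 10.8.0.0/24
}

def lookup(table, dst):
    """Longest-prefix match; returns the gateway (None = on-link) or raises."""
    matches = [(ipaddress.ip_network(p).prefixlen, gw) for p, gw in table
               if dst in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0])[1]

def trace(src, dst_ip, tables=TABLES, max_hops=8):
    """Hand the packet from host to host until it is delivered or dropped."""
    dst = ipaddress.ip_address(dst_ip)
    host, path = src, [src]
    for _ in range(max_hops):
        if str(dst) in ADDRESSES[host]:
            return path, "delivered"
        if host != src and host not in FORWARDS:
            return path, "dropped: forwarding disabled"
        try:   # on-link routes hand the packet straight to the destination
            host = OWNER[lookup(tables[host], dst) or str(dst)]
        except LookupError:        # no route, or next hop is not a known host
            return path, "dropped: no usable route"
        path.append(host)
    return path, "dropped: hop limit"

def with_return_route(tables=TABLES):
    """Marc's fix on each LAN host: route add -p 10.8.0.0 mask 255.255.255.0 192.168.123.25"""
    fixed = copy.deepcopy(tables)
    fixed["lan_host"].append(("10.8.0.0/24", "192.168.123.25"))
    return fixed
```

Removing "server" from FORWARDS reproduces the earlier symptom in the thread (IPEnableRouter still 0): the forward path itself dies at the server.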

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: Access computers behind the openVPN Server

Post by janjust » Fri Oct 14, 2011 10:11 am

When I put the line fragment 1300, the connection has a stability problem and I can't rdp (the MTU is still 1500 in the log)
with 'fragment 1300' the connection is *LESS* stable? that is very odd; the MTU will remain 1500 in this case. If you want to change the MTU you would use


tun-mtu 1400
but on Windows Vista/7 you also need to set the adapter MTU using


netsh interface ipv4 set subinterface "<NUM>" mtu=1400
where "NUM" is the number of the tap-win32 subinterface. You can list the subinterfaces using


netsh interface ipv4 show subinterfaces

marc_al
OpenVpn Newbie
Posts: 11
Joined: Thu Oct 13, 2011 5:11 am

Re: Access computers behind the openVPN Server

Post by marc_al » Fri Oct 14, 2011 11:19 am

Hello,

Thanks a lot you are right it is a problem with the routing on the server side.

I have tried at first (for the computers with a fixed ip route add -p 10.8.0.0 mask 255.255.255.0 192.168.123.25)

and it is working. I will do a test later to see if it is fine when the computer restarts.

For the computers with DHCP enabled, I have added a router option in the DHCP server so I have 192.168.123.254 (the default one for Internet) and also 192.168.123.25 (in case I try to control it by RDP or anything else).
I have also added a static route (option 121 because the 249 is not enabled in 2008R2).
I am restarting the main server so in something like 30-40 minutes I will be able to see if it is persistent.
After that I will do a test without the static route, only with a second gateway.


EDIT : The Router parameter is useless. I had to add a static route 10.8.0.0 mask 255.255.255.0 192.168.123.25 (I did not need to check the box in the option).
I have added the static route in the server options and in the scope options
Thanks a lot again :)
Marc
Last edited by marc_al on Fri Oct 14, 2011 11:38 am, edited 1 time in total.
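As an added example, not from the thread: the static route Marc ended up pushing by DHCP, encoded into the RFC 3442 Classless Static Route layout that option 121 carries (the Microsoft option 249 he mentions uses the same layout), plus a decoder that rejects malformed payloads. The default route is included deliberately: RFC 3442 requires a client that receives option 121 to ignore the Router option (3), which is consistent with Marc's finding that the router parameter alone changed nothing.

```python
import ipaddress

# Constructed route list taken from the post: VPN subnet via the OpenVPN server,
# plus the existing default gateway so clients keep Internet access.
LAN_ROUTES = [("10.8.0.0/24", "192.168.123.25"), ("0.0.0.0/0", "192.168.123.254")]

def encode_option_121(routes):
    """RFC 3442 Classless Static Route payload (the option code and length byte
    that the DHCP server adds are not included). routes: [(CIDR, router), ...]"""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)              # strict: host bits must be zero
        n = (net.prefixlen + 7) // 8                   # only significant octets are sent
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)

def decode_option_121(payload):
    """Inverse of encode_option_121; raises ValueError on a truncated or bogus payload."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        n = (plen + 7) // 8
        dest, router = payload[i + 1:i + 1 + n], payload[i + 1 + n:i + 5 + n]
        if len(router) != 4:
            raise ValueError("truncated option 121 payload")
        net = ipaddress.IPv4Network((bytes(dest) + b"\0" * (4 - n), plen))
        routes.append((str(net), str(ipaddress.IPv4Address(bytes(router)))))
        i += 5 + n
    return routes

if __name__ == "__main__":
    payload = encode_option_121(LAN_ROUTES)
    print(payload.hex(":"))                            # what the DHCP option must contain
    print(decode_option_121(payload))
```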

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Access computers behind the openVPN Server

Post by Mimiko » Fri Oct 14, 2011 11:34 am

route add -p 10.8.0.0 mask 255.255.255.0 192.168.123.25
Yes, it will persist on restarts. But I would go with configuring not the individual PCs, but the default GW.
For the computers with DHCP enabled, I have added a router option in the DHCP server so I have 192.168.123.254 (the default one for Internet) and also 192.168.123.25 (in case I try to contro it by RDP or anything else)
I would like to see how you did this step by step. Because as I know, IP assigning by DHCP server does not imply setting routes on clients by some options.

marc_al
OpenVpn Newbie
Posts: 11
Joined: Thu Oct 13, 2011 5:11 am

Re: Access computers behind the openVPN Server

Post by marc_al » Fri Oct 14, 2011 5:44 pm

Hello,

I have been looking on the internet and I have seen this guide

http://tmgblog.richardhicks.com/2009/01 ... ic-routes/

If you can't read the link, I can create a document with print screens and send it to you.
My default gateway is the box of my ISP so I am not sure at all if I can change it. That is why I have chosen the DHCP path

Marc
