OpenVPN Newbie, configuration questions.

aquila
OpenVpn Newbie
Posts: 1
Joined: Fri Mar 23, 2012 3:17 pm

Post by aquila » Fri Mar 23, 2012 3:56 pm

Hello,

I am new to OpenVPN. I have successfully managed to build a VPN server and have a few clients running Windows 7 connected to it. The server is MS Win2k3 Std.

I have tried to get a client connected that is running MS Win2k3 Std; however, when I tried to connect it kept timing out with "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)", which I thought was a firewall issue, so I checked my Cisco firewall and added some rules, and still it kept coming back with the same error.

Anyway, after some head scratching I noticed that MS Routing and Remote Access was enabled. If I disable MS R&R, then my OpenVPN client connects and gets an IP address, but I cannot ping the VPN server or any other clients, and the server cannot ping that client, although it can ping all the others.

Please can you help.

Thanks in advance

Derek

Server Config
local x.x.x.x
port 1701
proto udp
dev tun
;dev-node MyTap
ca "C:\\OpenVPN\\Config\\ca.crt"
cert "C:\\OpenVPN\\Config\\xxx.crt"
key "C:\\OpenVPN\\Config\\xxx.key" # This file should be kept secret
dh "C:\\OpenVPN\\Config\\dh1024.pem"
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20

Client Config

client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote x.x.x.x 1701
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca "C:\\Program Files\\OpenVPN\\Config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\Config\\xxx.crt"
key "C:\\Program Files\\OpenVPN\\Config\\xxx.key"
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20

Client Log
Fri Mar 23 15:40:36 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Fri Mar 23 15:40:36 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Mar 23 15:40:37 2012 LZO compression initialized
Fri Mar 23 15:40:37 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Mar 23 15:40:37 2012 Socket Buffers: R=[8192->8192] S=[64512->64512]
Fri Mar 23 15:40:37 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 23 15:40:37 2012 Local Options hash (VER=V4): '41690919'
Fri Mar 23 15:40:37 2012 Expected Remote Options hash (VER=V4): '530fdded'
Fri Mar 23 15:40:37 2012 UDPv4 link local: [undef]
Fri Mar 23 15:40:37 2012 UDPv4 link remote: x.x.x.x:1701
Fri Mar 23 15:40:37 2012 TLS: Initial packet from x.x.x.x:1701, sid=474ba389 a9e2c6a5
Fri Mar 23 15:40:37 2012 VERIFY OK: depth=1, /C=UK/ST=abc/L=abc/O=abc/OU=abc/CN=abc/name=abc/emailAddress=abc@abc.co.uk
Fri Mar 23 15:40:37 2012 VERIFY OK: nsCertType=SERVER
Fri Mar 23 15:40:37 2012 VERIFY OK: depth=0, /C=UK/ST=abc/L=abc/O=ac/OU=abc/CN=abc/name=abc/emailAddress=abc@abc.co.uk
Fri Mar 23 15:40:38 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 23 15:40:38 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 23 15:40:38 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 23 15:40:38 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 23 15:40:38 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Mar 23 15:40:38 2012 [abc] Peer Connection Initiated with x.x.x.x:1701
Fri Mar 23 15:40:40 2012 SENT CONTROL [abc]: 'PUSH_REQUEST' (status=1)
Fri Mar 23 15:40:40 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.22 10.10.10.21'
Fri Mar 23 15:40:40 2012 OPTIONS IMPORT: timers and/or timeouts modified
Fri Mar 23 15:40:40 2012 OPTIONS IMPORT: --ifconfig/up options modified
Fri Mar 23 15:40:40 2012 OPTIONS IMPORT: route options modified
Fri Mar 23 15:40:40 2012 ROUTE default_gateway=10.0.4.101
Fri Mar 23 15:40:40 2012 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{4CB9FF3D-20C3-452E-BF11-B5B2CC07E1FE}.tap
Fri Mar 23 15:40:40 2012 TAP-Win32 Driver Version 9.9
Fri Mar 23 15:40:40 2012 TAP-Win32 MTU=1500
Fri Mar 23 15:40:40 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.10.22/255.255.255.252 on interface {4CB9FF3D-20C3-452E-BF11-B5B2CC07E1FE} [DHCP-serv: 10.10.10.21, lease-time: 31536000]
Fri Mar 23 15:40:40 2012 Successful ARP Flush on interface [196610] {4CB9FF3D-20C3-452E-BF11-B5B2CC07E1FE}
Fri Mar 23 15:40:45 2012 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Fri Mar 23 15:40:45 2012 C:\WINDOWS\system32\route.exe ADD 10.10.10.0 MASK 255.255.255.0 10.10.10.21
Fri Mar 23 15:40:45 2012 Route addition via IPAPI succeeded [adaptive]
Fri Mar 23 15:40:45 2012 Initialization Sequence Completed

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens, Greece

Re: OpenVPN Newbie, configuration questions.

Post by maikcat » Tue Mar 27, 2012 11:11 am

hi there,

Are you starting OpenVPN with admin rights?

If you issue a netstat -nr, do you see the appropriate routes?

Michael.
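One way to check maikcat's netstat -nr suggestion against what the server actually pushed, as an added example that is not part of this thread: it derives the routes a dev tun client with topology net30 should hold from the PUSH_REPLY in the client log above and reports any that the routing table lacks. The table rows are constructed sample input, and the parser assumes the five-column layout (Destination, Netmask, Gateway, Interface, Metric) of the Windows netstat -nr output.

```python
import ipaddress
# Constructed sample input (not the poster's real output): the PUSH_REPLY line from the log above, plus rows in the layout of Windows "netstat -nr".
PUSH_REPLY = ("PUSH_REPLY,route 10.10.10.0 255.255.255.0,topology net30,"
              "ping 10,ping-restart 120,ifconfig 10.10.10.22 10.10.10.21")
NETSTAT_NR = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.4.101       10.0.4.50      20
       10.10.10.0    255.255.255.0      10.10.10.21     10.10.10.22       1
      10.10.10.20  255.255.255.252      10.10.10.22     10.10.10.22      30
"""

def expected_routes(push_reply):
    """What a 'dev tun' net30 client should install: (local_ip, /30, [(net, gw)])."""
    local = remote = None
    pushed = []
    for opt in push_reply.split(",")[1:]:          # skip the leading 'PUSH_REPLY' word
        words = opt.split()
        if words[0] == "ifconfig":
            local, remote = words[1], words[2]
        elif words[0] == "route":
            pushed.append(words[1:])
    # net30: client address and its server-side peer share one /30 (10.10.10.20/30 here)
    p2p = ipaddress.ip_network(f"{local}/30", strict=False)
    assert ipaddress.ip_address(remote) in p2p, "ifconfig pair not in one /30 (not net30)"
    routes = []
    for r in pushed:
        net = ipaddress.ip_network(f"{r[0]}/{r[1]}", strict=False)
        gw = r[2] if len(r) > 2 else remote        # no explicit gateway: the peer is used
        routes.append((net, gw))
    return local, p2p, routes

def parse_netstat(text):
    """Rows of a Windows 'netstat -nr' table as (network, gateway, interface)."""
    rows = []
    for f in (ln.split() for ln in text.splitlines()):
        if len(f) == 5 and f[0][0].isdigit():
            rows.append((ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False), f[2], f[3]))
    return rows

def missing_routes(push_reply, netstat_text):
    """Expected routes that the routing table does not show (empty list = all present)."""
    local, p2p, routes = expected_routes(push_reply)
    rows = parse_netstat(netstat_text)
    missing = []
    if not any(n == p2p and i == local for n, _, i in rows):
        missing.append(f"on-link {p2p} on {local}")
    for net, gw in routes:
        if not any(n == net and g == gw for n, g, _ in rows):
            missing.append(f"{net} via {gw}")
    return missing
```

An empty result means the pushed routes are in place and the ping failure lies elsewhere (for instance in RRAS or the host firewall on the server side); a non-empty result points at the route installation itself, which on Windows needs the admin rights maikcat asks about.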
