Tunnel traffic through VPN Win7

fr33za
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 24, 2012 11:41 am

Tunnel traffic through VPN Win7

Post by fr33za » Tue Apr 24, 2012 11:51 am

hey guys.

I'm trying to build a VPN tunnel, so I can bypass firewall restrictions.
I want to tunnel all the traffic through the VPN server.
I did everything as described here: topic7806.html ..

Now my problem is that I can't access anything on the Internet when the connection is active..
I'm using Win7 on the Client and Server, and OpenVPN 2.2.2.
Firewalls and UAC are turned off.
I can ping the Server from the Client on the VPN (10.0.0.1) and WAN IP.

Thanks a lot in advance :)

Server config

port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0

ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\isa.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\isa.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"

push "redirect-gateway def1"

push "dhcp-option DNS 62.2.17.61"
push "dhcp-option DNS 62.2.24.158"
push "dhcp-option DNS 62.2.17.60"
push "dhcp-option DNS 62.2.24.162"

#the following commands are optional
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

Config on Client

client
dev tun
proto udp
remote 217.162.94.193 1194

resolv-retry infinite
nobind
persist-key
persist-tun


ca "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\matze.crt"
key "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\matze.key"
ns-cert-type server

register-dns
comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

route-method exe
route-delay 5 30

Log on Server:

Tue Apr 24 13:36:57 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Tue Apr 24 13:36:57 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 24 13:36:57 2012 Diffie-Hellman initialized with 1024 bit key
Tue Apr 24 13:36:57 2012 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 24 13:36:57 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 24 13:36:57 2012 ROUTE default_gateway=217.162.94.1
Tue Apr 24 13:36:57 2012 TAP-WIN32 device [LAN-Verbindung 4] opened: \\.\Global\{29293D0A-E1FB-4C73-A259-E0F7D9EA84AA}.tap
Tue Apr 24 13:36:57 2012 TAP-Win32 Driver Version 9.9 
Tue Apr 24 13:36:57 2012 TAP-Win32 MTU=1500
Tue Apr 24 13:36:57 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.1/255.255.255.252 on interface {29293D0A-E1FB-4C73-A259-E0F7D9EA84AA} [DHCP-serv: 10.0.0.2, lease-time: 31536000]
Tue Apr 24 13:36:57 2012 Sleeping for 10 seconds...
Tue Apr 24 13:37:07 2012 Successful ARP Flush on interface [27] {29293D0A-E1FB-4C73-A259-E0F7D9EA84AA}
Tue Apr 24 13:37:07 2012 C:\WINDOWS\system32\route.exe ADD 10.0.0.0 MASK 255.255.255.0 10.0.0.2
Tue Apr 24 13:37:07 2012 ROUTE: route addition failed using CreateIpForwardEntry: Das Objekt ist bereits vorhanden.   [status=5010 if_index=27]
Tue Apr 24 13:37:07 2012 Route addition via IPAPI failed [adaptive]
Tue Apr 24 13:37:07 2012 Route addition fallback to route.exe
Hinzufgen der Route fehlgeschlagen: Das Objekt ist bereits vorhanden.
Tue Apr 24 13:37:07 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr 24 13:37:07 2012 UDPv4 link local (bound): [undef]:1194
Tue Apr 24 13:37:07 2012 UDPv4 link remote: [undef]
Tue Apr 24 13:37:07 2012 MULTI: multi_init called, r=256 v=256
Tue Apr 24 13:37:07 2012 IFCONFIG POOL: base=10.0.0.4 size=62
Tue Apr 24 13:37:07 2012 Initialization Sequence Completed
Tue Apr 24 13:37:07 2012 MULTI: multi_create_instance called
Tue Apr 24 13:37:07 2012 217.162.95.79:49725 Re-using SSL/TLS context
Tue Apr 24 13:37:07 2012 217.162.95.79:49725 LZO compression initialized
Tue Apr 24 13:37:07 2012 217.162.95.79:49725 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 24 13:37:07 2012 217.162.95.79:49725 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr 24 13:37:07 2012 217.162.95.79:49725 Local Options hash (VER=V4): '530fdded'
Tue Apr 24 13:37:07 2012 217.162.95.79:49725 Expected Remote Options hash (VER=V4): '41690919'
Tue Apr 24 13:37:07 2012 217.162.95.79:49725 TLS: Initial packet from 217.162.95.79:49725, sid=730639b1 04fda61f
Tue Apr 24 13:37:07 2012 IPv6 in tun mode is not supported in OpenVPN 2.2
Tue Apr 24 13:37:07 2012 217.162.95.79:49725 VERIFY OK: depth=1, /C=CH/ST=ZH/L=Zurich/O=OpenVPN/OU=isabest/CN=nothing/name=isa/emailAddress=isa.tairi@gmx.ch
Tue Apr 24 13:37:07 2012 217.162.95.79:49725 VERIFY OK: depth=0, /C=CH/ST=ZH/L=Zurich/O=OpenVPN/OU=isabest/CN=matze/name=matze/emailAddress=isa.tairi@gmx.ch
Tue Apr 24 13:37:08 2012 217.162.95.79:49725 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 24 13:37:08 2012 217.162.95.79:49725 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 24 13:37:08 2012 217.162.95.79:49725 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 24 13:37:08 2012 217.162.95.79:49725 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 24 13:37:08 2012 217.162.95.79:49725 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 24 13:37:08 2012 217.162.95.79:49725 [matze] Peer Connection Initiated with 217.162.95.79:49725
Tue Apr 24 13:37:08 2012 matze/217.162.95.79:49725 MULTI: Learn: 10.0.0.6 -> matze/217.162.95.79:49725
Tue Apr 24 13:37:08 2012 matze/217.162.95.79:49725 MULTI: primary virtual IP for matze/217.162.95.79:49725: 10.0.0.6
Tue Apr 24 13:37:10 2012 matze/217.162.95.79:49725 PUSH: Received control message: 'PUSH_REQUEST'
Tue Apr 24 13:37:10 2012 matze/217.162.95.79:49725 SENT CONTROL [matze]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 62.2.17.61,dhcp-option DNS 62.2.24.158,dhcp-option DNS 62.2.17.60,dhcp-option DNS 62.2.24.162,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5' (status=1)

Log on Client

Tue Apr 24 13:37:00 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Tue Apr 24 13:37:00 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 24 13:37:00 2012 LZO compression initialized
Tue Apr 24 13:37:00 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 24 13:37:00 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 24 13:37:00 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr 24 13:37:00 2012 Local Options hash (VER=V4): '41690919'
Tue Apr 24 13:37:00 2012 Expected Remote Options hash (VER=V4): '530fdded'
Tue Apr 24 13:37:00 2012 UDPv4 link local: [undef]
Tue Apr 24 13:37:00 2012 UDPv4 link remote: 217.162.94.193:1194
Tue Apr 24 13:37:10 2012 TLS: Initial packet from 217.162.94.193:1194, sid=47b3c1a2 31132cdc
Tue Apr 24 13:37:10 2012 VERIFY OK: depth=1, /C=CH/ST=ZH/L=Zurich/O=OpenVPN/OU=isabest/CN=nothing/name=isa/emailAddress=isa.tairi@gmx.ch
Tue Apr 24 13:37:10 2012 VERIFY OK: nsCertType=SERVER
Tue Apr 24 13:37:10 2012 VERIFY OK: depth=0, /C=CH/ST=ZH/L=Zurich/O=OpenVPN/OU=isabest/CN=nothing/name=isa/emailAddress=isa.tairi@gmx.ch
Tue Apr 24 13:37:10 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 24 13:37:10 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 24 13:37:10 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 24 13:37:10 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 24 13:37:10 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 24 13:37:10 2012 [nothing] Peer Connection Initiated with 217.162.94.193:1194
Tue Apr 24 13:37:12 2012 SENT CONTROL [nothing]: 'PUSH_REQUEST' (status=1)
Tue Apr 24 13:37:12 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 62.2.17.61,dhcp-option DNS 62.2.24.158,dhcp-option DNS 62.2.17.60,dhcp-option DNS 62.2.24.162,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5'
Tue Apr 24 13:37:12 2012 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 24 13:37:12 2012 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 24 13:37:12 2012 OPTIONS IMPORT: route options modified
Tue Apr 24 13:37:12 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Apr 24 13:37:12 2012 ROUTE default_gateway=192.168.0.1
Tue Apr 24 13:37:13 2012 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{38735EB6-5BE1-415B-9A43-5FFA9CEB62A0}.tap
Tue Apr 24 13:37:13 2012 TAP-Win32 Driver Version 9.9 
Tue Apr 24 13:37:13 2012 TAP-Win32 MTU=1500
Tue Apr 24 13:37:13 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.6/255.255.255.252 on interface {38735EB6-5BE1-415B-9A43-5FFA9CEB62A0} [DHCP-serv: 10.0.0.5, lease-time: 31536000]
Tue Apr 24 13:37:13 2012 Successful ARP Flush on interface [38] {38735EB6-5BE1-415B-9A43-5FFA9CEB62A0}
Tue Apr 24 13:37:18 2012 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Apr 24 13:37:18 2012 C:\WINDOWS\system32\route.exe ADD 217.162.94.193 MASK 255.255.255.255 192.168.0.1
 OK!
Tue Apr 24 13:37:18 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.0.5
 OK!
Tue Apr 24 13:37:18 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.0.5
 OK!
Tue Apr 24 13:37:18 2012 C:\WINDOWS\system32\route.exe ADD 10.0.0.1 MASK 255.255.255.255 10.0.0.5
 OK!
Tue Apr 24 13:37:18 2012 Initialization Sequence Completed
Tue Apr 24 13:37:18 2012 Start net commands...
Tue Apr 24 13:37:18 2012 C:\WINDOWS\system32\net.exe stop dnscache
The DNS Client service is stopping.
The DNS Client service was stopped successfully.
Tue Apr 24 13:37:20 2012 C:\WINDOWS\system32\net.exe start dnscache
The DNS Client service is starting.
The DNS Client service was started successfully.
Tue Apr 24 13:37:22 2012 C:\WINDOWS\system32\ipconfig.exe /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
Tue Apr 24 13:37:22 2012 C:\WINDOWS\system32\ipconfig.exe /registerdns
Windows IP Configuration
Registration of the DNS resource records for all adapters of this computer has been initiated. Any errors will be reported in the Event Viewer in 15 minutes.
Tue Apr 24 13:37:26 2012 End net commands...

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Tunnel traffic through VPN Win7

Post by krzee » Tue Apr 24, 2012 2:11 pm

-the server needs ip forwarding enabled.
-the server needs to NAT the vpn subnet to its usual lan ip OR this could be done on the router instead.

hope that helps
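
Added example (not part of the thread, and not OpenVPN code): the client log in the first post shows the `redirect-gateway def1` routes being installed. This Python sketch replays those `route.exe ADD` lines with a longest-prefix match to confirm that Internet destinations already resolve to the VPN gateway 10.0.0.5, which leaves forwarding and NAT on the server as the open items. The function names and the sample destinations are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the route-related lines copied from the client log in this thread.
CLIENT_LOG = r"""
Tue Apr 24 13:37:12 2012 ROUTE default_gateway=192.168.0.1
Tue Apr 24 13:37:18 2012 C:\WINDOWS\system32\route.exe ADD 217.162.94.193 MASK 255.255.255.255 192.168.0.1
Tue Apr 24 13:37:18 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.0.5
Tue Apr 24 13:37:18 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.0.5
Tue Apr 24 13:37:18 2012 C:\WINDOWS\system32\route.exe ADD 10.0.0.1 MASK 255.255.255.255 10.0.0.5
"""

ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
DEFAULT_GW = re.compile(r"ROUTE default_gateway=(\S+)")


def parse_routes(log):
    """Return (network, gateway) pairs: the pre-VPN default route plus every route.exe ADD."""
    routes = []
    for line in log.splitlines():
        m = DEFAULT_GW.search(line)
        if m:
            routes.append((ipaddress.ip_network("0.0.0.0/0"), m.group(1)))
        m = ROUTE_ADD.search(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            routes.append((net, m.group(3)))
    return routes


def next_hop(routes, dest):
    """Longest-prefix match, as the IP stack does when picking a route."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, gw) for net, gw in routes if addr in net]
    return max(matches)[1] if matches else None


def redirect_active(routes, vpn_gw):
    """True if both def1 halves (0.0.0.0/1 and 128.0.0.0/1) point at the VPN gateway."""
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    return halves <= {net for net, gw in routes if gw == vpn_gw}


if __name__ == "__main__":
    table = parse_routes(CLIENT_LOG)
    print("def1 active:", redirect_active(table, "10.0.0.5"))
    for dest in ("8.8.8.8", "198.51.100.7", "217.162.94.193", "10.0.0.1"):
        print(dest, "->", next_hop(table, dest))
```

The two /1 routes win over the original 0.0.0.0/0 entry without deleting it, and the /32 host route keeps the encrypted UDP packets to the server on the physical gateway.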

fr33za
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 24, 2012 11:41 am

Re: Tunnel traffic through VPN Win7

Post by fr33za » Tue Apr 24, 2012 3:23 pm

krzee wrote:
-the server needs ip forwarding enabled.
-the server needs to NAT the vpn subnet to its usual lan ip OR this could be done on the router instead.

hope that helps

that should be done by enabling Internet Connection Sharing on the Server and enabling it for the VPN connection. :(
my server is directly connected to the WAN, there isn't any router between the server and internet.

fr33za
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 24, 2012 11:41 am

Re: Tunnel traffic through VPN Win7

Post by fr33za » Tue Apr 24, 2012 3:53 pm

can I somehow disable the DHCP in OpenVPN?
theoretically the Internet Connection Sharing should assign an IP Address

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Tunnel traffic through VPN Win7

Post by janjust » Wed Apr 25, 2012 10:57 am

set the tap-win32 adapter TCP/IPv4 properties to 'manual' - it will prevent the adapter from requesting a DHCP address.

fr33za
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 24, 2012 11:41 am

Re: Tunnel traffic through VPN Win7

Post by fr33za » Wed Apr 25, 2012 6:58 pm

I managed to get the DHCP Settings from the Internet Connection Sharing, I can access the Internet now while the VPN is open, but somehow I think the traffic isn't going through the tunnel. :(
When I let any website display my WAN IP, it's still showing the false one :(

I need to force the Client somehow to use the VPN Connection..
Still using Win7..

Any ideas?

Server.cfg

port 1194
proto udp
dev tap0
mode server
client-to-client
tls-server

ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\isa.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\isa.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"

push "redirect-gateway def1"

#the following commands are optional
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

Client

client
dev tap

proto udp
remote 217.162.94.193 1194

resolv-retry infinite
nobind
persist-key
persist-tun


ca "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\matze.crt"
key "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\matze.key"
ns-cert-type server

comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60
redirect-gateway def1

route-method exe
route-delay 5 30

ifconfig 255.255.255.0 255.255.255.252
ifconfig-noexec
ifconfig-nowarn
ip-win32 dynamic

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Tunnel traffic through VPN Win7

Post by Mimiko » Tue May 15, 2012 6:56 am

You can keep the initial configuration of OpenVPN, create another tun adapter, and share internet from the WAN to that new adapter. In Windows, any other adapters will share internet also, even if it is not specified.
