OpenVPN server on Windows 7 firewall issue

[bee_grmph]

Hello,

I used to run OpenVPN server on a Windows XP Pro PC, behind a ISP box with port forwarding.

I worked just fine and I could connect from several clients running Windows XP, Windows 7 or MacOS X.

I would like to upgrade my OpenVPN server to a Windows 7 Pro PC.

The installation ran fine. So far, I launched the GUI with the "right-clic-run-as-administrator-even-if-your-account-is-administrator" weird Vista/7 new feature. (I'll explore Service option later).

The client (MacOS X) connects to the OpenVPN server with no error message. BUT (!!!), no ping nor RdP between the client and the server.

I googled and found out it was a "Public Network/default gateway/Firewall" issue but didn't find any answer which allows to run the OpenVPN server and the Windows Firewall both. (If I disable the Windows Firewall, everything just works).

I'm not found of disabling the firewall... This machine is a laptop and can travel once in a while in the wild world of access points/wifi zones and other hackers playgrounds.

Any pointer or hint would be very appreciated.

Thanx a lot in advance.

[janjust]

it works if the firewall is disabled? then it's purely a firewalling issue; try adding a rule to the windows firewall to allow incoming traffic on the tap-win32 adapter; you can even disable firewalling on the tap-win32 adapter altogether.

[bee_grmph]

Oh man ! I owe you a beer....

In the previous testings, I disabled the Firewal on the tap win32 adapter BUT in the "Private" profile...

And the tap win32 adapter is considered as belonging to "Public" profile.

I disabled the firewall on the tap win32 interface in the "Public" profile... and everything's working fine.

Sorry for the noise and thanks a lot for the tip.

I let you close the topic ?

[janjust]

awesome...
topic's closed.

[gmaydude]

An easy fix for this issue is to change the TAP-Win32 network adapter media status to "Always Connected" from the default of "Application Controlled."

Network Connections-->(Right click on TAP-Win32 network adapter) Properties-->Configure...-->Advanced-->Media Status-->Always Connected

No need to change the firewall settings.

Works on Windows 8 RP

[OPENRESEARCH]

Hi,

I had this same issue and spent several hours researching this - PITA!

gmaydude, setting the device to always connected did not work for me - I get ugly errors with this and connection does not succeed.

bee_grmph, you should not disable the firewall for the vpn - the next big virus will spread much too quickly with all ports open! Never do this, if you did this in a company network, change it quickly before you get fired!

The only (for now) working solution is to generate a dummy default gateway for the vpn network, e.g. in the server config file write:

Code: Select all

push "route-metric 512" 
push "route 0.0.0.0 0.0.0.0"

Please look at the answer given by Steffen Oppel here:
http://serverfault.com/questions/60794/ ... nge-the-un

and read the linked discussion:
http://social.technet.microsoft.com/For ... 0c244e0de7

This seems to work reliably, I did not find any problems, but I am still not 100% sure.

Please do not think of me as disrespectful, but I have passed several really dark points in my research today and just want to make you aware of them:

- Yes, of course MS again is the source of these problems, however it took me much to long to solve this issue and I was a little bit disappointed not to find the solution in any openvpn howto - all beginner tutorials fail and leave you frustrated because of this stupid Windows firewall issue not beeing mentioned. It really should be in the FAQ!

- Disabling the firewall for any adapter should not be an option - you definitely want to keep not needed ports closed also in a "trusted" vpn (whatever this means) with client-to-client configuration, especially with windows clients you do not want to spread a virus in your network because it can connect to every machine on every port via your VPN - you should not give such advise to users and it should never be written in a book.

- This forum gives no search results for the words "firewall windows 7" ("too common words") - this is another level of frustration beeing put on users trying to solve a problem and it should be changed.

- Googling for "openvpn windows 7 firewall" I get this actual thread on position three - however, when I follow the link in the google search result page I find myself logged out of the forum - when I log in again, it does not redirect me back to the article, but shows the board index - and trying to search for the topic fails again because of the issue described above - extreme patience is needed to survive such annoyances extending an already painful research to pure torture...

It would be very appreciated if openvpn experts would like to review the solution provided by Steffen Oppel and confirm. And please put it into the FAQ and into the beginner howtos and also in the other tutorials for windows 7. And please check your forum config, could be much more comfortable...

Thank you very much for your attention!
John

[Rincewindwiz]

As another OpenVPN newbie (AND an MS greenhorn - unhelpful combination!!), I'd like to second OpenResearch's comments.

I cannot believe that 'Firewall' should be considered too common (or perhaps this is because OpenVPN and Firewalls its a problem lots of people have and search for !?)

But mostly:
* everyone running a VPN would like to keep their firewall intact
* how to do this is to be polite obscure and complex
* so
- why is it not part of the standard setup tutorial?
- why is it not in FAQ?
- but most of all why is it not searchable?

Also,
Network Connections-->(Right click on TAP-Win32 network adapter) Properties-->Configure...-->Advanced-->Media Status-->Always Connected
worked for me but it would be really good to have some clue as to why it works?!
Changing the Media status seems totally unrelated to firewall rules!!!

TFAI

Oh and thanks to those experts who provided the solution

[Rincewindwiz]

Oh Dear - spoke too soon.

Some time later (after the brief success described above) which probably involved a couple of reboots of the client PC, OPENVPN will no longer connect to the server. As soon as I switch off Windows (7) firewall, it connects no problem at all.

So I guess I'll have to try the more complicated solution described above.

[dimm0k]

Thank you for this! This whole public/work/home profile thing in Windows has its positives and LOTS of annoyances...

[LFNfan]

+1 OPENRESEARCH
+1 Steffen Oppel

the OpenVPN HowTo is great, and gives a heavy hint about Windows firewall issues, but I would have been so grateful 12 hours ago for an explicit reference to the need for:

Code: Select all

push "route-metric 512" 
push "route 0.0.0.0 0.0.0.0"

in my server config.ovpn

[syncord]

Hi,

I'd like to leave my contribution. See what worked on my case ... Windows 7 and Windows 8...

I spend a lot of time with this problem of client inbound conectivity.

Disabling the TAP interface on firewall works fine, buts it's almost the same of turn off firewall in the VPN context. The VPN machines are running in different security contexts and some can affect others.

I tried the configuration of "default gateway" what recognize the network as a "Work Network" (just in Win7, not on Win8), and nevertheless did not PING!

Manually add a "*NdisDeviceType" record in the registry also not worked in Win8.

So, seeing mindfully Windows Firewall configuration I saw another scope configurations rather than just profiles, so I tried run another service rather than PING and what was my surprise when it worked properly, even in "Unidentified Networks" and "Public Profile"!

So, I tried to isolate de PING problem, and the configuration that make it works was the following: The default Windows Firewall entry thats enable outside IPv4 PING is "File and Printer Sharing (Echo Request - ICMv4-In)", so in his properties, I clicked on "Scope", and in "Remote IP Address" I changed from "Local subnet" to "Any IP address", and this did make PING work.

Thanks,

Vítor

[fourwed]

I had a similar problem but none of the above solution works.

My OpenVPN server is installed in Windows 7. I use it to create a VPN tunnel from office so that all my Internet traffic could be bypassed and no one knows what I am surfing. My office has a proxy server and it blocks many ports, therefore, I have to use the following in server.opvn:

port 21
proto tcp
dev tap

With the windows firewall turned on in my Windows 7 server, the client could connect properly. However, I could not surf the Internet because it seems the connection is frequently disconnected and connected. If I ping my server's address 192.168.10.1, it response properly, then no connection, then response properly in a cycle. I have already added the openvpn.exe and openvpnserv.exe in the exemption list of inbound rules (allowed any ports in any incoming and outgoing addresses)

It is very strangle to me, the problem will be gone if both the private and public profile of my windows firewall are disabled.

[fourwed]

I have a similar problem but none of the solutions in the above helps.

My OpenVPN server is installed in Windows 7 and I connect it from my office so that all Internet traffic could be routed to my home and undetected by the network admin. Since my office uses proxy and blocks many ports, I use the following settings in the server's config (server.opvn):

port 21
proto tcp
dev tap

I am ABLE to connect with the Windows Firewall ON / OFF in the server. However, I could not surf the Internet with the Firewall ON.

Actually, I have to disable the Windows Firewall in Private and Public profile. Adding exemption for openvpn.exe and openvpnserv.exe (Any ports and Any addresses) in Inbound Rules does not work, Disable the firewall of Tap-Win32 also does not work. When I am not able to surf, I am also get unstable ping response to my server (192.168.10.1) and the OpenVPN connection seems disconnected and reconnected frequently.

Any idea?

[bigzdog]

Sorry to bump old topic but this was top result in Google for the issue.

The posted fix did not work for me immediately. My client log showed the following errors.

Code: Select all

Wed Dec 23 21:41:07 2015 us=199231 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: “route-metric (2.3.9)
Wed Dec 23 21:41:07 2015 us=200231 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: “route (2.3.9)

It did this until I removed the quotes from server config. So my server config had the same lines posted, just with quotes removed.

Code: Select all

push route-metric 512
push route 0.0.0.0 0.0.0.0

Not sure if something changed in new version of OpenVPN, but hopefully this saves someone some time.