VPN server behind NAT ?

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
LesleyChao
OpenVpn Newbie
Posts: 1
Joined: Fri Jul 19, 2013 10:47 pm

VPN server behind NAT ?

Post by LesleyChao » Fri Jul 19, 2013 10:52 pm

I am a newbie to VPN servers, but I want to set up a VPN server on a Windows box behind NAT and connect from an external PC to the server to route all the traffic.
Is it possible to create such a setup without editing router and firewall settings?

Thanks in advance.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: VPN server behind NAT ?

Post by maikcat » Sat Jul 20, 2013 9:25 am

Hello there,
but I want to set up a VPN server on a Windows box behind NAT
So you have a device (router?) which performs NAT and you want to set up a VPN server....
Is it possible to create such a setup without editing router and firewall settings?
Without editing router settings? :?

You do have to forward a port from your router to the OpenVPN server, you know...

& configure the firewall on it accordingly... ;)

Michael.
Amiga 500, ZX +2 owner
Long live Dino Dini (Kick Off 2 creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

binx
OpenVpn Newbie
Posts: 14
Joined: Tue Oct 22, 2013 12:32 pm

Re: VPN server behind NAT ?

Post by binx » Tue Oct 22, 2013 12:47 pm

maikcat wrote: Hello there,
but I want to set up a VPN server on a Windows box behind NAT
So you have a device (router?) which performs NAT and you want to set up a VPN server....
Is it possible to create such a setup without editing router and firewall settings?
Without editing router settings? :?

You do have to forward a port from your router to the OpenVPN server, you know...

& configure the firewall on it accordingly... ;)

Michael.
Can you help me? I have the same problem. My OpenVPN server is placed behind a router. I have forwarded the corresponding port, but the client cannot connect to the server.
Configuration on the server:

```
#dev tun
dev tap
dev-node tap-bridge
#proto tcp-server
proto udp

port 1194
tls-server
#server 192.168.2.100 255.255.255.0
server-bridge 192.168.2.0 255.255.255.0 192.168.2.240 192.168.2.254
push "route 0.0.0.0 255.255.255.255 net_gateway"
comp-lzo
```
I put the most essential part of the configuration.

```
dev tap
# dev-node "OpenVPN"
proto udp
#remote 62.220.59.181 1194
#remote 80.234.33.207 1194
#remote 192.168.1.100 1194
route-method exe
route-delay 3
client
tls-client
ns-cert-type server
nobind

ca C:\\OpenVPN\\ssl\\ca.crt
cert C:\\OpenVPN\\ssl\\client1.crt
key C:\\OpenVPN\\ssl\\client1.key
tls-auth C:\\OpenVPN\\ssl\\ta.key 1
comp-lzo
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping-restart 60
ping 10
status C:\\OpenVPN\\log\\openvpn-status.log
log C:\\OpenVPN\\log\\openvpn.log
verb 3
```

```
Tue Oct 22 16:37:02 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Tue Oct 22 16:37:02 2013 Need hold release from management interface, waiting...
Tue Oct 22 16:37:02 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Tue Oct 22 16:37:02 2013 MANAGEMENT: CMD 'state on'
Tue Oct 22 16:37:02 2013 MANAGEMENT: CMD 'log all on'
Tue Oct 22 16:37:02 2013 MANAGEMENT: CMD 'hold off'
Tue Oct 22 16:37:02 2013 MANAGEMENT: CMD 'hold release'
Tue Oct 22 16:37:05 2013 MANAGEMENT: CMD 'password [...]'
Tue Oct 22 16:37:05 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 22 16:37:05 2013 Control Channel Authentication: using 'C:\OpenVPN\ssl\ta.key' as a OpenVPN static key file
Tue Oct 22 16:37:05 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 22 16:37:05 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 22 16:37:05 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Oct 22 16:37:05 2013 UDPv4 link local: [undef]
Tue Oct 22 16:37:05 2013 UDPv4 link remote: [AF_INET]62.220.59.181:1194
Tue Oct 22 16:37:05 2013 MANAGEMENT: >STATE:1382445425,WAIT,,,
Tue Oct 22 16:37:05 2013 MANAGEMENT: >STATE:1382445425,AUTH,,,
Tue Oct 22 16:37:05 2013 TLS: Initial packet from [AF_INET]62.220.59.181:1194, sid=69af57b2 48adafc0
Tue Oct 22 16:37:05 2013 VERIFY OK: depth=1, C=RU, ST=Samara, L=Samara, O=Promsensor, CN=server, emailAddress=n.bil@promsensor.ru
Tue Oct 22 16:37:05 2013 VERIFY OK: nsCertType=SERVER
Tue Oct 22 16:37:05 2013 VERIFY OK: depth=0, C=RU, ST=Samara, O=Promsensor, CN=server, emailAddress=n.bil@promsensor.ru
Tue Oct 22 16:37:05 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 22 16:37:05 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 22 16:37:05 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 22 16:37:05 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 22 16:37:05 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Oct 22 16:37:05 2013 [server] Peer Connection Initiated with [AF_INET]62.220.59.181:1194
Tue Oct 22 16:37:06 2013 MANAGEMENT: >STATE:1382445426,GET_CONFIG,,,
Tue Oct 22 16:37:07 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 22 16:37:07 2013 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 255.255.255.255 net_gateway,route 192.168.2.0 255.255.255.0,route 192.168.1.0 255.255.255.0,route 192.168.2.100 255.255.255.255,route-gateway 192.168.2.0,ping 10,ping-restart 120,ifconfig 192.168.2.240 255.255.255.0'
Tue Oct 22 16:37:07 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 22 16:37:07 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 22 16:37:07 2013 OPTIONS IMPORT: route options modified
Tue Oct 22 16:37:07 2013 OPTIONS IMPORT: route-related options modified
Tue Oct 22 16:37:07 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Oct 22 16:37:07 2013 MANAGEMENT: >STATE:1382445427,ASSIGN_IP,,192.168.2.240,
Tue Oct 22 16:37:07 2013 open_tun, tt->ipv6=0
Tue Oct 22 16:37:07 2013 TAP-WIN32 device [openvpn] opened: \\.\Global\{E7B024E3-2BDC-4907-9DA8-3A3E810E61DA}.tap
Tue Oct 22 16:37:07 2013 TAP-Windows Driver Version 9.9
Tue Oct 22 16:37:07 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.2.240/255.255.255.0 on interface {E7B024E3-2BDC-4907-9DA8-3A3E810E61DA} [DHCP-serv: 192.168.2.0, lease-time: 31536000]
Tue Oct 22 16:37:07 2013 Successful ARP Flush on interface [22] {E7B024E3-2BDC-4907-9DA8-3A3E810E61DA}
Tue Oct 22 16:37:10 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:10 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:13 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:13 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:14 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:14 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:15 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:15 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:16 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:16 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:17 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:17 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:18 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:18 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:19 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:19 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:20 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:20 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:21 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:21 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:22 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:22 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:23 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:23 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:24 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:24 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:25 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:25 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:26 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:26 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:26 2013 Closing TUN/TAP interface
Tue Oct 22 16:37:26 2013 SIGTERM[hard,] received, process exiting
Tue Oct 22 16:37:26 2013 MANAGEMENT: >STATE:1382445446,EXITING,SIGTERM,,
```
What is my problem?
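Reading the posted client log stage by stage, as an added example that is not part of this thread or of the OpenVPN project: "Peer Connection Initiated" and the PUSH_REPLY show that UDP reached the server through the router and the TLS handshake completed, while the repeated "TEST ROUTES ... u/d=down" lines show the TAP adapter never came up; the pushed route-gateway 192.168.2.0 is also the network address of the pushed 192.168.2.240/255.255.255.0. The script below encodes those checks; the sample log is a constructed excerpt of the lines above, and the stage strings and verdict wording are my own assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the client log posted in this thread (same lines, shortened).
SAMPLE_LOG = """\
Tue Oct 22 16:37:05 2013 UDPv4 link remote: [AF_INET]62.220.59.181:1194
Tue Oct 22 16:37:05 2013 [server] Peer Connection Initiated with [AF_INET]62.220.59.181:1194
Tue Oct 22 16:37:07 2013 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 255.255.255.255 net_gateway,route-gateway 192.168.2.0,ifconfig 192.168.2.240 255.255.255.0'
Tue Oct 22 16:37:10 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Tue Oct 22 16:37:10 2013 Route: Waiting for TUN/TAP interface to come up...
Tue Oct 22 16:37:26 2013 SIGTERM[hard,] received, process exiting
"""

def triage(log: str) -> dict:
    """Classify how far an OpenVPN client got and flag an unusable pushed gateway."""
    result = {
        # A completed handshake means the UDP port forward and firewall are fine.
        "reached_server": "Peer Connection Initiated" in log,
        "got_push_reply": "PUSH_REPLY" in log,
        # OpenVPN reports the adapter state as u/d=up or u/d=down on Windows.
        "adapter_up": bool(re.search(r"TEST ROUTES: .*u/d=up", log)),
        "adapter_timeout": "Waiting for TUN/TAP interface" in log,
        "bad_gateway": None,
        "verdict": "",
    }
    # Pull the pushed ifconfig and route-gateway out of the PUSH_REPLY, if present.
    m_if = re.search(r"ifconfig (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", log)
    m_gw = re.search(r"route-gateway (\d+\.\d+\.\d+\.\d+)", log)
    if m_if and m_gw:
        net = ipaddress.ip_network(f"{m_if.group(1)}/{m_if.group(2)}", strict=False)
        gw = ipaddress.ip_address(m_gw.group(1))
        # A gateway equal to the network or broadcast address cannot be used.
        result["bad_gateway"] = gw in (net.network_address, net.broadcast_address)
    if not result["reached_server"]:
        result["verdict"] = "no handshake: check the router port forward and firewall"
    elif result["adapter_timeout"] and not result["adapter_up"]:
        result["verdict"] = "handshake OK; TAP adapter never came up (local adapter or pushed config)"
    else:
        result["verdict"] = "connected"
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```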

alexev
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 01, 2013 7:06 pm

Re: VPN server behind NAT ?

Post by alexev » Tue Oct 22, 2013 2:42 pm

binx wrote: Can you help me? I have the same problem. My OpenVPN server is placed behind a router. I have forwarded the corresponding port, but the client cannot connect to the server.
Configuration on the server:
If your OpenVPN is placed behind a router you need to open the necessary ports in the router configuration; your server may be listening on port 1195, but the incoming connections will go first to the router, which needs to allow those connections and forward/NAT them to your OpenVPN server.

binx
OpenVpn Newbie
Posts: 14
Joined: Tue Oct 22, 2013 12:32 pm

Re: VPN server behind NAT ?

Post by binx » Tue Oct 22, 2013 3:01 pm

alexev wrote:
binx wrote: Can you help me? I have the same problem. My OpenVPN server is placed behind a router. I have forwarded the corresponding port, but the client cannot connect to the server.
Configuration on the server:
If your OpenVPN is placed behind a router you need to open the necessary ports in the router configuration; your server may be listening on port 1195, but the incoming connections will go first to the router, which needs to allow those connections and forward/NAT them to your OpenVPN server.
But how can I recognize the ports that are needed for new connections from clients? Maybe there are some options in the client configuration or server configuration?

alexev
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 01, 2013 7:06 pm

Re: VPN server behind NAT ?

Post by alexev » Tue Oct 22, 2013 3:31 pm

binx wrote:
alexev wrote:
binx wrote: Can you help me? I have the same problem. My OpenVPN server is placed behind a router. I have forwarded the corresponding port, but the client cannot connect to the server.
Configuration on the server:
If your OpenVPN is placed behind a router you need to open the necessary ports in the router configuration; your server may be listening on port 1195, but the incoming connections will go first to the router, which needs to allow those connections and forward/NAT them to your OpenVPN server.
But how can I recognize the ports that are needed for new connections from clients? Maybe there are some options in the client configuration or server configuration?
Your config says the server is listening on port 1194, but unless the server itself has 1-to-1 IP addressing, your clients are going to connect to the public IP of the router asking for that port.

Your router needs to know that when it receives an incoming connection to (for example) 65.40.50.4:1194 it must pass it (NATed) to your OpenVPN server on the same port.

I do not have much experience configuring such things in Windows environments so I cannot tell you exactly how to do it :( (iptables FTW)

binx
OpenVpn Newbie
Posts: 14
Joined: Tue Oct 22, 2013 12:32 pm

Re: VPN server behind NAT ?

Post by binx » Tue Oct 22, 2013 7:33 pm

alexev wrote:
binx wrote:
alexev wrote: If your OpenVPN is placed behind a router you need to open the necessary ports in the router configuration; your server may be listening on port 1195, but the incoming connections will go first to the router, which needs to allow those connections and forward/NAT them to your OpenVPN server.
But how can I recognize the ports that are needed for new connections from clients? Maybe there are some options in the client configuration or server configuration?

Your config says the server is listening on port 1194, but unless the server itself has 1-to-1 IP addressing, your clients are going to connect to the public IP of the router asking for that port.

Your router needs to know that when it receives an incoming connection to (for example) 65.40.50.4:1194 it must pass it (NATed) to your OpenVPN server on the same port.

I do not have much experience configuring such things in Windows environments so I cannot tell you exactly how to do it :( (iptables FTW)
Yes, I have done it. I configured my router so that it forwards incoming packets to the OpenVPN server on port 1194, but I think the packets don't reach it. I don't know why.
