[Resolved] n00b with standard problems!

jamwatn
OpenVpn Newbie
Posts: 7
Joined: Thu Sep 19, 2013 6:50 pm

Post by jamwatn » Thu Sep 19, 2013 7:09 pm

Hi!
I'm a total n00b with OpenVPN. It's taken a good week or so to actually get to the stage where I have sort of started to understand it! Believe it or not there are many guides but not greatly descriptive ones.
Anyway I'm using OpenVPN with the GUI and I've got to the stage where both Client and server are connecting.
However I cannot ping from either system.
I appreciate there must be many, many threads like this; I just don't know where to start.

Log from Client is the only one with errors:

Thu Sep 19 19:39:56 2013 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Enter Management Password:
Thu Sep 19 19:39:56 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Sep 19 19:39:56 2013 Need hold release from management interface, waiting...
Thu Sep 19 19:39:56 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Sep 19 19:39:56 2013 MANAGEMENT: CMD 'state on'
Thu Sep 19 19:39:56 2013 MANAGEMENT: CMD 'log all on'
Thu Sep 19 19:39:56 2013 MANAGEMENT: CMD 'hold off'
Thu Sep 19 19:39:56 2013 MANAGEMENT: CMD 'hold release'
Thu Sep 19 19:39:56 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Sep 19 19:39:56 2013 UDPv4 link local: [undef]
Thu Sep 19 19:39:56 2013 UDPv4 link remote: [AF_INET]86.3.21.92:1194
Thu Sep 19 19:39:56 2013 MANAGEMENT: >STATE:1379615996,WAIT,,,
Thu Sep 19 19:39:56 2013 MANAGEMENT: >STATE:1379615996,AUTH,,,
Thu Sep 19 19:39:56 2013 TLS: Initial packet from [AF_INET]86.3.21.92:1194, sid=e0cfad21 10f7aada
Thu Sep 19 19:39:56 2013 VERIFY OK: depth=1, C=UK, ST=SU, L=IPSWICH, O=OpenVPN, OU=changeme, CN=changeme, name=changeme, emailAddress=xxxxxxx@gmail.com
Thu Sep 19 19:39:56 2013 VERIFY OK: nsCertType=SERVER
Thu Sep 19 19:39:56 2013 VERIFY OK: depth=0, C=UK, ST=SU, L=IPSWICH, O=OpenVPN, OU=changeme, CN=changeme, name=changeme, emailAddress=xxxxxxx@gmail.com
Thu Sep 19 19:39:57 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 19 19:39:57 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 19 19:39:57 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 19 19:39:57 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 19 19:39:57 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Sep 19 19:39:57 2013 [changeme] Peer Connection Initiated with [AF_INET]86.3.21.92:1194
Thu Sep 19 19:39:58 2013 MANAGEMENT: >STATE:1379615998,GET_CONFIG,,,
Thu Sep 19 19:39:59 2013 SENT CONTROL [changeme]: 'PUSH_REQUEST' (status=1)
Thu Sep 19 19:39:59 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Sep 19 19:39:59 2013 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 19 19:39:59 2013 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 19 19:39:59 2013 OPTIONS IMPORT: route options modified
Thu Sep 19 19:39:59 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Sep 19 19:39:59 2013 MANAGEMENT: >STATE:1379615999,ASSIGN_IP,,10.8.0.6,
Thu Sep 19 19:39:59 2013 open_tun, tt->ipv6=0
Thu Sep 19 19:39:59 2013 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{8DC9538B-03FC-40D1-9EB6-9242100DE563}.tap
Thu Sep 19 19:39:59 2013 TAP-Windows Driver Version 9.9
Thu Sep 19 19:39:59 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {8DC9538B-03FC-40D1-9EB6-9242100DE563} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Sep 19 19:39:59 2013 NOTE: FlushIpNetTable failed on interface [20] {8DC9538B-03FC-40D1-9EB6-9242100DE563} (status=5) : Access is denied.
Thu Sep 19 19:40:04 2013 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Sep 19 19:40:04 2013 MANAGEMENT: >STATE:1379616004,ADD_ROUTES,,,
Thu Sep 19 19:40:04 2013 C:\windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Thu Sep 19 19:40:04 2013 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=20]
Thu Sep 19 19:40:04 2013 Route addition via IPAPI failed [adaptive]
Thu Sep 19 19:40:04 2013 Route addition fallback to route.exe
Thu Sep 19 19:40:04 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Sep 19 19:40:04 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Sep 19 19:40:04 2013 Initialization Sequence Completed
Thu Sep 19 19:40:04 2013 MANAGEMENT: >STATE:1379616004,CONNECTED,SUCCESS,10.8.0.6,86.3.21.92

Hope someone can help! Please ask for more info!
Last edited by debbie10t on Tue Feb 11, 2014 3:47 pm, edited 1 time in total.
Reason: [Resolved / closed]

Re: n00b with standard problems!

Post by jamwatn » Thu Sep 19, 2013 8:19 pm

Just an update... I can now ping the server! And the client from the server... I just can't see the network on either client or server machine?
The client is 192.168.0.x and the server the same... do I have issues because I'm not pushing things onto it from 10.8.0.x?

raptorjp
OpenVPN User
Posts: 31
Joined: Sun Sep 08, 2013 8:05 pm

Re: n00b with standard problems!

Post by raptorjp » Fri Sep 20, 2013 2:30 am

Route addition failed?
Try running the server/client as admin

Re: n00b with standard problems!

Post by jamwatn » Fri Sep 20, 2013 8:58 am

I've run it in admin and corrected that error.
How do I see shares on each machine? I can ping from each end but not seem to get the networks to talk?

Re: n00b with standard problems!

Post by jamwatn » Fri Sep 20, 2013 11:35 am

Another update.. I can get through the tunnel with VNC where I have set up a server to use the machine remotely. So it can't be a problem with connectivity because it works fine it just must be the different networks not being able to see each other..any ideas??

Re: n00b with standard problems!

Post by jamwatn » Fri Sep 20, 2013 11:37 am

Is it because both networks on either side of the tunnel have the same 192.168.0.X setup??

Re: n00b with standard problems!

Post by jamwatn » Fri Sep 20, 2013 12:14 pm

Replying to myself here haha! :lol:
To combat possible conflicts etc. I've given
server network IPs: 192.168.0.X
Server ovpn IP: 10.8.0.1
client network IPs: 192.168.10.X
client ovpn IP: 10.8.0.6

Might help diagnose? I can't ping the server network IP from the client side of the tunnel.

Re: n00b with standard problems!

Post by raptorjp » Fri Sep 20, 2013 4:07 pm

jamwatn wrote: I've run it in admin and corrected that error.
How do I see shares on each machine? I can ping from each end but not seem to get the networks to talk?

It depends if you have your vpn setup in bridge mode (dev tap) or tunnel mode (dev tun). Bridging will allow the shares to become immediately available with little setup as it puts your clients on the same subnet as the server.

Tunneling requires that you push routes (or manually create them) on both ends. Then you only have access via ip addresses of your shares not DNS names (that is a separate push).

Re: n00b with standard problems!

Post by raptorjp » Fri Sep 20, 2013 4:09 pm

jamwatn wrote: Is it because both networks on either side of the tunnel have the same 192.168.0.X setup??

This can cause issues (at least I have found). I always give every local and vpn a different subnet. If I am connecting two remote subnets via a vpn then I make sure that one is something like 192.168.1.0/24 and the other is 192.168.2.0/24 and the vpn is 192.168.3.0/24, etc.

That way there is no confusion when a client tries to communicate which network it is intended for.

Re: n00b with standard problems!

Post by raptorjp » Fri Sep 20, 2013 4:13 pm

jamwatn wrote: Replying to myself here haha! :lol:
To combat possible conflicts etc. I've given
server network IPs: 192.168.0.X
Server ovpn IP: 10.8.0.1
client network IPs: 192.168.10.X
client ovpn IP: 10.8.0.6
Might help diagnose? I can't ping the server network IP from the client side of the tunnel.

My guess is that it is a firewall or a routing issue.

Are you trying to ping just the server or another machine on the server's network with the client?

Re: n00b with standard problems!

Post by jamwatn » Fri Sep 20, 2013 5:17 pm

Right thanks for the replies! I've managed to access the shares but with using the IP of the server on the OpenVPN rather than its address on the other network.
Is Bridged more difficult to set up than routed because that sounds appealing if you easily see all the shares.

Re: n00b with standard problems!

Post by raptorjp » Mon Sep 23, 2013 10:06 pm

jamwatn wrote: Right thanks for the replies! I've managed to access the shares but with using the IP of the server on the OpenVPN rather than its address on the other network.
Is Bridged more difficult to set up than routed because that sounds appealing if you easily see all the shares.

It sounds like you need to set up routing on the tunnel.

So you are doing something like this \\myopevpnserverip\shared_folder?

Both end points need a route back to each other, either on the individual machines or on the routers.

For instance, I use the push directive in my server config to add the route on the client machine when it connects
;push "route 192.168.10.0 255.255.255.0"
where 192.168.10.0/24 is your server's local ip address.
You can achieve the same effect by adding the route directly (e.g., route add 192.168.10.0 ...) on the client.

Then I add a static route on the server's router (10.0.8.0/24 with the gateway pointing to the openvpn server machine). You can do this on each individual client as well separately. But if you add it on the router, every machine on the network will use that route back to the client.

You also need to make sure that the openvpn server machine is setup for ip forwarding/routing. In windows it is a registry setting.

You combine this with a firewall to prevent access to and from certain machines (on the vpn server).

Bridging is fairly easy to setup (dev tap) and if you are the only one using the vpn network sometimes it is the easiest to use (e.g., you are connecting to your home network). It basically assigns your remote client an ip address from the same network as your server.
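
The three causes raised in this thread (route installation denied on the client, the same subnet on both LANs, and no pushed route for the server's LAN) can be checked mechanically from the client log. The following is an added example, not part of the original posts or of OpenVPN; the function names and finding labels are hypothetical, the log lines are copied from the first post, and the /24 LAN prefixes are an assumption based on the 192.168.0.X and 192.168.10.X addresses given above.

```python
import ipaddress
import re

# Constructed sample: four relevant lines copied from the client log in the first post.
SAMPLE_LOG = r"""
Thu Sep 19 19:39:59 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Sep 19 19:40:04 2013 C:\windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Thu Sep 19 19:40:04 2013 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=20]
Thu Sep 19 19:40:04 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
"""

def pushed_routes(log):
    """Networks named by 'route <net> [mask]' options in each PUSH_REPLY."""
    nets = []
    for reply in re.findall(r"'PUSH_REPLY,([^']*)'", log):
        for opt in reply.split(","):
            parts = opt.split()
            if len(parts) < 2 or parts[0] != "route":
                continue
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            try:
                nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
            except ValueError:
                pass  # keyword targets such as vpn_gateway are skipped
    return nets

def diagnose(log, server_lan, client_lan):
    """Findings that explain why the server LAN is unreachable from the client."""
    server_lan = ipaddress.ip_network(server_lan)
    client_lan = ipaddress.ip_network(client_lan)
    findings = []
    if re.search(r"route add(ition| command) failed", log):
        # status=5 / "Access is denied" means the client lacked admin rights
        denied = "Access is denied" in log
        findings.append("route-add-denied" if denied else "route-add-failed")
    if server_lan.overlaps(client_lan):
        findings.append("lan-overlap")  # same subnet on both sides of the tunnel
    if not any(server_lan.subnet_of(n) for n in pushed_routes(log)):
        findings.append("no-route-to-server-lan")  # server pushed no LAN route
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "192.168.0.0/24", "192.168.0.0/24"))
    print(diagnose(SAMPLE_LOG, "192.168.0.0/24", "192.168.10.0/24"))
```

Renumbering the client LAN clears only the overlap finding; the other two remain until the client runs elevated and the server pushes a route that covers its own LAN.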
