See all machines on the servers network?

charmander
OpenVpn Newbie
Posts: 16
Joined: Sat Oct 05, 2013 10:20 pm

Post by charmander » Sun Oct 06, 2013 2:44 am

Hello,

I have successfully set up an OpenVPN server on a second computer; I could never get it to work on a ddwrt router. Anyway, I am able to make the connection successfully from a client, but now I am trying to make it possible to see all machines on the server's network, as well as have all traffic pass through the VPN.

I am trying the following to achieve this:

push "redirect-gateway def1"
and - push route "192.168.1.0 255.255.255.0" - (server's network)


I have used the directions on the openvpn site http://openvpn.net/index.php/open-sourc ... html#scope.

Still not working.

Here is my server config:

proto udp
dev tun
ca "C:\\program files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\program files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\program files\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\program files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push route "192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3


This is my client config:

client
dev tun
proto udp
remote xxxx.xxxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"
ns-cert-type server
comp-lzo
verb 5

Do I need to set up a static route in the router?
I tried bridging the local area connection with the TAP vpn interface, but that didn't work at all.

Any suggestions would be much appreciated.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Post by maikcat » Sun Oct 06, 2013 12:26 pm

your server is Windows based,

did you enable ip forwarding on it?
is RAS enabled?

> Do I need to setup a static route in the router?

you need to add a static route for the vpn subnet to the device which is used
as the default gateway to your lan pcs.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

Post by charmander » Sun Oct 06, 2013 2:36 pm

Thanks for your reply.

The server is a Windows XP pro computer, there is no RAS.
I have a port forward rule in the router to direct port 1194 to this computer.
The VPN connection is successful, I just can't see the machines on the server's network, or get the traffic to go through the VPN tunnel.

Here is what I will attempt at the static route:

Route Name - DDWRT
Metric - 0
Destination LAN NET - 10.8.0.0 (vpn subnet)
Subnet Mask - 255.255.255.0
Gateway -
Interface - LAN & WLAN
choices - LAN & WLAN, WAN, ANY, eth0, eth1, vlan0

Should the gateway be the server LAN gateway?

Thanks for your help
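
The return path that such a static route fixes, modelled as an added example (not part of the thread): a reply from a LAN PC to a VPN client is traced through each device's routing table, with and without a 10.8.0.0/24 route on the LAN's default gateway. The router, server and PC addresses and the client address 10.8.0.6 are assumptions made for the illustration.

```python
import ipaddress

# Assumed addressing (not from the thread): router 192.168.1.1,
# OpenVPN server LAN address 192.168.1.50, LAN PC 192.168.1.105.
VPN_NET = "10.8.0.0/24"
LAN_NET = "192.168.1.0/24"
ROUTER, VPN_SERVER, LAN_PC = "192.168.1.1", "192.168.1.50", "192.168.1.105"


def lookup(table, dst):
    """Longest-prefix match; returns the next hop ('direct' = on-link)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), hop) for net, hop in table
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def trace_reply(tables, src, dst, max_hops=8):
    """Follow a reply packet from src towards dst through the given tables."""
    path, node = [src], src
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop == "direct":
            path.append(dst)  # delivered on an attached network
            return path
        if hop is None or hop not in tables:
            path.append(hop or "no route")  # leaves the modelled network
            return path
        path.append(hop)
        node = hop
    return path


def build_tables(static_route_on_router):
    router = [(LAN_NET, "direct"), ("0.0.0.0/0", "WAN")]
    if static_route_on_router:
        # The static route's gateway is the OpenVPN server's LAN address.
        router.append((VPN_NET, VPN_SERVER))
    return {
        LAN_PC: [(LAN_NET, "direct"), ("0.0.0.0/0", ROUTER)],
        ROUTER: router,
        # Routed setup: the server forwards between the LAN and the tunnel.
        VPN_SERVER: [(LAN_NET, "direct"), (VPN_NET, "direct")],
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print(enabled, trace_reply(build_tables(enabled), LAN_PC, "10.8.0.6"))
```

Without the route the reply leaves through the WAN default route and never reaches the tunnel; with it the router hands the packet to the OpenVPN server.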

Post by maikcat » Tue Oct 08, 2013 6:28 am

you didn't answer me this:

> did you enable ip forwarding on it?

Michael.

Post by charmander » Tue Oct 08, 2013 10:05 pm

Do you mean port forwarding? I have port 1194 pointing to the vpn server through the router.
If not, do you mean something like this: net.ipv4.ip_forward = 1. If so, no I don't.
Would I set this up as a startup item?

Post by maikcat » Wed Oct 09, 2013 10:48 am

> If not, do you mean something like this: net.ipv4.ip_forward = 1. If so, no I don't.

yes...

in Windows, ip forwarding is controlled by a registry key (your server config is Windows based).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the following registry value:
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1

Michael.

Post by charmander » Fri Oct 11, 2013 1:49 am

I tried this quickly, didn't have time to really test it thoroughly. It didn't work. Will have more time this weekend.

Would these choices make any difference in the static route setup?

Interface - LAN & WLAN (currently using)
choices - LAN & WLAN, WAN, ANY, eth0, eth1, vlan0

Post by maikcat » Fri Oct 11, 2013 8:41 am

did you reboot the server after the registry addition?

verify that, for testing, the firewall is off on your openvpn server & clients

routing is next..

Michael.

Post by charmander » Fri Oct 11, 2013 11:56 pm

Server has been rebooted after the registry change.
No firewall running on server or client.

Post by maikcat » Sat Oct 12, 2013 5:09 pm

try a tracert from a vpn client to one of your server side pcs
and post the output.

Michael.

Post by charmander » Sat Oct 12, 2013 6:23 pm

Here is the tracert from a connected client to a lan side pc, also, here are results from the vpn software log. There are errors regarding the route.

Tracing route to 192.168.1.105 over a maximum of 30 hops

1 laptop.isp.net. [192.168.1.121] reports: Destination host unreachable.

Trace complete.

Sat Oct 12 13:46:31 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat Oct 12 13:46:31 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Sat Oct 12 13:46:31 2013 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=14]
Sat Oct 12 13:46:31 2013 Route addition via IPAPI failed [adaptive]
Sat Oct 12 13:46:31 2013 Route addition fallback to route.exe
Sat Oct 12 13:46:31 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Oct 12 13:46:31 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat Oct 12 13:46:31 2013 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Sat Oct 12 13:46:31 2013 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=14]
Sat Oct 12 13:46:31 2013 Route addition via IPAPI failed [adaptive]
Sat Oct 12 13:46:31 2013 Route addition fallback to route.exe
Sat Oct 12 13:46:31 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Oct 12 13:46:31 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat Oct 12 13:46:31 2013 MANAGEMENT: >STATE:1381599991,ADD_ROUTES,,,
Sat Oct 12 13:46:31 2013 C:\Windows\system32\route.exe ADD 192.168.1.1 MASK 255.255.255.0 10.8.0.5
Sat Oct 12 13:46:31 2013 Warning: address 192.168.1.1 is not a network address in relation to netmask 255.255.255.0
Sat Oct 12 13:46:31 2013 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=14]
Sat Oct 12 13:46:31 2013 Route addition via IPAPI failed [adaptive]
Sat Oct 12 13:46:31 2013 Route addition fallback to route.exe
Sat Oct 12 13:46:31 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Oct 12 13:46:31 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat Oct 12 13:46:31 2013 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sat Oct 12 13:46:31 2013 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=14]
Sat Oct 12 13:46:31 2013 Route addition via IPAPI failed [adaptive]
Sat Oct 12 13:46:31 2013 Route addition fallback to route.exe
Sat Oct 12 13:46:31 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Oct 12 13:46:31 2013 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat Oct 12 13:46:31 2013 Initialization Sequence Completed
Sat Oct 12 13:46:31 2013 MANAGEMENT: >STATE:1381599991,CONNECTED,SUCCESS
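
A triage of the route errors in the log above, as an added example that is not part of the original post: it pairs each `route.exe ADD` attempt with the failure lines that follow it and checks that the destination is a real network address for its mask. The sample lines are excerpted from the posted log with timestamps dropped; the function name and output shape are this example's own.

```python
import ipaddress
import re

# Excerpt of the client log posted above, timestamps dropped.
SAMPLE_LOG = r"""
C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=14]
ERROR: Windows route add command failed [adaptive]: returned error code 1
C:\Windows\system32\route.exe ADD 192.168.1.1 MASK 255.255.255.0 10.8.0.5
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=14]
ERROR: Windows route add command failed [adaptive]: returned error code 1
Initialization Sequence Completed
"""

ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)", re.I)
IPAPI_FAIL = re.compile(r"CreateIpForwardEntry: (.+?) \[status=(\d+)")


def triage(log_text):
    """Return one finding per attempted route: dest, mask, gw, problems."""
    findings = []
    for line in log_text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            dest, mask, gw = m.groups()
            problems = []
            # A route destination must have no host bits set under its mask.
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            if str(net.network_address) != dest:
                problems.append(f"destination should be {net.network_address}")
            findings.append({"dest": dest, "mask": mask, "gw": gw,
                             "problems": problems})
            continue
        m = IPAPI_FAIL.search(line)
        if m and findings:
            reason, status = m.groups()
            note = f"IPAPI add failed: {reason} (status {status})"
            if status == "5":  # Windows ERROR_ACCESS_DENIED: no admin rights
                note += "; run OpenVPN elevated"
            findings[-1]["problems"].append(note)
        elif "route add command failed" in line and findings:
            findings[-1]["problems"].append("route.exe fallback also failed")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["dest"], finding["mask"], "->", finding["problems"])
```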

Post by charmander » Sat Oct 12, 2013 11:47 pm

New development!!!

I just tried running the OpenVPN gui as administrator, and now I can ping the server from the client, and the client from the server, using the vpn subnet of 10.x.x.x. But still can't see the other machines.

Post by charmander » Sun Oct 13, 2013 3:09 pm

Also can't connect to the internet........ :x

Post by maikcat » Mon Oct 14, 2013 5:28 am

for internet access you must enable RAS on your windows server (to perform NAT)

user bebop has written a very detailed howto on this....

Michael.

Post by charmander » Wed Oct 16, 2013 12:02 am

Ok, so I looked at Bebop's howto.

I enabled RAS and did the registry fix that you suggested. I also turned on Internet Connection Sharing on the Local area connection, all of this on the server.

The problem is, where he says to enable ICS and then click the drop-down and choose the vpn interface, there is no drop down on Windows xp, only on 7. So that part I'm not sure what to do. Instead, there is a box:

https://www.google.com/search?q=interne ... B363%3B445

You have to click add, and you are asked for description, ip address, and port numbers. I'm not sure what goes here.

But as a side note, when I have RAS enabled, I can no longer ping the server from the client, and client from the server. I also lose internet on the client. As soon as I disable RAS, these functions come back.

Post by charmander » Sat Oct 26, 2013 8:08 pm

Update:

So now I can connect to the VPN, as well as connect to all of the machines on the server LAN.

This is working without enabling routing in the registry, or running the RAS service. I couldn't get anything to work with those options enabled. The local area connection of the server is shared.

The only thing I can't do is ping or connect to these machines by name. But strangely, if I ping them with the -a switch, the name is given:

C:\Windows\System32>ping -a 192.168.1.106

Pinging SERVER [192.168.1.106] with 32 bytes of data:
Reply from 192.168.1.106: bytes=32 time<1ms TTL=128
Reply from 192.168.1.106: bytes=32 time<1ms TTL=128
Reply from 192.168.1.106: bytes=32 time<1ms TTL=128
Reply from 192.168.1.106: bytes=32 time<1ms TTL=128

I also can't ping a client from the server, but can ping and connect to the server from a client, move files back and forth.
The following is enabled in the server config:

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
