Mac/Tunnelblick connects, Windows OpenVPN GUI client doesn't

[batiovpn]

I have been tearing my hair out trying to solve this connection problem over the last few weeks, but no-where have I found the exact same problem.

The setup:-

• * OpenVPN server running on a Ubuntu 14.04 LTS server

• * Certificates all set up and identical client configuration (not running simultaneously)

• * A Mac client running Tunnelblick => working perfectly

• * A Windows 7 client running OpenVPN GUI client or Viscosity OpenVPN client => reports connected but NOT able to actually connect to anything (and, yes, it's running as Administrator)

• (* 1 additional complication, though I'm not convinced it's relevant: the Windows 7 client is running on a virtual machine on a Mac host – I don't have access to a stand-alone Windows machine myself, but a friend tried (remotely) and had same results with OpenVPN).

On Mac I can connect to all the clients on the remote LAN (192.168.2.0), using ping etc.

On Windows everything <i>seems</i> to connect (OpenVPN reports the connection open, the TAP interface seems to pick up a valid IP address in the range specified by server-bridge)... no actual 'connecting' can be done: i.e. the machine can't ping within the LAN, including to the OpenVPN server. Normal internet connections (outside of the VPN/LAN) are not affected.

Why might this be?

I cannot see anything obvious in the logs or client configuration except a "TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up" in the Windows version, but perhaps there is something Windows specific I have missed...

Any help gratefully received,
Bati

FURTHER DETAILS ABOUT THE SETUP

The server is running as tap, udp, 1194, and a bridge is set up.

Code: Select all

server-bridge 192.168.2.5 255.255.255.0 192.168.2.241 192.168.2.252

(Aside: when testing different options, I had server-bridge set to "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100", Mac/Tunnelblick would pick two IP addresses (apparently able to connect to the DHCP server in the remote LAN, whilst the OpenVPN client on Windows was only able to get the address from the vpn server, namely 10.8.0.51 or similar).

THE LOG ON THE WINDOWS 7 OPENVPN

Code: Select all

 
Thu Nov 27 15:18:24 2014 us=515625 MANAGEMENT: >STATE:1417094304,GET_CONFIG,,,
Thu Nov 27 15:18:25 2014 us=62500 SENT CONTROL [irerpbati]: 'PUSH_REQUEST' (status=1)
Thu Nov 27 15:18:25 2014 us=125000 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.2.5,ping 10,ping-restart 120,ifconfig 192.168.2.242 255.255.255.0'
Thu Nov 27 15:18:25 2014 us=125000 OPTIONS IMPORT: timers and/or timeouts modified
Thu Nov 27 15:18:25 2014 us=125000 OPTIONS IMPORT: --ifconfig/up options modified
Thu Nov 27 15:18:25 2014 us=125000 OPTIONS IMPORT: route-related options modified
Thu Nov 27 15:18:25 2014 us=125000 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Nov 27 15:18:25 2014 us=125000 MANAGEMENT: >STATE:1417094305,ASSIGN_IP,,192.168.2.242,
Thu Nov 27 15:18:25 2014 us=125000 open_tun, tt->ipv6=0
Thu Nov 27 15:18:25 2014 us=125000 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{DC86BF5E-8A8D-4EA4-9878-C1F6CE7523EC}.tap
Thu Nov 27 15:18:25 2014 us=125000 TAP-Windows Driver Version 9.9 
Thu Nov 27 15:18:25 2014 us=125000 TAP-Windows MTU=1500
Thu Nov 27 15:18:25 2014 us=140625 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.2.242/255.255.255.0 on interface {DC86BF5E-8A8D-4EA4-9878-C1F6CE7523EC} [DHCP-serv: 192.168.2.0, lease-time: 31536000]
Thu Nov 27 15:18:25 2014 us=140625 Successful ARP Flush on interface [14] {DC86BF5E-8A8D-4EA4-9878-C1F6CE7523EC}
Thu Nov 27 15:18:30 2014 us=171875 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Thu Nov 27 15:18:30 2014 us=171875 Initialization Sequence Completed
Thu Nov 27 15:18:30 2014 us=171875 MANAGEMENT: >STATE:1417094310,CONNECTED,SUCCESS,192.168.2.242,**.**.**.**

THE EQUIVALENT LOG FROM TUNNELBLICK

Code: Select all

 
2014-11-27 14:30:42 SENT CONTROL [irerpbati]: 'PUSH_REQUEST' (status=1)
2014-11-27 14:30:42 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.2.5,ping 10,ping-restart 120,ifconfig 192.168.2.241 255.255.255.0'
2014-11-27 14:30:42 OPTIONS IMPORT: timers and/or timeouts modified
2014-11-27 14:30:42 OPTIONS IMPORT: --ifconfig/up options modified
2014-11-27 14:30:42 OPTIONS IMPORT: route-related options modified
2014-11-27 14:30:42 TUN/TAP device /dev/tap0 opened
2014-11-27 14:30:42 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2014-11-27 14:30:42 MANAGEMENT: >STATE:1417091442,ASSIGN_IP,,192.168.2.241,
2014-11-27 14:30:42 /sbin/ifconfig tap0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2014-11-27 14:30:42 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2014-11-27 14:30:42 /sbin/ifconfig tap0 192.168.2.241 netmask 255.255.255.0 mtu 1500 up
2014-11-27 14:30:42 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -a -f -ptADGNWradsgnw tap0 1500 1574 192.168.2.241 255.255.255.0 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Configuring tap DNS via DHCP asynchronously
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2014-11-27 14:30:44 Initialization Sequence Completed
2014-11-27 14:30:44 MANAGEMENT: >STATE:1417091444,CONNECTED,SUCCESS,192.168.2.241,**.**.**.**

The client configuration:

Code: Select all

client
remote ***.***.***.***
port 1194
proto udp
dev tap
dev-type tap
#Addition settings
nobind
resolv-retry infinite
ns-cert-type server
reneg-sec 86400
persist-tun
persist-key
verb 5
keepalive 10 120
...
(server and certificate information redacted, of course)

netstat -nr output from Windows machine after connection reported as successful
(I can't see anything wrong with this)

Code: Select all

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.109     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.109    266
    192.168.1.109  255.255.255.255         On-link     192.168.1.109    266
    192.168.1.255  255.255.255.255         On-link     192.168.1.109    266
      192.168.2.0    255.255.255.0         On-link     192.168.2.242    286
    192.168.2.242  255.255.255.255         On-link     192.168.2.242    286
    192.168.2.255  255.255.255.255         On-link     192.168.2.242    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.109    266
        224.0.0.0        240.0.0.0         On-link     192.168.2.242    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.109    266
  255.255.255.255  255.255.255.255         On-link     192.168.2.242    286
===========================================================================
Persistent Routes:
  None

[maikcat]

what version is your openvpn client on win7?

Michael.

[batiovpn]

According to log...

Code: Select all

Mon Dec 01 09:20:23 2014 us=687500 OpenVPN 2.3.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 28 2014
Mon Dec 01 09:20:23 2014 us=687500 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.05

Can't tell if it is the l001 or l602 build from what is installed (and I have both downloads so can't tell which one I actually installed.)

Should I try uninstalling OpenVPN and TAP driver and using 2.3.2 instead?

Many thanks!

[batiovpn]

OK, just tried uninstalling current version of OpenVPN and TAP-driver and re-installing with latest build from downloads ( openvpn-install-2.3.5-I602-x86_64.exe ). Still the same problem. Everything in OpenVPN seems happy (correctly picks up an IP in the specified range from server), but can't ping within remote LAN, including OpenVPN server itself.

Thanks

[maikcat]

are you running openvpn on your 7 with admin rights?

Michael.

[batiovpn]

Yep, run with Admin rights from the beginning (it asks me on loading anyway, but tried right click on openvpn gui shortcut -> Run as Administrator just to be sure). I assume OpenVPN wouldn't get as far as reporting 'connected' unless that was the case anyway?

[batiovpn]

In case it is of any help to anyone, I tracked this down finally to a mismatched MTU, putting a...

Code: Select all

link-mtu 1574

....into the client configuration (to match the server's implicit config noted in the connection log) seemed to do the trick. What was only a 'WARNING' in the log turned out to effectively be an ERROR.

[maikcat]

(to match the server's implicit config noted in the connection log) seemed to do the trick

dont wont to be rude,was this mentioned anywhere in the posted logs?

Michael.

[Traffic]

dont wont to be rude

I would be .. the initial post was rampantly devoid of details

Like all but one line of the server config ..

[batiovpn]

@maikcat: No, you're right, there was no clue in the log I posted originally. I think (but can't confirm without reverting to original version of the client and client-config) that the 'WARNING' line about the mtu appeared earlier in the log. I had only pasted the last part in an effort to keep the question targeted and brief since it thought the problem to do with routing in Windows. I realise that people's time here is precious and did not want to waste it.

@Traffic: thanks for your, ahem, welcome and encouraging admonition...

In my defence: I had not altered OpenVPN's out-of-the-box server configs as regards to link-mtu, so why Tunnelblick should work happily without an explicit statement in the client config, and the Windows OpenVPN client should require one -- is still not clear to me.

For myself I am happy to have solved the problem and I hope that if someone else has similar problems that these notes help.

[batiovpn]

And to clarify further:

...(to match the server's implicit config noted in the connection log)...

I meant that I only learnt that there was a mismatch from this line in the client log (not from the server).