[Solved]Problem connecting to local resources from a laptop

[dave2ic]

An OpenVPN newbie here, so please excuse my rather basic line of questioning, but I am hoping someone can put me on the right track. I have the OpenVPN server running on a Windows Server 2008 computer, and want to connect to local resources on the server through the OpenVPN client running on a laptop (in particular RDP port 3389). I have used the following guide successfully to setup the server and client connection:
https://community.openvpn.net/openvpn/w ... dows_Guide

I can successfully establish the OpenVPN connection from the laptop to the server. However, while I can ping the OpenVPN server (10.8.0.1) from the laptop, I can’t ping the Windows Server (192.168.128.2). I understand the reason for this – when I ping the server (192.168.128.2) from the laptop, it doesn’t know to send those packets down the VPN tunnel (a tracert shows this). I have had a look at the following article and understand that I need a static route on the laptop to direct traffic destined for the server down the VPN tunnel:
topic9465.html

So from the client side, what I understand from this article I will need something like this on my laptop:
route add 192.168.128.0 mask 255.255.255.0 gw 10.8.0.6

However, this article deals with sites where 2 LAN’s have known IP subnets. It seems I will also need a route from the host side to the client too – is this even possible given that my laptop’s LAN IP address will be changing depending on the wireless network it is connected to?

I’d appreciate it if someone can please point me in the right direction to a solution - thanks in advance for any assistance.

My client and server config files are unchanged from the guide I used to successfully establish the VPN connection:

Server

proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Client

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\laptop.crt"
key "C:\\Program Files (x86)\\OpenVPN\\config\\laptop.key"
ns-cert-type server
comp-lzo
verb 3

[maikcat]

So from the client side, what I understand from this article I will need something like this on my laptop:
route add 192.168.128.0 mask 255.255.255.0 gw 10.8.0.6

add this to your server config:

Code: Select all

push "route 192.168.128.0 255.255.255.0"

also your openvpn server must has ip forwarding enabled , then you must allow traffic coming from
your openvpn range to your windows server.

and reconnect..

Michael.

[Traffic]

Also, see this HOWTO:
HOWTO: Expanding the scope of the VPN to include additional machines

[dave2ic]

So from the client side, what I understand from this article I will need something like this on my laptop:
route add 192.168.128.0 mask 255.255.255.0 gw 10.8.0.6

add this to your server config:

Code: Select all

push "route 192.168.128.0 255.255.255.0"

also your openvpn server must has ip forwarding enabled , then you must allow traffic coming from
your openvpn range to your windows server.

and reconnect..

Michael.

Thanks for your feedback.

I've added a route on the laptop as follows (as it's Windows I had the incorrect syntax - I didn't need the 'gw'):

Code: Select all

route add 192.168.128.0 mask 255.255.255.0 10.8.0.6

I've added your code to the server.ovpn file on the server:

Code: Select all

push "route 192.168.128.0 255.255.255.0"

From what I can find, to enable IP forwarding on Windows I just set the following in the registry and restart:

Code: Select all

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter=1

You also say "then you must allow traffic coming from your openvpn range to your windows server". I don't have a firewall on the server, if that's what you mean.

Now if I try a Tracert from the laptop to the server, it looks like it's at least trying to go down the tunnel but I still don't get a response:

Code: Select all

Tracing route to 192.168.128.2 over a maximum of 30 hops
  1  Laptop [10.8.0.6]  reports: Destination host unreachable.

Thanks again for your help, but do you have any further advice on what the problem is here?

[maikcat]

is your win server using the openvpn server as it default gateway?

Michael.

[dave2ic]

is your win server using the openvpn server as it default gateway?

Michael.

No. The Windows server's IP address is 192.168.128.2, and its default Gateway is the router on the LAN, which is 192.168.128.254.

[maikcat]

add a static route to your windows so that traffic destined to your vpn network
flows via openvpn servers lan ip.

Michael.

[dave2ic]

add a static route to your windows so that traffic destined to your vpn network
flows via openvpn servers lan ip.

Michael.

I'm not sure what the static route would be in this case.

From the laptop to the server it's straight forward enough. We know the LAN IP address of the Windows server (which is the same physical computer as the OpenVPN server) is 192.168.128.2, so we can add a static route to send traffic destined for 192.168.128.2 to the OpenVPN client at 10.8.0.6:

Code: Select all

route add 192.168.128.0 mask 255.255.255.0 10.8.0.6

But from the server to the laptop is not so straight forward, as the laptop will be connecting from any IP address.

So what I think is happening is the if the laptop is on a LAN IP of 10.0.0.2, for example, connects to the VPN and pings the server, the packets are routed down the tunnel ok. But when the server receives those packets from 10.0.0.2, it has no way of knowing to send the reply down the VPN tunnel. And I can't do a static route, because the laptop will be connecting from different IP addresses depending on where it is.

From what I am reading, this is possibly where IP masquerading comes in. I need to make any packets coming down the VPN tunnel to the Windows server appear like it's coming from the VPN tunnels IP address of 10.8.0.1. Then it will know to respond to anything from the tunnel by sending it back through the tunnel.

Is this correct? Even if it is I have no idea how to go about achieving this, so I'd appreciate any guidance.

Thanks for all your assistance.

[Traffic]

Just to clarify some points:

I've added a route on the laptop as follows
Code:
route add 192.168.128.0 mask 255.255.255.0 10.8.0.6

You do not need above, all you need is below:

I've added your code to the server.ovpn file on the server:
Code:
push "route 192.168.128.0 255.255.255.0"

Now can you ping the server 192.168.128.2 from the client ?

given that my laptop’s LAN IP address will be changing depending on the wireless network it is connected to?

This should not make any difference if you only connect to the server LAN from the client .. Obviously resources on the client LAN will not be available to your server but you do not require this in your setup.

[dave2ic]

It works! Thank you so much!

I've been trying to get this to work for a week now, so I'm very grateful for the assistance.

So in summary, I did not need the static route on the laptop - just this on the server .ovpn config file:

Code: Select all

push "route 192.168.128.0 255.255.255.0"

And presumably this registry key on the (Windows) server to enable IP forwarding:

Code: Select all

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter=1

As you say, this will only allow me to access server resources from the laptop. It won't allow me to access laptop resources from the server, but I don't need that anyway.

Thanks again.