I managed to install OpenVPN and got a Windows client to connect to it, but I am having a really tough time PINGING any other device on the internal LAN.
Here is my current setup:
Internal LAN: 10.70.0.0 (255.255.252.0)
10.70.0.1 = NetGear Gateway/Router SRX5308
10.70.0.2 - 10.70.0.254 = internal servers, 10.70.0.50 is the actual OpenVPN server
10.70.1.1 - 10.70.1.254 = internal workstations (DHCP controlled by NetGear)
10.70.2.1 - 10.70.2.254 = reserved for VPN clients
OpenVPN: /etc/network/interfaces
auto lo
iface lo inet loopback

# br0 holds the server's LAN address; eth0 and OpenVPN's tap0 are its ports.
# interfaces(5): end-of-line comments are not supported, so comments stay on their own lines.
auto br0
iface br0 inet static
    address 10.70.0.50
    netmask 255.255.252.0
    gateway 10.70.0.1
    bridge_ports eth0 tap0
    # bridge timers taken from the libvirt docs
    # forward delay time
    bridge_fd 9
    # hello time
    bridge_hello 2
    # maximum message age
    bridge_maxage 12
    # spanning tree protocol
    bridge_stp off

# eth0 carries no address of its own; it is only brought up as a bridge port
iface eth0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE up promisc on
    down ip link set $IFACE down promisc off
    down ifconfig $IFACE down
OpenVPN: server config
mode server
tls-server
local 10.70.0.50 ## ip/hostname of server
port 1194 ## default openvpn port
proto udp
#bridging directive
dev tap0
script-security 2
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 10.70.0.50 255.255.252.0 10.70.2.1 10.70.2.254
push "dhcp-option DNS 10.70.0.10"
push "dhcp-option DNS 10.70.0.11"
max-clients 254
#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 5
OpenVPN: Windows client config
client
dev tap
remote [REMOVED] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 5
Windows client log (verb 5):
Sun Sep 13 21:31:59 2015 pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_protected_authentication = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_private_mode = 00000000
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_cert_private = DISABLED
Sun Sep 13 21:31:59 2015 pkcs11_pin_cache_period = -1
Sun Sep 13 21:31:59 2015 pkcs11_id = '[UNDEF]'
Sun Sep 13 21:31:59 2015 pkcs11_id_management = DISABLED
Sun Sep 13 21:31:59 2015 server_network = 0.0.0.0
Sun Sep 13 21:31:59 2015 server_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015 server_network_ipv6 = ::
Sun Sep 13 21:31:59 2015 server_netbits_ipv6 = 0
Sun Sep 13 21:31:59 2015 server_bridge_ip = 0.0.0.0
Sun Sep 13 21:31:59 2015 server_bridge_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015 server_bridge_pool_start = 0.0.0.0
Sun Sep 13 21:31:59 2015 server_bridge_pool_end = 0.0.0.0
Sun Sep 13 21:31:59 2015 ifconfig_pool_defined = DISABLED
Sun Sep 13 21:31:59 2015 ifconfig_pool_start = 0.0.0.0
Sun Sep 13 21:31:59 2015 ifconfig_pool_end = 0.0.0.0
Sun Sep 13 21:31:59 2015 ifconfig_pool_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015 ifconfig_pool_persist_filename = '[UNDEF]'
Sun Sep 13 21:31:59 2015 ifconfig_pool_persist_refresh_freq = 600
Sun Sep 13 21:31:59 2015 ifconfig_ipv6_pool_defined = DISABLED
Sun Sep 13 21:31:59 2015 ifconfig_ipv6_pool_base = ::
Sun Sep 13 21:31:59 2015 ifconfig_ipv6_pool_netbits = 0
Sun Sep 13 21:31:59 2015 n_bcast_buf = 256
Sun Sep 13 21:31:59 2015 tcp_queue_limit = 64
Sun Sep 13 21:31:59 2015 real_hash_size = 256
Sun Sep 13 21:31:59 2015 virtual_hash_size = 256
Sun Sep 13 21:31:59 2015 client_connect_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015 learn_address_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015 client_disconnect_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015 client_config_dir = '[UNDEF]'
Sun Sep 13 21:31:59 2015 ccd_exclusive = DISABLED
Sun Sep 13 21:31:59 2015 tmp_dir = 'C:\Users\ASLIVI~1.UNI\AppData\Local\Temp\'
Sun Sep 13 21:31:59 2015 push_ifconfig_defined = DISABLED
Sun Sep 13 21:31:59 2015 push_ifconfig_local = 0.0.0.0
Sun Sep 13 21:31:59 2015 push_ifconfig_remote_netmask = 0.0.0.0
Sun Sep 13 21:31:59 2015 push_ifconfig_ipv6_defined = DISABLED
Sun Sep 13 21:31:59 2015 push_ifconfig_ipv6_local = ::/0
Sun Sep 13 21:31:59 2015 push_ifconfig_ipv6_remote = ::
Sun Sep 13 21:31:59 2015 enable_c2c = DISABLED
Sun Sep 13 21:31:59 2015 duplicate_cn = DISABLED
Sun Sep 13 21:31:59 2015 cf_max = 0
Sun Sep 13 21:31:59 2015 cf_per = 0
Sun Sep 13 21:31:59 2015 max_clients = 1024
Sun Sep 13 21:31:59 2015 max_routes_per_client = 256
Sun Sep 13 21:31:59 2015 auth_user_pass_verify_script = '[UNDEF]'
Sun Sep 13 21:31:59 2015 auth_user_pass_verify_script_via_file = DISABLED
Sun Sep 13 21:31:59 2015 client = ENABLED
Sun Sep 13 21:31:59 2015 pull = ENABLED
Sun Sep 13 21:31:59 2015 auth_user_pass_file = '[UNDEF]'
Sun Sep 13 21:31:59 2015 show_net_up = DISABLED
Sun Sep 13 21:31:59 2015 route_method = 0
Sun Sep 13 21:31:59 2015 ip_win32_defined = DISABLED
Sun Sep 13 21:31:59 2015 ip_win32_type = 3
Sun Sep 13 21:31:59 2015 dhcp_masq_offset = 0
Sun Sep 13 21:31:59 2015 dhcp_lease_time = 31536000
Sun Sep 13 21:31:59 2015 tap_sleep = 0
Sun Sep 13 21:31:59 2015 dhcp_options = DISABLED
Sun Sep 13 21:31:59 2015 dhcp_renew = DISABLED
Sun Sep 13 21:31:59 2015 dhcp_pre_release = DISABLED
Sun Sep 13 21:31:59 2015 dhcp_release = DISABLED
Sun Sep 13 21:31:59 2015 domain = '[UNDEF]'
Sun Sep 13 21:31:59 2015 netbios_scope = '[UNDEF]'
Sun Sep 13 21:31:59 2015 netbios_node_type = 0
Sun Sep 13 21:31:59 2015 disable_nbt = DISABLED
Sun Sep 13 21:31:59 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
Sun Sep 13 21:31:59 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Sun Sep 13 21:31:59 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Sep 13 21:31:59 2015 Need hold release from management interface, waiting...
Sun Sep 13 21:32:00 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Sep 13 21:32:00 2015 MANAGEMENT: CMD 'state on'
Sun Sep 13 21:32:00 2015 MANAGEMENT: CMD 'log all on'
Sun Sep 13 21:32:01 2015 MANAGEMENT: CMD 'hold off'
Sun Sep 13 21:32:01 2015 MANAGEMENT: CMD 'hold release'
Sun Sep 13 21:32:01 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 13 21:32:01 2015 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sun Sep 13 21:32:01 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:01 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:01 2015 LZO compression initialized
Sun Sep 13 21:32:01 2015 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:3 ]
Sun Sep 13 21:32:01 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Sep 13 21:32:01 2015 MANAGEMENT: >STATE:1442176321,RESOLVE,,,
Sun Sep 13 21:32:02 2015 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:143 ET:32 EL:3 AF:3/1 ]
Sun Sep 13 21:32:02 2015 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep 13 21:32:02 2015 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep 13 21:32:02 2015 Local Options hash (VER=V4): '13a273ba'
Sun Sep 13 21:32:02 2015 Expected Remote Options hash (VER=V4): '360696c5'
Sun Sep 13 21:32:02 2015 UDPv4 link local: [undef]
Sun Sep 13 21:32:02 2015 UDPv4 link remote: [AF_INET][REMOVED]:1194
Sun Sep 13 21:32:02 2015 MANAGEMENT: >STATE:1442176322,WAIT,,,
Sun Sep 13 21:32:02 2015 MANAGEMENT: >STATE:1442176322,AUTH,,,
Sun Sep 13 21:32:02 2015 TLS: Initial packet from [AF_INET][REMOVED], sid=b6d47657 fd2e7180
Sun Sep 13 21:32:07 2015 VERIFY OK: depth=1, C=GB, ST=LON, L=London, O=[REMOVED], OU=MyOrganizationalUnit, CN=[REMOVED], name=server, emailAddress=[REMOVED]
Sun Sep 13 21:32:07 2015 VERIFY OK: depth=0, C=GB, ST=LON, L=London, O=[REMOVED], OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=[REMOVED]
Sun Sep 13 21:32:11 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 13 21:32:11 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:11 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 13 21:32:11 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 13 21:32:12 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Sep 13 21:32:12 2015 [server] Peer Connection Initiated with [AF_INET][REMOVED]:1194
Sun Sep 13 21:32:13 2015 MANAGEMENT: >STATE:1442176333,GET_CONFIG,,,
Sun Sep 13 21:32:14 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Sep 13 21:32:14 2015 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.70.0.10,dhcp-option DNS 10.70.0.11,route-gateway 10.70.0.50,ping 10,ping-restart 120,ifconfig 10.70.2.10 255.255.252.0'
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: route-related options modified
Sun Sep 13 21:32:14 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Sep 13 21:32:14 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Sep 13 21:32:14 2015 MANAGEMENT: >STATE:1442176334,ASSIGN_IP,,10.70.2.10,
Sun Sep 13 21:32:14 2015 open_tun, tt->ipv6=0
Sun Sep 13 21:32:14 2015 TAP-WIN32 device [Local Area Connection 10] opened: \\.\Global\{8FA599A6-8994-4B0F-9072-F25BC5A8DAC1}.tap
Sun Sep 13 21:32:14 2015 TAP-Windows Driver Version 9.21
Sun Sep 13 21:32:14 2015 TAP-Windows MTU=1500
Sun Sep 13 21:32:14 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.70.2.10/255.255.252.0 on interface {8FA599A6-8994-4B0F-9072-F25BC5A8DAC1} [DHCP-serv: 10.70.0.0, lease-time: 31536000]
Sun Sep 13 21:32:14 2015 DHCP option string: 0f15636f 72702e75 6e696669 65646c6f 6769632e 636f6d06 080a4600 0a0a4600 0c
Sun Sep 13 21:32:14 2015 NOTE: FlushIpNetTable failed on interface [40] {8FA599A6-8994-4B0F-9072-F25BC5A8DAC1} (status=5) : Access is denied.
Sun Sep 13 21:32:19 2015 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Sun Sep 13 21:32:19 2015 Initialization Sequence Completed
Sun Sep 13 21:32:19 2015 MANAGEMENT: >STATE:1442176339,CONNECTED,SUCCESS,10.70.2.10,[REMOVED]
Ping from the Windows client:
C:\>ping 10.70.0.50
Pinging 10.70.0.50 with 32 bytes of data:
Reply from 10.70.0.50: bytes=32 time=118ms TTL=64
Reply from 10.70.0.50: bytes=32 time=32ms TTL=64
Reply from 10.70.0.50: bytes=32 time=60ms TTL=64
Reply from 10.70.0.50: bytes=32 time=82ms TTL=64
Ping statistics for 10.70.0.50:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 32ms, Maximum = 118ms, Average = 73ms
C:\>ping 10.70.0.10
Pinging 10.70.0.10 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 10.70.2.10: Destination host unreachable.
Request timed out.
Ping statistics for 10.70.0.10:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
http://postimg.org/image/o65dazbw5/
Can you please advise what I should do?
Many thanks!
Andy
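A server-side check for the situation in this post, added here as an example; it is not part of Andy's post and not an OpenVPN project script. In the ping output, "Reply from 10.70.2.10: Destination host unreachable" is Windows reporting that ARP for 10.70.0.10 went unanswered, while 10.70.0.50 (br0 itself) does answer, so the question is whether frames actually cross br0 between tap0 and eth0. The script checks what can be checked from inside the server: that both ports are enslaved to br0, that the promisc flag the interfaces file requests on eth0 is set, that br_netfilter is not feeding bridged frames into a DROP/REJECT FORWARD chain, and that the server-bridge pool 10.70.2.1-10.70.2.254 lies within 10.70.0.0/22. It also audits a client config for the three things the posted client config and its log show: the "No server certificate verification method has been enabled" warning (no `remote-cert-tls server`), `cipher BF-CBC` (a 64-bit block cipher) and `comp-lzo`. Assumptions: a Linux server with sysfs and iptables, the interface names from the post; the SYS_NET and PROC_SYS variables, the --live flag and all function names are this example's own. What it cannot see is the hypervisor side: if the server is a VM, its virtual switch must also pass frames carrying the VPN clients' MAC addresses.

```shell
#!/bin/sh
# Added diagnostic for a bridged (tap) OpenVPN server; it is not from the post above.
# Assumptions: Linux with sysfs, bridge br0 enslaving eth0 and tap0 as in the posted
# /etc/network/interfaces, iptables installed. SYS_NET and PROC_SYS default to the
# live kernel paths and can be pointed at constructed fixture directories for offline use.

SYS_NET="${SYS_NET:-/sys/class/net}"
PROC_SYS="${PROC_SYS:-/proc/sys}"

# ip2int DOTTED_QUAD : prints the address as a 32-bit integer (10.70.0.50 -> 172359730)
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pool_in_subnet BRIDGE_IP NETMASK POOL_START POOL_END : succeeds if both pool ends
# share the bridge's subnet. server-bridge requires this; a pool outside it still
# "connects" (the tunnel comes up) but the client can reach nothing on the LAN.
pool_in_subnet() {
    _mask=$(ip2int "$2")
    _net=$(( $(ip2int "$1") & $_mask ))
    [ $(( $(ip2int "$3") & $_mask )) -eq "$_net" ] &&
    [ $(( $(ip2int "$4") & $_mask )) -eq "$_net" ]
}

# bridge_has_ports BRIDGE PORT... : succeeds only if every PORT is enslaved to
# BRIDGE; the kernel lists enslaved ports as entries under <bridge>/brif/.
bridge_has_ports() {
    _br=$1; shift
    for _p in "$@"; do
        [ -e "$SYS_NET/$_br/brif/$_p" ] || { echo "FAIL: $_p is not a port of $_br"; return 1; }
    done
}

# iface_promisc IFACE : succeeds if the IFF_PROMISC flag (0x100) that the posted
# interfaces file requests with "ip link set ... promisc on" is actually set.
iface_promisc() {
    _flags=$(cat "$SYS_NET/$1/flags" 2>/dev/null) || return 1
    [ $(( $_flags & 0x100 )) -ne 0 ]
}

# bridge_nf_active : succeeds if br_netfilter hands bridged IPv4 frames to iptables.
# Then frames crossing br0 between tap0 and eth0 traverse the FORWARD chain, and a
# DROP policy there cuts VPN clients off from the LAN although the bridge is fine.
bridge_nf_active() {
    _f="$PROC_SYS/net/bridge/bridge-nf-call-iptables"
    [ -r "$_f" ] && [ "$(cat "$_f")" = 1 ]
}

# forward_policy_ok "$(iptables -S FORWARD)" : fails on a DROP/REJECT default policy.
forward_policy_ok() {
    ! printf '%s\n' "$1" | grep -qE '^-P FORWARD (DROP|REJECT)'
}

# audit_client_config FILE : prints one line per weakness in an OpenVPN client
# config and fails if any was found. The checks correspond to what the posted
# client config and its connection log show.
audit_client_config() {
    _bad=0
    # Without one of these, any certificate signed by the CA (another client's
    # included) is accepted as the server: the "No server certificate
    # verification method has been enabled" warning in the log.
    grep -qE '^[[:space:]]*(remote-cert-tls[[:space:]]+server|ns-cert-type[[:space:]]+server|verify-x509-name|remote-cert-eku)' "$1" ||
        { echo "missing remote-cert-tls server (or verify-x509-name): any CA-signed cert passes as the server"; _bad=1; }
    # Blowfish is a 64-bit block cipher (SWEET32); OpenVPN 2.4+ negotiates AES-GCM by default.
    grep -qE '^[[:space:]]*cipher[[:space:]]+BF-CBC' "$1" &&
        { echo "cipher BF-CBC: 64-bit block cipher, use AES-256-GCM"; _bad=1; }
    # Compressing plaintext an attacker can partly control leaks secrets (VORACLE).
    grep -qE '^[[:space:]]*comp(-lzo|ress)' "$1" &&
        { echo "comp-lzo/compress: compression enabled, remove it"; _bad=1; }
    [ "$_bad" -eq 0 ]
}

# run_live_checks : the report to run as root on the OpenVPN server itself.
run_live_checks() {
    bridge_has_ports br0 eth0 tap0 && echo "ok: br0 has eth0 and tap0"
    iface_promisc eth0 && echo "ok: eth0 promisc flag set" || echo "warn: eth0 promisc flag not set"
    if bridge_nf_active; then
        forward_policy_ok "$(iptables -S FORWARD 2>/dev/null)" && echo "ok: FORWARD policy permits bridged traffic" ||
            echo "FAIL: br_netfilter feeds br0 frames to a DROP/REJECT FORWARD chain; add: iptables -I FORWARD -i br0 -o br0 -j ACCEPT"
    else
        echo "ok: br_netfilter is not filtering bridged frames"
    fi
    pool_in_subnet 10.70.0.50 255.255.252.0 10.70.2.1 10.70.2.254 && echo "ok: server-bridge pool lies inside 10.70.0.0/22"
    echo "next: while the client pings a LAN host, watch ARP on both sides of the bridge:"
    echo "  tcpdump -ni tap0 arp    # the client's who-has must show up here ..."
    echo "  tcpdump -ni eth0 arp    # ... and here; a reply seen on eth0 but never on tap0 points at the bridge or netfilter"
}

case "${1:-}" in
    --live) run_live_checks ;;
esac
```

Run it as root on the server with `sh bridge-check.sh --live`; without `--live` the file only defines the functions, so it can be sourced or exercised against fixture directories. The audit function takes any client config path, for instance the one pushed to the Windows machine.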