[Solved] Windows 10 OpenVPN Server NAT with redirect-gateway

matbkk
OpenVpn Newbie
Posts: 9
Joined: Fri Jan 15, 2016 11:49 am

[Solved] Windows 10 OpenVPN Server NAT with redirect-gateway

Post by matbkk » Sat Jan 16, 2016 1:27 pm

Hi,

I am trying to connect my computer to an OpenVPN server over IPv4 on port 1194.
First I am trying to have a tunnel configuration to watch French TV from abroad.
The connection between the server and the computer is fine, but when I am connected I do not have Internet anymore on the client.
The TAP and the Ethernet are bridged on the server (don't know if it is the right config).

The server is on the 10.0.1.0 network, gateway 10.0.1.11, DNS 10.0.1.11.

Here is my server config:

port 1194
proto udp

push "redirect-gateway def1"

dev tun

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"  
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"  # This file should be kept secret

dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo

persist-key
persist-tun

status openvpn-status.log
verb 3
Here is my client config:

client
dev tun
proto udp

remote my-server 1194

resolv-retry infinite

nobind

persist-key
persist-tun

ca "c:\\openvpn\\config\\ca.crt"
cert "c:\\openvpn\\config\\MF.crt"
key "c:\\openvpn\\config\\MF.key"  # This file should be kept secret

remote-cert-tls server

comp-lzo
verb 3
Server log:

Sat Jan 16 14:13:13 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan  4 2016
Sat Jan 16 14:13:13 2016 Windows version 6.2 (Windows 8 or greater)
Sat Jan 16 14:13:13 2016 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
Sat Jan 16 14:13:13 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Jan 16 14:13:13 2016 Need hold release from management interface, waiting...
Sat Jan 16 14:13:13 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Jan 16 14:13:13 2016 MANAGEMENT: CMD 'state on'
Sat Jan 16 14:13:13 2016 MANAGEMENT: CMD 'log all on'
Sat Jan 16 14:13:13 2016 MANAGEMENT: CMD 'hold off'
Sat Jan 16 14:13:13 2016 MANAGEMENT: CMD 'hold release'
Sat Jan 16 14:13:14 2016 Diffie-Hellman initialized with 1024 bit key
Sat Jan 16 14:13:14 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jan 16 14:13:14 2016 ROUTE_GATEWAY 10.0.1.11/255.255.255.0 I=25 HWADDR=10:6f:3f:d5:8e:88
Sat Jan 16 14:13:14 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jan 16 14:13:14 2016 MANAGEMENT: >STATE:1452949994,ASSIGN_IP,,10.8.0.1,
Sat Jan 16 14:13:14 2016 open_tun, tt->ipv6=0
Sat Jan 16 14:13:14 2016 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{7CED3B95-5934-45D5-A883-A06DE83852DA}.tap
Sat Jan 16 14:13:14 2016 TAP-Windows Driver Version 9.21 
Sat Jan 16 14:13:14 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {7CED3B95-5934-45D5-A883-A06DE83852DA} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Sat Jan 16 14:13:14 2016 Sleeping for 10 seconds...
Sat Jan 16 14:13:24 2016 NOTE: FlushIpNetTable failed on interface [28] {7CED3B95-5934-45D5-A883-A06DE83852DA} (status=1168) : Élément introuvable.  
Sat Jan 16 14:13:24 2016 MANAGEMENT: >STATE:1452950004,ADD_ROUTES,,,
Sat Jan 16 14:13:24 2016 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Sat Jan 16 14:13:24 2016 Warning: route gateway is not reachable on any active network adapters: 10.8.0.2
Sat Jan 16 14:13:24 2016 Route addition via IPAPI failed [adaptive]
Sat Jan 16 14:13:24 2016 Route addition fallback to route.exe
Sat Jan 16 14:13:24 2016 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Sat Jan 16 14:13:24 2016 UDPv4 link local (bound): [undef]
Sat Jan 16 14:13:24 2016 UDPv4 link remote: [undef]
Sat Jan 16 14:13:24 2016 MULTI: multi_init called, r=256 v=256
Sat Jan 16 14:13:24 2016 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sat Jan 16 14:13:24 2016 ifconfig_pool_read(), in='MF,10.8.0.4', TODO: IPv6
Sat Jan 16 14:13:24 2016 succeeded -> ifconfig_pool_set()
Sat Jan 16 14:13:24 2016 ifconfig_pool_read(), in='intelnuc,10.8.0.8', TODO: IPv6
Sat Jan 16 14:13:24 2016 succeeded -> ifconfig_pool_set()
Sat Jan 16 14:13:24 2016 IFCONFIG POOL LIST
Sat Jan 16 14:13:24 2016 MF,10.8.0.4
Sat Jan 16 14:13:24 2016 intelnuc,10.8.0.8
Sat Jan 16 14:13:24 2016 Initialization Sequence Completed
Sat Jan 16 14:13:24 2016 MANAGEMENT: >STATE:1452950004,CONNECTED,SUCCESS,10.8.0.1,
Sat Jan 16 14:13:29 2016 x.x.x.x:62508 TLS: Initial packet from [AF_INET]X.X.X.X:62508, sid=34005547 095ab405
Sat Jan 16 14:13:29 2016 x.x.x.x:62508 VERIFY OK: depth=1, C=FR, ST=Rhone, L=Lyon, O=Company, CN=OpenVPN, emailAddress=x.xxxx@domain.com
Sat Jan 16 14:13:29 2016 x.x.x.x:62508 VERIFY OK: depth=0, C=FR, ST=Rhone, O=Company, CN=MF, emailAddress=x.xxxx@domain.com
Sat Jan 16 14:13:30 2016 x.x.x.x:62508 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 16 14:13:30 2016 x.x.x.x:62508 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 16 14:13:30 2016 x.x.x.x:62508 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 16 14:13:30 2016 x.x.x.x:62508 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 16 14:13:30 2016 x.x.x.x:62508 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Sat Jan 16 14:13:30 2016 x.x.x.x:62508 [MF] Peer Connection Initiated with [AF_INET]X.X.X.X:62508
Sat Jan 16 14:13:30 2016 MF/x.x.x.x:62508 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sat Jan 16 14:13:30 2016 MF/x.x.x.x:62508 MULTI: Learn: 10.8.0.6 -> MF/X.X.X.X:62508
Sat Jan 16 14:13:30 2016 MF/x.x.x.x:62508 MULTI: primary virtual IP for MF/X.X.X.X:62508: 10.8.0.6
Sat Jan 16 14:13:32 2016 MF/x.x.x.x:215:62508 PUSH: Received control message: 'PUSH_REQUEST'
Sat Jan 16 14:13:32 2016 MF/x.x.x.x:62508 send_push_reply(): safe_cap=940
Sat Jan 16 14:13:32 2016 MF/x.x.x.x:62508 SENT CONTROL [MF]: 'PUSH_REPLY,redirect-gateway def1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: New in OpenVPN help with Server/Client config file

Post by Traffic » Sat Jan 16, 2016 1:33 pm

matbkk wrote:The TAP and the Ethernet are bridged on the server (don't know if it is the right config).
It is not right .. delete the bridge.

matbkk
OpenVpn Newbie
Posts: 9
Joined: Fri Jan 15, 2016 11:49 am

Re: New in OpenVPN help with Server/Client config file

Post by matbkk » Sat Jan 16, 2016 2:38 pm

Traffic wrote:
matbkk wrote:The TAP and the Ethernet are bridged on the server (don't know if it is the right config).
It is not right .. delete the bridge.
Bridge deleted:
I can connect to the server.
I have Internet access on the client, but the WAN IP is still the one of the client, not the one of the server.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: New in OpenVPN help with Server/Client config file

Post by Traffic » Sat Jan 16, 2016 2:45 pm


matbkk
OpenVpn Newbie
Posts: 9
Joined: Fri Jan 15, 2016 11:49 am

Re: New in OpenVPN help with Server/Client config file

Post by matbkk » Sat Jan 16, 2016 3:13 pm

Thanks Traffic.
I have enabled push "dhcp-option DNS 10.0.8.1" & push "redirect-gateway def1 bypass-dhcp".

I can connect to the server but I am completely losing the Internet access.

Is my TAP or TUN setting fine?
Shall I add more routing options?
Could you please check what is wrong in my config below? (I am on Windows; I do not know how to remove the comments.)

So far I am only modifying the SERVER config, shall I adjust anything on the CLIENT side?

port 1195
proto udp
dev tun

ca "c:\\openvpn\\config\\ca.crt"
cert "c:\\openvpn\\config\\server-jlf.crt"
key "c:\\openvpn\\config\\server-jlf.key"  # This file should be kept secret
dh "c:\\openvpn\\config\\dh1024.pem"

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "route 10.0.1.0 255.255.255.0"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 10.0.8.1"

keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log
verb 3

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: New in OpenVPN help with Server/Client config file

Post by Traffic » Sat Jan 16, 2016 3:30 pm

matbkk wrote:I have Enabled push "dhcp-option DNS 10.0.8.1"
matbkk wrote:The Server is on a 10.0.1.0 network gateway 10.0.1.11 DNS 10.0.1.11
:geek:
Traffic wrote:Please see:
HOWTO: Routing all client traffic (including web-traffic) through the VPN
Note the iptables requirement.

matbkk
OpenVpn Newbie
Posts: 9
Joined: Fri Jan 15, 2016 11:49 am

Re: New in OpenVPN help with Server/Client config file

Post by matbkk » Sat Jan 16, 2016 4:36 pm

Here we are:

Modified:
With these settings the server/client connection is fine, but there is no Internet connection on the client side:
push "dhcp-option DNS 10.0.1.11"
push "dhcp-option DNS 8.8.8.8"

If I add this line the server refuses to connect:
iptables -t nat -A POSTROUTING -j MASQUERADE

I don't know if my command is good, but on the HowTo I do not understand what I have to do.

matbkk
OpenVpn Newbie
Posts: 9
Joined: Fri Jan 15, 2016 11:49 am

Re: New in OpenVPN help with Server/Client config file

Post by matbkk » Sat Jan 16, 2016 5:17 pm

matbkk wrote:Here we are :
iptables -t nat -A POSTROUTING -j MASQUERADE
So I understand that I have to enable and configure iptables, but how do I do this with OpenVPN running on Windows 10?

Mat

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: New in OpenVPN help with Server/Client config file

Post by Traffic » Sat Jan 16, 2016 6:04 pm

iptables is only available for Linux.

You will have to try adding a static route to your network router.

Something along the lines of:
  • Route this network: 10.8.0.0/255.255.255.0
    Via this gateway: 10.0.1.x (where 10.0.1.x is the IP of your VPN server)

You will have to check your router documentation for details.
If that does not work you may be able to use C:\netsh to configure NAT in W10.
You will have to consult google (et al) for help on that .. we do not have a W10 example .. yet.

matbkk
OpenVpn Newbie
Posts: 9
Joined: Fri Jan 15, 2016 11:49 am

Re: New in OpenVPN help with Server/Client config file

Post by matbkk » Sat Jan 16, 2016 6:11 pm

Thanks Traffic, I did not try your suggestion yet.
But I found a way to redirect the Internet traffic with this post: topic7806.html

Using these settings on Windows 10:
Start -> Right-click My Computer -> Manage
Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start

Next:

Control Panel
Network and Sharing Center
Local Area Connection
Properties
Sharing
Tick the box "Allow other network users to connect through this computer's Internet connection"
From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.

regedit

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)


It Works !!!!
My only problem now is a DNS leak... :D
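The three steps above (Routing and Remote Access service, Internet Connection Sharing from the LAN adapter to the TAP adapter, and IPEnableRouter) can be applied and audited from an elevated PowerShell prompt. This is an added example, not code from the thread or from the OpenVPN project; it assumes the LAN adapter is named 'Ethernet' and that the TAP adapter's description begins with 'TAP-Windows Adapter V9' (the driver version shown in the server log), while 'RemoteAccess' is the standard service name behind "Routing and Remote Access".

```powershell
# Added example: apply and report the Windows 10 NAT steps used in this thread.
# Assumed names: LAN adapter 'Ethernet', TAP adapter description 'TAP-Windows Adapter V9*'.
#Requires -RunAsAdministrator
param(
    [string]$LanAdapterName       = 'Ethernet',
    [string]$TapDescriptionPattern = 'TAP-Windows Adapter V9*'
)

# 1. Routing and Remote Access (service name: RemoteAccess) set to Automatic and started
$svc = Get-Service -Name RemoteAccess
if ($svc.StartType -ne 'Automatic') { Set-Service -Name RemoteAccess -StartupType Automatic }
if ($svc.Status    -ne 'Running')   { Start-Service -Name RemoteAccess }

# 2. IPEnableRouter = 1 turns on IP forwarding between interfaces (takes effect after a reboot)
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$cur = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($cur -ne 1) {
    Set-ItemProperty -Path $tcpip -Name IPEnableRouter -Type DWord -Value 1
    Write-Output 'IPEnableRouter set to 1; a reboot is required before forwarding is active'
}

# 3. Internet Connection Sharing: LAN adapter is the public (Internet) side, TAP is the private side
$tap = Get-NetAdapter | Where-Object InterfaceDescription -like $TapDescriptionPattern | Select-Object -First 1
if (-not $tap) { throw "No TAP adapter matching '$TapDescriptionPattern' found" }
$mgr = New-Object -ComObject HNetCfg.HNetShare
foreach ($conn in $mgr.EnumEveryConnection) {
    $props = $mgr.NetConnectionProps.Invoke($conn)
    $cfg   = $mgr.INetSharingConfigurationForINetConnection.Invoke($conn)
    if ($props.Name -eq $LanAdapterName -and -not $cfg.SharingEnabled) {
        $cfg.EnableSharing(0)      # 0 = ICSSHARINGTYPE_PUBLIC
    } elseif ($props.Name -eq $tap.Name -and -not $cfg.SharingEnabled) {
        $cfg.EnableSharing(1)      # 1 = ICSSHARINGTYPE_PRIVATE
    }
}

# 4. Report the resulting state so the change can be verified and kept on record
[pscustomobject]@{
    RemoteAccess   = (Get-Service -Name RemoteAccess).Status
    IPEnableRouter = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter).IPEnableRouter
    TapAdapter     = $tap.Name
    Forwarding     = (Get-NetIPInterface -InterfaceIndex $tap.ifIndex -AddressFamily IPv4).Forwarding
}
```

Run it once, reboot for IPEnableRouter to take effect, then run it again and confirm the report shows RemoteAccess Running, IPEnableRouter 1 and Forwarding Enabled on the TAP adapter.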

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: New in OpenVPN help with Server/Client config file

Post by Traffic » Sat Jan 16, 2016 6:23 pm

Excellent work .. I did not know this was suitable for W10 .. thanks for letting me know 8-)

Regarding DNS leak .. OpenVPN has the Perfect solution:
See --block-outside-dns in The Manual v23x

You can either simply add block-outside-dns to your client config or push it from your server.
Make sure your server has a DNS solution in place. (FYI: Not suitable for WinXP)

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: [Solved] Windows 10 OpenVPN Server NAT with redirect-gat

Post by Traffic » Sat Jan 16, 2016 11:34 pm

Also, I would highly recommend you enable --tls-auth

See --tls-auth in The Manual v23x

And the HOWTO:
Hardening OpenVPN Security

Regards
