I give up trying to configure OpenVPN on Windows - need help

[phiNole]

Hello,
I'm sure this is something simple, which explains why I can't see it, but I can't get OpenVPN to work with Windows Server 2012 R2 and a Windows 8.1 client. Here are the configurations:

View OriginalServer

port 1194
proto udp
dev tun
ca ca.crt
cert WIN-CRHH9BLMSUF.crt
key WIN-CRHH9BLMSUF.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 60
persist-key
persist-tun
status openvpn-status.log
verb 3

View OriginalClient

client
dev tun
proto udp
remote -Dynamic DNS name for server here- 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert jlenker-lt01.crt
key jlenker-lt01.key
remote-cert-tls server
#tls-auth /etc/openvpn/ta.key 1
verb 3

I've configured firewalls on both ends to open port 1194 UDP, and the router is port-forwarding UDP requests on 1194 to the correct IP address. I've recreated the certs several times thinking that was my problem, but the end result is the same. The certs are created using easy-rsa and the CN and Name for the server is the same, as well as the CN and Name for the client are the same. In both instances, the CN/Name pair match the filename for the .crt and .key files. I've followed a couple of different guides found on the internet for generating certs and configuring this, but it has been a major pain and unsolvable for me at this point.

My goal is to connect this Windows 8.1 client, then to connect a client (using a new client cert of course) running Mac OSX and a utility like TunnelBlick. Thanks in advance for any help.

Client log (partial):
Tue Dec 06 22:48:50 2016 ROUTE_GATEWAY 192.168.4.1/255.255.252.0 I=3 HWADDR=c8:f7:33:8f:e0:2b
Tue Dec 06 22:48:50 2016 MANAGEMENT: Client disconnected
Tue Dec 06 22:48:50 2016 There are no TAP-Windows adapters on this system. You should be able to create a TAP-Windows adapter by going to Start -> All Programs -> TAP-Windows -> Utilities -> Add a new TAP-Windows virtual ethernet adapter.
Tue Dec 06 22:48:50 2016 Exiting due to fatal error

Could this be as simple as creating a TAP adapter on the client? Unfortunately I don't know what that is ...

Server log when attempting to connect is below. I have no idea why there is an error log using a netgear cert issuer.

Tue Dec 06 22:47:30 2016 OpenVPN 2.3.13 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Nov 3 2016
Tue Dec 06 22:47:30 2016 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Dec 06 22:47:30 2016 library versions: OpenSSL 1.0.1u 22 Sep 2016, LZO 2.09
Enter Management Password:
Tue Dec 06 22:47:30 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Tue Dec 06 22:47:30 2016 Need hold release from management interface, waiting...
Tue Dec 06 22:47:30 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25343
Tue Dec 06 22:47:30 2016 MANAGEMENT: CMD 'state on'
Tue Dec 06 22:47:30 2016 MANAGEMENT: CMD 'log all on'
Tue Dec 06 22:47:30 2016 MANAGEMENT: CMD 'hold off'
Tue Dec 06 22:47:30 2016 MANAGEMENT: CMD 'hold release'
Tue Dec 06 22:47:30 2016 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue Dec 06 22:47:31 2016 Diffie-Hellman initialized with 1024 bit key
Tue Dec 06 22:47:31 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 06 22:47:31 2016 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=13 HWADDR=d8:cb:8a:43:bf:1c
Tue Dec 06 22:47:31 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Dec 06 22:47:31 2016 MANAGEMENT: >STATE:1481082451,ASSIGN_IP,,10.8.0.1,
Tue Dec 06 22:47:31 2016 open_tun, tt->ipv6=0
Tue Dec 06 22:47:31 2016 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{11819E4A-25E7-4EF9-BE91-41BACF981AB6}.tap
Tue Dec 06 22:47:31 2016 TAP-Windows Driver Version 9.21
Tue Dec 06 22:47:31 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {11819E4A-25E7-4EF9-BE91-41BACF981AB6} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Tue Dec 06 22:47:31 2016 Sleeping for 10 seconds...
Tue Dec 06 22:47:41 2016 Successful ARP Flush on interface [17] {11819E4A-25E7-4EF9-BE91-41BACF981AB6}
Tue Dec 06 22:47:41 2016 MANAGEMENT: >STATE:1481082461,ADD_ROUTES,,,
Tue Dec 06 22:47:41 2016 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Tue Dec 06 22:47:41 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Dec 06 22:47:41 2016 Route addition via IPAPI succeeded [adaptive]
Tue Dec 06 22:47:41 2016 UDPv4 link local (bound): [undef]
Tue Dec 06 22:47:41 2016 UDPv4 link remote: [undef]
Tue Dec 06 22:47:41 2016 MULTI: multi_init called, r=256 v=256
Tue Dec 06 22:47:41 2016 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Dec 06 22:47:41 2016 ifconfig_pool_read(), in='jlenker-lt01,10.8.0.4', TODO: IPv6
Tue Dec 06 22:47:41 2016 succeeded -> ifconfig_pool_set()
Tue Dec 06 22:47:41 2016 IFCONFIG POOL LIST
Tue Dec 06 22:47:41 2016 jlenker-lt01,10.8.0.4
Tue Dec 06 22:47:41 2016 Initialization Sequence Completed
Tue Dec 06 22:47:41 2016 MANAGEMENT: >STATE:1481082461,CONNECTED,SUCCESS,10.8.0.1,
Tue Dec 06 22:47:46 2016 75.176.148.87:49581 TLS: Initial packet from [AF_INET]75.176.148.87:49581, sid=21725bdb c68e14e5
Tue Dec 06 22:47:46 2016 75.176.148.87:49581 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear_user, emailAddress=mail@netgear.com
Tue Dec 06 22:47:46 2016 75.176.148.87:49581 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Dec 06 22:47:46 2016 75.176.148.87:49581 TLS_ERROR: BIO read tls_read_plaintext error
Tue Dec 06 22:47:46 2016 75.176.148.87:49581 TLS Error: TLS object -> incoming plaintext read error
Tue Dec 06 22:47:46 2016 75.176.148.87:49581 TLS Error: TLS handshake failed
Tue Dec 06 22:47:46 2016 75.176.148.87:49581 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Dec 06 22:48:17 2016 75.176.148.87:54918 TLS: Initial packet from [AF_INET]75.176.148.87:54918, sid=3c4da98a 64eeca6f
Tue Dec 06 22:48:17 2016 75.176.148.87:54918 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear_user, emailAddress=mail@netgear.com
Tue Dec 06 22:48:17 2016 75.176.148.87:54918 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Dec 06 22:48:17 2016 75.176.148.87:54918 TLS_ERROR: BIO read tls_read_plaintext error
Tue Dec 06 22:48:17 2016 75.176.148.87:54918 TLS Error: TLS object -> incoming plaintext read error
Tue Dec 06 22:48:17 2016 75.176.148.87:54918 TLS Error: TLS handshake failed
Tue Dec 06 22:48:17 2016 75.176.148.87:54918 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 TLS: Initial packet from [AF_INET]74.219.81.115:56812, sid=5bc05146 a3c80a29
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 VERIFY OK: depth=1, C=US, ST=FL, L=StAugustine, O=BlackCypress, OU=BCC, CN=WIN-CRHH9BLMSUF, name=WIN-CRHH9BLMSUF, emailAddress=admin@blackcypresscapital.com
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 VERIFY OK: depth=0, C=US, ST=FL, L=StAugustine, O=BlackCypress, OU=BCC, CN=jlenker-lt01, name=jlenker-lt01, emailAddress=admin@blackcypresscapital.com
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 [jlenker-lt01] Peer Connection Initiated with [AF_INET]74.219.81.115:56812
Tue Dec 06 22:48:48 2016 jlenker-lt01/74.219.81.115:56812 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Tue Dec 06 22:48:48 2016 jlenker-lt01/74.219.81.115:56812 MULTI: Learn: 10.8.0.6 -> jlenker-lt01/74.219.81.115:56812
Tue Dec 06 22:48:48 2016 jlenker-lt01/74.219.81.115:56812 MULTI: primary virtual IP for jlenker-lt01/74.219.81.115:56812: 10.8.0.6
Tue Dec 06 22:48:50 2016 jlenker-lt01/74.219.81.115:56812 PUSH: Received control message: 'PUSH_REQUEST'
Tue Dec 06 22:48:50 2016 jlenker-lt01/74.219.81.115:56812 send_push_reply(): safe_cap=940
Tue Dec 06 22:48:50 2016 jlenker-lt01/74.219.81.115:56812 SENT CONTROL [jlenker-lt01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5' (status=1)

[TinCanTech]

Problem 1:

Client log (partial):
Tue Dec 06 22:48:50 2016 ROUTE_GATEWAY 192.168.4.1/255.255.252.0 I=3 HWADDR=c8:f7:33:8f:e0:2b
Tue Dec 06 22:48:50 2016 MANAGEMENT: Client disconnected
Tue Dec 06 22:48:50 2016 There are no TAP-Windows adapters on this system. You should be able to create a TAP-Windows adapter by going to Start -> All Programs -> TAP-Windows -> Utilities -> Add a new TAP-Windows virtual ethernet adapter.
Tue Dec 06 22:48:50 2016 Exiting due to fatal error

Could this be as simple as creating a TAP adapter on the client? Unfortunately I don't know what that is ...

Read your log ..

[TinCanTech]

Problem 2:

Server log
<..>
Tue Dec 06 22:47:30 2016 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.

Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN

• You are advised to change your server LAN to a more unique RFC1918 compliant subnet. f.e 192.168.143.0/24

[TinCanTech]

Problem 3:

Server log
<..>
Tue Dec 06 22:48:48 2016 74.219.81.115:56812 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

Read your log ..

[TinCanTech]

Problem 4:

Server log
<..>
Tue Dec 06 22:47:46 2016 75.176.148.87:49581 TLS: Initial packet from [AF_INET]75.176.148.87:49581, sid=21725bdb c68e14e5
Tue Dec 06 22:47:46 2016 75.176.148.87:49581 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear_user, emailAddress=mail@netgear.com
Tue Dec 06 22:47:46 2016 75.176.148.87:49581 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

I expect the client has the wrong certificate etc.

[phiNole]

Thanks for taking the time, but this does not help me. I don't know how to use a larger block size on a cipher, and I've created the certificate multiple times and have no idea why I see a generic CN and OU. I have explicitly NOT used those values at all, and don't have a clue how they are getting into this process.

So, instead of "read your log", do you or anyone else have something helpful? The log is not clear/helpful since I am completely new to this process.

[TinCanTech]

What do you think log files are for ?

[phiNole]

TinCanTech, I appreciate your willingness to help with such insight and detail to the logfiles I've posted. When I repeated that I don't know how to proceed with some of the aspects of this configuration, you quickly and efficiently gave me some context and assistance that was so incredibly helpful - it allowed me to know where to start solving this problem!

I wish I could say that. Instead, I'm going to say thanks for nothing. Condescension is seemingly what you do best.

[TinCanTech]

Your log files have provided at least four items you can fix ..

For Example:

Problem 1:

Client log (partial):
Tue Dec 06 22:48:50 2016 ROUTE_GATEWAY 192.168.4.1/255.255.252.0 I=3 HWADDR=c8:f7:33:8f:e0:2b
Tue Dec 06 22:48:50 2016 MANAGEMENT: Client disconnected
Tue Dec 06 22:48:50 2016 There are no TAP-Windows adapters on this system. You should be able to create a TAP-Windows adapter by going to Start -> All Programs -> TAP-Windows -> Utilities -> Add a new TAP-Windows virtual ethernet adapter.
Tue Dec 06 22:48:50 2016 Exiting due to fatal error

have you fixed that ?

Could this be as simple as creating a TAP adapter on the client? Unfortunately I don't know what that is ...

Read your log ..

I suggest you start here:
HOWTO: For OpenVPN Community Edition

'm going to say thanks for nothing. Condescension is seemingly what you do best

[what ever] ..Ciao

[TiTex]

I wish I could say that. Instead, I'm going to say thanks for nothing. Condescension is seemingly what you do best.

This is mostly off topic
well , he might have the wrong tone for the right reason sometimes , but since most of the guys whom are posting on these forums don't take the time to read the documentation , or don't even try to figure it out on their own i would say he has that right.

Networking is not for everybody , like webdesign or any other technology is not for everybody ... at least not for somebody who doesn't like it or doesn't want to learn , that being said we the "forumers" are not paid support team so we expect or at least i'm expecting you the guy who asked for help to take at least the time to investigate and try to solve the issue after you have been pointed in the right direction, you know google is for everybody.
1. https://lmgtfy.com/?q=openvpn+Add+a+new ... et+adapter - 3rd link also "You should be able to create a TAP-Windows adapter by going to Start -> All Programs -> TAP-Windows -> Utilities -> Add a new TAP-Windows virtual ethernet adapter." from the log
2. self explanatory
3. https://lmgtfy.com/?q=openvpn+cipher+options - 2nd link ( probably messed up the PKI )
4. https://lmgtfy.com/?q=openvpn+client+certificate - any link on first page (probably messed up the PKI)

this might help https://openmaniak.com/openvpn_pki.php

[phiNole]

Hello,

I decided to start over with v2.4 and scrapped everything that was attempted with v2.3. After regenerating the certificates and using the new config options in the v2.4 server and client config files, everything works. The only caveat was that if the server is started via a right-click on the server.ovpn config file, there are several permission/access denied problems encountered on operations like CreateIpForwardEntry. If I run the OpenVPN GUI as Admin, these permission problems are not encountered. I'm not sure how to elevate permissions for executing the server from command line/right-click on the config file, but starting it as a daemon/service works fine. This is OPPOSITE of what the HOWTO directs you to do.

There were no problems creating a TAP-Windows adapter in 2.4, nor were there problems with PKI/Ciphers, nor with the TLS negotiation. I noticed an option in the 2.4 config that I did not notice in 2.3:

tls-auth ../easy-rsa/keys/ta.key 0

This portion of the config is new in 2.4 as well, which I believe overcame the 2.3 log entries regarding "insecure cipher"

# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.

Finally, as some constructive feedback to the other members of this forum who obviously have experience with this software:

I'm an IT professional, I know how to Google. I use it everyday to find information and troubleshoot problems in the SharePoint world where I act as a consultant. I'm an experienced software developer, a freelance web designer and have managed both Linux and Windows servers for years but am unfamiliar with VPN software and needed to establish a VPN for a client. Trust me, I Googled various items in that logfile pertaining to the 2.3 difficulties without any clarity. The TAP adapter never showed up when I ran the utility in 2.3, so I assumed I didn't know what it was since it didn't appear in Windows Network Connections. I also could not understand the generic netgear entries pertaining to the certs, especially when I painstakingly generated the server and client certs at least 3 times to ensure I did it correctly with matching values where necessary. The cipher entries were also misleading since I used the defaults in the sample config files and apparently that wasn't sufficient in 2.3. I made no changes to my process with 2.4 and suddenly the cipher problems disappeared. I say all that to make this point:

I always use forums as a last resort. I don't want to use them since I prefer to be resourceful and self-reliant. However, when I posted on this forum, the dismissal of "go read the logfile" is not only rude, it's not helpful. Assuming I did 0 research into the log entries I posted was the wrong assumption, especially when I receive a response of "What do you think logfiles are for?" How condescending is that? Imagine if your car broke down and having little expertise in a specific area of the automotive world, you took it to a mechanic. He runs the diagnostic software on the vehicle, then hands you the printout and says "Here, go fix what it says." That's how I felt reading these responses.

Responses such as these come from a person who shouldn't be monitoring help forums for software. That person obviously does not have the temperament nor patience to support people that need help. Assuming everyone is a lazy moron is exactly the opposite attitude you should have if you're going to make yourself available to assist someone. If you're not going to show a bit of patience or interest in helping someone, then please don't even respond to posts like mine. You come off as a rude prick. I suggest being a bit more interested in what the poster has to say, and more patient. Ask more questions, for example, instead of "Read your log" or "Have you fixed that?", say "Try running the TAP Adapter from Program Files, and if it doesn't appear, you may need to run the explicit batch file itself" - since that is exactly what happened to me. I did not see anything like that in the documentation, so of course I didn't know how to proceed.

On a positive note, this response was actually very helpful, and I directed my client to change the subnet on his router:

":arrow: Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN
You are advised to change your server LAN to a more unique RFC1918 compliant subnet. f.e 192.168.143.0/24"

So, thank you, I guess, but please consider how you respond to people on this forum. Assume the best, not the worst.

[TiTex]

I'm not running an openvpn server on windows but as far as i know you just have to start the service from the services mmc (Start -> Run -> services.msc ) that will load any config found in Program Files/Openvpn/config.
Another way would be to open a command prompt (cmd) or powershell console for that matter with admin privileges (run as administrator) and run

Code: Select all

openvpn --config path/to/your/config.ovpn

or an even better way would be to create a shortcut for command prompt somewhere easily accessible lets say on the desktop , right click on the shortcut -> properties
in the target box enter something like

Code: Select all

%windir%\system32\cmd.exe /k openvpn --config "C:\Program Files\OpenVPN\config\vpnserver.ovpn"

Note that openvpn binary needs to be in your path
Click on the "Advanced" button on the same tab and tick the "Run as administrator" checkbox.

as for the rest of your message , i guess you also have a point