Hi, please excuse my lack of expertise in networking. I've read several posts on this forum and on Google, but couldn't resolve the issue. I feel like I am pretty close to getting OpenVPN set up the way I want. I am hoping to resolve the last issue of not being able to access the internet when the VPN is connected. The OpenVPN server is installed on a Windows 10 PC in an office. The OpenVPN client is installed on a laptop I carry around while I am out in the field. I want to access a Windows Samba share on the Windows 10 PC through the VPN, but allow the rest of the internet traffic to NOT go through the VPN server. As of now, I can access the Samba share when the VPN is connected, but I have no internet. I am not sure if it has something to do with the client not having a default gateway for the TAP adapter, or with IP forwarding only being enabled on the server. Server subnet is 192.168.2.1, server LAN IP is 192.168.2.10, client subnet is 10.62.81.1, client LAN IP is 10.62.81.15, VPN subnet is 10.8.0.0, client VPN IP is 10.8.0.2, server VPN IP is 10.8.0.1. The config files are below. Any help on this is GREATLY appreciated!
Server Config
dev tun
dev-node OpenVPN
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key" # This file should be kept secret
I want to access a Windows Samba share on the Windows 10 PC through the VPN, but allow the rest of the internet traffic to NOT go through the VPN server. As of now, I can access the Samba share when the VPN is connected, but I have no internet.
#push "route 10.8.0.1 255.255.255.0" # Not required
#push "route 10.8.0.0 255.255.255.0" # Not required
push "route 192.168.2.1 255.255.255.0" # This is correct, but see note 1
#push "route-metric 512" # Not required
#push "redirect-gateway def1" # Not required
#push "dhcp-option DNS 8.8.8.8" # See note 2
#push "dhcp-option DNS 8.8.4.4" # See note 2
Notes:
1. 192.168.2.0/24 is a common subnet and could cause you routing conflicts in the future.
It is recommended that you change your server LAN to something more unique, e.g. 192.168.147.0/24.
2. These will not work as you expect on Windows.
You will be setting your DNS servers to 8.8.8.8 & 8.8.4.4, but they will not be routed through the VPN.
If you want your DNS to use the VPN in Windows, you must use --block-outside-dns (can be pushed).
OMG, you are a lifesaver. I changed the subnet according to your note 1 to 192.168.150.0/24. I also added push "block-outside-dns" and commented out the other push lines as you suggested. Now, when connected to the VPN, I have internet access, and my public IP shows I am accessing the internet NOT through the VPN, which is what I wanted. Unfortunately, I now DON'T have access to the Samba shares for some reason. Any ideas that may help in getting access back to the Samba shares? Thanks so much!!
I changed the subnet according to your note 1 to 192.168.150.0/24
You must actually change that subnet on your server LAN and all the devices (e.g. printer) connected to that LAN, not just change the line in the config.
Duh, sorry. I changed the server LAN and all devices on the LAN to 10.32.55.100. The server LAN IP is now 10.32.55.110. However, I still don't have access to the Samba share. I am really puzzled as to what happened. Again, your help is greatly appreciated!
Server config
port 2592
proto udp4
dev tun
dev-node OpenVPN
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key" # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.32.55.110 255.255.255.0"
push "block-outside-dns"
keepalive 10 120
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 2
I enabled IP forwarding by going to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters in regedit and changing IPEnableRouter to "1". I am not sure how to make sure the firewall allows IP forwarding. I only have Windows Firewall. I tried accessing the Samba share while the firewall was turned off, and I still couldn't access the Samba share. I did create Windows Firewall rules to allow all the File and Printer Sharing, and ports 135-139 and 445 for both TCP and UDP. I did port forwarding on my router as well, for ports 135-139, 445 and 2592. I also checked to make sure the Routing and Remote Access service is enabled and Automatic. I really appreciate your help here again.
I am a novice at best outside of the Windows environment unfortunately. I was hoping the setup I need could be accommodated by Windows. Are you suggesting a Linux OS? If so, which one, and are there any common pitfalls I should watch out for? Thanks again.
I am a novice at best outside of the Windows environment unfortunately. I was hoping the setup I need could be accommodated by Windows. Are you suggesting a Linux OS? If so, which one, and are there any common pitfalls I should watch out for? Thanks again.
I am going to help you set up OpenVPN running on Windows. You need to post here what you did, the full server and client config, and what version of Windows 10 you use.
Thanks 300000. I appreciate the input from TinCanTech as well, as I read many posts about the horror stories of Windows networking being inconsistent. Please see the full config below. I have added port forwarding and static routes to the router settings on the server side. I created incoming rules for Windows Firewall on ports 135-139 and 445 for TCP and UDP on the server machine. The server and client are both running Windows 10 Pro. In the client log, I did notice one error. I am not sure what it means. Thanks for all the help.
exception parsing IPv4 route: [route] [10.32.55.100] [255.255.255.0] : tun_prop_error: route is not canonical
Server config
port 2592
proto udp4
dev tun
dev-node OpenVPN
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key" # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.32.55.100 255.255.255.0"
push "block-outside-dns"
keepalive 10 120
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 2
persist-key
persist-tun
status openvpn-status.log
verb 4
explicit-exit-notify 1
Client config
client
dev tun
proto udp4
remote vkcpa.mynetgear.com 2592
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
verb 4
Can you tell me what version of Windows 10 you installed? Is this Windows Home or a Windows Server operating system? There are differences between Windows Home and Windows Server, so I need to know before giving you some advice.
Why do you want to push route 10.32.55.100? What is the address of the Samba server on the server LAN?
On the server LAN, do you have any DNS server service running or not?
You said Samba file share. Is this running on Linux or Windows?
In order to access files over VPN you need the WINS service, which can be installed on Windows Server, or you can make the Samba server act as WINS, so over the internet you can access the file server as \\mycomputer.local\file rather than \\192.168.2.*\file.
The server and client are both running Windows 10 Pro; I don't know if you need any additional version info. I am not running a Windows Server OS. The LAN subnet of the server is 10.32.55.100. The local IP of the server (also where the Samba share is) is 10.32.55.110. The server is a basic PC running Windows 10 Pro, with a shared folder. All other devices on the server LAN have access to this shared folder, mapped as a network drive. I hope this is enough info? I really don't know much about the WINS service.
Rename the internet network card and the OpenVPN network card so it makes things simple.
Click the internet network card and choose Properties, then the Sharing tab.
Tick "Allow other network users to connect through this computer's internet connection".
On the drop-down choose the OpenVPN network card if it is present and click OK.
Right-click the OpenVPN network card, choose Properties, choose IPv4 and set its IP as 10.8.0.1, subnet mask 255.255.255.0.
This will make Windows do LAN routing across all network cards.
Go to Services, choose Internet Connection Sharing and set it to Automatic.
Go to Services, find Routing and Remote Access and set it to Automatic.
Just disable the firewall to make the connection work first; after it works, come back to the firewall and change it later.
After that, restart the computer and check that every service has been started, so your OpenVPN running on Windows will route over all network cards and the client can get through.
When you connect the client to the server, if it works, just try to go to the file share: click Search, type \\10.32.55.110 and press Enter.
This server config does not route all internet traffic through the VPN, only the file share.
I made a copy of your server config for testing; you can try it and see if it works for you or not.
port 2592
proto udp4
ip-win32 manual
dev tun
dev-node OpenVPN
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
push "route 10.32.55.0 255.255.255.0 vpn_gateway"
topology subnet
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 0
cipher AES-256-CBC
comp-lzo
max-clients 2
persist-key
persist-tun
status openvpn-status.log
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
register-dns
Thank you 300000 and TinCanTech. I changed one of the server config lines from push "route 10.32.55.100 255.255.255.0" to push "route 10.32.55.0 255.255.255.0". I got the thought to change this line based on 300000's recommendation above, and now I have access to the shared drive. I guess the 4th segment of the subnet must be 0. The only concern I have now is the error below, which shows up like 50 times. Any ideas on what's causing this error? And is this something I can safely ignore, or is it a critical issue? Please advise. Thank you so much for your help.
MULTI: bad source address from client [10.25.92.101], packet dropped
MULTI: bad source address from client [10.25.92.101], packet dropped
MULTI: bad source address from client [10.25.92.101], packet dropped
MULTI: bad source address from client [10.25.92.101], packet dropped
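As an added example (not code from any post in this thread), a small Python lint for the three server-config pitfalls discussed above: a pushed route whose host bits are not zero (the "route is not canonical" tun_prop_error), a pushed redirect-gateway that would defeat the split tunnel, and DNS pushed without block-outside-dns (TinCanTech's note 2). The sample config is constructed from the lines posted earlier; PUSH_RE, lint_config and the other names are mine.

```python
"""Added example: lint an OpenVPN server config for the split-tunnel pitfalls in this thread
(non-canonical pushed route, pushed redirect-gateway, DNS pushed without block-outside-dns)."""
import ipaddress
import re

PUSH_RE = re.compile(r'^\s*push\s+"([^"]+)"')

# Constructed sample, modelled on the server config posted above.
SAMPLE_CONFIG = """\
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.32.55.100 255.255.255.0"   # host bits set -> 'route is not canonical'
push "block-outside-dns"
#push "redirect-gateway def1"             # commented out, so the split tunnel is kept
"""

def parse_push_directives(config_text):
    """Return the text inside every active push "..." line, with comments stripped."""
    pushed = []
    for line in config_text.splitlines():
        match = PUSH_RE.match(line.split("#", 1)[0])
        if match:
            pushed.append(match.group(1).strip())
    return pushed

def canonical_route(network, netmask):
    """Return (is_canonical, canonical_network); OpenVPN rejects routes whose host bits
    are set, and zeroing them is the fix (10.32.55.100/255.255.255.0 -> 10.32.55.0)."""
    net = ipaddress.IPv4Network((network, netmask), strict=False)
    return str(net.network_address) == network, str(net.network_address)

def lint_config(config_text):
    """Return a list of findings; an empty list means none of the three pitfalls is present."""
    findings = []
    pushed = parse_push_directives(config_text)
    for directive in pushed:
        parts = directive.split()
        if parts and parts[0] == "route" and len(parts) >= 3:
            ok, fixed = canonical_route(parts[1], parts[2])
            if not ok:
                findings.append(f"route {parts[1]} {parts[2]} is not canonical; "
                                f"use route {fixed} {parts[2]}")
    if any(d.startswith("redirect-gateway") for d in pushed):
        findings.append("redirect-gateway is pushed: all client traffic will use the VPN")
    if any(d.startswith("dhcp-option DNS") for d in pushed) and "block-outside-dns" not in pushed:
        findings.append("dhcp-option DNS pushed without block-outside-dns (see note 2)")
    return findings
```

Running lint_config(SAMPLE_CONFIG) reports only the non-canonical route and suggests route 10.32.55.0 255.255.255.0, the same change that fixed the share access above.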