Can't ping LAN behind VPN server

[stentor]

Dear all,

server: win2008

Code: Select all

port 1194
proto udp
dev tun
dev-node VPN
ca "C:\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\OpenVPN\\easy-rsa\\keys\\server.key" 
dh "C:\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 11.10.10.0 255.255.255.0"
tls-server
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

client: win7

Code: Select all

client
dev tun
dev-node VPN
proto udp
remote 62.87.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "c:\\openvpn\\config\\ca.crt"
cert "c:\\openvpn\\config\\klient02.crt"
key "c:\\openvpn\\config\\klient02.key"
ns-cert-type server
comp-lzo
verb 3

Can't ping LAN 11.10.10.0/24 (behing OpenVPN server) from client. I can't even ping OpenVPN LAN interface 11.10.10.1.
CAN ping 10.8.0.1 (OpenVPN virtual interface) from client - the tunnel is UP.
Any firewalls on windows are turned off.

[maikcat]

hi there,

is routing enabled on 2008 server?

cheers,

michael

[stentor]

hi there,

is routing enabled on 2008 server?

cheers,

michael

What do You mean exactly by that?

regards
GN

[maikcat]

when a pc has 2 network interfaces (2 physical nics,or virtual) that they
belong in different ip subnet, and you want to pass traffic from one
interface to another this is called "routing" , every ms os has this DISABLED by default,

f.e on win2003 you must do the following to enable it:

using regedit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the following registry value:
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1 <--by default this is 0 (disabled)
you need reboot after that...

cheers,

michael

[arbalyst]

I recently did an install on Windows Server 2008 (today actually ) encountered loads of fun problems with it. Possibly the same you're having, first thing is, do you have OpenVPN on the server set to automatically start, or are you launching by right clicking (or gui) on the server script?
If you have it set to automatically start, do you have it on delayed start ? This was actually the last problem I encountered, OpenVPN was starting before the network services did, in turn, it prevented it me from pinging the vpn server address (10.8.0.1 in my case). By enabling delayed automatic start, it sorted that problem.

Another issue I had was with windows server firewall itself, despite turning it off, it still blocked connections (yeah, I know!). Make sure you to the advanced mode of windows firewall, (type in wf.msc into a run box, quickest way), go to the middle look for "windows firewall properties", go through the domain, public and private profile tabs, go to "protected network connections" and click customise, untick your windows tap driver from that list. Do that on all 3 tabs, I think it was the private tab that gave me the problem, but just to be sure. Next create an inbound firewall rule, select "port", select udp, "allow the connection", apply it to the three profiles (this is all in the wizard" and give it a name. Do the same for outbound connection.

Finnnnnnnnnnnnnaly, have you got the port forward in your router correctly?

[stentor]

enabling routing (done by modyfying register) solved my issue

question:
can I restrict access for vpn users only to one IP and one port, for example 11.10.10.2 port 1433 on remote LAN?

[krzee]

yes, in your server firewall, or on the lan machine's firewall

[stentor]

Can I restrict this access inside OpenVPn server configuration?

[krzee]

no it needs to be done in a firewall