OpenVPN Support Forum

opapanik wrote:I am now thinking of setting up a linux machine for the sole purpose of locating the problem

I ditched windows completely and never looked back

opapanik wrote:1. added routing from 10.20.31.0/24 (VPN addresses) to 10.20.30.10 (LAN IP of windows VPN server)

You might expect this to work .. but .. instead, select a host you want to be able to ping over the VPN and add static routes to it.

opapanik wrote:So far I have only tried to make the server-side LAN accessible to the VPN client. I have NOT also activated the configuration settings that would allow access to the client-side LAN. You think that could be a problem and I should try to enable them both at the same time?

NO .. you do not require routing both ways because the server LAN host will only see the VPN IP.

Do not try to use the server log at high verb-age to confirm packet transmission, that is not what the log is telling you. Use Wireshark on the server (or other sniffer) to determine where the packets are discarded.

TinCanTech wrote:I ditched windows completely and never looked back

I do not disagree but it's a big discussion.

TinCanTech wrote:

opapanik wrote:1. added routing from 10.20.31.0/24 (VPN addresses) to 10.20.30.10 (LAN IP of windows VPN server)

You might expect this to work .. but .. instead, select a host you want to be able to ping over the VPN and add static routes to it.

I am not really sure I understand what you say I should switch it to. This was according to the HOWTO:
"The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs 192.168.4.0/24 to the OpenVPN server box (you won't need this if the OpenVPN server box is the gateway for the server LAN)."
and as far as I can tell it is the reason I can ping from any LAN machine to the VPN client. It is referred as static routing on the router.

TinCanTech wrote:NO .. you do not require routing both ways because the server LAN host will only see the VPN IP.

Thanks for clearing this.

TinCanTech wrote:Do not try to use the server log at high verb-age to confirm packet transmission, that is not what the log is telling you. Use Wireshark on the server (or other sniffer) to determine where the packets are discarded.

True but at least as a quick and dirty trick I could confirm the ping is routed from the client through the VPN and reaches the server, no? The problem begins there..

Ok here's a good one:

if I initiate pings from both sides (as in LAN machine > VPN client and vice versa) at almost the same time, the VPN client sees the LAN machine (gets replies to its pings)!!!

Even more strange, for some of the LAN clients this lasts only a few minutes: the VPN client gets replies to its pings for some minutes after the initial "meeting". After a while it does not, and a new ping from the LAN machine toward the VPN client is required for the latter to "see" the LAN machine again!

For other LAN clients it seems to be a once-I-saw-you-I-know-you kind of thing and the VPN client can find them after the initial "meeting".

There are two switches in my network a 100mbps and a 1gbps. (I do turn off all network hardware when I have routing problems and have done it already before posting here)
Could it be a switching (hardware) problem?

Windows firewall is a stateful firewall.
My guess:
Your Windows firewall is not completely shutdown.
It remembers the state for a "certain time" of the ping coming from LAN machine going to VPN client.
If ping the other way and it succeeds then the state is still in the state table.
After a "certain time" the state is deleted from the state table and ping will not succeed.

Checked windows firewall like that:
Open Network and Sharing Center > Windows Firewall > Turn Windows Firewall On or Off > Off (for both Home or Work and Public networks)
Continued to Advanced Settings > Windows Firewall Off (reported) for Domain Profile, Private Profile and Public Profile
(menu) Action > Properties > (for every one of the 3 profiles) Customize (protected network connections) > unchecked TAP adapter
Continued to Monitoring > Windows Firewall Off (reported) for all networks

Shut everything (hardware) down. Restarted. No changes in my situation.

Setting aside this strange behaviour and returning to the problem. Talking about the unsuccessful pings from VPN client > LAN machines now:

I have confirmed that all pings from the VPN client reach their LAN targets. It's the answer that cannot get back to the VPN client.
So I guess I have a routing problem. But how can it be that (from LAN machines) answers to pings are not routed when initiating pings are ?

Nailed it! It's the router. A new TP-Link TD-W9977 VDSL N300 router.

Had to dig up my old ADSL router (TP-Link TL-WR340G). As soon as I set it up using same subnets and all and put it in place, bam! Problem gone!

Probably a firmware bug with the TD-W9977. Now I have to contact TP-Link..

Thanks everyone.

Thanks for letting us know what the real cause of the problem

Ah yup, if it`s not routing correctly that would explain it.
Happy VPN`ing :tumbsup:

Correction: the TL-WR340G is not ADSL, just (wireless) router.
Anyway, I posted in TP-Link's forum.

Thanks again.

Is there any real doubt ?

I'm sorry, I don't get you. Doubt about what?

If it is openvpn at fault .. or not ?

Oh no, OpenVPN is fine I guess.
As I said above all I did was switch hardware and the problem was gone. The only setup I did was on the old router cause it had defaults like 192.168.0.1 and stuff. Didn't touch any PCs or Androids.
Sorry if it wasn't clear (English not my native language)

So, simple hardware change and problem gone, seems clear cut who's at fault, to me. Have informed TP-Link and asked to address the probable firmware bug of TD-W9977.

Waiting for reply.

I would like to reopen this thread as i am at the same boat with our friend but tried 3 different routers and NONE solved the problem... In fact im doing EXACTLY what i used to do and it was working o ly now it doesnt work... There must be an error somewhere else and not the router... If somebody reads this ill post my details

horhe713 wrote: ↑

Fri Dec 25, 2020 2:31 am

If somebody reads this ill post my details

You need to ping server on its LAN address 10.20.30.10
If this suceeds, it is because you have not turned "ipv4_forward" on at VPN server.
Thus it will not route an incoming traffic with destination not itself.