Windows 7 as OpenVPN server with redirect-gateway

[vovsen]

have tried the example but I'm having dificult to the statement:
Tick the box "Allow other network users to connect through this computer's Internet connection"
From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.
There doesn't drop any list down makes it impossible to select the TAP connection. have tried to brigde it but it doesn't do anything. both the client and the server give green light when run. and the logs don't show any errors. neither can I ping either sides.

The server's log:
Tue Nov 06 21:23:56 2012 pc-30/89.236.13.177:61472 SIGTERM[soft,remote-exit] received, client-instance exiting
Tue Nov 06 21:24:15 2012 MULTI: multi_create_instance called
Tue Nov 06 21:24:15 2012 89.236.13.177:61542 Re-using SSL/TLS context
Tue Nov 06 21:24:15 2012 89.236.13.177:61542 LZO compression initialized
Tue Nov 06 21:24:15 2012 89.236.13.177:61542 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Nov 06 21:24:15 2012 89.236.13.177:61542 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Nov 06 21:24:15 2012 89.236.13.177:61542 Local Options hash (VER=V4): '530fdded'
Tue Nov 06 21:24:15 2012 89.236.13.177:61542 Expected Remote Options hash (VER=V4): '41690919'
Tue Nov 06 21:24:15 2012 89.236.13.177:61542 TLS: Initial packet from 89.236.13.177:61542, sid=1edbfe75 5660451a
Tue Nov 06 21:24:15 2012 89.236.13.177:61542 VERIFY OK: depth=1, /C=DK/ST=DK/L=Bagsvaerd/O=Beregnerservice/OU=Malerkalk/CN=pc30/name=changeme/emailAddress=vif@itogav.dk
Tue Nov 06 21:24:15 2012 89.236.13.177:61542 VERIFY OK: depth=0, /C=DK/ST=DK/L=Gentofte/O=Beregnerservice/OU=support/CN=pc-30/name=changeme/emailAddress=vif@itogav.dk
Tue Nov 06 21:24:16 2012 89.236.13.177:61542 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 06 21:24:16 2012 89.236.13.177:61542 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 06 21:24:16 2012 89.236.13.177:61542 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 06 21:24:16 2012 89.236.13.177:61542 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 06 21:24:16 2012 89.236.13.177:61542 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Nov 06 21:24:16 2012 89.236.13.177:61542 [pc-30] Peer Connection Initiated with 89.236.13.177:61542
Tue Nov 06 21:24:16 2012 pc-30/89.236.13.177:61542 MULTI: Learn: 10.0.0.6 -> pc-30/89.236.13.177:61542
Tue Nov 06 21:24:16 2012 pc-30/89.236.13.177:61542 MULTI: primary virtual IP for pc-30/89.236.13.177:61542: 10.0.0.6
Tue Nov 06 21:24:18 2012 pc-30/89.236.13.177:61542 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 06 21:24:18 2012 pc-30/89.236.13.177:61542 SENT CONTROL [pc-30]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5' (status=1)


the clients log:
Tue Nov 06 21:24:07 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Tue Nov 06 21:24:07 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Nov 06 21:24:07 2012 LZO compression initialized
Tue Nov 06 21:24:07 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Nov 06 21:24:07 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Nov 06 21:24:07 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Nov 06 21:24:07 2012 Local Options hash (VER=V4): '41690919'
Tue Nov 06 21:24:07 2012 Expected Remote Options hash (VER=V4): '530fdded'
Tue Nov 06 21:24:07 2012 UDPv4 link local: [undef]
Tue Nov 06 21:24:07 2012 UDPv4 link remote: 93.167.4.126:1194
Tue Nov 06 21:24:07 2012 TLS: Initial packet from 93.167.4.126:1194, sid=ef28ac0f 75df05b3
Tue Nov 06 21:24:07 2012 VERIFY OK: depth=1, /C=DK/ST=DK/L=Bagsvaerd/O=Beregnerservice/OU=Malerkalk/CN=pc30/name=changeme/emailAddress=vif@itogav.dk
Tue Nov 06 21:24:07 2012 VERIFY OK: nsCertType=SERVER
Tue Nov 06 21:24:07 2012 VERIFY OK: depth=0, /C=DK/ST=DK/L=Bagsvaerd/O=Beregnerservice/OU=changeme/CN=changeme/name=changeme/emailAddress=vif@itogav.dk
Tue Nov 06 21:24:08 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 06 21:24:08 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 06 21:24:08 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 06 21:24:08 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 06 21:24:08 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Nov 06 21:24:08 2012 [changeme] Peer Connection Initiated with 93.167.4.126:1194
Tue Nov 06 21:24:10 2012 SENT CONTROL [changeme]: 'PUSH_REQUEST' (status=1)
Tue Nov 06 21:24:10 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5'
Tue Nov 06 21:24:10 2012 OPTIONS IMPORT: timers and/or timeouts modified
Tue Nov 06 21:24:10 2012 OPTIONS IMPORT: --ifconfig/up options modified
Tue Nov 06 21:24:10 2012 OPTIONS IMPORT: route options modified
Tue Nov 06 21:24:10 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Nov 06 21:24:10 2012 ROUTE default_gateway=192.168.2.1
Tue Nov 06 21:24:10 2012 TAP-WIN32 device [OpenVPN-1] opened: \\.\Global\{268CB66C-B6CC-4551-ADEA-46A5AE82464F}.tap
Tue Nov 06 21:24:10 2012 TAP-Win32 Driver Version 9.9
Tue Nov 06 21:24:10 2012 TAP-Win32 MTU=1500
Tue Nov 06 21:24:10 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.0.6/255.255.255.252 on interface {268CB66C-B6CC-4551-ADEA-46A5AE82464F} [DHCP-serv: 10.0.0.5, lease-time: 31536000]
Tue Nov 06 21:24:10 2012 Successful ARP Flush on interface [393220] {268CB66C-B6CC-4551-ADEA-46A5AE82464F}
Tue Nov 06 21:24:12 2012 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Tue Nov 06 21:24:12 2012 Route: Waiting for TUN/TAP interface to come up...
Tue Nov 06 21:24:14 2012 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Nov 06 21:24:14 2012 C:\WINDOWS\system32\route.exe ADD 93.167.4.126 MASK 255.255.255.255 192.168.2.1
Tue Nov 06 21:24:14 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.0.5
Tue Nov 06 21:24:14 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.0.5
Tue Nov 06 21:24:15 2012 C:\WINDOWS\system32\route.exe ADD 10.0.0.1 MASK 255.255.255.255 10.0.0.5
Tue Nov 06 21:24:15 2012 Initialization Sequence Completed.

Hope somebody can figure out what to do.

Best regards
Villy

[brazil_1983]

1)push "redirect-gateway def1"
with this method u redirect every outgoing connection trough the openvpn ... is there a way to redirect only some of the connections? (for example according to ips/subnets?)

2)is there away to choose the redirection according to the client and not the server (i mean the clinet should choose if to use the server for the connections or not in my opinion

Yes on both accounts. Those two are best answered together. See this code (this code is for client.ovpn):

Code: Select all

route-nopull
route remote_host 255.255.255.255 net_gateway
route 126.21.20.256 255.255.255.255 10.0.0.1

"route-nopull" tells the client to ignore any routes pushed from the server (so, it will ignore "redirect gateway").
"route remote_host 255.255.255.255 net_gateway" tells Windows that the route to the VPN server is via the default Internet connection.
"route 126.21.20.0 255.255.255.0 10.0.0.1" tells Windows that all connections to subnet 126.21.20.x should be routed through 10.0.0.1 (VPN server LAN IP)

3) ithe dns solution seems kind of weird .. what if my server cant use the google dns? (which it cant) is there another way to slove that? (like using the openvpn server as dns so it will use it own or something like it )

Not sure yet, sorry though. If you or any of the experts does know the answer, please do share. I think it will be something very simple and obvious. After all, Windows 7 has built in DNS service, so it must be something to do with that. Potentially, you may need some 3rd party DNS serving tool.

4)u said it is unknown if the 3 tweaks are needed... is there anything new about that subject? its kind of weird to tweak a machine for no reason (yet i will do it... just need it to work)

thanks for all the help!
er.

The reason its unknown (its only unknown by me) is that I tried to set up the server with these 3 tweaks and it worked. What I didn't do, was go back and get it working without just 1 tweak at a time. Its essentially just a time/effort limitation on my behalf. If you can do that and report back it would be excellent.. If not, I do intend to do that myself soon too -- thank you for the reminder.

Hi, i have a problem with "route-nopull", i cant ping the server after this command line, any idea??

regards

[ramin_malek]

Hi Dear Friend I want Setup openvpn server on windows 2003 server I download openvpn and build ca and server key or server.crt and dh1024.pem
copy to openvpn directory

Edit Regiter
and Enable Routing and remote access
AND on my internet connect share This

This is my config file
port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0

ca C:\\Program Files\\OpenVPN\\ca.crt
cert C:\\Program Files\\OpenVPN\\server.crt
key C:\\Program Files\\OpenVPN\\server.key
dh C:\\Program Files\\OpenVPN\\dh1024.pem

push "redirect-gateway def1"

push "dhcp-option DNS 8.8.8.8"

#the following commands are optional
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3


Ok how enable service openvon on windows Like linxu server openvpn start


??????????//

when in my server Open openvpn GUi and connect

this error
Mon Apr 22 05:34:14 2013 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Mon Apr 22 05:34:14 2013 Cannot open C:\Program for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Mon Apr 22 05:34:14 2013 Exiting

show Me
what is This Error Help me please

????????

[02CWRX]

Hi all,

I just wanted to give some feedback on how I managed to make my application work using a desktop computer running Windows 7 Ultimate as the server, and a laptop running Windows 7 Ultimate as the client. My goal was to simply map a network drive in Windows to my home server so I could access it anywhere my laptop has internet. So, here are the things I did in addition to the things listed in this thread.

First off, I think a big reason I had problems with mine was simply because when the VPN originally connected, Windows wouldn't allow me to change the network type from "unidentified network" to "home" or "work". I believe this prevented certain features from working due to the way Windows 7's firewall is setup. I cannot confirm this, but I know that once I figured this part out, everything seemed to start working better. Once the below steps are done, you should be prompted to select a network location. I personally chose "Work", but "Home" should work just as well.

On the server machine:

• Open Network and Sharing Center
• In the left column, click Change Adapter Settings
• Right click the icon for your VPN network (TAP-Windows Adapter V9) and select Properties
• Select Internet Protocol Version 4 (TCP/IPv4) and click Properties
• Click Advanced at the bottom
• Under Default Gateways click Add
• Enter the default gateway address you are using (basic configuration should be 10.8.0.2)
• Confirm and close all boxes.

In order to get a default gateway on any client that connects without having to manually make all those changes, you need to push a false route to the client from the server. This should allow you to select "Home" or "Work" as the network type on any client computer that connects. To do this, enter the following command into the server config file:

Code: Select all

push "route 0.0.0.0 0.0.0.0"

Now then, from the time I first connected everything, I could never ping anything, server to client, client to server, etc. It didn't matter if I tried to ping the VPN address or the LAN address. The only way I could get that to work was to edit the firewall rules to enable echo requests across all IP addresses, not just the local subnet.

I am curious if there is a better way to get this to work without having to edit firewall rules, such as pushing a route somehow to make pinging work?

Anyway, here is how I edited the rules to make it work. On both the client and the server machines:

• Open the Control Panel and open Windows Firewall
• In the left column, select Advanced Settings
• In the left column, select Inbound Rules
• Find the rule that is labeled File and Printer Sharing (Echo Request - ICMPv4-In)
  Make sure the one you find is for the private network types, not public
• Double click it to open the properties box
• Click the tab at the top labeled Scope
• At the bottom under Remote IP Addresses click the radio button for All IP Addresses
• Confirm and close all the dialog boxes.

Once that was done, I was able to ping between everything using either IP address (LAN or VPN).

Following that, it was just a matter of getting my configuration files working correctly. Since my goal was simply to use whatever internet connection was available to access a share path, I used the route commands listed earlier in this thread as follows

Code: Select all

#Route to tell client to use local internet connection to access the VPN server IP address
push "route remote_host 255.255.255.255 net_gateway"

This command, as previously explained, tells the computer to access the remote host IP address using the default internet connection.

Code: Select all

#Route to tell client to tunnel all traffic destined to home LAN through VPN
push "route 192.168.1.0 255.255.255.0 10.8.0.5"

This command tells the computer that any IP address along this range (your home LAN) should use the VPN gateway to access it. The 192.168.1.0 is whatever IP range you are using on your local LAN network, just like the gateway address of 10.8.0.5 is whatever gateway address you are using for your VPN network. The example is just a typical setup.

Once that's done, simply map the network drive as follows:

• Open My Computer
• Click Map Network Drive
• In the path box, enter the path using the local LAN IP address of the machine (\\192.168.1.XXX\Share Name)
• Click OK and it should connect

After doing all that, the way it works for me is that if I am on my home network I don't need the VPN running because I can access the mapped drive via the LAN. When I am away from home and I connect to the internet, I simply fire up the VPN, then the same mapped drive still works. This is exactly how I wanted it to work.

Hope that helps someone else out there. I am by no means an expert, a lot of this was simply trial and error and days of searching and reading tons of posts and combining different things.

[al7amimi]

Thanks! I applied all this on windows server 2008 r2 web, and all is good and working as expected. However, I am curious how can I implement user/pass authentication...Please note that my windows 2008 r2 edition is web, so it is missing a lot of roles, and I cant upgrade it.

[al7amimi]

I found this plugin http://code.google.com/p/openvpnauthwindowsplugin/ is this a recommended way to implement user/pass authentication on windows server?

[zroid]

Is there any way to allow local traffic without need of OpenVPN client?

My setup is quite common one using config mentioned here.

1. Desktop with OpenVPN Server.
2. OpenVPN client on phone to access home network and secure it when accessing from unsecured network
3. Laptop without OpenVPN client.

Laptop cannot connect to Desktop shared folder when OpenVPN Server is running.

Any Advise? Thanks in advance.

[nicolajkl]

Goal:

• Tunnel Internet traffic through a Windows 7 PC, using OpenVPN server mode. Traffic can be tunneled from any OpenVPN client.

Scope:

• This example assumes that you already know how to install OpenVPN and setup keys and/or certificates. For the scope of this example, information about key and certificate management will not be provided.

Overview:

• We'll setup a server.ovpn, a client.ovpn, and some Windows 7 tweaks.

The Code

server.ovpn

Code: Select all

port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0   #you may choose any subnet. 10.0.0.x is used for this example.

ca ca.crt                    #certs are optional. you may choose to go with keys or passwords instead.
cert server_win7.crt
key server_win7.key  
dh dh1024.pem

push "redirect-gateway def1"

push "dhcp-option DNS 8.8.8.8"      

#the following commands are optional
keepalive 10 120         
comp-lzo                   
persist-key                
persist-tun                
verb 3                      

#last updated May 29, 2011

Client.ovpn

Code: Select all

client
dev tun
proto udp
remote ip.of.win7.server 1194   

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
ns-cert-type server

comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

route-method exe
route-delay 2

#last updated June 04, 2011

Windows 7 tweaks for forwarding VPN traffic

Code: Select all

Start -> Right-click My Computer -> Manage
Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start

Next:

Control Panel
Network and Sharing Center
Local Area Connection
Properties
Sharing
Tick the box "Allow other network users to connect through this computer's Internet connection"
From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.

regedit

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

Notes:

• Further tweaking and streamlining may be possible.
• Thank you to Krzee for the register-dns tweak

Very nice guide, exactly what i was looking for! But i do sit back with one question:
What are these lines needed for as they are not included in the sample-config:

-ns-cert-type server
-explicit-exit-notify 2
-ping 10
-ping-restart 60
-route-method exe
-route-delay 2

Also it seems to be working just fine without them? I guess they are default values but where do i see a list of default values?


/Nicolajkl