Client connects to multiple server issues

Callindril
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 21, 2013 3:42 am

Client connects to multiple server issues

Post by Callindril » Sun Apr 21, 2013 3:52 am

Hey,

I use OpenVPN for when I work from home, it's set up by our admin with full cert usage....I've started using a private VPN connection on the same box for my Non-Work related internet usage (from private internet access.com).

Separately, they both work great...but if I have the work connection up, and everything there is great, when I activate the other, I can no longer access my work connection...pings to known working work boxes don't return, remote desktop won't connect..basically although the work connection sez it's active, nothing goes thru...

I'm guessing that the private internet access connection is using some kind of routing magic to make everything go thru its connection, and since it doesn't know about the work connection, it tries to find my work network (192.168.xxx.xxx) and can't, so everything going to the work address either times out or fails...

So question is, how can I tell the private internet access connection to ignore the 192.168.xxx.xxx address or how can I give the work connection a higher priority so it gets routed to the work vpn before the private internet access connection even sees it?

Thanks for any help or pointers...
Cal

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client connects to multiple server issues

Post by janjust » Mon Apr 22, 2013 3:12 pm

without config files and log files it's impossible to tell what is going on: routing per VPN connection is certainly possible but it all depends on your setup(s).

Callindril
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 21, 2013 3:42 am

Re: Client connects to multiple server issues

Post by Callindril » Mon Apr 22, 2013 3:32 pm

Thanks for the reply....

Here's the two config files:

First, the one for work that is limited to the 192.168.xxx.xxx network:

Code: Select all

client
dev tap
dev-node xxxxTap1
proto udp
remote xxxxxxxxx.xxxxxx.org 1194
nobind
persist-key
persist-tun
ca "C:\\Program Files (x86)\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\keys\\xxxx.crt"
key "C:\\Program Files (x86)\\OpenVPN\\keys\\xxxx.key"
comp-lzo
verb 1

And the one for the Private Internet Access connection:

Code: Select all

client
dev tun
proto udp
dev-node xxxxTap2
remote us-east.privateinternetaccess.com 9201
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files (x86)\\OpenVPN\\keys\\xxxxxxxx.crt"
tls-client
remote-cert-tls server
auth-user-pass "C:\\Program Files (x86)\\OpenVPN\\config\\xxxxxxx.txt"
comp-lzo
verb 1
reneg-sec 0

As far as logs go, what level logging would you like to see?
Thanks for any insight...

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client connects to multiple server issues

Post by janjust » Tue Apr 23, 2013 8:45 pm

try it with 'verb 4' or 'verb 5' . the client configs look simple, but a lot of stuff can be pushed from the server - this will only show up in the client log files.

Callindril
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 21, 2013 3:42 am

Re: Client connects to multiple server issues

Post by Callindril » Tue Apr 23, 2013 9:52 pm

Here are the Verb 5 logs:

Here is the log from the work account:

Code: Select all

Tue Apr 23 17:24:53 2013 us=620145 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Tue Apr 23 17:24:53 2013 us=620145 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Apr 23 17:24:53 2013 us=620145 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 23 17:24:53 2013 us=941164 LZO compression initialized
Tue Apr 23 17:24:53 2013 us=941164 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 23 17:24:53 2013 us=948164 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 23 17:24:54 2013 us=259182 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Apr 23 17:24:54 2013 us=260182 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Apr 23 17:24:54 2013 us=260182 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Apr 23 17:24:54 2013 us=260182 Local Options hash (VER=V4): 'd79ca330'
Tue Apr 23 17:24:54 2013 us=260182 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue Apr 23 17:24:54 2013 us=260182 UDPv4 link local: [undef]
Tue Apr 23 17:24:54 2013 us=260182 UDPv4 link remote: [AF_INET]xx.xx.xxx.64:1194
Tue Apr 23 17:24:54 2013 us=263182 TLS: Initial packet from [AF_INET]xx.xx.xxx.64:1194, sid=2856d703 8c155132
Tue Apr 23 17:24:54 2013 us=279183 VERIFY OK: depth=1, C=US, ST=VA, L=xxxxxxx, O=xxxxxxxxxxxxxxxxxx, CN=OpenVPN, emailAddress=xxxx@xxxxxxxxxxxxxxxxxxx.COM
Tue Apr 23 17:24:54 2013 us=280183 VERIFY OK: depth=0, C=US, ST=VA, O=xxxxxxxxxxxxxxxxxx, CN=server, emailAddress=xxxx@xxxxxxxxxxxxxxxxxxx.COM
Tue Apr 23 17:24:54 2013 us=310185 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 23 17:24:54 2013 us=310185 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 23 17:24:54 2013 us=310185 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 23 17:24:54 2013 us=310185 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 23 17:24:54 2013 us=310185 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 23 17:24:54 2013 us=310185 [server] Peer Connection Initiated with [AF_INET]xx.xx.xxx.64:1194
Tue Apr 23 17:24:56 2013 us=509311 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Apr 23 17:24:56 2013 us=510311 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.69.222,ping 10,ping-restart 120,ifconfig 192.168.69.150 255.255.255.0'
Tue Apr 23 17:24:56 2013 us=511311 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 23 17:24:56 2013 us=511311 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 23 17:24:56 2013 us=511311 OPTIONS IMPORT: route-related options modified
Tue Apr 23 17:24:56 2013 us=514311 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr 23 17:24:56 2013 us=514311 open_tun, tt->ipv6=0
Tue Apr 23 17:24:56 2013 us=517311 TAP-WIN32 device [EETap] opened: \\.\Global\{95DAF23C-C71B-4606-AEAA-A8F406D86F8E}.tap
Tue Apr 23 17:24:56 2013 us=517311 TAP-Windows Driver Version 9.9 
Tue Apr 23 17:24:56 2013 us=517311 TAP-Windows MTU=1500
Tue Apr 23 17:24:56 2013 us=521311 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.69.150/255.255.255.0 on interface {95DAF23C-C71B-4606-AEAA-A8F406D86F8E} [DHCP-serv: 192.168.69.0, lease-time: 31536000]
Tue Apr 23 17:24:56 2013 us=521311 Successful ARP Flush on interface [25] {95DAF23C-C71B-4606-AEAA-A8F406D86F8E}
Tue Apr 23 17:25:01 2013 us=63571 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Tue Apr 23 17:25:01 2013 us=63571 Initialization Sequence Completed

At this point, everything on the work connection works...Ping, Remote desktop, Telnet...all is good

And then I bring up the Private Internet Access account and this is its log:

Code: Select all

Tue Apr 23 17:27:29 2013 us=358053 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Tue Apr 23 17:27:29 2013 us=359053 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 23 17:27:29 2013 us=668071 LZO compression initialized
Tue Apr 23 17:27:29 2013 us=668071 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 23 17:27:29 2013 us=675071 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 23 17:27:29 2013 us=723074 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr 23 17:27:29 2013 us=723074 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Apr 23 17:27:29 2013 us=723074 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Apr 23 17:27:29 2013 us=723074 Local Options hash (VER=V4): '41690919'
Tue Apr 23 17:27:29 2013 us=723074 Expected Remote Options hash (VER=V4): '530fdded'
Tue Apr 23 17:27:29 2013 us=723074 UDPv4 link local: [undef]
Tue Apr 23 17:27:29 2013 us=723074 UDPv4 link remote: [AF_INET]xxx.xx.xx.68:9201
Tue Apr 23 17:27:29 2013 us=741075 TLS: Initial packet from [AF_INET]xxx.xx.xx.68:9201, sid=094106f9 6999cc76
Tue Apr 23 17:27:29 2013 us=741075 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 23 17:27:29 2013 us=849081 VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Tue Apr 23 17:27:29 2013 us=849081 Validating certificate key usage
Tue Apr 23 17:27:29 2013 us=849081 ++ Certificate has key usage  00a0, expects 00a0
Tue Apr 23 17:27:29 2013 us=849081 VERIFY KU OK
Tue Apr 23 17:27:29 2013 us=849081 Validating certificate extended key usage
Tue Apr 23 17:27:29 2013 us=849081 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Apr 23 17:27:29 2013 us=850081 VERIFY EKU OK
Tue Apr 23 17:27:29 2013 us=850081 VERIFY OK: depth=0, C=US, ST=OH, L=Columbus, O=xxxxxxxxxxxxxxxxxxxxxxx, CN=server, emailAddress=xxxxxx@xxxxxxxxxxxxxxxxxxxxx.com
Tue Apr 23 17:27:29 2013 us=912085 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 23 17:27:29 2013 us=912085 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 23 17:27:29 2013 us=912085 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 23 17:27:29 2013 us=912085 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 23 17:27:29 2013 us=912085 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 23 17:27:29 2013 us=912085 [server] Peer Connection Initiated with [AF_INET]xxx.xx.xx.68:9201
Tue Apr 23 17:27:32 2013 us=430229 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Apr 23 17:27:32 2013 us=448230 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,ping 10,route 10.194.210.1,topology net30,ifconfig 10.194.210.10 10.194.210.9'
Tue Apr 23 17:27:32 2013 us=449230 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 23 17:27:32 2013 us=449230 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 23 17:27:32 2013 us=449230 OPTIONS IMPORT: route options modified
Tue Apr 23 17:27:32 2013 us=449230 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Apr 23 17:27:32 2013 us=476232 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr 23 17:27:32 2013 us=476232 open_tun, tt->ipv6=0
Tue Apr 23 17:27:32 2013 us=480232 TAP-WIN32 device [VPNTap] opened: \\.\Global\{988E57D2-9397-4045-98C4-8F39A770D738}.tap
Tue Apr 23 17:27:32 2013 us=480232 TAP-Windows Driver Version 9.9 
Tue Apr 23 17:27:32 2013 us=480232 TAP-Windows MTU=1500
Tue Apr 23 17:27:32 2013 us=481232 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.194.210.10/255.255.255.252 on interface {988E57D2-9397-4045-98C4-8F39A770D738} [DHCP-serv: 10.194.210.9, lease-time: 31536000]
Tue Apr 23 17:27:32 2013 us=482232 DHCP option string: 06080808 08080808 0404
Tue Apr 23 17:27:32 2013 us=482232 Successful ARP Flush on interface [24] {988E57D2-9397-4045-98C4-8F39A770D738}
Tue Apr 23 17:27:37 2013 us=745533 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Apr 23 17:27:37 2013 us=746533 C:\Windows\system32\route.exe ADD xxx.xx.xx.68 MASK 255.255.255.255 192.168.1.1
Tue Apr 23 17:27:37 2013 us=748533 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Tue Apr 23 17:27:37 2013 us=748533 Route addition via IPAPI succeeded [adaptive]
Tue Apr 23 17:27:37 2013 us=748533 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.194.210.9
Tue Apr 23 17:27:37 2013 us=750533 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue Apr 23 17:27:37 2013 us=750533 Route addition via IPAPI succeeded [adaptive]
Tue Apr 23 17:27:37 2013 us=751533 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.194.210.9
Tue Apr 23 17:27:37 2013 us=753533 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue Apr 23 17:27:37 2013 us=753533 Route addition via IPAPI succeeded [adaptive]
Tue Apr 23 17:27:37 2013 us=753533 C:\Windows\system32\route.exe ADD 10.194.210.1 MASK 255.255.255.255 10.194.210.9
Tue Apr 23 17:27:37 2013 us=756534 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue Apr 23 17:27:37 2013 us=756534 Route addition via IPAPI succeeded [adaptive]
Tue Apr 23 17:27:37 2013 us=756534 Initialization Sequence Completed

And once this is brought up, the work connection no longer works....it still sez connected, but nothing gets passed thru the VPN to the work network...

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client connects to multiple server issues

Post by janjust » Wed Apr 24, 2013 11:10 am

now it's becoming clearer: the second VPN (non-work) redirects all traffic and this also includes traffic sent to the work-VPN connection; add a static route to the work-VPN server that bypasses the second VPN settings. The easiest spot to do this is in the work-VPN client config:

Code: Select all

route X.X.X.X 255.255.255.255 net_gateway

where X.X.X.X is the IP address of the work-VPN server.
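
Added example (not part of the original posts): a longest-prefix-match lookup over the "route.exe ADD" lines that "redirect-gateway def1" produced in the log above, showing where the work tunnel's own UDP packets go before and after a host route via net_gateway. The LAN network 192.168.1.0/24, the base routing table and the server addresses 198.51.100.68 and 203.0.113.64 (documentation-range stand-ins for the masked addresses) are assumptions.

```python
import ipaddress
import re
from typing import List, NamedTuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str  # next-hop IP, or "on-link" for a directly connected network
    metric: int


# Matches the route commands OpenVPN logs on Windows, e.g.
#   ...route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.194.210.9
ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")

# Constructed sample in the shape of the private-VPN log in the thread.
# 198.51.100.68 stands in for the masked private-VPN server address.
PRIVATE_VPN_LOG = r"""
Tue Apr 23 17:27:37 2013 C:\Windows\system32\route.exe ADD 198.51.100.68 MASK 255.255.255.255 192.168.1.1
Tue Apr 23 17:27:37 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.194.210.9
Tue Apr 23 17:27:37 2013 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.194.210.9
Tue Apr 23 17:27:37 2013 C:\Windows\system32\route.exe ADD 10.194.210.1 MASK 255.255.255.255 10.194.210.9
"""

# Placeholder for the masked public address of the work-VPN server (assumption).
WORK_VPN_SERVER = "203.0.113.64"


def base_table() -> List[Route]:
    """Assumed table with only the LAN and the work TAP adapter up."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1", 20),    # LAN default
        Route(ipaddress.ip_network("192.168.1.0/24"), "on-link", 20),   # LAN (assumed)
        Route(ipaddress.ip_network("192.168.69.0/24"), "on-link", 30),  # work TAP
    ]


def parse_route_adds(log: str, metric: int = 30) -> List[Route]:
    """Turn every 'route.exe ADD dest MASK mask gw' log line into a Route."""
    return [
        Route(ipaddress.ip_network(f"{dest}/{mask}"), gw, metric)
        for dest, mask, gw in ROUTE_ADD.findall(log)
    ]


def lookup(table: List[Route], dest: str) -> Route:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in r.network]
    if not matches:
        raise LookupError(f"no route to {dest}")
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def net_gateway(table: List[Route]) -> str:
    """The pre-VPN default gateway, which OpenVPN's net_gateway keyword refers to."""
    default = ipaddress.ip_network("0.0.0.0/0")
    return next(r.gateway for r in table if r.network == default)


def bypass_route(table: List[Route], server_ip: str) -> Route:
    """Equivalent of 'route <server_ip> 255.255.255.255 net_gateway'."""
    return Route(ipaddress.ip_network(f"{server_ip}/32"), net_gateway(table), 10)


if __name__ == "__main__":
    before = base_table()
    redirected = before + parse_route_adds(PRIVATE_VPN_LOG)
    fixed = redirected + [bypass_route(before, WORK_VPN_SERVER)]
    for name, table in (("work VPN only", before),
                        ("plus private VPN", redirected),
                        ("plus bypass route", fixed)):
        hop = lookup(table, WORK_VPN_SERVER)
        print(f"{name:18} {WORK_VPN_SERVER} -> {hop.gateway} ({hop.network})")
```

The two /1 routes are more specific than the original 0.0.0.0/0 default, so they capture the work tunnel's outer packets without deleting the default route; only a /32 for the work server's public address beats them.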

Callindril
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 21, 2013 3:42 am

Re: Client connects to multiple server issues

Post by Callindril » Wed Apr 24, 2013 2:22 pm

Put that line in the work-client-vpn config
Started the work Vpn
Verified I could connect by pinging a known server
Started the private access vpn
Tried to ping the same work server and got:

Code: Select all

Pinging 192.168.69.100 with 32 bytes of data:
Reply from 192.168.69.150: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.69.100:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),


What's odd is that the 192.168.69.150 is the IP assigned to my home PC via the work VPN...

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client connects to multiple server issues

Post by janjust » Wed Apr 24, 2013 3:05 pm

ok, then also put in a route for your home network, e.g.

Code: Select all

push "route 192.168.2.0 255.255.255.0"

in the work config.

Callindril
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 21, 2013 3:42 am

Re: Client connects to multiple server issues

Post by Callindril » Wed Apr 24, 2013 3:25 pm

Curiouser and curiouser....

With that statement in the work config as well (adjusted for my home network IP) the ping now returns:

Code: Select all

Pinging 192.168.69.100 with 32 bytes of data:
Reply from 192.168.69.150: Destination host unreachable.
Reply from 69.31.34.193: Destination net unreachable.
Request timed out.
Reply from 69.31.34.193: Destination net unreachable.

Ping statistics for 192.168.69.100:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

No idea where the 69.31.34.193 address is coming from...

That's not my "real IP" from my home router, nor is it my assigned IP from the private VPN....

Just to confirm I have the work vpn config right:

Code: Select all

client
dev tap
dev-node xxxxTap1
proto udp
remote xxxxxxxxxxxxxxxxxxxx 1194
nobind

persist-key
persist-tun

ca "C:\\Program Files (x86)\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\keys\\xxxx.crt"
key "C:\\Program Files (x86)\\OpenVPN\\keys\\xxxx.key"

comp-lzo

verb 5

push "route 192.168.16.0 255.255.255.0"
route 192.168.69.222 255.255.255.255 net_gateway

#Work VPN Server address is 192.168.69.222
#Work network is 192.168.69.xxx
#Home network is 192.168.16.xxx

Here's the current Work Log:

Code: Select all

Wed Apr 24 11:17:46 2013 us=279051 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Wed Apr 24 11:17:46 2013 us=280051 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Apr 24 11:17:46 2013 us=280051 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Apr 24 11:17:46 2013 us=597069 LZO compression initialized
Wed Apr 24 11:17:46 2013 us=597069 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Apr 24 11:17:46 2013 us=607070 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Apr 24 11:17:46 2013 us=726077 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Apr 24 11:17:46 2013 us=726077 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Apr 24 11:17:46 2013 us=726077 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Apr 24 11:17:46 2013 us=726077 Local Options hash (VER=V4): 'd79ca330'
Wed Apr 24 11:17:46 2013 us=726077 Expected Remote Options hash (VER=V4): 'f7df56b8'
Wed Apr 24 11:17:46 2013 us=726077 UDPv4 link local: [undef]
Wed Apr 24 11:17:46 2013 us=727077 UDPv4 link remote: [AF_INET]72.83.xxx.xxx:1194
Wed Apr 24 11:17:46 2013 us=730077 TLS: Initial packet from [AF_INET]72.83.xxx.xxx:1194, sid=f88ce49a d4b00ab9
Wed Apr 24 11:17:46 2013 us=746078 VERIFY OK: depth=1, C=US, ST=VA, L=HERNDON, O=xxxxxxxxxxxxxxxxxx, CN=OpenVPN, emailAddress=xxxx@xxxxxxxxxxxxxxxxxxx.COM
Wed Apr 24 11:17:46 2013 us=746078 VERIFY OK: depth=0, C=US, ST=VA, O=xxxxxxxxxxxxxxxxxx, CN=server, emailAddress=xxxx@xxxxxxxxxxxxxxxxxxx.COM
Wed Apr 24 11:17:46 2013 us=776079 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Apr 24 11:17:46 2013 us=776079 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 24 11:17:46 2013 us=776079 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Apr 24 11:17:46 2013 us=776079 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 24 11:17:46 2013 us=776079 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Apr 24 11:17:46 2013 us=776079 [server] Peer Connection Initiated with [AF_INET]72.83.xxx.xxx:1194
Wed Apr 24 11:17:48 2013 us=326168 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Apr 24 11:17:48 2013 us=328168 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.69.222,ping 10,ping-restart 120,ifconfig 192.168.69.150 255.255.255.0'
Wed Apr 24 11:17:48 2013 us=329168 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 24 11:17:48 2013 us=329168 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 24 11:17:48 2013 us=329168 OPTIONS IMPORT: route-related options modified
Wed Apr 24 11:17:48 2013 us=338169 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 24 11:17:48 2013 us=338169 open_tun, tt->ipv6=0
Wed Apr 24 11:17:48 2013 us=340169 TAP-WIN32 device [EETap] opened: \\.\Global\{95DAF23C-C71B-4606-AEAA-A8F406D86F8E}.tap
Wed Apr 24 11:17:48 2013 us=340169 TAP-Windows Driver Version 9.9 
Wed Apr 24 11:17:48 2013 us=340169 TAP-Windows MTU=1500
Wed Apr 24 11:17:48 2013 us=342169 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.69.150/255.255.255.0 on interface {95DAF23C-C71B-4606-AEAA-A8F406D86F8E} [DHCP-serv: 192.168.69.0, lease-time: 31536000]
Wed Apr 24 11:17:48 2013 us=342169 Successful ARP Flush on interface [25] {95DAF23C-C71B-4606-AEAA-A8F406D86F8E}
Wed Apr 24 11:17:53 2013 us=165445 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Wed Apr 24 11:17:53 2013 us=165445 C:\Windows\system32\route.exe ADD 192.168.69.222 MASK 255.255.255.255 192.168.16.1
Wed Apr 24 11:17:53 2013 us=167445 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Wed Apr 24 11:17:53 2013 us=167445 Route addition via IPAPI succeeded [adaptive]
Wed Apr 24 11:17:53 2013 us=167445 Initialization Sequence Completed

And for what it's worth, here is the log from the Private connection:

Code: Select all

Wed Apr 24 11:03:38 2013 us=609567 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Wed Apr 24 11:03:38 2013 us=609567 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Apr 24 11:03:38 2013 us=919585 LZO compression initialized
Wed Apr 24 11:03:38 2013 us=919585 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Apr 24 11:03:38 2013 us=928585 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Apr 24 11:03:38 2013 us=979588 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Apr 24 11:03:38 2013 us=979588 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Apr 24 11:03:38 2013 us=979588 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Apr 24 11:03:38 2013 us=979588 Local Options hash (VER=V4): '41690919'
Wed Apr 24 11:03:38 2013 us=979588 Expected Remote Options hash (VER=V4): '530fdded'
Wed Apr 24 11:03:38 2013 us=980588 UDPv4 link local: [undef]
Wed Apr 24 11:03:38 2013 us=980588 UDPv4 link remote: [AF_INET]64.237.37.124:9201
Wed Apr 24 11:03:38 2013 us=998589 TLS: Initial packet from [AF_INET]64.237.37.124:9201, sid=352af6f8 d8416b10
Wed Apr 24 11:03:38 2013 us=998589 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Apr 24 11:03:39 2013 us=111596 VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Wed Apr 24 11:03:39 2013 us=111596 Validating certificate key usage
Wed Apr 24 11:03:39 2013 us=111596 ++ Certificate has key usage  00a0, expects 00a0
Wed Apr 24 11:03:39 2013 us=111596 VERIFY KU OK
Wed Apr 24 11:03:39 2013 us=111596 Validating certificate extended key usage
Wed Apr 24 11:03:39 2013 us=111596 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Apr 24 11:03:39 2013 us=111596 VERIFY EKU OK
Wed Apr 24 11:03:39 2013 us=111596 VERIFY OK: depth=0, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=server, emailAddress=secure@privateinternetaccess.com
Wed Apr 24 11:03:39 2013 us=180600 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Apr 24 11:03:39 2013 us=181600 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 24 11:03:39 2013 us=181600 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Apr 24 11:03:39 2013 us=181600 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 24 11:03:39 2013 us=181600 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Apr 24 11:03:39 2013 us=181600 [server] Peer Connection Initiated with [AF_INET]64.237.37.124:9201
Wed Apr 24 11:03:41 2013 us=703744 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Apr 24 11:03:41 2013 us=722745 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,ping 10,route 10.188.1.1,topology net30,ifconfig 10.188.1.10 10.188.1.9'
Wed Apr 24 11:03:41 2013 us=722745 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 24 11:03:41 2013 us=722745 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 24 11:03:41 2013 us=723745 OPTIONS IMPORT: route options modified
Wed Apr 24 11:03:41 2013 us=723745 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Apr 24 11:03:41 2013 us=748747 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 24 11:03:41 2013 us=748747 open_tun, tt->ipv6=0
Wed Apr 24 11:03:41 2013 us=751747 TAP-WIN32 device [VPNTap] opened: \\.\Global\{988E57D2-9397-4045-98C4-8F39A770D738}.tap
Wed Apr 24 11:03:41 2013 us=751747 TAP-Windows Driver Version 9.9 
Wed Apr 24 11:03:41 2013 us=751747 TAP-Windows MTU=1500
Wed Apr 24 11:03:41 2013 us=752747 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.188.1.10/255.255.255.252 on interface {988E57D2-9397-4045-98C4-8F39A770D738} [DHCP-serv: 10.188.1.9, lease-time: 31536000]
Wed Apr 24 11:03:41 2013 us=752747 DHCP option string: 06080808 08080808 0404
Wed Apr 24 11:03:41 2013 us=753747 Successful ARP Flush on interface [24] {988E57D2-9397-4045-98C4-8F39A770D738}
Wed Apr 24 11:03:47 2013 us=18048 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Apr 24 11:03:47 2013 us=18048 C:\Windows\system32\route.exe ADD 64.237.37.124 MASK 255.255.255.255 192.168.16.1
Wed Apr 24 11:03:47 2013 us=20048 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Wed Apr 24 11:03:47 2013 us=20048 Route addition via IPAPI succeeded [adaptive]
Wed Apr 24 11:03:47 2013 us=20048 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.188.1.9
Wed Apr 24 11:03:47 2013 us=22048 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Apr 24 11:03:47 2013 us=22048 Route addition via IPAPI succeeded [adaptive]
Wed Apr 24 11:03:47 2013 us=22048 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.188.1.9
Wed Apr 24 11:03:47 2013 us=24048 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Apr 24 11:03:47 2013 us=24048 Route addition via IPAPI succeeded [adaptive]
Wed Apr 24 11:03:47 2013 us=24048 C:\Windows\system32\route.exe ADD 10.188.1.1 MASK 255.255.255.255 10.188.1.9
Wed Apr 24 11:03:47 2013 us=26048 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Apr 24 11:03:47 2013 us=26048 Route addition via IPAPI succeeded [adaptive]
Wed Apr 24 11:03:47 2013 us=26048 Initialization Sequence Completed

Thanks for looking at this...

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client connects to multiple server issues

Post by janjust » Wed Apr 24, 2013 3:31 pm

the client config should not contain
push "route 192.168.16.0 255.255.255.0"
a server pushes a route to a client. A server config line of
push "route 192.168.16.0 255.255.255.0"
is equivalent to adding

Code: Select all

route 192.168.16.0 255.255.255.0

in the client config.

Callindril
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 21, 2013 3:42 am

Re: Client connects to multiple server issues

Post by Callindril » Wed Apr 24, 2013 3:41 pm

Sorry...Misunderstood when you said...
ok, then also put in a route for your home network, e.g.
Code:
push "route 192.168.2.0 255.255.255.0"

in the work config.
I thought that meant put that push line in the work client config...I don't have access to the work VPN server configs...

I removed the push line from the work config file and replaced it with

Code: Select all

route 192.168.16.0 255.255.255.0

reset everything and started up the work VPN and when I connect the private vpn it sez it can't resolve the address in the remote line:

Code: Select all

Wed Apr 24 11:30:36 2013 us=353097 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Wed Apr 24 11:30:36 2013 us=354097 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Apr 24 11:30:36 2013 us=663114 LZO compression initialized
Wed Apr 24 11:30:36 2013 us=663114 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Apr 24 11:30:36 2013 us=672115 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Apr 24 11:30:36 2013 us=689116 RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: The requested name is valid, but no data of the requested type was found. 
Wed Apr 24 11:30:36 2013 us=689116 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Apr 24 11:30:36 2013 us=689116 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Apr 24 11:30:36 2013 us=689116 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Apr 24 11:30:36 2013 us=689116 Local Options hash (VER=V4): '41690919'
Wed Apr 24 11:30:36 2013 us=689116 Expected Remote Options hash (VER=V4): '530fdded'
Wed Apr 24 11:30:36 2013 us=689116 RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: The requested name is valid, but no data of the requested type was found. 
Wed Apr 24 11:30:41 2013 us=689402 RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: The requested name is valid, but no data of the requested type was found. 
Wed Apr 24 11:30:46 2013 us=689688 RESOLVE: signal received during DNS resolution attempt
Wed Apr 24 11:30:46 2013 us=689688 TCP/UDP: Closing socket
Wed Apr 24 11:30:46 2013 us=689688 SIGTERM[hard,init_instance] received, process exiting

I shut the work connection down, and the private one connects as normal...

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client connects to multiple server issues

Post by janjust » Wed Apr 24, 2013 6:30 pm

looks like a DNS issue after the work VPN comes up - what are the DNS settings after the work VPN comes up? does name resolution still work in a CMD.EXE prompt? can you post the output of "ipconfig /all" (and look for the tap-win32 adapter) after the work VPN is up?

Callindril
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 21, 2013 3:42 am

Re: Client connects to multiple server issues

Post by Callindril » Wed Apr 24, 2013 8:21 pm

Once the work VPN is up, I can ping Google.com with no trouble in a command box (cmd.exe)

here is the result of the ipconfig /all

Code: Select all

Ethernet adapter xxxxTap1:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
   Physical Address. . . . . . . . . : 00-FF-95-DA-F2-3C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.69.150(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, April 24, 2013 11:36:52 AM
   Lease Expires . . . . . . . . . . : Thursday, April 24, 2014 11:36:52 AM
   Default Gateway . . . . . . . . . : 
   DHCP Server . . . . . . . . . . . : 192.168.69.0
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 00-25-11-43-3F-A5
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.16.7(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

With the work VPN up, I can do a tracert to google.com to show that the regular internet usage still goes thru my regular ISP (Verizon in this case), it stays on the .16 network, not going thru the .69 work connection...

Code: Select all

Tracing route to google.com [74.125.228.71]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  Wireless_Broadband_Router.home [192.168.16.1]
  2     6 ms     7 ms     7 ms  L100.WASHDC-VFTTP-125.verizon-gni.net [xxx.xxx.xxx.1]
  3     9 ms    11 ms    12 ms  G1-3-1725.WASHDC-LCR-07.verizon-gni.net [130.81.180.188]
  4    14 ms    10 ms     9 ms  ae4-0.RES-BB-RTR1.verizon-gni.net [130.81.199.122]
  5    10 ms     9 ms    12 ms  0.xe-5-1-3.XL3.IAD8.ALTER.NET [152.63.7.245]
  6    12 ms    28 ms    13 ms  TenGigE0-6-1-0.GW7.IAD8.ALTER.NET [152.63.32.194]
  7     *        *        *     Request timed out.
  8    13 ms    12 ms   147 ms  216.239.46.248
  9    12 ms    12 ms    11 ms  72.14.238.247
 10    13 ms    12 ms    12 ms  iad23s07-in-f7.1e100.net [74.125.228.71]

Trace complete.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client connects to multiple server issues

Post by janjust » Fri Apr 26, 2013 11:57 am

I'm confused now: the 'ipconfig' output shows that the DNS server for your LAN adapter is 192.168.16.1 yet you've added a line

Code: Select all

route 192.168.16.0 255.255.255.0

to the client config for one of the tap-win32 adapters - why do you need this route? it will make the dns server at 192.168.16.1 unreachable...

Callindril
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 21, 2013 3:42 am

Re: Client connects to multiple server issues

Post by Callindril » Fri Apr 26, 2013 6:38 pm

Hey,

Guess we are both confused then... :)

In a previous post you had said
ok, then also put in a route for your home network, e.g.
Code:
push "route 192.168.2.0 255.255.255.0"

in the work config.
So I put that in my work-client config, and then you said
the client config should not contain push commands, that is equivalent to adding

Code: Select all

route 192.168.16.0 255.255.255.0

in the client config.
So I added that to the work client config...

Guess I should take it out now ?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client connects to multiple server issues

Post by janjust » Sat Apr 27, 2013 10:16 pm

I mentioned
push "route 192.168.2.0 255.255.255.0"
note the "2" instead of the "16" - change the client config to use

Code: Select all

route 192.168.2.0 255.255.255.0

and repeat ....