Need some help to set up OpenVPN server on Windows PC

[rescapind]

Hi,

My setup is as following:
- Router N66U: 192.168.11.1
- My OpenVPN server PC: 192.168.11.101
- My OpenVPN client PC: 192.168.13.5

From my server PC, I can access "\\192.168.13.5" for WFS.
However, from my client PC, I cannot access "\\192.168.11.101" for WFS.

Please kindly help.
Thank you very much.

Server profile:

port 60103
proto tcp
dev tun
dev-node DNOVN

ca ca.crt
cert DNOVN_Server.crt
key DNOVN_Server.key
dh dh1024.pem

server 192.168.13.0 255.255.255.0
push "route 192.168.11.0 255.255.255.0"
push "dhcp-option DNS 192.168.11.1"
push "dhcp-option WINS 192.168.11.1"

client-config-dir ccd
client-to-client
keepalive 10 120
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Client profile:

client
dev tun
dev-node DNOVN
proto tcp
remote xxx.xxx.xxx 60103
resolv-retry infinite
nobind
persist-key
persist-tun

ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxx
-----END ENCRYPTED PRIVATE KEY-----
</key>

[maikcat]

check your firewall settings on your openvpn server.

Michael.

[rescapind]

check your firewall settings on your openvpn server.

Michael.

I disabled all the firewall (on server and client PCs and on router).
It still didn't work.
Previously, I set up OpenVPN server on my router (N66U with Merlin build). Everything worked fine.
Only when I tried to move the server to my PC (behind the router), this problem happened.

[maikcat]

what OS is your server?

Michael.

[rescapind]

what OS is your server?

Michael.

Server is Windows 8 Pro.
Client is Windows 8.1 Preview.

[maikcat]

if your server can ping/access services on your client
then ip connectivity is established...

check your server OS for any "filtering" habbits it might have
(f.e win 7 used to set as unindentified network the tap interface and deny
access to its shares via vpn..)

Michael.

[rescapind]

if your server can ping/access services on your client
then ip connectivity is established...

check your server OS for any "filtering" habbits it might have
(f.e win 7 used to set as unindentified network the tap interface and deny
access to its shares via vpn..)

Michael.

I enabled file sharing for both private and public network.
I guess that's not the cause since I cannot access my NAS (on same subnet with server PC) from OpenVPN client too.

Here is the server config file of the OpenVPN server on my N66U router (Merlin). It is working fine.

# Automatically generated configuration
daemon
server 192.168.12.0 255.255.255.0
proto tcp-server
port 60102
dev tun21
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.11.0 255.255.255.0"
client-config-dir ccd
client-to-client
push "dhcp-option DNS 192.168.11.1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
push "dhcp-option WINS 192.168.11.1"
client-config-dir /tmp/mnt/DNN66UUSB1/ccd

The server config I used for the OpenVPN server on my PC is nearly same but it's not working.
I'm quite confused.

[rescapind]

Here is the routing tables on the devices:

- On router N66U (192.168.11.1)

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
202.55.71.1 * 255.255.255.255 UH 0 0 0 eth0
202.55.71.0 * 255.255.255.0 U 0 0 0 eth0
192.168.13.0 192.168.11.102 255.255.255.0 UG 1 0 0 br0
192.168.11.0 * 255.255.255.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default fnet1-f71-acces 0.0.0.0 UG 0 0 0 eth0

- On OpenVPN server PC (192.168.11.102)

===========================================================================
Interface List
4...a0 36 9f 07 d4 62 ......Intel(R) Ethernet Server Adapter I350-T2
23...00 ff 6f 2d d2 96 ......TAP-Windows Adapter V9
22...00 ff a9 ee 95 95 ......Astrill SSL VPN Adapter
1...........................Software Loopback Interface 1
6...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
8...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.11.1 192.168.11.102 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.11.0 255.255.255.0 On-link 192.168.11.102 266
192.168.11.102 255.255.255.255 On-link 192.168.11.102 266
192.168.11.255 255.255.255.255 On-link 192.168.11.102 266
192.168.13.0 255.255.255.0 192.168.13.2 192.168.13.1 30
192.168.13.0 255.255.255.252 On-link 192.168.13.1 286
192.168.13.1 255.255.255.255 On-link 192.168.13.1 286
192.168.13.3 255.255.255.255 On-link 192.168.13.1 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.13.1 286
224.0.0.0 240.0.0.0 On-link 192.168.11.102 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.13.1 286
255.255.255.255 255.255.255.255 On-link 192.168.11.102 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
172.21.155.185 255.255.255.255 192.168.21.1 1
172.21.154.89 255.255.255.255 192.168.21.1 1
===========================================================================

- On OpenVPN client PC (192.168.13.5)

===========================================================================
Interface List
3...f0 4d a2 3a 20 30 ......Realtek PCIe GBE Family Controller
20...00 ff 6a 49 04 78 ......TAP-Windows Adapter V9
21...00 ff 53 dd a7 19 ......Astrill SSL VPN Adapter
1...........................Software Loopback Interface 1
6...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
8...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.21.155.254 172.21.154.89 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.21.152.0 255.255.252.0 On-link 172.21.154.89 266
172.21.154.89 255.255.255.255 On-link 172.21.154.89 266
172.21.155.255 255.255.255.255 On-link 172.21.154.89 266
192.168.11.0 255.255.255.0 192.168.13.6 192.168.13.5 30
192.168.13.0 255.255.255.0 192.168.13.6 192.168.13.5 30
192.168.13.4 255.255.255.252 On-link 192.168.13.5 286
192.168.13.5 255.255.255.255 On-link 192.168.13.5 286
192.168.13.7 255.255.255.255 On-link 192.168.13.5 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.13.5 286
224.0.0.0 240.0.0.0 On-link 172.21.154.89 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.13.5 286
255.255.255.255 255.255.255.255 On-link 172.21.154.89 266
===========================================================================
Persistent Routes:
None

[maikcat]

did you enabled ip forwarding on your openvpn server?
can you access samba shares on openvpn server using its vpn ip address?

Michael.

[rescapind]

did you enabled ip forwarding on your openvpn server?
can you access samba shares on openvpn server using its vpn ip address?

Michael.

I just enabled IP forwarding on my server PC. Now I can access my server PC from my client PC by both IP: \\192.168.11.102 or \\192.168.13.1.
However, I'm still unable to reach other devices in the same subnet with the server PC.

[maikcat]

for testing add a static route (for vpn subnet) to one of your internal lan pc and test with it...

Michael.

[rescapind]

for testing add a static route (for vpn subnet) to one of your internal lan pc and test with it...

Michael.

I add following route to another PC on the server subnet:

route add 192.168.13.0 mask 255.255.255.0 192.168.11.102

I can access this PC from client PC now.
What should I do now?

[rescapind]

Well well well...
I saw the following thread.
http://forums.smallnetbuilder.com/showt ... hp?t=11429

Somehow the N66U fails to push static route.
Need to run following command for the router:
echo -e '#!/bin/sh\niptables -D FORWARD -m state --state INVALID -j DROP' > /jffs/scripts/firewall-start && chmod +x /jffs/scripts/firewall-start

Now things work fine.
Thank you very much for the valuable pointers.

[maikcat]

glad you sort this one out...

Closing topic,

regards
Michael.