
My Windows client receives a wrong IP

Posted: Sun Nov 16, 2014 1:23 am
by Lud3rik
Hello guys,

I am new to OpenVPN, so I have been trying to set up a VPN so that I can connect to my home network from somewhere else. I have an issue on my Windows client: it does not receive the IP I configured in the config file. The server is a VM hosted on Hyper-V. My LAN is 192.168.0.0/24 and the VPN network is 10.10.10.0/24.
I hope someone can help me understand why I get this issue xD

Here are my config files and routes:

Client
client
proto tcp
dev tun

ca ca.crt
cert chain.crt
key cmathis.key
cipher AES-256-CBC

remote FQDN 443
ifconfig 10.10.10.8 255.255.255.0

tls-client
tls-auth ta.key 1

#user nobody
#group nogroup

comp-lzo

verb 3

Result of route print on the client

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.254 192.168.0.1 20
0.0.0.0 0.0.0.0 192.168.1.2 192.168.1.1 266
0.0.0.0 128.0.0.0 10.10.10.5 10.10.10.6 30 ---> My client has got a wrong IP
10.10.10.1 255.255.255.255 10.10.10.5 10.10.10.6 30
10.10.10.4 255.255.255.252 On-link 10.10.10.6 286
10.10.10.6 255.255.255.255 On-link 10.10.10.6 286
10.10.10.7 255.255.255.255 On-link 10.10.10.6 286
public.ip 255.255.255.255 192.168.0.254 192.168.0.1 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 10.10.10.5 10.10.10.6 30
169.254.0.0 255.255.0.0 On-link 169.254.142.135 261
169.254.142.135 255.255.255.255 On-link 169.254.142.135 261
169.254.255.255 255.255.255.255 On-link 169.254.142.135 261
192.168.0.0 255.255.255.0 On-link 192.168.0.1 276
192.168.0.1 255.255.255.255 On-link 192.168.0.1 276
192.168.0.254 255.255.255.255 192.168.0.254 192.168.0.1 20
192.168.0.255 255.255.255.255 On-link 192.168.0.1 276
192.168.1.0 255.255.255.252 On-link 192.168.1.1 266
192.168.1.1 255.255.255.255 On-link 192.168.1.1 266
192.168.1.3 255.255.255.255 On-link 192.168.1.1 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.10.10.6 286
224.0.0.0 240.0.0.0 On-link 192.168.0.1 276
224.0.0.0 240.0.0.0 On-link 169.254.142.135 261
224.0.0.0 240.0.0.0 On-link 192.168.1.1 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.10.10.6 286
255.255.255.255 255.255.255.255 On-link 192.168.0.1 276
255.255.255.255 255.255.255.255 On-link 169.254.142.135 261
255.255.255.255 255.255.255.255 On-link 192.168.1.1 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.1.2 Default
===========================================================================

ipconfig on the client
Windows IP Configuration


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . . . . :
Link-local IPv6 Address . . . . . . . .: fe80::7065:8d4f:6229:7b8a%29
IPv4 Address. . . . . . . . . . . . . .: 10.10.10.6
Subnet Mask . . . . . . . . . . . . . .: 255.255.255.252 --> I don't know why it is getting a mask of 252 (the mask needs to be 0)
Default Gateway . . . . . . . . . . . .:

Logs of the client's connection
Sun Nov 16 01:51:16 2014 OpenVPN 2.3.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 28 2014
Sun Nov 16 01:51:16 2014 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.05
Enter Management Password:
Sun Nov 16 01:51:16 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Nov 16 01:51:16 2014 Need hold release from management interface, waiting...
Sun Nov 16 01:51:16 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Nov 16 01:51:16 2014 MANAGEMENT: CMD 'state on'
Sun Nov 16 01:51:16 2014 MANAGEMENT: CMD 'log all on'
Sun Nov 16 01:51:16 2014 MANAGEMENT: CMD 'hold off'
Sun Nov 16 01:51:16 2014 MANAGEMENT: CMD 'hold release'
Sun Nov 16 01:51:16 2014 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Sun Nov 16 01:51:16 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Nov 16 01:51:17 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sun Nov 16 01:51:17 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 16 01:51:17 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 16 01:51:17 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Nov 16 01:51:17 2014 MANAGEMENT: >STATE:1416099077,RESOLVE,,,
Sun Nov 16 01:51:17 2014 Attempting to establish TCP connection with [AF_INET]myip:443 [nonblock]
Sun Nov 16 01:51:17 2014 MANAGEMENT: >STATE:1416099077,TCP_CONNECT,,,
Sun Nov 16 01:51:18 2014 TCP connection established with [AF_INET]myip:443
Sun Nov 16 01:51:18 2014 TCPv4_CLIENT link local: [undef]
Sun Nov 16 01:51:18 2014 TCPv4_CLIENT link remote: [AF_INET]myip:443
Sun Nov 16 01:51:18 2014 MANAGEMENT: >STATE:1416099078,WAIT,,,
Sun Nov 16 01:51:18 2014 MANAGEMENT: >STATE:1416099078,AUTH,,,
Sun Nov 16 01:51:18 2014 TLS: Initial packet from [AF_INET]public.ip:443, sid=94a63ac0 e3d9ad34
Sun Nov 16 01:51:18 2014 VERIFY OK: depth=1, C=FR, ST=Ile-de-France, L=Paris, O=mydomain, OU=VPN, CN=Global CA, name=VPNCA, emailAddress=email
Sun Nov 16 01:51:18 2014 VERIFY OK: depth=0, C=FR, ST=Ile-de-France, L=Paris, O=mydomain, OU=VPN, CN=vpnsrv, name=VPNCA, emailAddress=email
Sun Nov 16 01:51:18 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Nov 16 01:51:18 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 16 01:51:18 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Nov 16 01:51:18 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 16 01:51:18 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Nov 16 01:51:18 2014 [vpnsrv] Peer Connection Initiated with [AF_INET]myip:443
Sun Nov 16 01:51:19 2014 MANAGEMENT: >STATE:1416099079,GET_CONFIG,,,
Sun Nov 16 01:51:20 2014 SENT CONTROL [vpnsrv]: 'PUSH_REQUEST' (status=1)
Sun Nov 16 01:51:20 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 212.27.40.241,redirect-gateway def1 bypass-dhcp,route 10.10.10.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.6 10.10.10.5'
Sun Nov 16 01:51:20 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sun Nov 16 01:51:20 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sun Nov 16 01:51:20 2014 OPTIONS IMPORT: route options modified
Sun Nov 16 01:51:20 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Nov 16 01:51:20 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Nov 16 01:51:20 2014 MANAGEMENT: >STATE:1416099080,ASSIGN_IP,,10.10.10.6, --> I never asked for it
Sun Nov 16 01:51:20 2014 open_tun, tt->ipv6=0
Sun Nov 16 01:51:20 2014 TAP-WIN32 device [Connexion au réseau local] opened: \\.\Global\{4F8F135F-9F68-4106-B4F5-67248DF41A36}.tap
Sun Nov 16 01:51:20 2014 TAP-Windows Driver Version 9.9
Sun Nov 16 01:51:20 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.10.6/255.255.255.252 on interface {4F8F135F-9F68-4106-B4F5-67248DF41A36} [DHCP-serv: 10.10.10.5, lease-time: 31536000]
Sun Nov 16 01:51:20 2014 Successful ARP Flush on interface [29] {4F8F135F-9F68-4106-B4F5-67248DF41A36}
Sun Nov 16 01:51:25 2014 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sun Nov 16 01:51:25 2014 C:\Windows\system32\route.exe ADD myip MASK 255.255.255.255 192.168.0.254
Sun Nov 16 01:51:25 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Nov 16 01:51:25 2014 Route addition via IPAPI succeeded [adaptive]
Sun Nov 16 01:51:25 2014 C:\Windows\system32\route.exe ADD 192.168.0.254 MASK 255.255.255.255 192.168.0.254 IF 28
Sun Nov 16 01:51:25 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Nov 16 01:51:25 2014 Route addition via IPAPI succeeded [adaptive]
Sun Nov 16 01:51:25 2014 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.10.10.5
Sun Nov 16 01:51:25 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 16 01:51:25 2014 Route addition via IPAPI succeeded [adaptive]
Sun Nov 16 01:51:25 2014 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.10.10.5
Sun Nov 16 01:51:25 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 16 01:51:25 2014 Route addition via IPAPI succeeded [adaptive]
Sun Nov 16 01:51:25 2014 MANAGEMENT: >STATE:1416099085,ADD_ROUTES,,,
Sun Nov 16 01:51:25 2014 C:\Windows\system32\route.exe ADD 10.10.10.1 MASK 255.255.255.255 10.10.10.5
Sun Nov 16 01:51:25 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sun Nov 16 01:51:25 2014 Route addition via IPAPI succeeded [adaptive]
Sun Nov 16 01:51:25 2014 Initialization Sequence Completed
Sun Nov 16 01:51:25 2014 MANAGEMENT: >STATE:1416099085,CONNECTED,SUCCESS,10.10.10.6,myip
Sun Nov 16 01:54:19 2014 C:\Windows\system32\route.exe DELETE 10.10.10.1 MASK 255.255.255.255 10.10.10.5
Sun Nov 16 01:54:19 2014 Route deletion via IPAPI succeeded [adaptive]
Sun Nov 16 01:54:19 2014 C:\Windows\system32\route.exe DELETE public.ip MASK 255.255.255.255 192.168.0.254
Sun Nov 16 01:54:19 2014 Route deletion via IPAPI succeeded [adaptive]
Sun Nov 16 01:54:19 2014 C:\Windows\system32\route.exe DELETE 192.168.0.254 MASK 255.255.255.255 192.168.0.254
Sun Nov 16 01:54:19 2014 Route deletion via IPAPI succeeded [adaptive]
Sun Nov 16 01:54:19 2014 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.10.10.5
Sun Nov 16 01:54:19 2014 Route deletion via IPAPI succeeded [adaptive]
Sun Nov 16 01:54:19 2014 C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.10.10.5
Sun Nov 16 01:54:19 2014 Route deletion via IPAPI succeeded [adaptive]
Sun Nov 16 01:54:19 2014 Closing TUN/TAP interface
Sun Nov 16 01:54:19 2014 SIGTERM[hard,] received, process exiting
Sun Nov 16 01:54:19 2014 MANAGEMENT: >STATE:1416099259,EXITING,SIGTERM,,

Server
mode server
proto tcp-server
port 443
dev tun

ca /etc/openvpn/ca/ca.crt
cert /etc/openvpn/vpnsrv.crt
key /etc/openvpn/vpnsrv.key
dh /etc/openvpn/dh2048.pem
cipher AES-256-CBC

server 10.10.10.0 255.255.255.0
ifconfig 10.10.10.1 255.255.255.0
push "dhcp-option DNS 212.27.40.241"
push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120
tls-server
tls-auth ta.key 0

#user nobody
#group nogroup

comp-lzo

#ping 15
#ping-restart 45
#ping-timer-rem

persist-tun
persist-key
status openvpn-status.log

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting

#script-security 2

verb 3

ifconfig on the server

eth0 Link encap:Ethernet HWaddr 00:15:5d:00:0a:0b
inet addr:192.168.0.20 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: 2a01:e35:1393:e5e0:215:5dff:fe00:a0b/64 Scope:Global
inet6 addr: fe80::215:5dff:fe00:a0b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:187109 errors:0 dropped:0 overruns:0 frame:0
TX packets:56772 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:36358459 (34.6 MiB) TX bytes:12268096 (11.6 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.10.1 P-t-P:10.10.10.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3413 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:221018 (215.8 KiB) TX bytes:0 (0.0 B)

ip route on the server

default via 192.168.0.254 dev eth0
10.10.10.0/24 via 10.10.10.2 dev tun0
10.10.10.2 dev tun0 proto kernel scope link src 10.10.10.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20

iptables script executed
#!/bin/bash

#Flush all rules

iptables -t filter -F
iptables -t nat -F

#Policy BLOCK ALL

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#Interface loopback

iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

#Interface eth0

#Grant icmp

iptables -t filter -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -t filter -A FORWARD -p icmp -i eth0 -o eth0 -j ACCEPT

#Grant SSH

iptables -t filter -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#Grant DNS

iptables -t filter -A INPUT -p udp --sport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

#Grant FTP

#port 20:21

iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --sport 20:21 -m state --state ESTABLISHED -j ACCEPT

#random port for passive ftp

iptables -t filter -A INPUT -p tcp --dport 49000:49100 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 49000:49100 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Interface tun0

#Grant https

iptables -t filter -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -o tun0 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i tun0 -p tcp --sport 443 -o eth0 -m state --state ESTABLISHED -j ACCEPT

#Substitute IP address (NAT for the VPN subnet)

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

#SHOW RULES

iptables -nvL -t nat
iptables -nvL -t filter


Thank you for reading, and if you think you know where the problem is, please let me know ;)

Re: My Windows client receives a wrong IP

Posted: Sun Nov 16, 2014 1:03 pm
by Traffic
Lud3rik wrote: have got some issue on my Windows client. It does not receive the IP I configured in the config file
Your client receives 10.10.10.6 .. which is correct .. so what is the problem?
Lud3rik wrote:Client

ifconfig 10.10.10.8 255.255.255.0
This is both not required and incorrect for your setup.

See --topology in The Manual v23x

Re: My Windows client receives a wrong IP

Posted: Sun Nov 16, 2014 4:22 pm
by Lud3rik
Traffic wrote:
Lud3rik wrote: have got some issue on my Windows client. It does not receive the IP I configured in the config file
Your client receives 10.10.10.6 .. which is correct .. so what is the problem?
Lud3rik wrote:Client

ifconfig 10.10.10.8 255.255.255.0
This is both not required and incorrect for your setup.

See --topology in The Manual v23x
Hello Traffic, and thank you for taking the time to answer my question.
If I understand correctly what you said, I need to remove "client" and "ifconfig *" from my client file.

Furthermore, I see that the client is not able to reach the Internet; have you got any idea why?

Re: My Windows client receives a wrong IP

Posted: Sun Nov 16, 2014 7:34 pm
by Traffic
Lud3rik wrote:If I understand correctly what you said, I need to remove "client" and "ifconfig *" from my client file.
Remove ifconfig .. not client .. read the manual to understand both.
Lud3rik wrote:Furthermore, I see that the client is not able to reach the internet, have you got any idea why
indeed .. did you enable IP forwarding?

Re: My Windows client receives a wrong IP

Posted: Mon Nov 17, 2014 3:16 pm
by Traffic
Also note:
Lud3rik wrote:My lan is in 192.168.0.0/24
on both the server and the client .. so you have a routing conflict.

You must change one or the other, or preferably both, to a unique subnet.
eg: Server 192.168.101.0/24 & Client 192.168.111.0/24
Lud3rik wrote:Result of routeprint of client

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
<snip>
192.168.0.0 255.255.255.0 On-link 192.168.0.1 276
<snip>
192.168.1.0 255.255.255.252 On-link 192.168.1.1 266
and ..
Lud3rik wrote:ifconfig on the server

eth0 Link encap:Ethernet HWaddr 00:15:5d:00:0a:0b
inet addr:192.168.0.20 Bcast:192.168.0.255 Mask:255.255.255.0

Re: My Windows client receives a wrong IP

Posted: Tue Nov 18, 2014 12:41 am
by Lud3rik
Hello,

So, as you suggested, I changed the config of both:

Config files

Client

client
proto tcp
dev tun

ca ca.crt
cert chain.crt
key cmathis.key
cipher AES-256-CBC

remote freebiz.ddns.net 443

tls-client
tls-auth ta.key 1

#user nobody
#group nogroup

comp-lzo

verb 9


Server
mode server
proto tcp-server
port 443
dev tun

ca /etc/openvpn/ca/ca.crt
cert /etc/openvpn/vpnsrv.crt
key /etc/openvpn/vpnsrv.key
dh /etc/openvpn/dh2048.pem
cipher AES-256-CBC

server 192.168.111.0 255.255.255.0
ifconfig 192.168.111.1 255.255.255.0
push "dhcp-option DNS 212.27.40.241"
push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120
tls-server
tls-auth ta.key 0

#user nobody
#group nogroup

comp-lzo

#ping 15
#ping-restart 45
#ping-timer-rem

persist-tun
persist-key
status openvpn-status.log

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting

#script-security 2

verb 3

IP configs

Server
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:15:5d:00:0a:0b brd ff:ff:ff:ff:ff:ff
inet 192.168.0.20/24 brd 192.168.0.255 scope global eth0
inet6 2a01:e35:1393:e5e0:215:5dff:fe00:a0b/64 scope global dynamic
valid_lft 86115sec preferred_lft 86115sec
inet6 fe80::215:5dff:fe00:a0b/64 scope link
valid_lft forever preferred_lft forever
342: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 192.168.111.1 peer 192.168.111.2/32 scope global tun0

default via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20
192.168.111.0/24 via 192.168.111.2 dev tun0
192.168.111.2 dev tun0 proto kernel scope link src 192.168.111.1

I should point out that IP forwarding is enabled on my VPN server.

Client

Route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.254 192.168.0.1 20
0.0.0.0 0.0.0.0 192.168.1.2 192.168.1.1 266
0.0.0.0 128.0.0.0 192.168.111.5 192.168.111.6 30
81.57.62.94 255.255.255.255 192.168.0.254 192.168.0.1 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 192.168.111.5 192.168.111.6 30
169.254.0.0 255.255.0.0 On-link 169.254.142.135 261
169.254.142.135 255.255.255.255 On-link 169.254.142.135 261
169.254.255.255 255.255.255.255 On-link 169.254.142.135 261
192.168.0.0 255.255.255.0 On-link 192.168.0.1 276
192.168.0.1 255.255.255.255 On-link 192.168.0.1 276
192.168.0.254 255.255.255.255 192.168.0.254 192.168.0.1 20
192.168.0.255 255.255.255.255 On-link 192.168.0.1 276
192.168.1.0 255.255.255.252 On-link 192.168.1.1 266
192.168.1.1 255.255.255.255 On-link 192.168.1.1 266
192.168.1.3 255.255.255.255 On-link 192.168.1.1 266
192.168.111.1 255.255.255.255 192.168.111.5 192.168.111.6 30
192.168.111.4 255.255.255.252 On-link 192.168.111.6 286
192.168.111.6 255.255.255.255 On-link 192.168.111.6 286
192.168.111.7 255.255.255.255 On-link 192.168.111.6 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.111.6 286
224.0.0.0 240.0.0.0 On-link 192.168.0.1 276
224.0.0.0 240.0.0.0 On-link 169.254.142.135 261
224.0.0.0 240.0.0.0 On-link 192.168.1.1 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.111.6 286
255.255.255.255 255.255.255.255 On-link 192.168.0.1 276
255.255.255.255 255.255.255.255 On-link 169.254.142.135 261
255.255.255.255 255.255.255.255 On-link 192.168.1.1 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.1.2 Default
===========================================================================
IPTABLES

#!/bin/bash

#Flush all rules

iptables -t filter -F
iptables -t nat -F

#Policy BLOCK ALL

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#Interface loopback

iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

#SECURITY

#LOG SUSPICIOUS PACKETS

iptables -A INPUT -m state --state NEW -m recent --set --name DEFAULT --rsource
iptables -A INPUT -m state --state INVALID -j LOG --log-level 4 --log-prefix "invalid:"
iptables -A INPUT -m state --state INVALID -j DROP

#RECORDING LOGS

#FTP
iptables -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j LOG
iptables -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP

#HTTPS
iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j LOG
iptables -A INPUT -p udp -m udp --dport 443 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j LOG

#DROPPING PACKETS

#FTP
iptables -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP

#HTTPS

iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
iptables -A INPUT -p udp -m udp --dport 443 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP

#Interface eth0

#Grant icmp

iptables -t filter -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -t filter -A FORWARD -p icmp -i eth0 -o tun0 -j ACCEPT

#LIMIT ICMP traffic

iptables -t filter -I INPUT -p icmp --icmp-type echo-request -m recent --set
iptables -t filter -I INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 10 --hitcount 5 -j DROP

#Grant SSH

iptables -t filter -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#Grant DNS

iptables -t filter -A INPUT -p udp --sport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

#Grant FTP

#port 20:21

iptables -t filter -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --sport 20:21 -m state --state ESTABLISHED -j ACCEPT

#random port for passive ftp

iptables -t filter -A INPUT -p tcp --dport 49000:49100 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 49000:49100 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Interface tun0

#Grant https

iptables -t filter -A INPUT -p tcp -i eth0 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -o eth0 --sport 443 -m state --state ESTABLISHED -j ACCEPT
#iptables -t filter -A FORWARD -p tcp -i eth0 --dport 443 -o tun0 -m state --state ESTABLISHED -j ACCEPT
#iptables -t filter -A FORWARD -p tcp -i tun0 --sport 443 -o eth0 -m state --state ESTABLISHED -j ACCEPT

#Substitute IP address (forwarding and NAT for the VPN subnet)

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.111.0/30 -j ACCEPT
iptables -t filter -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 192.168.111.0/30 -o eth0 -j MASQUERADE

#SHOW RULES

iptables -nvL -t nat
iptables -nvL -t filter

Now I know that OpenVPN on Windows creates a /30 network by design. My VPN works, but my client cannot browse the Internet. Maybe my iptables rules are too restrictive. I have been reading examples on the Internet to make them as logical as possible, but I think I have forgotten some important rules.

Thank you in advance for helping me, Traffic.
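
Two things in the thread above are easier to see in working code than in prose: the net30 allocation that Traffic's --topology pointer refers to (why the client ends up with x.x.x.6/255.255.255.252 and peer x.x.x.5, whatever `ifconfig` the client config says), and the FORWARD/NAT rules the default-DROP script above is missing (forwarded packets never pass INPUT or OUTPUT, and a `-s 192.168.111.0/30` match covers only the server's own block, not the client at 192.168.111.6). The following is an added example, not code from the thread or from the OpenVPN project; the pool 192.168.111.0/24, tun0 and eth0 are taken from the posts, the `-m conntrack` match is the current equivalent of the `-m state` match used above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread: net30 address allocation and
# the forwarding/NAT rules an OpenVPN gateway needs behind a default-DROP
# firewall. Pool, interface names come from the thread; the rest is assumed.

# --- helpers: dotted quad <-> integer, plain POSIX sh arithmetic ------------
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}
int2ip() {
  echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}
# in_cidr IP NET/PREFIX -> exit status 0 when IP lies inside NET/PREFIX
in_cidr() {
  ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
  size=$(( 1 << (32 - bits) ))
  [ $(( ip / size )) -eq $(( net / size )) ]
}

# --- topology net30 --------------------------------------------------------
# "server NET 255.255.255.0" with the default net30 topology carves the pool
# into /30 blocks. Block 0 is the server's own pair (local .1, peer .2), which
# the server directive already configures, so a separate "ifconfig" line on
# either side is redundant at best. Client n>=1 gets block n: its address is
# the third host of the block and the server-side endpoint is the second,
# which is exactly the "ifconfig 10.10.10.6 10.10.10.5" pushed in the log.
net30_pair() {   # net30_pair POOL_NETWORK INDEX
  blk=$(( $(ip2int "$1") + 4 * $2 ))
  if [ "$2" -eq 0 ]; then
    echo "server $(int2ip $(( blk + 1 ))) peer $(int2ip $(( blk + 2 )))"
  else
    echo "client $(int2ip $(( blk + 2 ))) peer $(int2ip $(( blk + 1 ))) block $(int2ip "$blk")/30"
  fi
}

# --- gateway rules ---------------------------------------------------------
# Packets routed from tun0 to eth0 only traverse FORWARD, so "FORWARD DROP"
# discards every client flow unless a rule allows it. The source match must
# cover the whole pool: 192.168.111.0/30 is just the server's own block.
# First argument "echo" prints the commands instead of running them.
vpn_gateway_rules() {
  run=$1
  tun=${TUN_IF:-tun0}; wan=${WAN_IF:-eth0}; pool=${VPN_NET:-192.168.111.0/24}
  $run sysctl -w net.ipv4.ip_forward=1                       # kernel forwarding
  $run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $run iptables -A FORWARD -i "$tun" -o "$wan" -s "$pool" -m conntrack --ctstate NEW -j ACCEPT
  $run iptables -A FORWARD -j DROP                           # keep default-deny explicit
  $run iptables -t nat -A POSTROUTING -s "$pool" -o "$wan" -j MASQUERADE
}

# Dry run: allocation for the server block and the first two clients, then
# the rules that would be applied (drop the "echo" to apply them as root).
for n in 0 1 2; do net30_pair 192.168.111.0 "$n"; done
vpn_gateway_rules echo
```

Running it as root without the `echo` argument applies the rules; the `-A FORWARD -j DROP` at the end is there so the chain stays closed even if the policy is later changed. The hit-rate limiting, SSH and FTP rules from the script above are independent of this and can stay as they are.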

Re: My Windows client receives a wrong IP

Posted: Tue Nov 18, 2014 10:47 am
by Traffic
Lud3rik wrote:So as you suggested, I changed the the config of both :
I did not say anything about the OpenVPN configs .. your real networks are conflicting.

The LAN of the server and the LAN of the client are both 192.168.0.0/24 ..
I suggest you change your server side LAN to 192.168.101.0/24 and your client side LAN to 192.168.111.0/24
:roll:

Re: My Windows client receives a wrong IP

Posted: Tue Nov 18, 2014 8:56 pm
by Lud3rik
I finally managed to get this VPN running and to make the client able to browse the Internet.

The root cause of the problem was here:

Start -> Right-click My Computer -> Manage
Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start

Next:

Control Panel
Network and Sharing Center
Local Area Connection
Properties
Sharing
Tick the box "Allow other network users to connect through this computer's Internet connection"
From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.

regedit

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

Thank you, Traffic, for trying to help a psycho-paranoid like me :p

CONCLUSION

PIBCK & RTFM

Best Regards ;)