
Same script, different client - 1 does not provide full conn

Posted: Wed Jul 08, 2015 1:10 pm
by Dtravler
I am using basic config-scripts for server and client. Just slight modifications.
With the config script I am able to successfully set up a VPN tunnel from my Windows (8.1) client.

The funny thing is that with the standard OpenVPN client (openvpn-install-2.3.7-I601-x86_64.exe) I can set up a connection. Everything initiated perfectly, but I cannot ping and access the webhost on this server.
YET
with the client SecurePoint OpenVPN (v1.0.3) I am able to successfully initiate a connection, and I can do a ping, access all traffic on open ports and so on.

Because I prefer to use the standard OpenVPN client, I want this to work. Also out of the aspect of troubleshooting I need to know why.
When the purpose of this VPN server is satisfactory we want to deploy it to many of our clients to safely connect with our server(s).

Included the links to the logfiles during setup of the connection
- Log OpenVPN Client http://www.qimbiz.com/openvpn-configs/#clientlog
- Log SecurePoint OpenVPN Client http://www.qimbiz.com/openvpn-configs/#Securepointlog

Conf files
- client.conf http://www.qimbiz.com/openvpn-configs/#clientconf
- server.conf http://www.qimbiz.com/openvpn-configs/#serverconf

Later I want to make the config a little bit more complicated in order to only allow access to one server on our network.
But before that this simple step needs to work first.

Looking forward to your input.
If you need more info, maybe about the firewall or other settings, let me know.

Re: Same script, different client - 1 does not provide full

Posted: Thu Jul 09, 2015 12:30 pm
by TiTex
This is interesting, as I had the same problem connecting with openvpn-gui yesterday on a Windows 8.1 machine, which is joined to an Active Directory domain, regular user account.
I was getting the same error messages:
Wed Jul 08 13:35:46 2015 MANAGEMENT: >STATE:1436337346,ADD_ROUTES,,,
Wed Jul 08 13:35:46 2015 C:\Windows\system32\route.exe ADD 202.158.52.202 MASK 255.255.255.255 10.77.0.5
Wed Jul 08 13:35:46 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=19]
Wed Jul 08 13:35:46 2015 Route addition via IPAPI failed [adaptive]
Wed Jul 08 13:35:46 2015 Route addition fallback to route.exe
Wed Jul 08 13:35:46 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Jul 08 13:35:46 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Wed Jul 08 13:35:46 2015 C:\Windows\system32\route.exe ADD 10.77.0.1 MASK 255.255.255.255 10.77.0.5
Wed Jul 08 13:35:46 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=19]
Wed Jul 08 13:35:46 2015 Route addition via IPAPI failed [adaptive]
Wed Jul 08 13:35:46 2015 Route addition fallback to route.exe
Wed Jul 08 13:35:46 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Jul 08 13:35:46 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Wed Jul 08 13:35:46 2015 Initialization Sequence Completed
Wed Jul 08 13:35:46 2015 MANAGEMENT: >STATE:1436337346,CONNECTED,SUCCESS,10.77.0.6,54.85.17.249
I could not solve it until I added the domain user account to the local administrators group on the client computer and ran openvpn-gui as administrator with the domain account credentials, but I would rather not do that because now he has privileges to modify other things as well.
So I think I'll give SecurePoint a try and see what happens, although I think in Dtravler's case SecurePoint runs by default "As Administrator" and OpenVPN-GUI doesn't, so if your users' permissions are not limited like in an Active Directory environment, right-clicking the openvpn-gui shortcut, going to the Compatibility tab and ticking the checkbox "Run as Administrator" will solve your issue.

I don't understand why Cisco's VPN client (IPSec) can set up routes with regular domain user account privileges, but OpenVPN can't.

Re: Same script, different client - 1 does not provide full

Posted: Thu Jul 09, 2015 2:02 pm
by TiTex
Sorry for double posting, I can't edit my previous message.

Well, I only needed administrative privileges in an Active Directory environment until I installed the Securepoint OpenVPN client; after that a regular user can just start using it normally, no "run as administrator" required, and everything works very nicely.
And my guess is that Securepoint is just a wrapper around the Windows service, so the GUI actually controls the service, which runs as a system account, and so there is no need for "run as administrator".
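
A log check for the failure pattern quoted in this thread, as an added example that is not part of any post: it pairs each route.exe ADD line with the failure lines that follow it and flags a session that reports "Initialization Sequence Completed" while pushed routes are missing. The function name audit_routes and the sample log (constructed, with documentation and private-range addresses) are assumptions.

```python
import re

# Constructed sample in the log format quoted in the thread; the addresses
# are documentation/private ranges, not values taken from the thread.
SAMPLE_LOG = r"""Wed Jul 08 13:35:46 2015 C:\Windows\system32\route.exe ADD 192.0.2.10 MASK 255.255.255.255 10.8.0.5
Wed Jul 08 13:35:46 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=19]
Wed Jul 08 13:35:46 2015 Route addition via IPAPI failed [adaptive]
Wed Jul 08 13:35:46 2015 Route addition fallback to route.exe
Wed Jul 08 13:35:46 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Wed Jul 08 13:35:46 2015 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jul 08 13:35:46 2015 Initialization Sequence Completed
"""

ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
API_DENIED = re.compile(r"CreateIpForwardEntry: Access is denied")
FALLBACK_FAILED = "Windows route add command failed"
CONNECTED = "Initialization Sequence Completed"


def audit_routes(log_text):
    """Return which pushed routes were never installed, and why."""
    routes, current, connected = [], None, False
    for line in log_text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            # OpenVPN logs the route command first, then any failures for it.
            current = {"dest": m[1], "mask": m[2], "gateway": m[3],
                       "api_denied": False, "installed": True}
            routes.append(current)
        elif current and API_DENIED.search(line):
            current["api_denied"] = True   # IP helper API refused the call
        elif current and FALLBACK_FAILED in line:
            current["installed"] = False   # route.exe fallback failed too
        elif CONNECTED in line:
            connected = True
    missing = [r for r in routes if not r["installed"]]
    return {"connected": connected, "routes": routes, "missing": missing,
            # Access denied on a missing route means the client lacked
            # the privilege to change the routing table.
            "needs_elevation": any(r["api_denied"] for r in missing)}


if __name__ == "__main__":
    report = audit_routes(SAMPLE_LOG)
    for r in report["missing"]:
        print("route not installed:", r["dest"], "via", r["gateway"])
    if report["connected"] and report["needs_elevation"]:
        print("tunnel is up, but the client could not modify the routing table")
```
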