How to make openVPN work over windows 8.1 firewall as a private TAP (ethernet) network?

OpenVPN tutorials ranging from configuration to hacks to compilation will be posted here.
paikuhan
OpenVpn Newbie
Posts: 3
Joined: Sat Aug 11, 2018 9:41 pm

How to make openVPN work over windows 8.1 firewall as a private TAP (ethernet) network?

Post by paikuhan » Sat Aug 11, 2018 10:49 pm

Here is the whole journey!

I went to https://openvpn.net/index.php/open-sour ... loads.html and downloaded the latest installer for Windows (openvpn-install-2.4.6-I602.exe as of this writing).


Then I installed it on every machine by carefully checking the box for "EasyRSA 2 Certificate Management Scripts" (server machine only) and installing the TAP-Windows V9 Driver in every machine.


Generating certificates and keys

I configured OpenVPN by following the "HOWTO" guide from the official site, from "Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients" to "Starting up the VPN and testing for initial connectivity".

i.e. I opened the command prompt as Administrator, changed directory to "C:\Program Files\OpenVPN\easy-rsa" and ran the commands:

Code:

init-config
vars

For the sake of simplicity, I haven't changed any KEY_* in vars.bat.
Then I ran the commands:

Code:

clean-all
build-ca

When prompted to enter a Common Name, I entered OpenVPN-CA just like in the "HOWTO" (I know I could have entered anything).

Next I generated a private key for the server like so:

Code:

build-key-server server

Again I kept all the values the same except Common Name, where I entered "server". I then entered a challenge password but no optional company name. Finally I positively answered the two questions "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

After that, I generated a private key for each client like so:

Code:

build-key clientN

Where N is a number. I kept all the values the same except Common Name, where I entered "clientN". I then entered the same challenge password as before but no optional company name. Finally I positively answered the two questions "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Then I generated Diffie-Hellman parameters with the following command:

Code:

build-dh

Configuring the server

I then had to configure the server and client. So I first created a server folder in windows 8.1 "Documents" directory for the OpenVPN server. I then copied ca.crt, server.crt, server.key and dh2048.pem from "C:\Program Files\OpenVPN\easy-rsa\keys\" to the server directory in the Documents directory (C:\Users\<Username>\Documents\server\). I also copied server.ovpn from C:\Program Files\OpenVPN\sample-config\ to the same server directory.


Finally I edited server.ovpn so that the ca, cert, key and dh parameters point to the files I copied to the server directory (basically I had nothing to change).


Since I am using ethernet (dev tap) I did some ethernet bridging (pretty sure it is not necessary) and for that I had to do a few extra things:

I went to Control Panel>Network and Internet>Network and Sharing Center and on the left hand side clicked "Change adapter settings" to open "Network Connections". There I right-clicked on the TAP-Windows Adapter V9 and renamed it to "TAP-Bridge". I also edited the server.ovpn by commenting out the line which says dev tun and replacing it instead with:

Server.ovpn

dev tap
dev-node tap-bridge

as asked in "Bridge Server on Windows XP" in the OpenVPN Miscellaneous page.

And commenting out the line that begins with server and replacing it with:

Server.ovpn

server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254

I also had to uncomment "server-bridge" (a few lines below) as told in the HOWTO's "Editing the server configuration file".


Then I selected the Ethernet NIC and the TAP-Bridge, right clicked on one of them and clicked "Bridge Connections".


I then right-clicked on the newly created bridge adapter, opened its properties, double-clicked on "Internet Protocol Version 4 (TCP/IPv4)" and set the TCP/IP properties on the bridge adapter to an IP of 192.168.8.4 and a subnet mask of 255.255.255.0.


At that point my server.ovpn looked something like this (without the comments):

Server.ovpn

port 1194
proto tcp
dev tap
dev-node TAP-Bridge
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
server-bridge
client-to-client
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 0

Before I ran the server like it says in the HOWTO's Starting up the VPN and testing for initial connectivity I had to generate a "ta.key" file. I did it by opening a command prompt as Administrator and changing directory to C:\Program Files\OpenVPN\bin\ then I ran:

Code:

openvpn --genkey --secret ta.key

as mentioned in a comment in server.ovpn. I moved the newly created "ta.key" to the server directory in the Windows 8.1 Documents directory.


Then I opened a command window from the "server" directory and ran the command:

Code:

"C:\Program Files\OpenVPN\bin\openvpn" server.ovpn

Here is the output:

Code:

Sat Aug 11 23:23:02 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Aug 11 23:23:02 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Aug 11 23:23:02 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Sat Aug 11 23:23:02 2018 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Sat Aug 11 23:23:02 2018 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Aug 11 23:23:02 2018 Diffie-Hellman initialized with 2048 bit key
Sat Aug 11 23:23:02 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 11 23:23:02 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 11 23:23:02 2018 interactive service msg_channel=0
Sat Aug 11 23:23:02 2018 open_tun
Sat Aug 11 23:23:02 2018 TAP-WIN32 device [TAP-Bridge] opened: \\.\Global\{214C63C9-1D0F-4FD0-958C-F8147D803E66}.tap
Sat Aug 11 23:23:02 2018 TAP-Windows Driver Version 9.21 
Sat Aug 11 23:23:02 2018 Sleeping for 10 seconds...
Sat Aug 11 23:23:12 2018 NOTE: FlushIpNetTable failed on interface [22] {214C63C9-1D0F-4FD0-958C-F8147D803E66} (status=1168) : Element not found.  
Sat Aug 11 23:23:12 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Sat Aug 11 23:23:12 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Aug 11 23:23:12 2018 setsockopt(IPV6_V6ONLY=0)
Sat Aug 11 23:23:12 2018 Listening for incoming TCP connection on [AF_INET6][undef]:1194
Sat Aug 11 23:23:12 2018 TCPv6_SERVER link local (bound): [AF_INET6][undef]:1194
Sat Aug 11 23:23:12 2018 TCPv6_SERVER link remote: [AF_UNSPEC]
Sat Aug 11 23:23:12 2018 MULTI: multi_init called, r=256 v=256
Sat Aug 11 23:23:12 2018 IFCONFIG POOL: base=192.168.8.128 size=127, ipv6=0
Sat Aug 11 23:23:12 2018 IFCONFIG POOL LIST
Sat Aug 11 23:23:12 2018 MULTI: TCP INIT maxclients=60 maxevents=64
Sat Aug 11 23:23:12 2018 Initialization Sequence Completed

A Windows Security Alert came up and I chose "allow access" for Private networks, such as my home or work network.


That's it, the server was up and running.


Configuring the clients

I first created a client folder in windows 8.1 "Documents" directory for the OpenVPN client on each client machine. I then copied ca.crt, clientN.crt and clientN.key (where N is a number) from "C:\Program Files\OpenVPN\easy-rsa\keys\" to the client directory in the Documents directory of each client machine (C:\Users\<Username>\Documents\client\). I also copied client.ovpn from C:\Program Files\OpenVPN\sample-config\ to the same client directories.


Finally I edited server.ovpn so that the ca, cert, key and dh parameters point to the files I copied to the server directory. Basically I changed client.crt and client.key to clientN.crt and clientN.key respectively (where N is a number).

At that point my client.ovpn files looked something like this (without the comments):

Client1.ovpn

client
dev tap
proto tcp
#<my.public.ip.address> is obviously my public IP
remote my.public.ip.address 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
#here N is 1 that's why you read client1 instead of clientN
cert client1.crt
key client1.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

Before I ran the clients like it says in the HOWTO's "Starting up the VPN and testing for initial connectivity" I had to add the same "ta.key" file to each client directory. So I copied the previously created "ta.key" to the client directory in windows 8.1 Documents directory on each client machine.


Then I opened a command window from the "client" directory and ran the command:

Code:

"C:\Program Files\OpenVPN\bin\openvpn" client.ovpn

No connection at that point and no Windows Security Alert (firewall notification). I had to do one more thing to make it connect to the server. So I activated DMZ on my router (connected to the internet) to redirect every request to the machine running the server. Then I retried the above command for the clients. And voila!

Here is the output of one of the clients:

Code:

Sun Aug 12 03:31:59 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sun Aug 12 03:31:59 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Aug 12 03:31:59 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Sun Aug 12 03:32:00 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 12 03:32:00 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 12 03:32:00 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]my.public.ip.address:1194
Sun Aug 12 03:32:00 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Aug 12 03:32:00 2018 Attempting to establish TCP connection with [AF_INET]my.public.ip.address:1194 [nonblock]
Sun Aug 12 03:32:00 2018 TCP connection established with [AF_INET]my.public.ip.address:1194
Sun Aug 12 03:32:00 2018 TCP_CLIENT link local: (not bound)
Sun Aug 12 03:32:00 2018 TCP_CLIENT link remote: [AF_INET]my.public.ip.address:1194
Sun Aug 12 03:32:01 2018 TLS: Initial packet from [AF_INET]my.public.ip.address:1194, sid=5ce9ab74 c8d073e6
Sun Aug 12 03:32:02 2018 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=OpenVPN-CA, name=changeme, emailAddress=XXX@XXX...
Sun Aug 12 03:32:02 2018 VERIFY KU OK
Sun Aug 12 03:32:02 2018 Validating certificate extended key usage
Sun Aug 12 03:32:02 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Aug 12 03:32:02 2018 VERIFY EKU OK
Sun Aug 12 03:32:02 2018 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=server, name=changeme, emailAddress=XXX@XXX...
Sun Aug 12 03:32:03 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Aug 12 03:32:03 2018 [server] Peer Connection Initiated with [AF_INET]my.public.ip.address:1194
Sun Aug 12 03:32:05 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Aug 12 03:32:05 2018 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.8.4,ping 10,ping-restart 120,ifconfig 192.168.8.128 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: route-related options modified
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: peer-id set
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: adjusting link_mtu to 1658
Sun Aug 12 03:32:05 2018 OPTIONS IMPORT: data channel crypto options modified
Sun Aug 12 03:32:05 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Aug 12 03:32:05 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Aug 12 03:32:05 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Aug 12 03:32:05 2018 interactive service msg_channel=0
Sun Aug 12 03:32:05 2018 open_tun
Sun Aug 12 03:32:05 2018 TAP-WIN32 device [TAP-Ethernet] opened: \\.\Global\{600652AF-2FD3-421E-BC51-0C480E6EF549}.tap
Sun Aug 12 03:32:05 2018 TAP-Windows Driver Version 9.21 
Sun Aug 12 03:32:05 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.8.128/255.255.255.0 on interface {600652AF-2FD3-421E-BC51-0C480E6EF549} [DHCP-serv: 192.168.8.0, lease-time: 31536000]
Sun Aug 12 03:32:05 2018 NOTE: FlushIpNetTable failed on interface [5] {600652AF-2FD3-421E-BC51-0C480E6EF549} (status=5) : Access is denied.  
Sun Aug 12 03:32:05 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Aug 12 03:32:10 2018 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Sun Aug 12 03:32:10 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Aug 12 03:32:10 2018 Initialization Sequence Completed

(For reasons, I replaced my public IP address with my.public.ip.address. And I replaced the default email with XXX@XXX... because PHPBB.)

Since every client could connect to the server I thought to myself "Why not ping", so like the Red October I sent one ping only from each client to any other client. What I got was disappointing. Each time, I had an output similar to this:

Code:

Pinging 192.168.8.128 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.8.128:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Troubleshooting

Then I decided to turn off the firewall on every single machine and tried again. And voila! Everything worked fine.

Here is an example output:

Code:

Pinging 192.168.8.129 with 32 bytes of data:
Reply from 192.168.8.129: bytes=32 time=69ms TTL=128
Reply from 192.168.8.129: bytes=32 time=75ms TTL=128
Reply from 192.168.8.129: bytes=32 time=27ms TTL=128
Reply from 192.168.8.129: bytes=32 time=45ms TTL=128

Ping statistics for 192.168.8.129:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 75ms, Average = 54ms

Even a client pinging the server and vice versa works just fine.

Issues that I can't fix (I need help with those)

Both on the server and on every single client the VPN network (Network Bridge on server) appears as an Unidentified Public Network


I have to turn off my firewall so that I can ping (so that they can communicate).


What I tried

A. To make the clients' network appear as a Private network I did what was done in [Set Windows 10 TAP adaptor to private network], i.e. I added the following two lines to the server.ovpn file:

Server.ovpn

push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"

It didn't work (or rather it only works on "dev tun" and not "dev tap"; I know, I tried dev tun). And even if it did, the Network Bridge (server) would remain unidentified (I tried with dev tun).


B. To allow me to enable the Firewall on the clients I went to Control Panel>System and Security>Windows Firewall. And on the left hand side I clicked on "Allow an app or feature through Windows Firewall". There I clicked on the "Change settings" button at the top and "Allow another app..." button at the bottom. I browsed for openvpn.exe (C:\Program Files\OpenVPN\bin\openvpn.exe). And selected both networks in "Network types...". Then I clicked Add and then OK.


After I re-activated the firewalls on every client machine and ran the clients, I tried to ping from one client to another. Nothing worked! Even server-to-client ping didn't work.


What I need

I need a solution that would work both on Windows 8.1 and Windows 10. Because although I am running it on Windows 8.1 I know that in the near future I will have to run the client on Windows 10.

Thanks in Advance!

TinCanTech
OpenVPN Protagonist
Posts: 4641
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to make openVPN work over windows 8.1 firewall as a private TAP (ethernet) network?

Post by TinCanTech » Sun Aug 12, 2018 12:12 am

paikuhan wrote:
Sat Aug 11, 2018 10:49 pm
What I need

I need a solution that would work both on Windows 8.1 and Windows 10
You mean .. You want Windows to do as it is told ... right ?

PingPong
OpenVPN User
Posts: 14
Joined: Sun Jul 29, 2018 2:01 pm

Re: How to make openVPN work over windows 8.1 firewall as a private TAP (ethernet) network?

Post by PingPong » Sun Aug 12, 2018 7:12 am

You need different rules in the Win firewall for the internet and the OpenVPN network.

Internet should be more restricted, so you should make it a Public Network and define the firewall rules as they should be.

OpenVPN should be less restricted, so you should make it a Private Network and define the firewall rules less strict.

How to define the OpenVPN network adapter as a private one? Do that by using MS PowerShell.
1. Find out the InterfaceIndex of your OpenVPN virtual network adapter.
In PowerShell: get-wmiobject win32_networkadapter | select netconnectionid, name, InterfaceIndex, netconnectionstatus
2. Make this network private.
In PowerShell: Set-NetConnectionProfile -InterfaceIndex [NUMBER OF ADAPTER] -NetworkCategory Private

Poorly Public Networks are boot-safe, Private Networks are not. If you ask MS why it is like that they will tell you that this is a feature not a bug. So put the command to make Private Network out of the virtual OpenVPN Adapter into a PowerShell script and run it, whenever the Computer starts.

But don't put that into Windows task scheduler, because then it will only work then and when. Put it into the start-up program folder and initially run a ping to somewhere 20 times to have some time at start-up, because this script might run before the network adapter drivers are loaded. Don't forget: It's a feature, not a bug.

There will be only one problem left: Then and when the numbers of the adapters will change all of the sudden. Then your script has to be changed. Why? It has to be. This is a feature, it's not a bug.

If you need it working all the time set up the OpenVPN server on a linux machine and let all the others connect to that.

Greetz
Martin
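An added example (not from Martin's post or from the OpenVPN project) of the start-up script described above, written to look the adapter up by name so that a changed InterfaceIndex does not break it, and to wait until the adapter is connected instead of pinging for a fixed time. The adapter name "TAP-Bridge" and the timeout are assumptions taken from this thread's setup; on the bridged server the "Network Bridge" adapter is the one to name.

```powershell
# Added example (not from the thread): mark the OpenVPN TAP adapter's network
# profile Private at logon without hard-coding an InterfaceIndex.
# Assumptions: the adapter was renamed "TAP-Bridge" as in the thread (on the
# bridged server pass -AdapterName 'Network Bridge'); run from an elevated
# PowerShell, e.g. from a shortcut in the Startup folder.
param(
    [string]$AdapterName    = 'TAP-Bridge',  # name shown in Network Connections
    [int]   $TimeoutSeconds = 120            # how long to wait for the adapter to come up
)

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)

while ($true) {
    # Look the adapter up by name on every pass: its InterfaceIndex can change
    # after a driver reinstall or an OS upgrade, the name does not.
    $adapter = Get-NetAdapter -Name $AdapterName -ErrorAction SilentlyContinue

    # Set-NetConnectionProfile only succeeds once the adapter is connected
    # (Status 'Up'), i.e. after OpenVPN has opened the TAP device.
    if ($adapter -and $adapter.Status -eq 'Up') {
        $profile = Get-NetConnectionProfile -InterfaceIndex $adapter.InterfaceIndex `
                                            -ErrorAction SilentlyContinue
        if ($profile) {
            if ($profile.NetworkCategory -ne 'Private') {
                Set-NetConnectionProfile -InterfaceIndex $adapter.InterfaceIndex `
                                         -NetworkCategory Private
                Write-Output "Set '$AdapterName' (InterfaceIndex $($adapter.InterfaceIndex)) to Private"
            } else {
                Write-Output "'$AdapterName' is already Private"
            }
            break
        }
    }

    if ((Get-Date) -gt $deadline) {
        Write-Warning "Adapter '$AdapterName' did not come up within $TimeoutSeconds seconds"
        break
    }
    Start-Sleep -Seconds 5
}
```

Only the network category changes here; which inbound traffic the VPN peers may then send is still decided by the rules enabled for the Private profile.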

paikuhan
OpenVpn Newbie
Posts: 3
Joined: Sat Aug 11, 2018 9:41 pm

Re: How to make openVPN work over windows 8.1 firewall as a private TAP (ethernet) network?

Post by paikuhan » Sun Aug 12, 2018 2:00 pm

TinCanTech wrote:
Sun Aug 12, 2018 12:12 am
You mean .. You want Windows to do as it is told ... right ?
@TinCanTech Like Martin (PingPong) said it's not a bug, it's a feature :lol:

@Martin Here is what I did.

Following orders

I turned the firewall back on on every single machine.


Then I opened Windows PowerShell as Administrator and ran the commands

Code:

get-wmiobject win32_networkadapter | select netconnectionid, name, InterfaceIndex, netconnectionstatus
Set-NetConnectionProfile -InterfaceIndex [NUMBER_OF_ADAPTER] -NetworkCategory Private

as you told me.


On the server machine, when I tried replacing NUMBER_OF_ADAPTER with the InterfaceIndex for the "TAP-Bridge" (TAP-Windows Adapter V9), I got an error that looked like this.


So I had to replace NUMBER_OF_ADAPTER with the InterfaceIndex for the "Network Bridge" because this command only works on connected networks, which is self-evident.


I then decided to make the Wi-Fi network (Internet) Public. To do so I opened the Charms (Windows 8.1 right sidebar), clicked on the "Settings" icon, chose "Change PC settings" then "Network" and under "Connections" I left-clicked on my Wi-Fi Network icon. Finally I turned off the "Find devices and content" switch. Here is what the "Network and Sharing Center" looked like on the clients and the server.


And here is how "Windows Firewall" looked on every machine.


At that point I tried to ping the server from any client and here is the output:

Code:

Pinging 192.168.8.4 with 32 bytes of data:
Reply from 192.168.0.254: Destination host unreachable.
Reply from 192.168.0.254: Destination host unreachable.
Reply from 192.168.0.254: Destination host unreachable.
Reply from 192.168.0.254: Destination host unreachable.

Ping statistics for 192.168.8.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

I got a similar output when I tried to ping any client from the server.


Troubleshooting (Almost there)

I tried to figure out what was wrong and why I couldn't reach the server. Then I noticed that for some reason the clients were disconnected from the server. After much trial and error I found out that if I make the internet connection Public on the server machine, connecting to the server is impossible. So I had to set it back to Private.

Then whenever I tried to ping the server from any client I almost always get the expected results:

Code:

Pinging 192.168.8.4 with 32 bytes of data:
Reply from 192.168.8.4: bytes=32 time=400ms TTL=128
Reply from 192.168.8.4: bytes=32 time=304ms TTL=128
Reply from 192.168.8.4: bytes=32 time=1494ms TTL=128
Reply from 192.168.8.4: bytes=32 time=109ms TTL=128

Ping statistics for 192.168.8.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 109ms, Maximum = 1494ms, Average = 576ms

But when I tried to ping any client from the server it failed epically:

Code:

Pinging 192.168.8.128 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.8.128:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

And I got the same results when pinging any client from any other client. At that point pinging a client only worked if I disabled its Windows Firewall in "Private network settings".


Issues that I can't fix

Clients can't ping each others (I get a "Request timed out." whenever I try)
Server can't ping clients (I get a "Request timed out." whenever I try)

What I tried

To create a bridge on each client and make them like the server hoping that this is the reason why I can ping the server. Once I did that, the Server became unreachable through ping. What I mean is that I could connect to OpenVPN server with the OpenVPN client and pinging gave me this output:

Code:

Pinging 192.168.8.4 with 32 bytes of data:
Reply from 192.168.0.254: Destination host unreachable.
Reply from 192.168.0.254: Destination host unreachable.
Reply from 192.168.0.254: Destination host unreachable.
Reply from 192.168.0.254: Destination host unreachable.

Ping statistics for 192.168.8.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

The same goes for every client (they couldn't reach one another although they were connected to the server).

What I need

I need to fix this last piece of the puzzle, i.e. making clients communicate with each other and the server communicate with its clients.

TinCanTech
OpenVPN Protagonist
Posts: 4641
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to make openVPN work over windows 8.1 firewall as a private TAP (ethernet) network?

Post by TinCanTech » Sun Aug 12, 2018 5:58 pm

I am not going to write an essay but I will address the problems I can see:
paikuhan wrote:
Sun Aug 12, 2018 2:00 pm
Then I opened a command window from the "server" directory and run the command:

Code:

"C:\Program Files\OpenVPN\bin\openvpn" server.ovpn
This does not work, please use the openvpn-gui which will use the openvpn-interactive service and manages privileges correctly.
paikuhan wrote:
Sat Aug 11, 2018 10:49 pm
I then right clicked on the newly created bridge adapter, opened its properties, double clicked on "Internet Protocol Version 4 (TCP/IPv4)" and Set the TCP/IP properties on the bridge adapter to an IP of 192.168.8.4 and a subnet mask of 255.255.255.0.
You must enter a default gateway (which your screen shot shows you did not).

Also, in my experience server-bridge should point to the default gateway not the local IP.

So this:
  • server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
Will probably need to be this:
  • server-bridge 192.168.8.1 255.255.255.0 192.168.8.128 192.168.8.254
Or whatever your gateway is.

PingPong
OpenVPN User
Posts: 14
Joined: Sun Jul 29, 2018 2:01 pm

Re: How to make openVPN work over windows 8.1 firewall as a private TAP (ethernet) network?

Post by PingPong » Sun Aug 12, 2018 8:05 pm

paikuhan, great respect for the way you ask for help. You do everything that is needed to understand your request. Esp. you are learning on that and don't expect a solution to be delivered.
What I need
I need to fix this last piece of the puzzle .i.e making clients communicate with each other and the server communicate with its clients.
You'll need two parts of the puzzle. TinCanTech delivered one of them. I didn't have a closer look on your OpenVPN config, because there were some probs in your OS which should be solved before.

Here comes the other part of the puzzle:

Firewall in Linux (simplified) works like that:
1. Turn it on and everything is allowed.
2. (a) Forbid everything, then allow what's needed
-or-
(b) Leave everything allowed and disallow what you don't like.

2. (a) is the way people usually do it.

How is it done in Windows?

You have two (or three) scenarios which are already set up. Microsoft doesn't call them (1) and (2), but "private" and "public" (and a third one "work"). You believe that Microsoft knows which rules you need in a public or a private network. But they don't. As far as I see, OpenVPN "comes in" via public. So you have to change the rules for incoming traffic in "public" that OpenVPN can connect. You even have to allow in "public", that you are able to ping and so on. Inside the private network you can allow nearly everything.

If you got everything working, the bigger problem is on the list: You got a bunch of rules for public networks which allow things you don't need. Close those holes! After that you should validate your success by a full port scan over all ports and all protocols. You have to do this from the outside network.

In my opinion you should upgrade to Win10 now, not later. Otherwise you will do things twice.

This will happen, when you upgrade to Win10, which you have to do sooner or later:
Upgrades to the next version will usually kill your OpenVPN! Number of adapter is changed then, firewall rules will be forgotten, virtual network adapters don't work after upgrade, virus scanner runs amok and doesn't allow any traffic on some virtual adapters until you uninstall it and so on.

So maybe the better hint for you is to be seen in my story: The first server I installed was Win NT4.0 server. First client I installed was Win3.11. Up from then I used every single version of Microsoft's clients and servers. I was beta-testing Win10. On the 29th of July 2015 Win10 was published. That day I took one day off, to install Linux on my desktop and notebook. It was an every day's fight for three months, but since then I can say that I never had more control of my computer as now.
Most I learned, because I gave myself "projects". For those I took an hour every day. I never learned that much about computers than in the last three years.
My real hint is: Get this OpenVPN working in a virtual linux. When it works, replace the Windows machine. ;)

paikuhan
OpenVpn Newbie
Posts: 3
Joined: Sat Aug 11, 2018 9:41 pm

Re: How to make openVPN work over windows 8.1 firewall as a private TAP (ethernet) network?

Post by paikuhan » Tue Aug 14, 2018 1:01 pm

The Last Piece

Following order
TinCanTech wrote:
Sun Aug 12, 2018 5:58 pm
You must enter a default gateway (which your screen shot shows you did not).

Also, in my experience server-bridge should point to the default gateway not the local IP.

Thanks for the input. I added a default gateway to the Network Bridge's IPv4 Properties.


I've also replaced this server-bridge in server.ovpn

Server.ovpn

server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254

to this

Server.ovpn

server-bridge 192.168.8.1 255.255.255.0 192.168.8.128 192.168.8.254

Although to be fair I didn't point it to a default gateway because the Miscellaneous said so. I guess someone messed up writing the documentation... or not. Keep reading to find out!

But that didn't solve my problem: I could only ping the server from any client only when the server was set on a Private Network. But couldn't ping the clients from any client (except themselves) or from the server whether they are set in a Public Network or Private Network.

But like Martin said:

PingPong wrote:
Sun Aug 12, 2018 8:05 pm
You'll need two parts of the puzzle. TinCanTech delivered one of them.

The other part of the puzzle being the Windows Firewall. So I had to figure out a way to fix it and I knew Microsoft had the answer. So I started googling and found exactly what I wanted: the missing piece.

One Piece

On the Microsoft Forum someone had an issue almost similar to mine. That is, OpenVPN TAP and Windows Firewall. In the last post he wrote:
Enabling "File and Printer Sharing: Public" worked for me. I am now able to ping my remote Windows OpenVPN server.
So basically according to him pinging goes through Microsoft Windows "File and Printer Sharing" feature.

And I had to check it for myself. So I opened Windows Firewall and on the left hand side I clicked on "Allow an app or feature through Windows Firewall", I scrolled down to "File and Printer Sharing" and you won't believe what I saw unless you see it too.


It was left completely unchecked. So I activated the feature and it automatically checked Private (for Private Network only). I clicked OK and tried to ping the client sharing its files and printers. Guess what!? It works!! (as long as the client is in a Private Network)


Extra things I found out

After much testing I found out that it is not the server that shouldn't be run in command line. It's the client. Although I will run the server using openvpn-gui from now on. From what I've seen, running it in GUI or in command line (as Administrator or not) doesn't seem to change anything. Running the client in GUI can change a lot but you have to reconfigure the server (server.ovpn). If you follow these simple steps your clients will automatically appear as being in a Private Network.

1. Remember these two lines:

Server.ovpn

push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"

If like me you removed them, put them back!

2. Don't follow every advice.
TinCanTech, when you said:
TinCanTech wrote:
Sun Aug 12, 2018 5:58 pm
Will probably need to be this:
  • server-bridge 192.168.8.1 255.255.255.0 192.168.8.128 192.168.8.254

You were right to say probably need to because you were mistaken. When in doubt one should refer to the documentation. And in this case the Miscellaneous was right. Even the original server.ovpn states:

Server.ovpn

# Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

It clearly states IP/netmask (where IP is 10.8.0.4 and netmask 255.255.255.0) and then goes on with a commented example using that same IP (i.e. 10.8.0.4).


If you add the two push commands and rewrite the server-bridge command accordingly you should end up with a server.ovpn that looks like this (without the comments):

Server.ovpn

port 1194
proto tcp
dev tap
dev-node TAP-Bridge
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254
server-bridge
push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"
client-to-client
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 0

The clientN.ovpn doesn't need any changes.

Run the client using openvpn-gui, go to Network and Sharing Center and you'll see something similar to this:


I am confident it will work on Windows 7 through 10.

Final Note
PingPong wrote:
Sun Aug 12, 2018 8:05 pm
My real hint is: Get this OpenVPN working in a virtual linux. When it works, replace the Windows machine. ;)
Why don't I go Linux? One word: Games!

What led me to install OpenVPN is LAN gaming. Hamachi didn't work for me, GameRanger doesn't support all LAN games (e.g. UT3) and both of them need me to create an account. Freelan, although it is too complex and its documentation is scarce, has taught me one thing: VPN isn't just about privacy when browsing the internet, it is also a "Virtual Private Network" (i.e. it could be a virtual LAN). That's where OpenVPN comes into play. I don't mind having the OpenVPN server on Linux (I have one Raspberry Pi lying around somewhere) but I can't make the clients run Linux.
PingPong wrote:
Sun Aug 12, 2018 8:05 pm
great respect for the way you ask for help. You do everything what is needed to understand your request.
Thanks. I'm writing every single step and thought process down so that if anyone, including me, is stuck when configuring OpenVPN he/she can check out my Topic-Tutorial and find the solution to his/her issue.

Han.a
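As an added example (not from the thread or from the OpenVPN project): the fix above enables the whole "File and Printer Sharing" group on the Private profile, which also exposes the SMB and NetBIOS listeners to every VPN peer, while ping only needs inbound ICMPv4 echo requests. The script below first lists what that group actually switches on, then adds a single rule limited to ICMPv4 echo, the TAP interface and the VPN subnet; the adapter name, the subnet and the rule name are assumptions taken from this thread's setup.

```powershell
# Added example (not from the thread): allow ping over the VPN without enabling
# the whole "File and Printer Sharing" group (which also opens SMB on TCP 445).
# Assumptions: adapter named "TAP-Bridge" (on the server: "Network Bridge"),
# VPN subnet 192.168.8.0/24 as in the thread, run from an elevated PowerShell.
param(
    [string]$AdapterName = 'TAP-Bridge',
    [string]$VpnSubnet   = '192.168.8.0/24',
    [string]$RuleName    = 'OpenVPN-TAP-ICMPv4-Echo-In'   # constructed rule name
)

# Show what ticking "File and Printer Sharing" for Private really enables:
# every inbound rule of the group (SMB, NetBIOS, spooler, ICMP), not just echo.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { $_.Profile -match 'Private|Any' } |
    Select-Object DisplayName, Enabled, Profile |
    Format-Table -AutoSize

# Idempotent: drop any earlier copy of our rule before re-creating it.
Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# One rule, scoped four ways: inbound on the TAP interface only, from the VPN
# subnet only, ICMPv4 type 8 (echo request) only, and only while the adapter's
# profile is Private (so nothing is opened when the network is Public).
New-NetFirewallRule -Name $RuleName `
    -DisplayName 'OpenVPN TAP: allow ICMPv4 echo request (ping) from VPN peers' `
    -Direction Inbound -Action Allow -Enabled True `
    -Profile Private `
    -InterfaceAlias $AdapterName `
    -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $VpnSubnet | Out-Null

# Verify the rule and its filters as the firewall actually stores them.
$rule = Get-NetFirewallRule -Name $RuleName
$rule | Select-Object DisplayName, Enabled, Profile, Direction, Action
$rule | Get-NetFirewallPortFilter      | Select-Object Protocol, IcmpType
$rule | Get-NetFirewallAddressFilter   | Select-Object RemoteAddress
$rule | Get-NetFirewallInterfaceFilter | Select-Object InterfaceAlias
```

If file sharing over the VPN is wanted later, enable those specific rules for the Private profile separately rather than the whole group, so each listener exposed to the VPN is a deliberate choice.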

PingPong
OpenVPN User
Posts: 14
Joined: Sun Jul 29, 2018 2:01 pm

Re: How to make openVPN work over windows 8.1 firewall as a private TAP (ethernet) network?

Post by PingPong » Tue Aug 14, 2018 7:48 pm

Well done! And thanks for the reply and posting your solution!

Btw: PING = Printer and file sharing? There is nothing to add about the company which produced your OS!

When you start with Linux you will see that games is nothing you have to take care about anymore. You then play Linux and there is no time for another game :twisted:

To be honest, GAMES are the only real reason for me to run a physical Windows. All other could be done equal in a virtual machine...

You have some good attitudes to go on with network, routing etc. Just do ;)

TinCanTech
OpenVPN Protagonist
Posts: 4641
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to make openVPN work over windows 8.1 firewall as a private TAP (ethernet) network?

Post by TinCanTech » Tue Aug 14, 2018 7:58 pm

PingPong wrote:
Tue Aug 14, 2018 7:48 pm
Well done! And thanks for the reply and posting your solution!
Agreed, nice tutorial 8-)

Also, on a decent modern PC you can easily run *nix in a Virtual environment (many choices)
and it will be more than capable of running your Openvpn needs.
