Connection Made, No Data Passes
Posted: Sat Jul 08, 2023 11:42 pm
Hello All
I'm using OpenVPN v2.6.5 Community.
I spent too many days running between two sites trying to get a site-to-site link to work.
So I set up this environment to allow testing a client-server model in situ.
Following is a diagram of this network setup.

I hope the URL works. I tried to paste the image here, but I surmise that can't be done.
Nope, img tags don't work.
My network diagram is here https://ibb.co/hR563zX.
I've included all of the pertinent information as follows.
The short story is that OpenVPN connects but nothing else works.
There are no functional pings over the tunnel link.
SERVER ROUTE TABLE with SERVER DOWN:
SERVER ROUTE TABLE with SERVER DOWN:
C:\Windows\system32>route print -4
Interface List:
11...........................Wintun Userspace Tunnel
8...d8 bb c1 42 5f bf ......Intel(R) Ethernet Controller (3) I225-V
20...0a 00 27 00 00 14 ......VirtualBox Host-Only Ethernet Adapter
19...00 ff ee 5e 78 f6 ......TAP-Windows Adapter V9
16...........................OpenVPN Data Channel Offload
1...........................Software Loopback Interface 1
IPv4 Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.5 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.2.0 255.255.255.0 On-link 192.168.2.5 281
192.168.2.5 255.255.255.255 On-link 192.168.2.5 281
192.168.2.255 255.255.255.255 On-link 192.168.2.5 281
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.2.5 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.2.5 281
Persistent Routes:
None
FROM SERVER SIDE - SERVER DOWN - CLIENT DOWN:
Ping Google.com -> OK
Ping 192.168.2.any -> OK (server side router can reach server side hosts)
Ping 192.168.3.any -> TimeOut (server side router can't reach client side hosts)
Ping 10.88.88.0 -> TimeOut
Ping 10.88.88.1 -> TimeOut
Ping 10.88.88.2 -> TimeOut
C:\Windows\system32>tracert 192.168.3.2
Tracing route to 192.168.3.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.1 <-- hit on server side router
2 * * * Request timed out.
3 * * * Request timed out. (server side router can't reach client side hosts)
SERVER FIREWALL:
PS C:\Windows\system32> Show-NetFirewallRule | where {$_.DisplayName -Like "OpenVPN"}
Name : {A342248C-E54A-4CA2-8DB7-6A42ACAF6386}
DisplayName : OpenVPN
Description : Allow OpenVPN Inbound
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform :
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Allow
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses :
PolicyAppId :
C:\Windows\system32>netsh advfirewall firewall show rule name=OpenVPN
Rule Name: OpenVPN
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: Any
Protocol: UDP
LocalPort: 1194
RemotePort: 0-65535
Edge traversal: Yes
Action: Allow
Ok.
SERVER SETTINGS:
server 10.88.88.0 255.255.255.0
port 1194
topology subnet
proto udp4
dev tun
windows-driver wintun # Without this OpenVPN uses the Tap-v9 Adapter
route 192.168.3.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
data-ciphers AES-128-GCM:AES-256-GCM # Prefer 128, it's faster
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
status openvpn-status.log
keepalive 10 120
verb 3
mute 20
explicit-exit-notify 1
SERVER LOG:
Sat Jul 8 15:18:59 2023 Note: --data-cipher-fallback with cipher 'AES-256-CBC' disables data channel offload.
Sat Jul 8 15:18:59 2023 --pull-filter ignored for --mode server
Sat Jul 8 15:18:59 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Sat Jul 8 15:18:59 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Sat Jul 8 15:18:59 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Sat Jul 8 15:18:59 2023 DCO version: v0
Sat Jul 8 15:18:59 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Jul 8 15:18:59 2023 Need hold release from management interface, waiting...
Sat Jul 8 15:19:00 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:15064
Sat Jul 8 15:19:00 2023 MANAGEMENT: CMD 'state on'
Sat Jul 8 15:19:00 2023 MANAGEMENT: CMD 'log on all'
Sat Jul 8 15:19:00 2023 MANAGEMENT: CMD 'echo on all'
Sat Jul 8 15:19:00 2023 MANAGEMENT: CMD 'bytecount 5'
Sat Jul 8 15:19:00 2023 MANAGEMENT: CMD 'state'
Sat Jul 8 15:19:00 2023 MANAGEMENT: CMD 'hold off'
Sat Jul 8 15:19:00 2023 NOTE: --mute triggered...
Sat Jul 8 15:19:00 2023 1 variation(s) on previous 20 message(s) suppressed by --mute
Sat Jul 8 15:19:00 2023 Note: cannot open openvpn-status.log for WRITE
Sat Jul 8 15:19:00 2023 Note: cannot open ipp.txt for READ/WRITE
Sat Jul 8 15:19:00 2023 Diffie-Hellman initialized with 2048 bit key
Sat Jul 8 15:19:00 2023 interactive service msg_channel=816
Sat Jul 8 15:19:00 2023 open_tun
Sat Jul 8 15:19:00 2023 Ring buffers registered via service
Sat Jul 8 15:19:00 2023 wintun device [OpenVPN Wintun] opened
Sat Jul 8 15:19:00 2023 MANAGEMENT: >STATE:1688843940,ASSIGN_IP,,10.88.88.1,,,,
Sat Jul 8 15:19:00 2023 INET address service: add 10.88.88.1/24
Sat Jul 8 15:19:00 2023 IPv4 MTU set to 1500 on interface 11 using service
Sat Jul 8 15:19:00 2023 MANAGEMENT: >STATE:1688843940,ADD_ROUTES,,,,,,
Sat Jul 8 15:19:00 2023 C:\Windows\system32\route.exe ADD 192.168.3.0 MASK 255.255.255.0 10.88.88.2
Sat Jul 8 15:19:00 2023 Route addition via service succeeded
Sat Jul 8 15:19:00 2023 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jul 8 15:19:00 2023 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Jul 8 15:19:00 2023 UDPv4 link remote: [AF_UNSPEC]
Sat Jul 8 15:19:00 2023 MULTI: multi_init called, r=256 v=256
Sat Jul 8 15:19:00 2023 IFCONFIG POOL IPv4: base=10.88.88.2 size=253
Sat Jul 8 15:19:00 2023 IFCONFIG POOL LIST
Sat Jul 8 15:19:00 2023 Initialization Sequence Completed
Sat Jul 8 15:19:00 2023 MANAGEMENT: >STATE:1688843940,CONNECTED,SUCCESS,10.88.88.1,,,,
SERVER ROUTE TABLE with SERVER UP:
C:\Windows\system32>route print -4
Interface List:
11...........................Wintun Userspace Tunnel
8...d8 bb c1 42 5f bf ......Intel(R) Ethernet Controller (3) I225-V
20...0a 00 27 00 00 14 ......VirtualBox Host-Only Ethernet Adapter
19...00 ff ee 5e 78 f6 ......TAP-Windows Adapter V9
16...........................OpenVPN Data Channel Offload
1...........................Software Loopback Interface 1
IPv4 Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.5 25
10.88.88.0 255.255.255.0 On-link 10.88.88.1 261
10.88.88.1 255.255.255.255 On-link 10.88.88.1 261
10.88.88.255 255.255.255.255 On-link 10.88.88.1 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.2.0 255.255.255.0 On-link 192.168.2.5 281
192.168.2.5 255.255.255.255 On-link 192.168.2.5 281
192.168.2.255 255.255.255.255 On-link 192.168.2.5 281
192.168.3.0 255.255.255.0 10.88.88.2 10.88.88.1 261
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.2.5 281
224.0.0.0 240.0.0.0 On-link 10.88.88.1 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.2.5 281
255.255.255.255 255.255.255.255 On-link 10.88.88.1 261
Persistent Routes:
None
FROM SERVER SIDE - SERVER UP - CLIENT DOWN:
Ping Google.com -> OK
Ping 192.168.2.any -> OK
Ping 192.168.3.any -> TimeOut
Ping 10.88.88.0 -> TimeOut
Ping 10.88.88.1 -> OK
Ping 10.88.88.2 -> TimeOut
C:\Windows\system32>tracert 192.168.3.2
Tracing route to 192.168.3.2 over a maximum of 30 hops
(no hit on 10.88.88.1 OpenVPN virtual router)
1 * * * Request timed out.
2 * * * Request timed out.
CLIENT FIREWALL:
PS C:\Users\eewiz> Show-NetFirewallRule | where {$_.DisplayName -Like "OpenVPN"}
RETURNS NOTHING ON WINDOWS 11
C:\Users\eewiz> netsh advfirewall firewall show rule name=OpenVPN
Rule Name: OpenVPN
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: Any
Protocol: UDP
LocalPort: 1194
RemotePort: Any
Edge traversal: Yes
Action: Allow
Ok.
CLIENT SETTINGS:
client
remote 192.168.2.5 1194
# remote future.internet.server 1194
proto udp
dev tun
windows-driver wintun # Without this OpenVPN uses the Tap-v9 Adapter
nobind
persist-key
persist-tun
ca ca.crt
cert butch.crt
key butch.key
remote-cert-tls server
tls-auth ta.key 1
data-ciphers AES-128-GCM:AES-256-GCM # Prefer 128, it's faster
verb 3
mute 20
CLIENT ROUTE TABLE with CLIENT DOWN:
C:\Users\eewiz>route print -4
Interface List
9...68 1d ef 32 1a 33 ......Realtek PCIe GbE Family Controller
11...........................Wintun Userspace Tunnel
13...68 1d ef 32 1a 32 ......Realtek PCIe GbE Family Controller #2
3...00 ff 25 d7 05 c1 ......TAP-Windows Adapter V9
14...........................OpenVPN Data Channel Offload
6...e0 75 26 89 96 93 ......Realtek 8821CE Wireless LAN 802.11ac PCI-E NIC
10...e0 75 26 89 96 93 ......Microsoft Wi-Fi Direct Virtual Adapter
12...f2 75 26 89 96 93 ......Microsoft Wi-Fi Direct Virtual Adapter #2
5...e0 75 26 89 96 94 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
IPv4 Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.3.1 192.168.3.2 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.3.0 255.255.255.0 On-link 192.168.3.2 281
192.168.3.2 255.255.255.255 On-link 192.168.3.2 281
192.168.3.255 255.255.255.255 On-link 192.168.3.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.3.2 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.3.2 281
Persistent Routes:
None
FROM CLIENT SIDE - SERVER UP - CLIENT DOWN:
Ping Google.com -> OK
Ping 192.168.2.any -> OK (works because client router's WAN port connects to server router at 192.168.2.40)
Ping 192.168.3.any -> OK
Ping 10.88.88.0 -> TimeOut
Ping 10.88.88.1 -> TimeOut
Ping 10.88.88.2 -> TimeOut
C:\Users\eewiz>tracert 192.168.2.5
Tracing route to MUFF [192.168.2.5]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms console.gl-inet.com [192.168.3.1]
2 1 ms 1 ms 1 ms MUFF [192.168.2.5]
Trace complete.
SERVER LOG AFTER CLIENT CONNECTS:
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 VERIFY OK: depth=1, CN=muff
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 VERIFY OK: depth=0, CN=butch
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_VER=2.6.5
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_PLAT=win
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_TCPNL=1
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_MTU=1600
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_NCP=2
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_CIPHERS=AES-128-GCM:AES-256-GCM
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_PROTO=990
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_LZO_STUB=1
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_COMP_STUB=1
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_COMP_STUBv2=1
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_GUI_VER=OpenVPN_GUI_11
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 peer info: IV_SSO=openurl,webauth,crtext
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 TLS: tls_multi_process: initial untrusted session promoted to trusted
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sat Jul 8 15:28:47 2023 192.168.2.40:57991 [butch] Peer Connection Initiated with [AF_INET]192.168.2.40:57991
Sat Jul 8 15:28:47 2023 butch/192.168.2.40:57991 MULTI_sva: pool returned IPv4=10.88.88.2, IPv6=(Not enabled)
Sat Jul 8 15:28:47 2023 butch/192.168.2.40:57991 MULTI: Learn: 10.88.88.2 -> butch/192.168.2.40:57991
Sat Jul 8 15:28:47 2023 butch/192.168.2.40:57991 MULTI: primary virtual IP for butch/192.168.2.40:57991: 10.88.88.2
Sat Jul 8 15:28:47 2023 butch/192.168.2.40:57991 SENT CONTROL [butch]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route-gateway 10.88.88.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.88.88.2 255.255.255.0,peer-id 0,cipher AES-128-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
Sat Jul 8 15:28:49 2023 butch/192.168.2.40:57991 Data Channel: cipher 'AES-128-GCM', peer-id: 0
Sat Jul 8 15:28:49 2023 butch/192.168.2.40:57991 Timers: ping 10, ping-restart 120
Sat Jul 8 15:28:49 2023 butch/192.168.2.40:57991 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
CLIENT LOG AFTER CLIENT CONNECTS:
Sat Jul 8 15:54:45 2023 --windows-driver is set to 'wintun'. Disabling Data Channel Offload
Sat Jul 8 15:54:45 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Sat Jul 8 15:54:45 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Sat Jul 8 15:54:45 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Sat Jul 8 15:54:45 2023 DCO version: v0
Sat Jul 8 15:54:45 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Jul 8 15:54:45 2023 Need hold release from management interface, waiting...
Sat Jul 8 15:54:45 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:62039
Sat Jul 8 15:54:45 2023 MANAGEMENT: CMD 'state on'
Sat Jul 8 15:54:45 2023 MANAGEMENT: CMD 'log on all'
Sat Jul 8 15:54:45 2023 MANAGEMENT: CMD 'echo on all'
Sat Jul 8 15:54:45 2023 MANAGEMENT: CMD 'bytecount 5'
Sat Jul 8 15:54:45 2023 MANAGEMENT: CMD 'state'
Sat Jul 8 15:54:45 2023 MANAGEMENT: CMD 'hold off'
Sat Jul 8 15:54:45 2023 NOTE: --mute triggered...
Sat Jul 8 15:54:45 2023 1 variation(s) on previous 20 message(s) suppressed by --mute
Sat Jul 8 15:54:45 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.2.5:1194
Sat Jul 8 15:54:45 2023 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jul 8 15:54:45 2023 UDPv4 link local: (not bound)
Sat Jul 8 15:54:45 2023 UDPv4 link remote: [AF_INET]192.168.2.5:1194
Sat Jul 8 15:54:45 2023 MANAGEMENT: >STATE:1688846085,WAIT,,,,,,
Sat Jul 8 15:54:45 2023 MANAGEMENT: >STATE:1688846085,AUTH,,,,,,
Sat Jul 8 15:54:45 2023 TLS: Initial packet from [AF_INET]192.168.2.5:1194, sid=46aa2caf c359e98f
Sat Jul 8 15:54:45 2023 VERIFY OK: depth=1, CN=muff
Sat Jul 8 15:54:45 2023 VERIFY KU OK
Sat Jul 8 15:54:45 2023 Validating certificate extended key usage
Sat Jul 8 15:54:45 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jul 8 15:54:45 2023 VERIFY EKU OK
Sat Jul 8 15:54:45 2023 NOTE: --mute triggered...
Sat Jul 8 15:54:45 2023 2 variation(s) on previous 20 message(s) suppressed by --mute
Sat Jul 8 15:54:45 2023 [server] Peer Connection Initiated with [AF_INET]192.168.2.5:1194
Sat Jul 8 15:54:45 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sat Jul 8 15:54:45 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
Sat Jul 8 15:54:45 2023 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route-gateway 10.88.88.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.88.88.2 255.255.255.0,peer-id 0,cipher AES-128-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Sat Jul 8 15:54:45 2023 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 8 15:54:45 2023 OPTIONS IMPORT: route options modified
Sat Jul 8 15:54:45 2023 OPTIONS IMPORT: route-related options modified
Sat Jul 8 15:54:45 2023 OPTIONS IMPORT: tun-mtu set to 1500
Sat Jul 8 15:54:45 2023 interactive service msg_channel=640
Sat Jul 8 15:54:45 2023 open_tun
Sat Jul 8 15:54:45 2023 Ring buffers registered via service
Sat Jul 8 15:54:45 2023 wintun device [OpenVPN Wintun] opened
Sat Jul 8 15:54:45 2023 MANAGEMENT: >STATE:1688846085,ASSIGN_IP,,10.88.88.2,,,,
Sat Jul 8 15:54:45 2023 INET address service: add 10.88.88.2/24
Sat Jul 8 15:54:45 2023 IPv4 MTU set to 1500 on interface 11 using service
Sat Jul 8 15:54:45 2023 MANAGEMENT: >STATE:1688846085,ADD_ROUTES,,,,,,
Sat Jul 8 15:54:45 2023 C:\WINDOWS\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 10.88.88.1
Sat Jul 8 15:54:45 2023 Route addition via service succeeded
Sat Jul 8 15:54:45 2023 Initialization Sequence Completed
Sat Jul 8 15:54:45 2023 MANAGEMENT: >STATE:1688846085,CONNECTED,SUCCESS,10.88.88.2,192.168.2.5,1194,,
Sat Jul 8 15:54:45 2023 Data Channel: cipher 'AES-128-GCM', peer-id: 0
Sat Jul 8 15:54:45 2023 Timers: ping 10, ping-restart 60
Sat Jul 8 15:54:45 2023 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
CLIENT ROUTE TABLE with CLIENT UP:
C:\Users\eewiz>route print -4
Interface List:
9...68 1d ef 32 1a 33 ......Realtek PCIe GbE Family Controller
11...........................Wintun Userspace Tunnel
13...68 1d ef 32 1a 32 ......Realtek PCIe GbE Family Controller #2
3...00 ff 25 d7 05 c1 ......TAP-Windows Adapter V9
14...........................OpenVPN Data Channel Offload
6...e0 75 26 89 96 93 ......Realtek 8821CE Wireless LAN 802.11ac PCI-E NIC
10...e0 75 26 89 96 93 ......Microsoft Wi-Fi Direct Virtual Adapter
12...f2 75 26 89 96 93 ......Microsoft Wi-Fi Direct Virtual Adapter #2
5...e0 75 26 89 96 94 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
IPv4 Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.3.1 192.168.3.2 25
10.88.88.0 255.255.255.0 On-link 10.88.88.2 261
10.88.88.2 255.255.255.255 On-link 10.88.88.2 261
10.88.88.255 255.255.255.255 On-link 10.88.88.2 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.2.0 255.255.255.0 10.88.88.1 10.88.88.2 261
192.168.3.0 255.255.255.0 On-link 192.168.3.2 281
192.168.3.2 255.255.255.255 On-link 192.168.3.2 281
192.168.3.255 255.255.255.255 On-link 192.168.3.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.88.88.2 261
224.0.0.0 240.0.0.0 On-link 192.168.3.2 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.88.88.2 261
255.255.255.255 255.255.255.255 On-link 192.168.3.2 281
Persistent Routes:
None
FROM CLIENT SIDE - SERVER UP - CLIENT UP:
Ping Google.com -> OK
Ping 192.168.2.any -> TimeOut (THIS SHOULD WORK) [works OK if the tunnel is down (tunnel connection has broken this)]
Ping 192.168.3.any -> OK
Ping 10.88.88.0 -> TimeOut
Ping 10.88.88.1 -> TimeOut
Ping 10.88.88.2 -> OK
C:\Users\eewiz>tracert 192.168.2.5
Tracing route to 192.168.3.2 over a maximum of 30 hops
(no hit on 10.88.88.2 OpenVPN virtual router)
1 * * * Request timed out.
2 * * * Request timed out.
FROM SERVER SIDE - SERVER UP - CLIENT UP:
Ping Google.com -> OK
Ping 192.168.2.any -> OK
Ping 192.168.3.any -> TimeOut (THIS SHOULD WORK) [now that the tunnel is UP, this should work]
Ping 10.88.88.0 -> TimeOut
Ping 10.88.88.1 -> OK
Ping 10.88.88.2 -> TimeOut
SUMMARY:
IN ALL CASES:
All hosts can ping google.com
FROM SERVER SIDE - SERVER DOWN - CLIENT DOWN:
Server host can ping other server side hosts. <-OK
Server host cannot ping any client side hosts. <-OK
Server host cannot ping 10.88.88.1. <-OK
FROM SERVER SIDE - SERVER UP - CLIENT DOWN:
Server host can ping other server side hosts. <-OK
Server host cannot ping any client side hosts. <-OK - client is down
Server host can ping 10.88.88.1. <-OK
Tracert to client side fails to see 10.88.88.1. <-BAD - first hop should be 10.88.88.1 even though client is down
FROM CLIENT SIDE - SERVER UP - CLIENT DOWN:
Client host can ping server side hosts. <-OK - works because client router's WAN port connects to server router at 192.168.2.40.
Client host can ping other client side hosts. <-OK
Client host cannot ping 10.88.88.2. <-OK
FROM CLIENT SIDE - SERVER UP - CLIENT UP:
Client host cannot ping server side hosts. <-NORMAL - opening tunnel connection has rerouted this capability.
Client host can ping other client side hosts. <-OK
Client host cannot ping any server side hosts. <-BAD - now that the tunnel is UP, this should work.
Client host can ping 10.88.88.2. <-OK
Tracert to server side fails to see 10.88.88.2. <-BAD - first hop should be 10.88.88.2
FROM SERVER SIDE - SERVER UP - CLIENT UP:
Server host can ping other server side hosts. <-OK
Server host cannot ping any client side hosts. <-BAD - now that the tunnel is UP, this should work.
Server host can ping 10.88.88.1. <-OK
Tracert to client side fails to see 10.88.88.1. <-BAD - first hop should be 10.88.88.1.
I have been building networks since the days of IPX token ring and WFW v3.11.
But when I started this effort, I knew nothing about OpenVPN.
I have read dozens of articles and posts in order to get this far.
I am at my wit's end. I have worked on this for more than a week now.
I pray that some kind soul knows the answer and will post a reply to point out my mistake.
Thank You
All for now
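Added example, written for this page and not taken from the post or from OpenVPN: a longest-prefix-match lookup in Python over the route print -4 tables quoted above, trimmed to the lines that matter. It answers one question the tables can answer on their own: which interface the client host uses to reach the server endpoint 192.168.2.5 before and after the tunnel comes up, and the same question for the server reaching the client's transport address 192.168.2.40. The addresses, tunnel interfaces and route lines are the poster's; the function names and the report format are mine.

```python
import ipaddress

# The three tables below are the relevant lines of the poster's own "route print -4"
# output (client with the tunnel down, client with the tunnel up, server with the
# tunnel up), trimmed to the routes that can match the addresses looked up here.
CLIENT_DOWN = """\
IPv4 Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.3.1 192.168.3.2 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
192.168.3.0 255.255.255.0 On-link 192.168.3.2 281
192.168.3.2 255.255.255.255 On-link 192.168.3.2 281
"""

CLIENT_UP = """\
0.0.0.0 0.0.0.0 192.168.3.1 192.168.3.2 25
10.88.88.0 255.255.255.0 On-link 10.88.88.2 261
10.88.88.2 255.255.255.255 On-link 10.88.88.2 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
192.168.2.0 255.255.255.0 10.88.88.1 10.88.88.2 261
192.168.3.0 255.255.255.0 On-link 192.168.3.2 281
192.168.3.2 255.255.255.255 On-link 192.168.3.2 281
"""

SERVER_UP = """\
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.5 25
10.88.88.0 255.255.255.0 On-link 10.88.88.1 261
192.168.2.0 255.255.255.0 On-link 192.168.2.5 281
192.168.3.0 255.255.255.0 10.88.88.2 10.88.88.1 261
"""


def parse_routes(text):
    """Turn 'route print -4' lines into dicts; headers and other text are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(iface)  # the Interface column is always an address
            metric = int(metric)
        except ValueError:
            continue
        routes.append({"network": network, "gateway": gateway,
                       "interface": iface, "metric": metric})
    return routes


def lookup(routes, address):
    """Windows route selection: the longest prefix wins, a lower metric breaks ties."""
    addr = ipaddress.IPv4Address(address)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def endpoint_goes_into_tunnel(routes, endpoint, tunnel_iface):
    """True when packets addressed to the tunnel's own transport endpoint would be
    sent out of the tunnel interface, i.e. the tunnel would carry itself."""
    chosen = lookup(routes, endpoint)
    return chosen is not None and chosen["interface"] == tunnel_iface


def report():
    """Evaluate the three situations from the post and return the chosen route for each."""
    cases = (
        ("client, tunnel down", CLIENT_DOWN, "192.168.2.5", "10.88.88.2"),
        ("client, tunnel up", CLIENT_UP, "192.168.2.5", "10.88.88.2"),
        ("server, tunnel up", SERVER_UP, "192.168.2.40", "10.88.88.1"),
    )
    results = {}
    for name, table, endpoint, tun in cases:
        routes = parse_routes(table)
        chosen = lookup(routes, endpoint)
        results[name] = {
            "endpoint": endpoint,
            "route": str(chosen["network"]),
            "next_hop": chosen["gateway"],
            "interface": chosen["interface"],
            "swallowed": endpoint_goes_into_tunnel(routes, endpoint, tun),
        }
    return results


if __name__ == "__main__":
    for name, r in report().items():
        flag = "TUNNEL CARRIES ITSELF" if r["swallowed"] else "ok"
        print(f"{name:20s} {r['endpoint']:14s} via {r['route']:18s} "
              f"next hop {r['next_hop']:12s} if {r['interface']:12s} {flag}")
```

With the tunnel down the client reaches 192.168.2.5 through the default route (192.168.3.1 on 192.168.3.2). Once the pushed route 192.168.2.0/24 via 10.88.88.1 is installed, it is a more specific match than 0.0.0.0/0, so the OS sends everything for 192.168.2.5 into the Wintun interface, including the UDP packets that carry the tunnel to 192.168.2.5:1194; that is consistent with the client's pings of 10.88.88.1 timing out only after the tunnel is up. The server side has no such overlap: its peer is 192.168.2.40, which is on-link. A pushed LAN route that contains the server's own address needs a host route for that address through the physical gateway; in client-config syntax that is a line such as `route 192.168.2.5 255.255.255.255 net_gateway` (or `route remote_host 255.255.255.255 net_gateway`), which OpenVPN does not add on its own for ordinary pushed routes. A separate requirement the tables cannot show: in server mode a `route 192.168.3.0 255.255.255.0` line only installs the kernel route to the tun; for OpenVPN to forward those packets to the right client it also needs an `iroute 192.168.3.0 255.255.255.0` in that client's client-config-dir file.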