openvpn client connects to the server but no access to internet

jhaze01
OpenVpn Newbie
Posts: 4
Joined: Thu Sep 14, 2023 11:17 am

Post by jhaze01 » Thu Sep 14, 2023 11:28 am

Hi, both machines are on Windows.

Here is the server-side config:

# Specify a port, a protocol and a device type
port 1194
proto udp
dev tun
# Specify paths to server certificates
ca "C:\\Users\\me\\Documents\\easy-rsa\\pki\\ca.crt"
cert "C:\\Users\\me\\Documents\\easy-rsa\\pki\\issued\\server.crt"
key "C:\\Users\\me\\Documents\\easy-rsa\\pki\\private\\server.key"
dh "C:\\Users\\me\\Documents\\easy-rsa\\pki\\dh.pem"
# Specify the settings of the IP network your VPN clients will get their IP addresses from
server 10.24.1.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# If you want to allow your clients to connect using the same key, enable the duplicate-cn option (not recommended)
# duplicate-cn
# TLS protection
tls-auth "C:\\Users\\me\\Documents\\easy-rsa\\pki\\ta.key" 0
cipher AES-256-GCM
# Other options
keepalive 20 60
persist-key
persist-tun
status "C:\\Program Files\\OpenVPN\\log\\status.log"
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 3
mute 20
windows-driver wintun

And the client:

client
dev tun
proto udp
remote xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Users\\meawm\\OpenVPN\\config\\testuser1\\ca.crt"
cert "C:\\Users\\meawm\\OpenVPN\\config\\testuser1\\testuser1.crt"
key "C:\\Users\\meawm\\OpenVPN\\config\\testuser1\\testuser1.key"
remote-cert-tls server
tls-auth "C:\\Users\\meawm\\OpenVPN\\config\\testuser1\\ta.key" 1
cipher AES-256-GCM
connect-retry-max 25
verb 3
windows-driver wintun

I can ping the server, but everything else is not going through.

Re: openvpn client connects to the server but no access to internet

Post by jhaze01 » Thu Sep 14, 2023 11:42 am

That's the log server side:

2023-09-14 18:35:34 1.46.20.72:51772 VERIFY OK: depth=1, CN=BPS
2023-09-14 18:35:34 1.46.20.72:51772 VERIFY OK: depth=0, CN=testuser1
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_VER=2.6.6
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_PLAT=win
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_TCPNL=1
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_MTU=1600
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_NCP=2
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_PROTO=990
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_LZO_STUB=1
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_COMP_STUB=1
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_COMP_STUBv2=1
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-09-14 18:35:34 1.46.20.72:51772 peer info: IV_SSO=openurl,webauth,crtext
2023-09-14 18:35:34 1.46.20.72:51772 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-09-14 18:35:34 1.46.20.72:51772 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-09-14 18:35:34 1.46.20.72:51772 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-09-14 18:35:34 1.46.20.72:51772 [testuser1] Peer Connection Initiated with [AF_INET6]::ffff:1.46.20.72:51772
2023-09-14 18:35:34 MULTI: new connection by client 'testuser1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
2023-09-14 18:35:34 MULTI_sva: pool returned IPv4=10.24.1.6, IPv6=(Not enabled)
2023-09-14 18:35:34 MULTI: Learn: 10.24.1.6 -> testuser1/1.46.20.72:51772
2023-09-14 18:35:34 MULTI: primary virtual IP for testuser1/1.46.20.72:51772: 10.24.1.6
2023-09-14 18:35:34 SENT CONTROL [testuser1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route 10.24.1.1,topology net30,ping 20,ping-restart 60,ifconfig 10.24.1.6 10.24.1.5,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
2023-09-14 18:35:35 testuser1/1.46.20.72:51772 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2023-09-14 18:35:35 testuser1/1.46.20.72:51772 Timers: ping 20, ping-restart 120
2023-09-14 18:35:35 testuser1/1.46.20.72:51772 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt

And client side:

2023-09-14 18:35:30 --windows-driver is set to 'wintun'. Disabling Data Channel Offload
2023-09-14 18:35:30 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-09-14 18:35:30 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-09-14 18:35:30 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-09-14 18:35:30 DCO version: v0
2023-09-14 18:35:30 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2023-09-14 18:35:30 Need hold release from management interface, waiting...
2023-09-14 18:35:30 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:53819
2023-09-14 18:35:31 MANAGEMENT: CMD 'state on'
2023-09-14 18:35:31 MANAGEMENT: CMD 'log on all'
2023-09-14 18:35:31 MANAGEMENT: CMD 'echo on all'
2023-09-14 18:35:31 MANAGEMENT: CMD 'bytecount 5'
2023-09-14 18:35:31 MANAGEMENT: CMD 'state'
2023-09-14 18:35:31 MANAGEMENT: CMD 'hold off'
2023-09-14 18:35:31 MANAGEMENT: CMD 'hold release'
2023-09-14 18:35:33 MANAGEMENT: CMD 'password [...]'
2023-09-14 18:35:33 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-09-14 18:35:33 MANAGEMENT: >STATE:1694691333,RESOLVE,,,,,,
2023-09-14 18:35:33 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx:1194
2023-09-14 18:35:33 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-09-14 18:35:33 UDPv4 link local: (not bound)
2023-09-14 18:35:33 UDPv4 link remote: [AF_INET]xxx:1194
2023-09-14 18:35:33 MANAGEMENT: >STATE:1694691333,WAIT,,,,,,
2023-09-14 18:35:33 MANAGEMENT: >STATE:1694691333,AUTH,,,,,,
2023-09-14 18:35:33 TLS: Initial packet from [AF_INET]xxx:1194, sid=8bb7da65 41be06dd
2023-09-14 18:35:33 VERIFY OK: depth=1, CN=BPS
2023-09-14 18:35:33 VERIFY KU OK
2023-09-14 18:35:33 Validating certificate extended key usage
2023-09-14 18:35:33 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-09-14 18:35:33 VERIFY EKU OK
2023-09-14 18:35:33 VERIFY OK: depth=0, CN=BPS
2023-09-14 18:35:33 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-09-14 18:35:33 [BPS] Peer Connection Initiated with [AF_INET]xxx:1194
2023-09-14 18:35:33 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-09-14 18:35:33 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-09-14 18:35:33 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route 10.24.1.1,topology net30,ping 20,ping-restart 60,ifconfig 10.24.1.6 10.24.1.5,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2023-09-14 18:35:33 OPTIONS IMPORT: --ifconfig/up options modified
2023-09-14 18:35:33 OPTIONS IMPORT: route options modified
2023-09-14 18:35:33 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-09-14 18:35:33 OPTIONS IMPORT: tun-mtu set to 1500
2023-09-14 18:35:33 interactive service msg_channel=924
2023-09-14 18:35:33 open_tun
2023-09-14 18:35:33 Ring buffers registered via service
2023-09-14 18:35:33 wintun device [OpenVPN Wintun] opened
2023-09-14 18:35:33 MANAGEMENT: >STATE:1694691333,ASSIGN_IP,,10.24.1.6,,,,
2023-09-14 18:35:33 INET address service: add 10.24.1.6/30
2023-09-14 18:35:34 IPv4 dns servers set using service
2023-09-14 18:35:34 IPv4 MTU set to 1500 on interface 16 using service
2023-09-14 18:35:34 C:\Windows\system32\route.exe ADD xxx MASK 255.255.255.255 192.168.2.1
2023-09-14 18:35:34 Route addition via service succeeded
2023-09-14 18:35:34 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.24.1.5
2023-09-14 18:35:34 Route addition via service succeeded
2023-09-14 18:35:34 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.24.1.5
2023-09-14 18:35:34 Route addition via service succeeded
2023-09-14 18:35:34 MANAGEMENT: >STATE:1694691334,ADD_ROUTES,,,,,,
2023-09-14 18:35:34 C:\Windows\system32\route.exe ADD 10.24.1.1 MASK 255.255.255.255 10.24.1.5
2023-09-14 18:35:34 Route addition via service succeeded
2023-09-14 18:35:34 Initialization Sequence Completed
2023-09-14 18:35:34 MANAGEMENT: >STATE:1694691334,CONNECTED,SUCCESS,10.24.1.6,xxx,1194,,
2023-09-14 18:35:34 Data Channel: cipher 'AES-256-GCM', peer-id: 1
2023-09-14 18:35:34 Timers: ping 20, ping-restart 60
2023-09-14 18:35:34 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
2023-09-14 18:35:43 C:\Windows\system32\route.exe DELETE 10.24.1.1 MASK 255.255.255.255 10.24.1.5
2023-09-14 18:35:43 Route deletion via service succeeded
2023-09-14 18:35:43 C:\Windows\system32\route.exe DELETE xxx MASK 255.255.255.255 192.168.2.1
2023-09-14 18:35:43 Route deletion via service succeeded
2023-09-14 18:35:43 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.24.1.5
2023-09-14 18:35:43 Route deletion via service succeeded
2023-09-14 18:35:43 C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.24.1.5
2023-09-14 18:35:43 Route deletion via service succeeded
2023-09-14 18:35:43 Closing TUN/TAP interface
2023-09-14 18:35:43 WINS servers deleted using service
2023-09-14 18:35:43 IPv4 dns servers deleted using service
2023-09-14 18:35:43 INET address service: remove 10.24.1.6/30
2023-09-14 18:35:43 SIGTERM[hard,] received, process exiting
2023-09-14 18:35:43 MANAGEMENT: >STATE:1694691343,EXITING,SIGTERM,,,,,

pagepage
OpenVpn Newbie
Posts: 2
Joined: Thu Sep 14, 2023 2:20 pm

Re: openvpn client connects to the server but no access to internet

Post by pagepage » Thu Sep 14, 2023 2:24 pm

I had the same problem. I followed "Section 4. Enable Internet Connection Sharing" and everything works as expected:
https://supporthost.in/how-to-install-a ... indows-11/
But it is not what I want: all internet traffic goes through the server.

Re: openvpn client connects to the server but no access to internet

Post by jhaze01 » Thu Sep 14, 2023 2:43 pm

Thanks for the answer, but I did all it said in section 4 and still have the same issue.

Re: openvpn client connects to the server but no access to internet

Post by pagepage » Thu Sep 14, 2023 3:25 pm

I found another way to stop all traffic from going through the server, and the internet is working too (without sharing internet). Just comment out this line in the server config:
# push "redirect-gateway def1 bypass-dhcp"

Re: openvpn client connects to the server but no access to internet

Post by jhaze01 » Fri Sep 15, 2023 4:58 am

But that is what I want actually: all the traffic to go through the server. My problem is that the server seems not to share its internet.
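
Added example, not part of the original thread: a Python check that reads an OpenVPN client log like the one posted above and reports whether `redirect-gateway def1` really placed the default route and the pushed DNS servers behind the tunnel, the state in which the client depends entirely on the server forwarding its traffic. The function names and the sample (selected lines copied from the client log above) are constructed for illustration, and the gateway lookup assumes `topology net30` as pushed in this thread.

```python
import ipaddress
import re

# Constructed sample: selected lines from the client log posted in this thread ("xxx" is the redacted server).
SAMPLE_LOG = r"""
2023-09-14 18:35:33 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route 10.24.1.1,topology net30,ping 20,ping-restart 60,ifconfig 10.24.1.6 10.24.1.5,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2023-09-14 18:35:34 C:\Windows\system32\route.exe ADD xxx MASK 255.255.255.255 192.168.2.1
2023-09-14 18:35:34 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.24.1.5
2023-09-14 18:35:34 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.24.1.5
2023-09-14 18:35:34 C:\Windows\system32\route.exe ADD 10.24.1.1 MASK 255.255.255.255 10.24.1.5
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'")
ROUTE_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
# The two half-default routes that "def1" installs instead of replacing 0.0.0.0/0.
HALVES = {ipaddress.ip_network(n) for n in ("0.0.0.0/1", "128.0.0.0/1")}

def parse_push_reply(log):
    """Return the pushed options as {name: [argument strings]}."""
    m = PUSH_RE.search(log)
    opts = {}
    if m:
        for item in m.group(1).split(",")[1:]:
            name, _, args = item.partition(" ")
            opts.setdefault(name, []).append(args)
    return opts

def installed_routes(log):
    """Return [(network, gateway)] for every route.exe ADD with a literal destination."""
    routes = []
    for dest, mask, gw in ROUTE_RE.findall(log):
        try:
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw))
        except ValueError:
            continue  # redacted destination such as "xxx"
    return routes

def tunnel_report(log):
    opts = parse_push_reply(log)
    # Assumption: topology net30, where the second ifconfig argument is the tunnel peer/gateway.
    vpn_gw = opts["ifconfig"][0].split()[1] if "ifconfig" in opts else None
    via_vpn = {net for net, gw in installed_routes(log) if gw == vpn_gw}
    dns = [a.split()[1] for a in opts.get("dhcp-option", []) if a.startswith("DNS ")]
    return {
        "redirect_gateway_pushed": "redirect-gateway" in opts,
        "full_tunnel_installed": HALVES <= via_vpn,
        "vpn_gateway": vpn_gw,
        "dns_via_tunnel": [d for d in dns if any(ipaddress.ip_address(d) in n for n in via_vpn)],
    }
```

For the log in this thread the report shows a full tunnel with both pushed resolvers routed through 10.24.1.5, so name resolution and all other traffic stop as soon as the server does not forward. With the `redirect-gateway` push commented out, the same check reports a split tunnel: internet traffic bypasses the VPN.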
