OpenVPN connects, but no further connection possible


Post by OVUser81 » Fri Nov 03, 2023 10:36 am

I am trying to use the OpenVPN server installed on a Synology (DSM 6.2.4).

The OpenVPN client "openvpn-connect-3.4.2.3160_signed.msi" is connecting fine (gets "green").

But I cannot make any further connection to the same NAS or to an external internet website.

After connecting, I get a 10.8.0.6 IP address from Synology for my client.
But I can't ping to
10.8.0.1
or
192.168.178.1 (Router of the NAS in remote location)
or
192.168.178.215 (NAS in remote location)
or
google.com

This is the output of route print WITHOUT VPN connection established:

Code:

route print
===========================================================================
Schnittstellenliste
 25...00 ff c4 42 86 37 ......TAP-Windows Adapter V9 for OpenVPN Connect
  6...00 0c 29 38 a0 0d ......Intel(R) 82574L Gigabit Network Connection
 29...........................OpenVPN Data Channel Offload
 13...3c 6a a7 e1 b8 aa ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.24     25
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    331
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    331
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
      192.168.1.0    255.255.255.0   Auf Verbindung      192.168.1.24    281
     192.168.1.24  255.255.255.255   Auf Verbindung      192.168.1.24    281
    192.168.1.255  255.255.255.255   Auf Verbindung      192.168.1.24    281
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    331
        224.0.0.0        240.0.0.0   Auf Verbindung      192.168.1.24    281
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
  255.255.255.255  255.255.255.255   Auf Verbindung      192.168.1.24    281
===========================================================================
Ständige Routen:
  Keine

IPv6-Routentabelle
===========================================================================
Aktive Routen:
 If Metrik Netzwerkziel             Gateway
  1    331 ::1/128                  Auf Verbindung
  1    331 ff00::/8                 Auf Verbindung
===========================================================================
Ständige Routen:
  Keine

And this is the output when an OpenVPN connection is established (but it doesn't let me use anything at the remote location):

Code:

route print
===========================================================================
Schnittstellenliste
 25...00 ff c4 42 86 37 ......TAP-Windows Adapter V9 for OpenVPN Connect
  6...00 0c 29 38 a0 0d ......Intel(R) 82574L Gigabit Network Connection
 29...........................OpenVPN Data Channel Offload
 13...3c 6a a7 e1 b8 aa ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.24     25
          0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6    257
         10.8.0.0    255.255.255.0         10.8.0.5         10.8.0.6    257
         10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6    257
         10.8.0.4  255.255.255.252   Auf Verbindung          10.8.0.6    257
         10.8.0.6  255.255.255.255   Auf Verbindung          10.8.0.6    257
         10.8.0.7  255.255.255.255   Auf Verbindung          10.8.0.6    257
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    331
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    331
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6    257
      192.168.1.0    255.255.255.0   Auf Verbindung      192.168.1.24    281
     192.168.1.24  255.255.255.255   Auf Verbindung      192.168.1.24    281
    192.168.1.255  255.255.255.255   Auf Verbindung      192.168.1.24    281
    192.168.178.0    255.255.255.0         10.8.0.5         10.8.0.6    257
    217.71.xxx.yy  255.255.255.255      192.168.1.1     192.168.1.24    281
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    331
        224.0.0.0        240.0.0.0   Auf Verbindung      192.168.1.24    281
        224.0.0.0        240.0.0.0   Auf Verbindung          10.8.0.6    257
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
  255.255.255.255  255.255.255.255   Auf Verbindung      192.168.1.24    281
  255.255.255.255  255.255.255.255   Auf Verbindung          10.8.0.6    257
===========================================================================
Ständige Routen:
  Keine

IPv6-Routentabelle
===========================================================================
Aktive Routen:
 If Metrik Netzwerkziel             Gateway
  1    331 ::1/128                  Auf Verbindung
  1    331 ff00::/8                 Auf Verbindung
===========================================================================
Ständige Routen:
  Keine

What could be the reason that neither a Windows 10 nor a Windows 11 machine can use the OpenVPN connection in collaboration with a Synology VPN server?

This is the log from the OpenVPNGUI:

Code:

[Nov 3, 2023, 11:21:30] OpenVPN core 3.8.2connect1 win x86_64 64-bit OVPN-DCO built on Aug 21 2023 16:29:24
⏎[Nov 3, 2023, 11:21:30] Frame=512/2112/512 mssfix-ctrl=1250
⏎[Nov 3, 2023, 11:21:30] EVENT: RESOLVE ⏎[Nov 3, 2023, 11:21:30] Contacting 217.71.xxx.yy:1194 via UDP
⏎[Nov 3, 2023, 11:21:30] EVENT: WAIT ⏎[Nov 3, 2023, 11:21:30] WinCommandAgent: transmitting bypass route to 217.71.xxx.yy
{
	"host" : "217.71.xxx.yy",
	"ipv6" : false
}

⏎[Nov 3, 2023, 11:21:30] Connecting to [synologyname-redacted.synology.me]:1194 (217.71.xxx.yy) via UDP
⏎[Nov 3, 2023, 11:21:30] EVENT: CONNECTING ⏎[Nov 3, 2023, 11:21:30] Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client
⏎[Nov 3, 2023, 11:21:30] Creds: Username/Password
⏎[Nov 3, 2023, 11:21:30] Peer Info:
IV_VER=3.8.2connect1
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_LZO=1
IV_GUI_VER=OCWindows_3.4.2-3160
IV_SSO=webauth,openurl,crtext

⏎[Nov 3, 2023, 11:21:32] SSL Handshake: peer certificate: CN=synologyname-redacted.synology.me, 2048 bit RSA, cipher: DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256)            Mac=AEAD

⏎[Nov 3, 2023, 11:21:32] Session is ACTIVE
⏎[Nov 3, 2023, 11:21:32] EVENT: GET_CONFIG ⏎[Nov 3, 2023, 11:21:32] Sending PUSH_REQUEST to server...
⏎[Nov 3, 2023, 11:21:32] OPTIONS:
0 [redirect-gateway] [def1]
1 [route] [192.168.178.0] [255.255.255.0]
2 [route] [10.8.0.0] [255.255.255.0]
3 [route] [10.8.0.1]
4 [topology] [net30]
5 [ping] [10]
6 [ping-restart] [60]
7 [ifconfig] [10.8.0.6] [10.8.0.5]

⏎[Nov 3, 2023, 11:21:32] EVENT: ASSIGN_IP ⏎[Nov 3, 2023, 11:21:32] PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA512
  key-derivation: OpenVPN PRF
  compress: LZO
  peer ID: -1
⏎[Nov 3, 2023, 11:21:32] CAPTURED OPTIONS:
Session Name: synologyname-redacted.synology.me
Layer: OSI_LAYER_3
Remote Address: 217.71.xxx.yy
Tunnel Addresses:
  10.8.0.6/30 -> 10.8.0.5 [net30]
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv4: no
Block IPv6: no
Add Routes:
  192.168.178.0/24
  10.8.0.0/24
  10.8.0.1/32
Exclude Routes:
DNS Servers:
Search Domains:

⏎[Nov 3, 2023, 11:21:32] SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
	"allow_local_dns_resolvers" : false,
	"confirm_event" : "c008000000000000",
	"destroy_event" : "9805000000000000",
	"tun" : 
	{
		"adapter_domain_suffix" : "",
		"add_routes" : 
		[
			{
				"address" : "192.168.178.0",
				"gateway" : "",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			},
			{
				"address" : "10.8.0.0",
				"gateway" : "",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			},
			{
				"address" : "10.8.0.1",
				"gateway" : "",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 32
			}
		],
		"block_ipv6" : false,
		"layer" : 3,
		"mtu" : 0,
		"remote_address" : 
		{
			"address" : "217.71.xxx.yy",
			"ipv6" : false
		},
		"reroute_gw" : 
		{
			"flags" : 275,
			"ipv4" : true,
			"ipv6" : false
		},
		"route_metric_default" : -1,
		"session_name" : "synologyname-redacted.synology.me",
		"tunnel_address_index_ipv4" : 0,
		"tunnel_address_index_ipv6" : -1,
		"tunnel_addresses" : 
		[
			{
				"address" : "10.8.0.6",
				"gateway" : "10.8.0.5",
				"ipv6" : false,
				"metric" : -1,
				"net30" : true,
				"prefix_length" : 30
			}
		]
	},
	"tun_type" : 0
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{C4428637-042E-4592-B298-E99DBC3A5F98}' index=25 name='LAN-Verbindung'
Open TAP device "LAN-Verbindung" PATH="\\.\Global\{C4428637-042E-4592-B298-E99DBC3A5F98}.tap" SUCCEEDED
TAP-Windows Driver Version 9.26
ActionDeleteAllRoutesOnInterface iface_index=25
netsh interface ip set interface 25 metric=1
OK.
netsh interface ip set address 25 static 10.8.0.6 255.255.255.252 gateway=10.8.0.5 store=active
IPHelper: add route 192.168.178.0/24 25 10.8.0.5 metric=-1
IPHelper: add route 10.8.0.0/24 25 10.8.0.5 metric=-1
IPHelper: add route 10.8.0.1/32 25 10.8.0.5 metric=-1
netsh interface ip add route 217.71.xxx.yy/32 6 192.168.1.1 store=active
Das Objekt ist bereits vorhanden.
netsh interface ip add route 0.0.0.0/1 25 10.8.0.5 store=active
OK.
netsh interface ip add route 128.0.0.0/1 25 10.8.0.5 store=active
OK.
ipconfig /flushdns
Windows-IP-Konfiguration
Der DNS-Auflösungscache wurde geleert.
TAP: ARP flush succeeded
TAP handle: 5407000000000000
⏎[Nov 3, 2023, 11:21:32] Connected via TUN_WIN
⏎[Nov 3, 2023, 11:21:32] LZO-ASYM init swap=0 asym=1
⏎[Nov 3, 2023, 11:21:32] EVENT: CONNECTED VPN@synologyname-redacted.synology.me:1194 (217.71.xxx.yy) via /UDP on TUN_WIN/10.8.0.6/ gw=[10.8.0.5/] mtu=(default)⏎[Nov 3, 2023, 11:21:32] EVENT: COMPRESSION_ENABLED Asymmetric compression enabled.  Server may send compressed data.  This may be a potential security issue.⏎

This is my current VPNConfig.ovpn content:

Code:

dev tun
tls-client

remote synologyname-redacted.synology.me 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2


comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
shortened
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
shortened
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

</ca>

What do I need to change so that an established OpenVPN connection lets me make further connections to a NAS or external websites?

Do I need to add some registry entries like it is necessary for L2TP/IPsec?
Do I need to change anything on the OpenVPN server on the Synology, like adding routes or giving special permissions to the VPN user?


Re: OpenVPN connects, but no further connection possible

Post by OVUser81 » Fri Nov 03, 2023 12:34 pm

I think I've found the cause:

It seems to be the Synology Firewall blocking my PING and connection attempts.

After adding the subnet IP range 10.8.0.0 - 10.8.0.255 to the list of allowed IP addresses, I could immediately PING and connect to the shared folders on my NAS.

I suspect that many Windows and Synology users have forgotten that the already activated and running Synology Firewall needs to be set up for OpenVPN (as it has to be set up for L2TP/IPsec too...)
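
The client side of this diagnosis can be checked mechanically. As an added example (not part of the original posts), this Python sketch parses rows from the connected route print and applies longest-prefix matching; it shows the client already sends 10.8.0.1, 192.168.178.215 and internet traffic into the tunnel, which points at the server side, consistent with the firewall cause found above. The address 203.0.113.10 is a placeholder for the redacted server IP, 8.8.8.8 is a constructed test destination, and the function names are illustrative.

```python
import ipaddress

# Constructed sample: rows copied from the "connected" route print in the post.
# The redacted server address 217.71.xxx.yy is replaced by 203.0.113.10.
ROUTES = """\
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.24     25
          0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6    257
         10.8.0.0    255.255.255.0         10.8.0.5         10.8.0.6    257
         10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6    257
         10.8.0.4  255.255.255.252   Auf Verbindung          10.8.0.6    257
        128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6    257
      192.168.1.0    255.255.255.0   Auf Verbindung      192.168.1.24    281
    192.168.178.0    255.255.255.0         10.8.0.5         10.8.0.6    257
     203.0.113.10  255.255.255.255      192.168.1.1     192.168.1.24    281
"""

def parse_routes(text):
    """Parse IPv4 rows; the gateway column may be two words ("Auf Verbindung")."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            metric = int(parts[-1])
        except ValueError:
            continue  # header, separator or redacted row
        routes.append((net, " ".join(parts[2:-2]), parts[-2], metric))
    return routes

def lookup(routes, dest):
    """Longest prefix wins; the metric only breaks ties between equal prefixes."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def via_tunnel(routes, dest, tunnel_ip="10.8.0.6"):
    """True if the selected route leaves through the VPN interface address."""
    best = lookup(routes, dest)
    return best is not None and best[2] == tunnel_ip

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for dest in ("10.8.0.1", "192.168.178.215", "8.8.8.8", "203.0.113.10"):
        net, gw, iface, metric = lookup(table, dest)
        print(f"{dest:16} -> {net} via {gw} on {iface} (metric {metric})")
```

The two /1 routes pushed by redirect-gateway def1 override the original default route despite its lower metric, because prefix length is compared before metric; only the /32 bypass route to the server stays on the LAN interface.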
