Internet Connection Sharing with openvpn

Posted: Mon Dec 13, 2010 7:03 am
by lrhorer
OK, I know this is goofy (on a Windows machine), but I really need to have Windows Internet Connection Sharing enabled at the same time as openvpn on a little PC that is acting as a router. I had the router built with this functionality under Linux - it was easy - but my sister's ridiculous internet provider "doesn't support Linux". They are having problems, but they refuse to even look at the issue with a Linux router in the path. So now I need to set up a VPN client on the machine (so I can access it remotely) while it keeps the internet connection alive and forwards the traffic from the LAN to the dial-up WAN. I have both working, but not together.

If the VPN client contacts my openvpn server over the WAN connection, Windows shuts down almost all access to the server from the LAN. DHCP still works, but as far as I can tell, nothing else does. I can't even ping the LAN interface on the server from a host on the LAN.

If I shut down the VPN client, then internet access from the LAN is restored, but I have no way to contact the router or any other machine on the LAN so I can support it. My sister can barely work the power switch on a PC, so it is absolutely essential I be able to reach the machines on her network. She's 60 miles away from here, and I am disabled, so I can't just hop in the car and go fix her problem or show her how to surf the web for cooking utensils.

Has anybody been able to get ICS and openvpn working at the same time on a Windows XP Pro machine?

Re: Internet Connection Sharing with openvpn

Posted: Mon Jan 10, 2011 9:24 pm
by krzee
you dont need all this
use a normal router and get them to fix their stuff, then go back to using your linux router (assuming the problems are really on their side)

Re: Internet Connection Sharing with openvpn

Posted: Tue Jan 11, 2011 1:59 am
by lrhorer
A normal router won't do. Unless I wish to purchase an EVDO router - and I am not even sure any of the commercially available EVDO routers will work with a Cricket A600 modem - I've got to have a PPP host in place. Indeed, even with an EVDO router, I'm still in the same boat. The only thing they support is Windows. (Note also the Cricket Modem has several additional USB LUNs in addition to the pseudo modem interface which the Windows util they supply uses to manage the connection.)

Re: Internet Connection Sharing with openvpn

Posted: Wed Jan 12, 2011 5:32 am
by krzee
i see...
i dont know much about windows, but you could just run openvpn on a different machine right?
(for example the linux machine that is there)

Re: Internet Connection Sharing with openvpn

Posted: Wed Jan 12, 2011 7:05 am
by lrhorer
Well, it does have to be a Linux machine, unless someone has a fix for me. If openvpn is run on a Windows machine I have the very problem I mention, unless I can find a work-around. The Linux router is the one that now is running Windows, so Linux is out on it for the time being, at least. I have put together another Linux machine with openvpn on it, but I am having trouble getting either my sister or sister-in-law to allow me to put another machine at either of their houses.

Re: Internet Connection Sharing with openvpn

Posted: Wed Jan 12, 2011 7:18 am
by krzee
isnt there already a linux machine sitting at their house?
also, they could run openvpn on their desktop as a service...
you dont need openvpn to be on the router if you correctly setup routing for the lan
http://secure-computing.net/wiki/index. ... PN/Routing

sorry, im sure theres a way to accomplish your actual goal... but im not much of a windows guy and just dont know it

Re: Internet Connection Sharing with openvpn

Posted: Thu Jan 13, 2011 2:19 am
by lrhorer
No, as I said, I had to replace Linux on the router with Windows. Ugh.

The example in the link you give is not what I need. It's quite backwards from that. Let's say my VPN server has an IP of 10.8.0.1 and the TUN interface of the Windows router (VPN Client) is 10.8.0.2. The local LAN for the VPN server is 192.168.1/24, and Windows assigns 192.168.0/24 to the LAN of the Windows router (no choice - ICS always assigns 192.168.0/24 to the LAN). Finally, the ISP address for the Windows router is dynamically assigned by PPP, but let's say it is 10.8.10.1. I need any traffic from the 192.168.0/24 subnet except that destined for 192.168.1.x to route via 10.8.0.1. I was not able to get this to work on the Windows router.

Running openvpn on any of the windows machines isolates the machine from the internet. I was not able to get a machine on the LAN to access the internet with openvpn running either on it or on the Windows router. If I run openvpn on the router, the machines on the LAN have no access to anything at all (except of course other machines on the 192.168.0/24 LAN segment). If I run openvpn on a local machine, it can't reach the internet.

With the router running Linux and the routes properly set up, the machines on the LAN could reach everywhere.

Re: Internet Connection Sharing with openvpn

Posted: Thu Jan 13, 2011 7:43 am
by krzee
lrhorer wrote: No, as I said, I had to replace Linux on the router with Windows. Ugh.
oh i see, i didnt realize it was the same machine
lrhorer wrote: The local LAN for the VPN server is 192.168.1/24
so the machine is a windows router with its own uplink, but not the router for the lan?

OH are you using NAT just so you can access the lan behind the router from the vpn?
it just hit me... this might be what you are doing...
if that is the case, STOP and read my routing doc!
if not, i am mis-understanding why you need to NAT a network that already sits behind NAT

Re: Internet Connection Sharing with openvpn

Posted: Thu Jan 13, 2011 8:35 am
by lrhorer
The Windows router does NAT - there are no options when using ICS, whether the ISP employs NAT or not. In this case, it does, which is why I have to have a VPN client on the router - or on some machine inside the firewall. If you mean on the openvpn server, then no, it does not employ ipmasquerade. It is not a router (well, technically it is, since IP forwarding is turned on, but it isn't a firewall router). It sits behind a cable gateway made by Motorola. The server's native address is 192.168.1.50, its TUN address is 10.8.0.1, and the gateway to the internet on the firewall router is 192.168.1.1. Over at my sister's house, the only way to provide access to the internet is to turn on ICS, which automatically activates NAT and the built in DHCP server as well as a DNS server. 'No way to turn any of them off or configure them in any way - at least not of which I know. Hence this thread. Windows sux, but there you have it.

To clarify, the openvpn server is running on a Linux server whose vpn port is forwarded through the firewall router. IP forwarding is enabled so that machines on the local LAN at my house can talk to machines on the local LAN at my Sister's house. The server is not running IP Masquerade, or iptables, or any sort of NAT or firewall. Since the (external) NAT firewall at my house is totally under my control, this is where the openvpn server must reside.

At my sister's house, the internet service she has sits behind a NAT firewall completely controlled by her ISP, so this is where the openvpn client must go. PPP is used to assign a dynamic /30 address to the internet attached host, in this case the Windows router. Since this host now runs Windows, the only way to provide access to the internet from machines attached to the Windows host is via ICS. Bridging is not an option, since the subnet is only a /30. Running openvpn on this workstation terminates almost all access to the Windows machine on the LAN side - pings don't even work. Layer II still works, but nothing at Layer III, at all. Running openvpn on a workstation other than the router causes the workstation in question to lose access to the internet. Unless someone has some better ideas, this means the openvpn client must be a Linux workstation.

Re: Internet Connection Sharing with openvpn

Posted: Thu Jan 13, 2011 9:02 am
by krzee
lrhorer wrote: Running openvpn on a workstation other than the router causes the workstation in question to lose access to the internet.
this sounds like the easiest thing to attack, if we could make that work would it be a viable option for you?

if so please post your client and server configs with no comments, and the log from the workstation connecting that loses internet access

Re: Internet Connection Sharing with openvpn

Posted: Thu Jan 13, 2011 9:12 am
by lrhorer
krzee wrote:
lrhorer wrote: Running openvpn on a workstation other than the router causes the workstation in question to lose access to the internet.
this sounds like the easiest thing to attack, if we could make that work would it be a viable option for you?
Yeah, I can make that work.
krzee wrote:if so please post your client and server configs with no comments
I've got to hit the sack, at the moment, but I'll post them tomorrow.
krzee wrote: and the log from the workstation connecting that loses internet access
What log? Remember, this is a Windows workstation.

Re: Internet Connection Sharing with openvpn

Posted: Thu Jan 13, 2011 9:28 am
by krzee
lrhorer wrote:What log? Remember, this is a Windows workstation.

log "C:/path to/openvpn.log"

Re: Internet Connection Sharing with openvpn

Posted: Sat Jan 15, 2011 2:45 am
by lrhorer
server.conf:
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 192.168.1.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4

cricket.ovpn:
client
dev tun
proto udp
remote fletchergeek.homelinux.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Cricket.crt
key Cricket.key
comp-lzo
verb 3

Re: Internet Connection Sharing with openvpn

Posted: Sat Jan 15, 2011 3:40 am
by lrhorer
Hmm. When I turned up the Windows router, I had to change the local subnet to 192.168.1/24 and the remote subnet to 192.168.0/24 (since Windows can't use anything else). I thought I had swapped the 192.168.0/24 and 192.168.1/24 subnets everywhere, but looking closer, I think I should have

push "route 192.168.1.0 255.255.255.0"

instead of

push "route 192.168.0.0 255.255.255.0"

and

route 192.168.0.0 255.255.255.0

instead of

route 192.168.1.0 255.255.255.0

in the server.conf file, and I should have

iroute 192.168.0.0 255.255.255.0

instead of

iroute 192.168.1.0 255.255.255.0

in the ccd/Cricket file. Is that correct?

Re: Internet Connection Sharing with openvpn

Posted: Thu Jan 20, 2011 8:49 pm
by krzee
lrhorer wrote: I think I should have
push "route 192.168.1.0 255.255.255.0"
instead of
push "route 192.168.0.0 255.255.255.0"

true if clients should be adding a route for 192.168.1.0 to be reached over the vpn

lrhorer wrote: route 192.168.0.0 255.255.255.0
instead of
route 192.168.1.0 255.255.255.0
in the server.conf file, and I should have
iroute 192.168.0.0 255.255.255.0
instead of
iroute 192.168.1.0 255.255.255.0
in the ccd/Cricket file. Is that correct?

true if the server should reach 192.168.0.0 behind a client with the cert common-name Cricket (note, caps matter)

Re: Internet Connection Sharing with openvpn

Posted: Mon Jan 24, 2011 11:48 pm
by lrhorer
Yes, but I think the server was pushing an incorrect route to the PC, which was killing the internet access. Basic access seems to be working, now. I had a heart attack last week, so I have been unable to do any further research heretofore.
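
The route mix-up the thread ends on can be checked mechanically. The following is an added example, not part of the original posts and not OpenVPN's own tooling: a Python check over the routing lines of the posted server.conf and ccd/Cricket file, using the subnets given in the thread. The helper names `nets` and `check` and the embedded config strings are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: routing lines of the configs as originally posted.
SERVER_CONF = '''server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 192.168.1.0 255.255.255.0
'''
CCD_CRICKET = "iroute 192.168.1.0 255.255.255.0\n"
# The same lines after the swap proposed in the thread.
FIXED_SERVER_CONF = '''server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 192.168.0.0 255.255.255.0
'''
FIXED_CCD_CRICKET = "iroute 192.168.0.0 255.255.255.0\n"
CLIENT_LAN = "192.168.0.0/24"  # the LAN behind the Windows/ICS client


def nets(directive, text):
    """Networks named by '<directive> <network> <netmask>' lines in text."""
    pat = re.compile(r'^[ \t]*' + directive +
                     r'[ \t]+([\d.]+)[ \t]+([\d.]+)"?[ \t]*$', re.M)
    return [ipaddress.ip_network(f"{n}/{m}", strict=False)
            for n, m in pat.findall(text)]


def check(server_conf, ccd, client_lan):
    """Return findings for one client that has a LAN behind it."""
    lan = ipaddress.ip_network(client_lan)
    pushed = nets(r'push[ \t]+"route', server_conf)
    routes = nets("route", server_conf)
    iroutes = nets("iroute", ccd)
    findings = []
    # A pushed route for the client's own LAN tells the client to reach
    # its own LAN through the VPN.
    findings += [f"push route {p} overlaps client LAN {lan}"
                 for p in pushed if p.overlaps(lan)]
    # The server needs an iroute (ccd) and a matching route (server.conf)
    # to reach the LAN behind this client.
    if lan not in iroutes:
        findings.append(f"ccd has no iroute for client LAN {lan}")
    findings += [f"iroute {i} has no matching route in server.conf"
                 for i in iroutes if i not in routes]
    return findings


if __name__ == "__main__":
    for finding in check(SERVER_CONF, CCD_CRICKET, CLIENT_LAN):
        print("posted:", finding)
    print("fixed:", check(FIXED_SERVER_CONF, FIXED_CCD_CRICKET, CLIENT_LAN))
```
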