Can't ping LAN behind VPN server
Posted: Thu Jan 20, 2011 10:41 am
by stentor
Dear all,
server: win2008
Code:
port 1194
proto udp
dev tun
dev-node VPN
ca "C:\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 11.10.10.0 255.255.255.0"
tls-server
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client: win7
Code:
client
dev tun
dev-node VPN
proto udp
remote 62.87.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "c:\\openvpn\\config\\ca.crt"
cert "c:\\openvpn\\config\\klient02.crt"
key "c:\\openvpn\\config\\klient02.key"
ns-cert-type server
comp-lzo
verb 3
Can't ping LAN 11.10.10.0/24 (behind OpenVPN server) from client. I can't even ping OpenVPN LAN interface 11.10.10.1.
CAN ping 10.8.0.1 (OpenVPN virtual interface) from client - the tunnel is UP.
Any firewalls on windows are turned off.
Re: Can't ping LAN behind VPN server
Posted: Thu Jan 20, 2011 2:42 pm
by maikcat
hi there,
is routing enabled on 2008 server?
cheers,
michael
Re: Can't ping LAN behind VPN server
Posted: Thu Jan 20, 2011 3:02 pm
by stentor
maikcat wrote: hi there,
is routing enabled on 2008 server?
cheers,
michael
What do you mean exactly by that?
regards
GN
Re: Can't ping LAN behind VPN server
Posted: Fri Jan 21, 2011 8:42 am
by maikcat
when a pc has 2 network interfaces (2 physical nics, or virtual) that
belong to different ip subnets, and you want to pass traffic from one
interface to another, this is called "routing"; every ms os has this DISABLED by default,
e.g. on win2003 you must do the following to enable it:
using regedit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the following registry value:
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1 <--by default this is 0 (disabled)
you need to reboot after that...
cheers,
michael
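Added example, not part of the post above: a PowerShell script that reads the IPEnableRouter value described in that post and, when run with -Enable, sets it to 1. The -Enable switch and the function name are assumptions made for this illustration; the registry path and value name are the ones given in the post. Run it from an elevated prompt on the OpenVPN server.

```powershell
# Added example: audit, and optionally enable, IP routing via IPEnableRouter.
# -Enable is a hypothetical switch defined by this script, not a Windows option.
param([switch]$Enable)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$name = 'IPEnableRouter'

function Get-IPEnableRouter {
    # A missing value is reported as 0, the default (disabled) state from the post.
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($prop -eq $null) { return 0 }
    return [int]$prop.$name
}

$current = Get-IPEnableRouter
Write-Host "IPEnableRouter is currently $current"

if ($current -eq 1) {
    Write-Host 'Routing is already enabled in the registry; nothing to change.'
}
elseif ($Enable) {
    # -Force overwrites an existing value; DWord matches the REG_DWORD type in the post.
    New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Host "IPEnableRouter set to 1 (was $current). Reboot for the change to take effect."
}
else {
    Write-Host 'Routing is disabled. Re-run with -Enable to set the value to 1.'
}
```

Running it without -Enable only reports the current state, which makes it usable as a check for hosts that forward traffic between interfaces.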
Re: Can't ping LAN behind VPN server
Posted: Sat Jan 22, 2011 8:54 pm
by arbalyst
I recently did an install on Windows Server 2008 (today actually) and encountered loads of fun problems with it. Possibly the same you're having. First thing is, do you have OpenVPN on the server set to automatically start, or are you launching by right clicking (or gui) on the server script?
If you have it set to automatically start, do you have it on delayed start? This was actually the last problem I encountered: OpenVPN was starting before the network services did, which in turn prevented me from pinging the vpn server address (10.8.0.1 in my case). Enabling delayed automatic start sorted that problem.
Another issue I had was with windows server firewall itself: despite turning it off, it still blocked connections (yeah, I know!). Make sure you go to the advanced mode of windows firewall (type wf.msc into a run box, quickest way), go to the middle, look for "windows firewall properties", go through the domain, public and private profile tabs, go to "protected network connections" and click customise, then untick your windows tap driver from that list. Do that on all 3 tabs; I think it was the private tab that gave me the problem, but just to be sure. Next create an inbound firewall rule, select "port", select udp, "allow the connection", apply it to the three profiles (this is all in the wizard) and give it a name. Do the same for outbound connection.
Finnnnnnnnnnnnnaly, have you got the port forward in your router correctly?
Re: Can't ping LAN behind VPN server
Posted: Sun Jan 23, 2011 7:20 pm
by stentor
enabling routing (done by modifying the registry) solved my issue
question:
can I restrict access for vpn users only to one IP and one port, for example 11.10.10.2 port 1433 on remote LAN?
Re: Can't ping LAN behind VPN server
Posted: Sun Jan 23, 2011 7:27 pm
by krzee
yes, in your server firewall, or on the lan machine's firewall
Re: Can't ping LAN behind VPN server
Posted: Mon Jan 24, 2011 1:30 pm
by stentor
Can I restrict this access inside OpenVPN server configuration?
Re: Can't ping LAN behind VPN server
Posted: Thu Feb 03, 2011 5:04 am
by krzee
no, it needs to be done in a firewall