Expecting client to show host's WAN IP, but it's not

Posted: Wed Mar 16, 2011 9:57 pm
by pwens
After I've successfully connected my client to my OpenVPN server (verified successful by pinging VPN subnet addresses both ways), I would expect my client to show the WAN IP address of the host. Instead, my client is showing its own, regular WAN IP address (at http://www.whatismyip.com, for example), as if I weren't connected to the VPN at all.

Furthermore, I have no evidence that the VPN connection on the client is actually being used for any network traffic at all, as the Windows Connection Activity window reports only a small handful of bytes up and down.

How do I get my client to appear to the outside world as if it's carrying the WAN IP of the server?

I'm using a Static Key OpenVPN setup (the simple, single client, single server setup, described here http://openvpn.net/index.php/open-sourc ... howto.html). Both the server and client are Windows OS (client being Windows XP, server being Windows 7).

Server Config:

Code:

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key

Client Config:

Code:

remote [my server]
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key

Client Connection Log indicating successful connection:

Code:

Wed Mar 16 17:29:57 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov  8 2010
Wed Mar 16 17:29:57 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Mar 16 17:29:57 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Mar 16 17:29:57 2011 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{[REDACTED]}.tap
Wed Mar 16 17:29:57 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.252 on interface {[REDACTED]} [DHCP-serv: 10.8.0.1, lease-time: 31536000]
Wed Mar 16 17:29:57 2011 Successful ARP Flush on interface [65542] {[REDACTED]}
Wed Mar 16 17:29:57 2011 UDPv4 link local (bound): [undef]:1194
Wed Mar 16 17:29:57 2011 UDPv4 link remote: [REDCATED]
Wed Mar 16 17:30:07 2011 Peer Connection Initiated with [SERVER IP REDACTED]:1194
Wed Mar 16 17:30:13 2011 Initialization Sequence Completed

Re: Expecting client to show host's WAN IP, but it's not

Posted: Thu Mar 17, 2011 1:54 am
by Bebop
server.conf requires:

Code:

push "redirect-gateway def1"

Also, if it's a Linux server, you need to set up forwarding in IPTABLES.

At least as a minimum you need:

Code:

#
#Apply forwarding for OpenVPN Tunneling
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT     #10.8.0.0 ? Check your OpenVPN server.conf to be sure
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

#
#Enable forwarding
# 
echo 1 > /proc/sys/net/ipv4/ip_forward

Full IPTABLES guide for your purpose can be found here: topic7722.html
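
An added check for the Linux case described in the post above (not part of the original post, and not OpenVPN project code): it reads `iptables-save` text plus the `ip_forward` value and reports which of the forwarding and NAT pieces are missing. The function name `audit_vpn_gateway`, its argument order and the sample rule set are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of the forwarding and
# NAT state that a redirect-gateway tunnel needs on a Linux OpenVPN server.

# Constructed sample in iptables-save format. The FORWARD rules from the post
# are present, but the nat table has no MASQUERADE rule for the VPN subnet.
SAMPLE_RULES='*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
COMMIT'

# audit_vpn_gateway RULES SUBNET WAN_IF IP_FORWARD  (hypothetical helper)
# Prints one finding per missing piece, or "ok" when all four are in place.
audit_vpn_gateway() {
    rules=$1; subnet=$2; wan_if=$3; ip_forward=$4
    missing=0
    has()  { case "$rules" in *"$1"*) return 0 ;; *) return 1 ;; esac; }
    note() { printf '%s\n' "$1"; missing=1; }

    [ "$ip_forward" = 1 ] \
        || note "ip_forward=0: kernel will not route packets from the tunnel"
    has "-A FORWARD -s $subnet -j ACCEPT" \
        || note "FORWARD: no accept rule for $subnet"
    # Newer iptables prints the conntrack form of the same match.
    has "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        || has "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        || note "FORWARD: no RELATED,ESTABLISHED accept, replies can hit the final REJECT"
    has "-A POSTROUTING -s $subnet -o $wan_if -j MASQUERADE" \
        || note "nat: no MASQUERADE for $subnet on $wan_if, traffic keeps its VPN source address"
    if [ "$missing" -eq 0 ]; then printf 'ok\n'; fi
}

# On a live server the inputs would be gathered like this (needs root):
#   audit_vpn_gateway "$(iptables-save)" 10.8.0.0/24 eth0 \
#       "$(cat /proc/sys/net/ipv4/ip_forward)"
audit_vpn_gateway "$SAMPLE_RULES" 10.8.0.0/24 eth0 1
```

Matching is on the exact rule text from the post, so an equivalent rule written with extra matches (an input interface, for example) is reported as missing.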

Re: Expecting client to show host's WAN IP, but it's not

Posted: Thu Mar 17, 2011 3:05 am
by pwens
Bebop - thanks, it looks like your advice has at least started me down the correct path.

I couldn't push that redirect argument from the server side - but I got it to work by declaring it on the client side, putting it in the client config like this:

Code:

remote [REDACTED]
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
redirect-gateway def1

Upon connecting on the client side with that config, I could tell immediately that the Windows client was trying to use the VPN connection. First evidence was that ipconfig now shows the VPN host as the default gateway:

Code:

Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.8.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 10.8.0.1

Also, the outbound traffic monitor (Windows Network Activity dialog) now detects ample activity for HTTP requests. However, I notice that nothing is coming back on the inbound side. Upon attempting to access websites on the client, the web browser is returning error 105s - Google Chrome for example says:

Code:

Error 105 (net::ERR_NAME_NOT_RESOLVED): The server could not be found.

You mentioned that if I were on a Linux Server (I am not - server is Windows 7) that I'd have to set up forwarding with IPTABLES. Is there a corresponding process that I need to follow for Windows, or is it something else?

Re: Expecting client to show host's WAN IP, but it's not

Posted: Thu Mar 17, 2011 3:40 am
by Bebop
pwens wrote: You mentioned that if I were on a Linux Server (I am not - server is Windows 7) that I'd have to set up forwarding with IPTABLES. Is there a corresponding process that I need to follow for Windows, or is it something else?

Good question. One I've wanted to know the answer to for myself. Janjust or another expert will have to answer that for you.

Re: Expecting client to show host's WAN IP, but it's not

Posted: Thu Mar 17, 2011 9:11 am
by maikcat
Hi there,

AFAIK RAS can perform NAT...

To be honest, I never thought of a scenario using RAS/Windows instead of Linux/iptables.

michael.

Re: Expecting client to show host's WAN IP, but it's not

Posted: Thu Mar 17, 2011 9:30 am
by janjust
I've never set up masquerading (or advanced routing) on Windows, but it might be possible using Routing&Remote Access Service (RRAS); another option is to buy WinGate or WinProxy.

If someone manages to get it working using Internet Connection Sharing (or whatever it is called nowadays on Windows) then I'm also happy to test&verify that.

Re: Expecting client to show host's WAN IP, but it's not

Posted: Fri Mar 18, 2011 2:22 pm
by janjust
Had some time to play around with NATting on Windows:

* Windows 7 NATting is present but really hard to use; M$ recommends using ICS (see notes below)
* on Windows XP NATting is quite easy to set up: read http://forum.codecall.net/tutorials/101 ... ws-xp.html:

Code:

netsh routing ip nat install
netsh routing ip nat add interface "Local Area Connection" full
netsh routing ip nat add interface "Local Area Connection #2 (tap-win32!)" private

where "Local Area Connection" is the name of the LAN adapter/outgoing interface (eth0 in Linux speak) and "Local Area Connection #2" is the name of the TAP-win32 adapter/incoming interface

* ICS does similar things but it is quite ugly
- turns the PC on which ICS is configured (the "ICS Host") into a DHCP + DNS server
- requires all connecting clients to use this DHCP server
When used in combination with OpenVPN this can give unexpected issues:
* does not scale very well
* would require a 'tap' based setup, if it can be made to work at all.

If somebody has a working setup please let us know!

Re: Expecting client to show host's WAN IP, but it's not

Posted: Fri Mar 18, 2011 4:08 pm
by pwens
janjust wrote: Had some time to play around with NATting on Windows:

* Windows 7 NATting is present but really hard to use; M$ recommends using ICS (see notes below)
* on Windows XP NATting is quite easy to set up: read http://forum.codecall.net/tutorials/101 ... ws-xp.html:

Code:

netsh routing ip nat install
netsh routing ip nat add interface "Local Area Connection" full
netsh routing ip nat add interface "Local Area Connection #2 (tap-win32!)" private

where "Local Area Connection" is the name of the LAN adapter/outgoing interface (eth0 in Linux speak) and "Local Area Connection #2" is the name of the TAP-win32 adapter/incoming interface

* ICS does similar things but it is quite ugly
- turns the PC on which ICS is configured (the "ICS Host") into a DHCP + DNS server
- requires all connecting clients to use this DHCP server
When used in combination with OpenVPN this can give unexpected issues:
* does not scale very well
* would require a 'tap' based setup, if it can be made to work at all.

If somebody has a working setup please let us know!

In a couple of weeks' time, I will have an opportunity to try this with a Windows XP machine as the OpenVPN server. I will test and report back.

Re: Expecting client to show host's WAN IP, but it's not

Posted: Fri Mar 18, 2011 5:16 pm
by m00
Hello,

I came from Topic 7787 with pretty much the same issue.

I am running Win 7 for a host, and Win XP for a client.

I am out of suggestions, but am anxiously awaiting further info. Thank you to all who are involved already.

Re: Expecting client to show host's WAN IP, but it's not

Posted: Fri Mar 18, 2011 5:39 pm
by pwens
m00 wrote:Hello,

I came from Topic 7787 with pretty much the same issue.

I am running Win 7 for a host, and Win XP for a client.

I am out of suggestions, but am anxiously awaiting further info. Thank you to all who are involved already.

Looking at your configs from the other thread, to do what you're seeking, you minimally need to add to your server file:

Code:

push "redirect-gateway def1"

or, in my case, on the client file I specify:

Code:

redirect-gateway def1

This effectively will force all traffic from the client to use the VPN connection for the internet exclusively. This is what people do when they want their client to appear to the internet as if it's on the server's WAN IP - for example, to circumvent your corporate firewall, or to get around region blocking (for licensed television broadcasts, etc).

The way you have it set up right now (without the route-gateway parameter), all you've done is established a successful connection to the VPN for traffic that operates on the VPN subnet only (the 10.8.0.x network).

What I suspect will happen is, you'll add the parameter as I suggested, but when you attempt to access websites on the client, you'll fail to reach anything. Seems that Windows 7 and XP as the OpenVPN server have trouble with NAT'ing. I'm working with a Win7 OpenVPN server too, and am trying Bebop's suggestions on another thread (check out my profile and post history - there's another thread I'm on where I'm using Bebop's advice to troubleshoot the NAT problem on Windows 7 as the server).

So in conclusion, this thread answers the question of "how do you configure OpenVPN to accomplish the IP cloaking/true secure tunneling to bypass corporate networks/etc" - the answer is that route-gateway parameter.

The other thread I'm on is to troubleshoot why Windows7/XP as the server still has trouble doing that.

Re: Expecting client to show host's WAN IP, but it's not

Posted: Fri Mar 18, 2011 8:37 pm
by m00
Cool.

I had tried, with the same results, the steps you did in this thread, and got the same error message from my browser.

I am concurrently looking into other options for getting this accomplished.

Using Windows built-in VPN things, I got really close, but my router won't forward GRE traffic, so that was a dead end without buying new hardware.

Re: Expecting client to show host's WAN IP, but it's not

Posted: Fri Mar 18, 2011 11:47 pm
by Bebop
Janjust + m00,

I created a solution that might work, here at this thread: topic7343.html

When I say might, that means I performed all setups and tests from an XP VM on a Win7 Host. It looked like it was working great, but with no remote 7 machine it's hard to know.

The solution I am talking about is Win 7 as an OpenVPN server / Internet tunnel.

[edit]

It works. Follow the link. Just gotta sort DNS.