
Possible routing problem

Posted: Sat Mar 19, 2011 7:59 pm
by chief druid
Hi,

I'm a newbie when it comes to OpenVPN but have a need to install a working service. I followed this guide:

http://www.itsatechworld.com/2006/01/29 ... e-openvpn/

and have installed a server & a single client, both Windoze XP pro machines, on my LAN which is
behind a Netgear nat'ed router with a static public ip address. I am currently testing only on the local LAN but will endeavour to test further from a remote site.

The client connects to the server; both can successfully ping each other. Windows firewalls have been turned off with no exceptions, and the router is port forwarding a UDP port to a private IP address.

The problem I'm encountering is that whilst the server machine can still happily gain access to the internet, the client loses internet connectivity once connected. The document I followed verbatim indicates that there may be a routing issue but mentions no more. I know so little in the arena of networking that when faced with routing tables my eyes glaze over & I think of my 'happy place' :shock: Whilst looking at the client logs I notice near the bottom there is an error but I do not know how to remedy the situation. The configurations used are very near to the sample ones given in the 'how-to' tutorial.

I have included the server, client configs, the client logs and a dump of the current client routing entry.

SERVER.OVPN


local 10.66.77.100
port 6850 
proto udp 
mssfix 1400
push "dhcp-option DNS 194.72.9.38"  
push "dhcp-option DNS 62.6.40.162"  
dev tap
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"  
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"   
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server 192.168.10.0 255.255.255.128  
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1" 
keepalive 10 120
cipher BF-CBC 
comp-lzo
max-clients 2
persist-key
persist-tun
status openvpn-status.log
verb 4
CLIENT.OVPN


client
dev tap
#dev-node MyTAP  
proto udp
remote xxx.xxx.xxx.xxx 6850  
route 10.66.77.1 255.0.0.0 vpn_gateway 3 
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt" 
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"  
ns-cert-type server
cipher BF-CBC       
comp-lzo
route-method exe
route-delay 2
verb 4
The portion of the client log that highlights an error (this may ultimately be the problem :?: ):


Sat Mar 19 18:08:41 2011 us=648028 route ADD 128.0.0.0 MASK 128.0.0.0 192.168.10.1
Sat Mar 19 18:08:41 2011 us=762298 route ADD 192.168.10.1 MASK 255.255.255.128 192.168.10.1 METRIC 3
The route addition failed: The specified mask parameter is invalid. (Destination & Mask) != Destination.
Sat Mar 19 18:08:41 2011 us=863576 Initialization Sequence Completed
Sat Mar 19 18:09:31 2011 us=27588 TCP/UDP: Closing socket
The client routing table:


C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 90 4b cc 66 01 ...... Dell Wireless 1450 Dual Band WLAN Mini-PCI Card - Packet Scheduler Miniport
0x3 ...00 ff 5d 2a a4 9f ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport

0x10005 ...00 10 c6 5b 84 26 ...... Bluetooth Device (Personal Area Network) #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.66.77.1     10.66.77.74       25
         10.0.0.0        255.0.0.0      10.66.77.74     10.66.77.74       25
      10.66.77.74  255.255.255.255        127.0.0.1       127.0.0.1       25
   10.255.255.255  255.255.255.255      10.66.77.74     10.66.77.74       25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0      10.66.77.74     10.66.77.74       20
        224.0.0.0        240.0.0.0      10.66.77.74     10.66.77.74       25
  255.255.255.255  255.255.255.255      10.66.77.74           10005       1
  255.255.255.255  255.255.255.255      10.66.77.74     10.66.77.74       1
  255.255.255.255  255.255.255.255      10.66.77.74               3       1
Default Gateway:        10.66.77.1
===========================================================================
Persistent Routes:
  None
If anybody could possibly shed some light on this, or point me in the right direction that may lead to a resolution, I would be very grateful.

Many thanks in advance for taking the time to read all this. If I have missed pertinent information with regards to this then please let me know.

Kind regards
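An added example, not part of the original post, that reproduces in Python the two mechanisms behind the symptoms reported above. The first is the `(Destination & Mask) != Destination` test that route.exe applies: both the `route 10.66.77.1 255.0.0.0 vpn_gateway 3` line in CLIENT.OVPN and the `192.168.10.1 MASK 255.255.255.128` line in the log fail it, because neither destination is the network address of its own mask; the fix is either the whole network (10.0.0.0 255.0.0.0) or a /32 host route, and the same rule applies to the persistent `route -p ADD` form asked about at the end of the thread. The second is a longest-prefix lookup over a routing table constructed from the `route print` dump plus the two half-routes that `redirect-gateway def1` installs (the `128.0.0.0 MASK 128.0.0.0` line in the log is one of them). The server's public address is masked as xxx.xxx.xxx.xxx in the post, so 203.0.113.10 stands in for it; the /32 host route to it and the `on-link` label are assumptions of the model, not lines from the page. The lookup shows why the client loses internet access: after def1, every destination outside the LAN resolves to the VPN gateway, so unless the server forwards and NATs that traffic nothing comes back.

```python
"""Added example (not from the forum thread): Windows-style route sanity check
and longest-prefix lookup for an OpenVPN client after redirect-gateway def1."""
import ipaddress


def check_route(dest: str, mask: str):
    """Mirror route.exe's test '(Destination & Mask) != Destination'.

    Returns (ok, network): ok is True only when dest already is the network
    address of dest/mask; network is the normalised network, i.e. what the
    destination should have been for this mask.
    """
    net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return ipaddress.IPv4Address(dest) == net.network_address, net


def route_add_cmd(dest: str, mask: str, gateway: str,
                  metric=None, persistent=False) -> str:
    """Render the route.exe invocation OpenVPN's 'route-method exe' runs.

    persistent=True adds the -p flag, which is what makes a static route
    survive a reboot on Windows.
    """
    cmd = ["route"]
    if persistent:
        cmd.append("-p")
    cmd += ["ADD", dest, "MASK", mask, gateway]
    if metric is not None:
        cmd += ["METRIC", str(metric)]
    return " ".join(cmd)


# Constructed client table: the pre-VPN entries from the 'route print' dump,
# plus what redirect-gateway def1 adds. 203.0.113.10 is a stand-in for the
# server address the post masks as xxx.xxx.xxx.xxx; "on-link" marks a directly
# connected network (an assumption of this model, not a value from the page).
CLIENT_TABLE = [
    ("0.0.0.0/0", "10.66.77.1"),        # original default route via the Netgear
    ("10.0.0.0/8", "on-link"),          # the LAN the client sits on
    ("0.0.0.0/1", "192.168.10.1"),      # def1: lower half of IPv4 via VPN gateway
    ("128.0.0.0/1", "192.168.10.1"),    # def1: upper half via VPN gateway
    ("203.0.113.10/32", "10.66.77.1"),  # host route so the tunnel itself still
                                        # reaches the server via the old gateway
]


def lookup(table, dst: str):
    """Longest-prefix match: return the gateway chosen for dst, or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net_s, gw in table:
        net = ipaddress.IPv4Network(net_s)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


if __name__ == "__main__":
    # The two route lines from the thread, and what route.exe makes of them.
    for dest, mask in [("10.66.77.1", "255.0.0.0"),
                       ("192.168.10.1", "255.255.255.128")]:
        ok, net = check_route(dest, mask)
        print(f"{dest} MASK {mask}: {'ok' if ok else 'rejected'}; "
              f"network form is {net}")
    # Two forms route.exe accepts: the whole network, or a /32 host route.
    print(route_add_cmd("10.0.0.0", "255.0.0.0", "192.168.10.1", metric=3))
    print(route_add_cmd("10.66.77.1", "255.255.255.255", "192.168.10.1",
                        persistent=True))
    # Where traffic goes once def1 is in place.
    for dst in ["8.8.8.8", "10.66.77.50", "203.0.113.10"]:
        print(f"{dst} -> {lookup(CLIENT_TABLE, dst)}")
```

Only prefix length is modelled; the real Windows stack also uses the metric column to break ties, which is why OpenVPN tags its routes with METRIC. The point to take from the lookup is that def1 does not delete the old default route, it simply out-specifies it with two /1 routes, so the only path left for anything outside the LAN is through the server.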

Re: Possible routing problem

Posted: Sat Mar 19, 2011 8:14 pm
by Bebop
What is your precise goal?

I think you want to make an OpenVPN server on Windows XP, and use it as a gateway/tunnel for Internet access from OpenVPN clients?

If yes, I think your setup is too complicated to begin with. The manual routes are not explicitly required, and a line in server.conf such as push "redirect-gateway def1" would take care of that route for you.

There's a Windows 7 guide (work-in-progress) here: topic7343.html

Look for the 7th post down, which is labeled My Setup So Far.

I suggest you read that and work a solution from it for Windows XP.

Re: Possible routing problem

Posted: Sun Mar 20, 2011 12:02 pm
by chief druid
Hi Bebop,

Many thanks for your speedy response.

My ultimate goal is for the ability of client computers (satellites) to connect to available network resources of a small business LAN (hub). The clients themselves will be communicating from their own small office LAN and will have resources (including the internet) that they wish to still gain access to.

Without doubt I agree that the setup is probably way too complicated (the manual routes example I posted has not been modified in any way and I assume services such as OpenVPN have made such modification)

I have read the post including My Setup So Far and will pursue this course verbatim, will post to let all know of the outcome.

With kind regards & thanks

Re: Possible routing problem

Posted: Mon Mar 21, 2011 11:47 am
by chief druid
Hi,

I have now applied the settings as advised in Bebop's previous postings. I eventually had to provide paths to the certificates / keys but apart from that all connected without notification of any errors whatsoever (example: routing).

As yet I do not need to tweak configurations further for the purpose of testing. However, having said that, my test client still cannot browse the web in any shape or form. I will soon be testing remotely to see if existing network resources are still accessible. Sadly, I am not confident any of this will be a resolvable problem any time in the near future.

I may have to give up on OpenVPN and look into a router based VPN end point solution, which is frustrating as a currently in use Qnap NAS device has the ability to operate OpenVPN and would ultimately make for a tidy VPN end point.

Thanks for the efforts of this forum in helping me with my problem to date, if anyone has any other suggestions, recommendations etc I would gladly take them on board and investigate.

With kind regards

Jon
:)

Re: Possible routing problem

Posted: Mon Mar 21, 2011 10:12 pm
by Bebop
chief druid wrote: having said that, my test client still cannot browse the web in any shape or form
Did you enable Routing service?

Did you enable Internet Connection Sharing?

Of course it won't work without trying these things.

If I had the time I would do a guide for XP for you.

Hang in there and see what you can do.

Re: Possible routing problem

Posted: Tue Mar 22, 2011 6:23 am
by Bebop
chief druid wrote: my test client still cannot browse the web in any shape or form. I will soon be testing remotely to see if existing network resources are still accessible. Sadly, I am not confident any of this will be a resolvable problem any time in the near future
Board index » Server Administration » Examples » Windows XP as OpenVPN server with redirtect-gateway

I went ahead and created a Windows XP working example for you, and it does indeed work. To be honest, it is exactly the same setup as the Windows 7 setup I pointed you to, except for the addition of a line of code for DNS. Go ahead and follow the example. It will work for you.

Note: you are taking on multiple challenges. You can't take on all the challenges at once. Tunneling Internet vs sharing resources such as LANs, devices etc, are two totally different procedures. I have only helped you with achieving the secure Internet tunnel for tunneling Internet traffic.

Re: Possible routing problem

Posted: Tue Mar 22, 2011 10:51 am
by chief druid
Hi Bebop,

Thanks for your continual support in this issue. I have tried the configuration(s) as depicted in your Windows XP as OpenVPN server with redirtect-gateway post. Connection is established without error. When it comes to the following additional Server setting requirements:


Start -> Right-click My Computer -> Manage
Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start

Next:

Control Panel
Network Connections
Local Area Connection   (or whichever is your primary Internet interface [with your WAN ip])
Properties
Advanced
Tick the box "Allow other network users to connect through this computer's Internet connection"
From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP OpenVPN server interface.

Start->run->regedit (you type regedit)*

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

*Since this is Windows XP, you should restart Windows after making changes to registry
Slight "fuzziness" here. With no problem the following is achieved:

- The Routing & Remote Access service is already started and set to Automatic.
- The IPEnableRouter registry setting has already been set as per information found from previous posts.

The grey area presents itself in the form of the:

Allow other network users to connect through this computer's Internet connection

When it comes to ticking this check box, XP doesn't present a drop-down box to allow for selection of another adapter, in this case the TAP-Win32 Adapter; there are no options (advanced or otherwise) that can be followed to achieve this. I can only manipulate the properties of the Server Local Area Connection that ultimately provides internet connectivity. So I've assumed, (probably wrongly), that just enabling the sharing of this adapter will suffice :?:

All of the aforementioned has yet to be tested , server connectivity from a remote location

When all is said and done, still the client computer can not gain access through to the internet.

As a side note: I realise I have presented multiple challenges in this post. These are to be considered the "ultimate goals" but I'm starting on purely client internet connectivity before moving forward and adding more layers of complexity.

I really do appreciate all your help

Kind regards

Re: Possible routing problem

Posted: Tue Mar 22, 2011 7:34 pm
by Bebop
chief druid wrote: I've assumed, (probably wrongly), that just enabling the sharing of this adapter will suffice
Seems the logical thing to do. Do you have Windows XP SP3? That's what I have on the working setup. Do you have Windows Firewall, or some other firewall enabled? I know that even with some proper rules added, some 3rd party firewalls (eg Sygate) can still cause problems. Temporarily disable all firewalls whilst testing. Here is a screen cap of my settings page in XP SP3:
chief druid wrote: All of the aforementioned has yet to be tested, server connectivity from a remote location. When all is said and done, still the client computer can not gain access through to the internet.
How are you testing it in the mean time?

Re: Possible routing problem

Posted: Tue Mar 22, 2011 9:31 pm
by chief druid
Both my test & server computer are running XP Pro SP3.

Windows firewalls have been turned off, hardware firewall facilities are provided by the router.

The "Windows Firewall/Internet Connection Sharing (ICS)" services are reported as being started on both machines.

To be certain, I used the 'Network Setup Wizard' to establish a 'home' network. This re-enabled the firewall on both LAN connections but made no difference to the ultimate result. I turned off any firewall advanced settings, leaving the current exceptions list as is.

I can't directly post an image into this topic, but here is a link to a screen shot of the LAN connection properties that I have:

http://217.41.71.29:2010/PublicImages/L ... erties.bmp

This is a screen shot of my current firewall exceptions / advanced settings:

http://217.41.71.29:2010/PublicImages/L ... rties2.bmp

As you can see from the image in the FIRST link, there are no selectable 'drop down' adapter settings on either adapter. From the looks of things it seems possible that there is an ICS issue which I'll have to look further into, as I've never had need to use ICS - come to think of it I've never used a Windows firewall - always been turned off, and I no longer use any 3rd party software firewalls.

As far as testing goes, it couldn't be simpler:

The server is physically connected via an ethernet cable to a Netgear ADSL router; the client connects to this router via wireless. The client can go out and come back in on my public static IP address (the Netgear allows originating private NAT LAN addresses to achieve this. Not all routers will perform like this, apparently: Linksys DON'T, Netgear DOES :!: )

I have not turned off as yet the AVG antivirus guard but contemplating doing so.

Kind regards

Re: Possible routing problem

Posted: Tue Mar 22, 2011 10:11 pm
by Bebop
Turn off the AVG guard. If only for the 10 minute testing period.

Turn off the firewalls completely.

The last problem is the testing method. If you are testing from LAN only, then open the client.ovpn, and delete the public IP of the server and replace it with the router-assigned LAN IP of the Windows machine which is acting as the server. Keep at it - this setup does work - I have tried it from both LAN (via virtual machine), and from separate ISP-to-ISP (2 separate physical locations).

Sidenote: I found this on the Microsoft site: "Home networking connection and the Select a private network connection drop-down box are present only when two or more adapters that can connect to the private network are installed."

So I dare say, don't worry that the option is missing from yours. It just means that you don't have as many possible connections as I do. It won't affect your ICS setup. Concentrate on the testing method, firewalls, AVG guard.

Re: Possible routing problem

Posted: Wed Mar 23, 2011 8:41 am
by chief druid
I've again ensured all firewalls are off along with AVG, also have changed the ip address of the client to reflect the servers internal private ip address. Still no joy :(

I'm considering going along the lines of firstly testing the configuration ISP to ISP (I'm fairly confident it will connect, but not much else :P). I may then try the virtual world as mentioned in your previous post and see how that fares.

Will post my findings in the next few days

Many thanks & kind regards

Re: Possible routing problem

Posted: Thu Mar 24, 2011 6:15 pm
by chief druid
Hi,

I have now tested ISP to ISP. My test client can connect quickly & without error, I can browse the local network for available resources. I can then map a drive, view & access data etc.

On client machine whilst connected to the VPN server, using a DOS prompt I issue:
net view \\10.0.0.1
I can then list shares on the VPN server. If I then issue:
net use z: \\10.0.0.1\<share name>


I can successfully map a network drive and gain access to the data held within :D

However, the ongoing problem of internet / web access once a connection has been established to the VPN remote server still remains.

This level of outcome is all very encouraging and makes me determined to continue. In my previous post I suggested the possibility of going through the virtual machine route. Is it felt that this is an option that still needs to be pursued :?:

With kind regards & many thanks

Jon

Re: Possible routing problem

Posted: Sat Mar 26, 2011 10:07 am
by Bebop
For this problem of Internet / web-browsing, can you enter the conversation at:

Board index » Server Administration » Examples » Windows XP as OpenVPN server with redirtect-gateway

We can nail the solution by finding the specific difference between your non-working setup, and my working setup. Go through the first post there and tell me which steps you can absolutely confirm to be verbatim on your own setup.

As for the VM.. I'd say it's the 3rd best option. With 1st best being ISP-ISP, and 2nd best being some other PC on the router/LAN.

Re: Possible routing problem

Posted: Sat Mar 26, 2011 1:00 pm
by chief druid
I'm fuming at the moment, I've just been kicked out of this forum after composing a reply and have lost everything written :twisted:

Paraphrasing all that has been lost:

- All configs have been used verbatim as given in the "example" posted topic.

Minor differences in the configs do exist and are as follows:

- The UDP port has been changed for security reasons but works - this can be changed to 1194 if desired.
- The certificates needed to have paths added in order for successful connection, but when added no problems occur.

XP settings - SERVER

- The XP server has routing & remote access started & set to automatic, the client is set to manual and is currently stopped.
- The server network connection properties only allow for other users to share the computer's internet connection - this has been checked; a drop-down option for NIC selection does not exist, as both the server & test client use only 1 physical NIC in this example (this has been discussed in previous topic posts).
- The registry entry IPEnableRouter has been added.

XP settings - CLIENT

- On the client, Routing & Remote Access is set to manual & has NOT been started.
- the internet connection sharing has also NOT been selected from LAN connection network properties.
- There is NO IPEnableRouter entry in the registry.

The version of OpenVPN currently used is: openvpn-2.0.5-gui-1.0.3-install-auto_xp64.exe This was the version used in the original article that I followed. Have tried a new stable version of OpenVPN but had connection problems (client would NOT connect).

Is it possible to allow for client internet traffic to pass over the physical network connection of the client instead of the virtual adapter? :idea: I ask this as recently reading a non-OpenVPN forum thread of the same nature spoke of iptables & masquerading at the root of the problem. (The server being connected to was an Ubuntu server in that instance, though this does generally look like a whole new world of hurt, pain & suffering)

I'm back to currently testing client & server on the same LAN but will go back to ISP-ISP BTW ASAP :lol:


Kind regards

P.S - Once the client was connected to the VPN, one small thing I noticed is that the dialogue "No connection to the internet is currently available ..." "Work Offline" "Try Again" popped up. This is the first, and only, time I have been greeted with this message :?:

Re: Possible routing problem

Posted: Mon Mar 28, 2011 10:43 pm
by chief druid
I've had to move onwards with this.

I've installed OpenVPN server on a Qnap NAS device and all is working OK :o I was pleasantly surprised to gain access to both shares on the NAS device AND still maintain internet access on my test client, as well as be able to browse and connect to resources on the local network that the test client is currently residing on.

Further research points to the ability to reach the network behind the OpenVPN server. This requires adding a static route on the clients and activating ip forwarding on the NAS device thus:


# echo "1" > /proc/sys/net/ipv4/ip_forward
I'm unsure as to the correct syntax of the ROUTE command to add a persistent static route (address, subnet, gateway etc), under M$ Windows within my current scenario.

(I admit I'm not savvy enough when it comes to network routing manipulation and static routes - too much of a novice I'm afraid, with very little time left to traverse a steep learning curve :P )

I did ask the Qnap community for their advice / opinion; the suggested answer was, owing to my general uneasiness regarding network routing, NOT to put the OpenVPN server on the NAS as an end node, citing things such as security risks, but to use a hardware solution such as a VPN-enabled, firewalled router instead. Would anyone care to comment on this suggestion or counter it with an alternative :?:

(Whilst I agree in general that the use of a router may offer a possibly more stable / durable implementation, I can't get away from the fact that OpenVPN is an available package to be installed on this particular NAS product, and the very fact it works proves OpenVPN to be a worthy contender for the final solution!!!!)

I intend to submit the installation path I followed to get OpenVPN working on the Qnap NAS for the benefit of others - I don't have the information to hand, but will do this within a day or so.

Kind regards & thanks for all help attained