Windows 7 as OpenVPN server with redirect-gateway

Samples of working configurations.

Moderators: TinCanTech

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Windows 7 as OpenVPN server with redirect-gateway

Post by Bebop » Sun Mar 20, 2011 7:46 am

Goal:
  • Tunnel Internet traffic through a Windows 7 PC, using OpenVPN server mode. Traffic can be tunneled from any OpenVPN client.
Scope:
  • This example assumes that you already know how to install OpenVPN and set up keys and/or certificates. For the scope of this example, information about key and certificate management will not be provided.
Overview:
  • We'll set up a server.ovpn, a client.ovpn, and some Windows 7 tweaks.

The Code

server.ovpn

Code:

port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0   #you may choose any subnet. 10.0.0.x is used for this example.

ca ca.crt                    #certs are optional. you may choose to go with keys or passwords instead.
cert server_win7.crt
key server_win7.key  
dh dh1024.pem

push "redirect-gateway def1"

push "dhcp-option DNS 8.8.8.8"      

#the following commands are optional
keepalive 10 120         
comp-lzo                   
persist-key                
persist-tun                
verb 3                      

#last updated May 29, 2011

Client.ovpn

Code:

client
dev tun
proto udp
remote ip.of.win7.server 1194   

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
ns-cert-type server

comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

route-method exe
route-delay 2

#last updated June 04, 2011

Windows 7 tweaks for forwarding VPN traffic

Code:

Start -> Right-click My Computer -> Manage
Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start

Next:

Control Panel
Network and Sharing Center
Local Area Connection
Properties
Sharing
Tick the box "Allow other network users to connect through this computer's Internet connection"
From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.

regedit

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

Notes:
  • Further tweaking and streamlining may be possible.
  • Thank you to Krzee for the register-dns tweak
Last edited by Bebop on Sat Jun 04, 2011 9:46 am, edited 8 times in total.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by maikcat » Mon Mar 21, 2011 9:57 am

nice howto bebop

:D


Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

pwens
OpenVpn Newbie
Posts: 9
Joined: Wed Mar 16, 2011 8:58 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by pwens » Thu Mar 24, 2011 1:01 pm

I have confirmed this config to be working as well (forwarding all TCP/IP traffic exclusively through virtual TAP adapter). Server is Windows 7, client is XP.

I should also note that page load speeds during web browsing are also much faster than expected. In fact, I barely notice any increased latency. I haven't run any formal speed tests or metrics, but as a casual observation I have no complaints.

Thanks bebop

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by Bebop » Sat Mar 26, 2011 9:52 am

pwens wrote:Thanks bebop
You're most welcome. And thank you for reporting your experience.
The cure for boredom is curiosity

errdos
OpenVpn Newbie
Posts: 1
Joined: Wed Apr 06, 2011 10:09 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by errdos » Wed Apr 06, 2011 10:14 pm

1) push "redirect-gateway def1"
With this method you redirect every outgoing connection through the OpenVPN ... is there a way to redirect only some of the connections? (for example according to IPs/subnets?)

2) Is there a way to choose the redirection according to the client and not the server? (I mean the client should choose whether to use the server for the connections or not, in my opinion.)

3) The DNS solution seems kind of weird .. what if my server can't use the Google DNS? (which it can't) Is there another way to solve that? (like using the OpenVPN server as DNS so it will use its own or something like it)

4) You said it is unknown if the 3 tweaks are needed... is there anything new about that subject? It's kind of weird to tweak a machine for no reason (yet I will do it... just need it to work)

thanks for all the help!
er.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by Bebop » Sun Apr 10, 2011 9:07 am

errdos wrote:1) push "redirect-gateway def1"
With this method you redirect every outgoing connection through the OpenVPN ... is there a way to redirect only some of the connections? (for example according to IPs/subnets?)
errdos wrote:2) Is there a way to choose the redirection according to the client and not the server? (I mean the client should choose whether to use the server for the connections or not, in my opinion.)

Yes on both accounts. Those two are best answered together. See this code (this code is for client.ovpn):

Code:

route-nopull
route remote_host 255.255.255.255 net_gateway
route 126.21.20.0 255.255.255.0 10.0.0.1

"route-nopull" tells the client to ignore any routes pushed from the server (so, it will ignore "redirect gateway").
"route remote_host 255.255.255.255 net_gateway" tells Windows that the route to the VPN server is via the default Internet connection.
"route 126.21.20.0 255.255.255.0 10.0.0.1" tells Windows that all connections to subnet 126.21.20.x should be routed through 10.0.0.1 (VPN server LAN IP)
errdos wrote:3) The DNS solution seems kind of weird .. what if my server can't use the Google DNS? (which it can't) Is there another way to solve that? (like using the OpenVPN server as DNS so it will use its own or something like it)

Not sure yet, sorry though. If you or any of the experts does know the answer, please do share. I think it will be something very simple and obvious. After all, Windows 7 has built in DNS service, so it must be something to do with that. Potentially, you may need some 3rd party DNS serving tool.
errdos wrote:4) You said it is unknown if the 3 tweaks are needed... is there anything new about that subject? It's kind of weird to tweak a machine for no reason (yet I will do it... just need it to work)

thanks for all the help!
er.

The reason it's unknown (it's only unknown by me) is that I tried to set up the server with these 3 tweaks and it worked. What I didn't do, was go back and get it working without just 1 tweak at a time. It's essentially just a time/effort limitation on my behalf. If you can do that and report back it would be excellent.. If not, I do intend to do that myself soon too -- thank you for the reminder.
The cure for boredom is curiosity
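
The routing behaviour discussed in the post above, as an added example (not code from the thread or from OpenVPN): a simplified Python model of the client's IPv4 route table, showing how a pushed `redirect-gateway def1` overrides the default route with two /1 routes plus a host route to the server, and how `route-nopull` with explicit `route` lines produces a split tunnel. The server address 203.0.113.10 and LAN gateway 192.168.1.1 are constructed sample values, and the connected VPN subnet route is left out of the model.

```python
import ipaddress

# Constructed sample values (not from the thread): server public IP and LAN gateway.
REMOTE, LAN_GW, VPN_GW = "203.0.113.10", "192.168.1.1", "10.0.0.1"
PUSHED = ["redirect-gateway def1"]            # as pushed by the thread's server.ovpn
FULL_TUNNEL = "client\ndev tun\nproto udp\n"  # client that accepts pushed routes
SPLIT_TUNNEL = """route-nopull
route remote_host 255.255.255.255 net_gateway
route 126.21.20.0 255.255.255.0 10.0.0.1
"""

def parse_route(line, aliases):
    """Parse 'route <net> <mask> <gateway>'; ValueError on a bad address or mask."""
    _, net, mask, gw = line.split()
    # Strict parse: rejects an octet above 255 or a network with host bits set.
    network = ipaddress.ip_network(f"{aliases.get(net, net)}/{mask}")
    return network, aliases.get(gw, gw)

def client_routes(client_cfg, pushed, remote_ip=REMOTE, lan_gw=LAN_GW, vpn_gw=VPN_GW):
    """Simplified model of the client's IPv4 routes once the tunnel is up."""
    aliases = {"remote_host": remote_ip, "net_gateway": lan_gw, "vpn_gateway": vpn_gw}
    lines = [l.split("#")[0].strip() for l in client_cfg.splitlines()]
    routes = [(ipaddress.ip_network("0.0.0.0/0"), lan_gw)]  # pre-VPN default route
    if "route-nopull" not in lines and "redirect-gateway def1" in pushed:
        # def1 keeps the old default route and overrides it with two /1 routes,
        # plus a host route so the encrypted packets still reach the server.
        routes.append((ipaddress.ip_network(f"{remote_ip}/32"), lan_gw))
        routes.append((ipaddress.ip_network("0.0.0.0/1"), vpn_gw))
        routes.append((ipaddress.ip_network("128.0.0.0/1"), vpn_gw))
    routes += [parse_route(l, aliases) for l in lines if l.startswith("route ")]
    return routes

def next_hop(routes, dst):
    """Longest-prefix match, the rule the OS routing table applies."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, gw) for net, gw in routes if dst in net]
    return max(matches, key=lambda m: m[0])[1]

if __name__ == "__main__":
    for name, cfg in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        table = client_routes(cfg, PUSHED)
        for dst in ("8.8.8.8", "126.21.20.9", REMOTE):
            print(f"{name}: {dst} -> {next_hop(table, dst)}")
```

In the split-tunnel table, everything outside 126.21.20.0/24, including traffic to the 8.8.8.8 resolver, leaves through the LAN gateway rather than the tunnel.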

peterlinuxgeek
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 11, 2011 7:23 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by peterlinuxgeek » Mon Apr 11, 2011 9:21 pm

I got this working except for rdesktop from client (win 7) to server (win 7)

rdesktop into win7 server from a linux sitting in the same network works fine.

see my question : topic7925.html

Thanks for the tips.

Peter

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by krzee » Thu May 12, 2011 8:58 am


Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by Bebop » Thu May 26, 2011 12:12 pm

krzee wrote:the dns issue:
http://permalink.gmane.org/gmane.networ ... user/31978

nice guides bebop!
Thanks for the compliment :] and thank you for the (seemingly simple looking, yet ever elusive and much needed) info.
The cure for boredom is curiosity

zothen
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 21, 2011 5:11 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by zothen » Tue Jun 21, 2011 6:09 pm

From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.
Huh? I see no dropdown list, only two check boxes for "Allow other network users to connect..." and "Allow other network users to control..."

Currently I am unable to ping internet IP addresses from the client when using the above scripts but I'm able to ping the local ones so I would guess that this is my problem.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by Bebop » Wed Jul 13, 2011 4:40 am

zothen wrote: I see no dropdown list, only two check boxes for "Allow other network users to connect..." and "Allow other network users to control..."
Not a problem if the dropdown box is missing. It just means you only have 1 possible connection to share.

If no ping, your problem is something else.
The cure for boredom is curiosity

TopKnot
OpenVpn Newbie
Posts: 1
Joined: Thu Aug 19, 2010 8:50 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by TopKnot » Wed Jul 20, 2011 11:19 pm

Looks like a great howto - my only question (which may arise from my inexperience) is, why is the push "dhcp-option DNS on the server set to 8.8.8.8? is that meant to be something on the local network, or is that the IP I should use no matter what?

thanks!

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by Bebop » Fri Jul 22, 2011 12:29 am

TopKnot wrote:why is the push "dhcp-option DNS on the server set to 8.8.8.8? is that meant to be something on the local network, or is that the IP I should use no matter what?
Hi TopKnot. 8.8.8.8 is an IP for Google DNS (free public DNS server). So, with this option all of your clients will be using Google DNS to resolve domain names as they browse the web through your VPN.

You can change it to any DNS server IP you desire, or you can leave it as is.
The cure for boredom is curiosity

aaaa2209
OpenVpn Newbie
Posts: 3
Joined: Sat Oct 22, 2011 6:59 am

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by aaaa2209 » Sat Oct 22, 2011 1:54 pm

Hello Bebop,
Thanks for the posts. It saves me a lot of time. I use Windows 2003 as server. And the config I need is quite similar to Windows 7. At first the client can connect and ping to the server. It can even open the share folders in the server. But the traffic like http 80 and smtp 25 is still passing through my own gateway instead of the server. I found this post and fixed the problem. However, there is a slight difference here and I want to share.
I followed the same config files for server and client without changes. And then there are three steps to configure Windows: 1, Routing and Remote Access; 2, Internet connection sharing; 3, change regedit file.
I cannot make 1 and 2 work at the same time. The system told me one is currently running and it has to be disabled while trying to enable another one. I found when I use 2 and 3 it works perfectly. 1 and 3 don't work for me.

---
Also I have a few questions to ask. My goal is trying to use some computers in the other network like in LAN environment. Those computers' IPs are 192.168.1.157 and 177.0.0.0/8. My LAN IP range is 192.168.1.0/24. I just want to route the above traffic to the server and all other traffic goes to my own network. I don't want to use VPN when I watch video online. I think the 3 codes you mention might be for me. My codes are like this:

route-nopull
route 192.168.1.157 255.255.255.255 10.8.0.6
route 177.0.0.0 255.0.0.0 10.8.0.6

10.8.0.6 is my VPN interface IP address. When I use the code above I cannot get through to the computers I want. I don't use route remote_host 255.255.255.255 net_gateway because I don't quite understand it even though you explained it. But I did try it and it didn't work. You said the code tells Windows about the route to the VPN, but I think Windows already knew that before we add this code. The VPN works because Windows knows it.

What should I do to achieve this goal? I think the goal is simple and basic. Can you please simply explain or give me some hints like key words to search in google?



Thanks again.

William

Fhilps
OpenVpn Newbie
Posts: 3
Joined: Thu Oct 27, 2011 9:34 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by Fhilps » Tue Nov 22, 2011 10:39 pm

Hi aaaa2209.

I have exactly the same problem you do.
I'm desperate to find how to solve this problem.

I need this for my graduating project at college.

If you find the solution send me a message, ok ?
I'll do the same.

Thanks

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by Bebop » Thu Nov 24, 2011 12:54 am

aaaa2209 wrote: I cannot make 1 and 2 work at the same time. The system told me one is currently running and it has to be disable while trying to enable another one. I found when I use 2 and 3 it works perfectly. 1 and 3 don't work for me.
Thanks. I was looking for feedback on this part. I got a chance to go back to my setup soon and test it with just 2 and 3.. then it might be a universal solution for 2003 / Vista / 7.

I'm thinking of a solution for your dilemma. I've not used 'iroute' with Windows server before but it's designed to work in a situation like yours I think. So that would involve removing 'push redirect-gateway' from server and removing 'route-nopull' from client, and then add to server config 'iroute 177.0.0.0 255.0.0.0' (and create the appropriate 'ccd' file). To fully get it you would need to have a quick read of the iroute commands in the man page.

Where is the "192.168.1.157" computer? (not on your LAN?).
The cure for boredom is curiosity

m4f1050
OpenVpn Newbie
Posts: 8
Joined: Sat Jan 07, 2012 9:27 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by m4f1050 » Sat Jan 07, 2012 9:31 pm

Hi, thanks for the tips. I found Windows XP and Windows 7 examples but no Linux example.

I searched and found this:

Code:

http://www.howtoforge.com/internet-connection-sharing-masquerading-on-linux
Is there a better way of doing this? Or can you post the example for Linux?

Thanks!

sprintf
OpenVpn Newbie
Posts: 2
Joined: Sun May 15, 2011 12:25 am

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by sprintf » Tue Jan 24, 2012 3:50 am

Bebop wrote: Windows 7 tweaks for forwarding VPN traffic

Code:

Start -> Right-click My Computer -> Manage
Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start

...

regedit

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)
Notes:
  • Further tweaking and streamlining may be possible.
  • Thank you to Krzee for the register-dns tweak
FYI, I just set up a fresh Windows 7 box with OpenVPN server and found that these two steps (enable Routing and Remote Access, and set IPEnableRouter=1) were not necessary. In other words, I set up my box without doing those two steps and OpenVPN server still worked fine.

Thanks.

Lisa_York77
OpenVpn Newbie
Posts: 1
Joined: Tue Jan 24, 2012 10:15 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by Lisa_York77 » Tue Jan 24, 2012 10:23 pm

Thank you so much. This works for me too! Keep posting such they are very helpful.

majod
OpenVpn Newbie
Posts: 1
Joined: Sun Apr 22, 2012 8:33 pm

Re: Windows 7 as OpenVPN server with redirect-gateway

Post by majod » Sun Apr 22, 2012 8:35 pm

Hello,

Thank you very much for this tutorial, I have successfully set up Internet sharing with my Windows 7 PC to another PC on local network. Unfortunately I have some trouble and I need some help with that.

The problem is that my Internet connection randomly fails for periods of a few seconds to a few minutes with the client connected to VPN (I have only one client set up). I didn't change anything in config files (except IP addresses and DNS). When the client is not connected, even with server running everything works perfectly. With the client connected, random connection problems occur for me and for the client as well. Any hint?

Thanks.
