need to route windows xp traffic through openvpn client

[vivhost]

Hello, I am new to OpenVPN but have some reasonable understanding of how it works.
What I'd like to do is connect my Windows XP OpenVPN client to a CentOS VPN server and route all web traffic through the VPN server. On the server I have this configuration which cannot be modified because it gets overwritten:
# Automatically generated by Plesk VPN module
#
rport 1194
lport 1194
ifconfig 172.16.0.1 255.255.255.252
daemon
secret /usr/local/psa/var/modules/vpn/vpn-key
writepid /usr/local/psa/var/modules/vpn/openvpn.pid
mtu-disc yes
comp-lzo
dev tap
float
keepalive 10 60
ping-timer-rem
resolv-retry infinite

On the client I have the vpn key and this configuration:
#
# Automatically generated by Plesk VPN module
#
remote ns1.vivhost.com
lport 1194
rport 1194
ifconfig 172.16.0.2 255.255.255.252
secret system/vpn-key
comp-lzo
dev tap
float
keepalive 10 60
ping-timer-rem
resolv-retry infinite
route-gateway 172.16.0.1
redirect-gateway def1
dhcp-option DNS 172.16.0.1

startup client openvpn reports:
Sat May 21 16:50:53 2011 OpenVPN 2.0 Win32-MinGW [SSL] [LZO] built on Apr 17 200
5
Sat May 21 16:50:53 2011 LZO compression initialized
Sat May 21 16:50:53 2011 TAP-WIN32 device [TAP] opened: \\.\Global\{342D9C9C-107
A-41AC-BFA7-995C48654BEF}.tap
Sat May 21 16:50:53 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 1
72.16.0.2/255.255.255.252 on interface {342D9C9C-107A-41AC-BFA7-995C48654BEF} [D
HCP-serv: 172.16.0.0, lease-time: 31536000]
Sat May 21 16:50:53 2011 Successful ARP Flush on interface [131078] {342D9C9C-10
7A-41AC-BFA7-995C48654BEF}
Sat May 21 16:50:53 2011 UDPv4 link local (bound): [undef]:1194
Sat May 21 16:50:53 2011 UDPv4 link remote: 95.211.120.206:1194
Sat May 21 16:50:59 2011 Peer Connection Initiated with 95.211.120.206:1194
Sat May 21 16:51:00 2011 Initialization Sequence Completed

ipconfig /all reports:
[c:\4nt]ipconfig /all

Windows IP-configuratie

Host-naam . . . . . . . . . . . .: UPSTAIRS
Primair DNS-achtervoegsel. . . . .:
Knooppunttype . . . . . . . . . . : gemengd
IP-routering ingeschakeld. . . . .: nee
WINS-proxy ingeschakeld . . . . . : nee

Ethernet-adapter LAN-verbinding:

Verbindingsspec. DNS-achtervoegsel:
Beschrijving . . . . . . . . . . .:
Realtek RTL8139/810x Family Fast Ethernet NIC
Fysiek adres. . . . . . . . . . . : 00-13-D3-29-E6-B6
DHCP ingeshakeld. . . . . . . . . : ja
Autom. configuratie ingeschakeld. : ja
IP-adres. . . . . . . . . . . . . : 192.168.1.15
Subnetmasker. . . . . . . . . . . : 255.255.255.0
Standaardgateway. . . . . . . . . : 192.168.1.1
DHCP-server . . . . . . . . . . . : 192.168.1.1
DNS-servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
Lease verkregen . . . . . . . . . : Saturday, May 21, 2011 4:52:07 PM
Lease verlopen . . . . . . . . . : Tuesday, May 24, 2011 4:52:07 PM

Ethernet-adapter TAP:

Verbindingsspec. DNS-achtervoegsel:
Beschrijving . . . . . . . . . . .:
TAP-Win32 Adapter V8
Fysiek adres. . . . . . . . . . . : 00-FF-34-2D-9C-9C
DHCP ingeshakeld. . . . . . . . . : ja
Autom. configuratie ingeschakeld. : ja
IP-adres. . . . . . . . . . . . . : 172.16.0.2
Subnetmasker. . . . . . . . . . . : 255.255.255.252
Standaardgateway. . . . . . . . . : 172.16.0.1
DHCP-server . . . . . . . . . . . : 172.16.0.0
DNS-servers . . . . . . . . . . . : 172.16.0.1
Lease verkregen . . . . . . . . . : Saturday, May 21, 2011 4:50:56 PM
Lease verlopen . . . . . . . . . : Sunday, May 20, 2012 4:50:56 PM

I can ping from Windows to the VPN server and back with no problem.
However I cannot figure out how to set the default gateway to the VPN server and to route all the Windows XP traffic through the VPN server. I've searched and read all I could find about it and it's still not clear to me how this is done on the client side. Thanks in advance for your help.

[janjust]

this part of your 'ipconfig' output

Standaardgateway. . . . . . . . . : 172.16.0.1

shows that the default GW for the tap-win32 adapter is indeed the VPN remote endpoint ; to get routing to work properly you need to enable ip forwarding and perhaps masquerading on your vpn server as well.

Also, please upgrade your XP client to 2.1.4 or 2.2 - 2.0 is REALLY old

[vivhost]

Thank you, I've already done this command on the VPN server:
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE

is there anything else I need to do or check?

[janjust]

check that ip forwarding is enabled

Code: Select all

cat /proc/sys/net/ipv4/ip_forward

(should return '1')

if possible, switch from 'tap' mode to 'tun' mode ; you'd need to change your client config to match the new server config, however.

[vivhost]

I have it now... same behaviour, am not sure how to switch to TUN... is there nothing on windows xp that needs to know to use the VPN gateway for all traffic?

[root@ns1 modules]# cat /proc/sys/net/ipv4/ip_forward
1
[root@ns1 modules]# iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
[root@ns1 modules]# iptables -L -v
Chain INPUT (policy ACCEPT 3074 packets, 293K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2410 packets, 550K bytes)
pkts bytes target prot opt in out source destination


Also on XP client I see this in the openvpn window:
Sat May 21 17:19:55 2011 OpenVPN 2.0 Win32-MinGW [SSL] [LZO] built on Apr 17 200
5
Sat May 21 17:19:55 2011 LZO compression initialized
Sat May 21 17:19:56 2011 TAP-WIN32 device [TAP] opened: \\.\Global\{342D9C9C-107
A-41AC-BFA7-995C48654BEF}.tap
Sat May 21 17:19:56 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 1
72.16.0.2/255.255.255.252 on interface {342D9C9C-107A-41AC-BFA7-995C48654BEF} [D
HCP-serv: 172.16.0.0, lease-time: 31536000]
Sat May 21 17:19:56 2011 Successful ARP Flush on interface [131078] {342D9C9C-10
7A-41AC-BFA7-995C48654BEF}
Sat May 21 17:19:56 2011 UDPv4 link local (bound): [undef]:1194
Sat May 21 17:19:56 2011 UDPv4 link remote: 95.211.120.206:1194
Sat May 21 17:19:57 2011 Peer Connection Initiated with 95.211.120.206:1194
Sat May 21 17:19:59 2011 NOTE: unable to redirect default gateway -- Cannot read
current default gateway from system
Sat May 21 17:19:59 2011 Initialization Sequence Completed

[janjust]

1) upgrade to openvpn 2.1.4 or later
2) comment out

Code: Select all

route-gateway 172.16.0.1

and let openvpn try to figure out the routes.

[vivhost]

OK, tried it with 2.1.4 and removed route-gateway option, similar results (cannot redirect default gateway, does not route through VPN)

Sat May 21 17:40:11 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] bui
lt on Nov 8 2010
Sat May 21 17:40:11 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or hig
her to call user-defined scripts or executables
Sat May 21 17:40:11 2011 LZO compression initialized
Sat May 21 17:40:11 2011 TAP-WIN32 device [LAN-verbinding 6] opened: \\.\Global\
{460495FE-39E8-45DF-819E-52723BAD9F78}.tap
Sat May 21 17:40:11 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 1
72.16.0.2/255.255.255.252 on interface {460495FE-39E8-45DF-819E-52723BAD9F78} [D
HCP-serv: 172.16.0.0, lease-time: 31536000]
Sat May 21 17:40:11 2011 Successful ARP Flush on interface [327682] {460495FE-39
E8-45DF-819E-52723BAD9F78}
Sat May 21 17:40:11 2011 UDPv4 link local (bound): [undef]:1194
Sat May 21 17:40:11 2011 UDPv4 link remote: 95.211.120.206:1194
Sat May 21 17:40:14 2011 Peer Connection Initiated with 95.211.120.206:1194
Sat May 21 17:40:19 2011 NOTE: unable to redirect default gateway -- VPN gateway
parameter (--route-gateway or --ifconfig) is missing
Sat May 21 17:40:19 2011 Initialization Sequence Completed

[janjust]

oh doh, of course: you're not running in client/server mode, so the route-gateway is not known.

This is one of the problems when running openvpn in tap mode, esp on Windows: routing is a bit harder. Can you try using

Code: Select all

route-gateway 172.16.0.2

(yes , that's the IP of the tap-win32 adapter itself).

[vivhost]

Still no worky, confusing error about not being able to set default gateway

Sat May 21 17:48:27 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] bui
lt on Nov 8 2010
Sat May 21 17:48:27 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or hig
her to call user-defined scripts or executables
Sat May 21 17:48:27 2011 LZO compression initialized
Sat May 21 17:48:28 2011 TAP-WIN32 device [LAN-verbinding 6] opened: \\.\Global\
{460495FE-39E8-45DF-819E-52723BAD9F78}.tap
Sat May 21 17:48:28 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 1
72.16.0.2/255.255.255.252 on interface {460495FE-39E8-45DF-819E-52723BAD9F78} [D
HCP-serv: 172.16.0.0, lease-time: 31536000]
Sat May 21 17:48:28 2011 Successful ARP Flush on interface [327682] {460495FE-39
E8-45DF-819E-52723BAD9F78}
Sat May 21 17:48:28 2011 UDPv4 link local (bound): [undef]:1194
Sat May 21 17:48:28 2011 UDPv4 link remote: 95.211.120.206:1194
Sat May 21 17:48:34 2011 Peer Connection Initiated with 95.211.120.206:1194
Sat May 21 17:48:40 2011 NOTE: unable to redirect default gateway -- Cannot read
current default gateway from system
Sat May 21 17:48:40 2011 Initialization Sequence Completed

[janjust]

this is strange - it is having problems reading the current default gateway, but the 'ipconfig' info shows that that should 192.168.1.1 ...

try running openvpn with 'verb 7' set and watch for GDGR messages - that's what OpenVPN thinks is the current routing table.

[vivhost]

298 Sat May 21 18:04:16 2011 us=296000 GDGR: route[0] 0.0.0.0/128.0.0.0 i=65541 m=1
299 Sat May 21 18:04:16 2011 us=296000 GDGR: route[1] 95.211.120.206/255.255.255.255 i=65541 m=1
300 Sat May 21 18:04:16 2011 us=296000 GDGR: route[2] 127.0.0.0/255.0.0.0 i=1 m=1
301 Sat May 21 18:04:16 2011 us=296000 GDGR: route[3] 128.0.0.0/128.0.0.0 i=65541 m=1
302 Sat May 21 18:04:16 2011 us=296000 GDGR: route[4] 192.168.1.0/255.255.255.0 i=65541 m=20
303 Sat May 21 18:04:16 2011 us=296000 GDGR: route[5] 192.168.1.15/255.255.255.255 i=1 m=20
304 Sat May 21 18:04:16 2011 us=296000 GDGR: route[6] 192.168.1.255/255.255.255.255 i=65541 m=20
305 Sat May 21 18:04:16 2011 us=296000 GDGR: route[7] 224.0.0.0/240.0.0.0 i=65541 m=20
306 Sat May 21 18:04:16 2011 us=296000 GDGR: route[8] 255.255.255.255/255.255.255.255 i=327682 m=1
307 Sat May 21 18:04:16 2011 us=296000 GDGR: route[9] 255.255.255.255/255.255.255.255 i=65541 m=1
308 Sat May 21 18:04:16 2011 us=296000 GDGR: best=-1 lm=4294967295
309 Sat May 21 18:04:16 2011 us=296000 GDGR: route[0] 0.0.0.0/128.0.0.0 i=65541 m=1
310 Sat May 21 18:04:16 2011 us=296000 GDGR: route[1] 95.211.120.206/255.255.255.255 i=65541 m=1
311 Sat May 21 18:04:16 2011 us=296000 GDGR: route[2] 127.0.0.0/255.0.0.0 i=1 m=1
312 Sat May 21 18:04:16 2011 us=296000 GDGR: route[3] 128.0.0.0/128.0.0.0 i=65541 m=1
313 Sat May 21 18:04:16 2011 us=296000 GDGR: route[4] 192.168.1.0/255.255.255.0 i=65541 m=20
314 Sat May 21 18:04:16 2011 us=296000 GDGR: route[5] 192.168.1.15/255.255.255.255 i=1 m=20
315 Sat May 21 18:04:16 2011 us=296000 GDGR: route[6] 192.168.1.255/255.255.255.255 i=65541 m=20
316 Sat May 21 18:04:16 2011 us=296000 GDGR: route[7] 224.0.0.0/240.0.0.0 i=65541 m=20
317 Sat May 21 18:04:16 2011 us=296000 GDGR: route[8] 255.255.255.255/255.255.255.255 i=327682 m=1
318 Sat May 21 18:04:16 2011 us=296000 GDGR: route[9] 255.255.255.255/255.255.255.255 i=65541 m=1
319 Sat May 21 18:04:16 2011 us=296000 GDGR: best=-1 lm=4294967295
321 Sat May 21 18:04:16 2011 us=296000 GDGR: route[0] 0.0.0.0/128.0.0.0 i=65541 m=1
322 Sat May 21 18:04:16 2011 us=296000 GDGR: route[1] 95.211.120.206/255.255.255.255 i=65541 m=1
323 Sat May 21 18:04:16 2011 us=296000 GDGR: route[2] 127.0.0.0/255.0.0.0 i=1 m=1
324 Sat May 21 18:04:16 2011 us=296000 GDGR: route[3] 128.0.0.0/128.0.0.0 i=65541 m=1
325 Sat May 21 18:04:16 2011 us=296000 GDGR: route[4] 192.168.1.0/255.255.255.0 i=65541 m=20
326 Sat May 21 18:04:16 2011 us=296000 GDGR: route[5] 192.168.1.15/255.255.255.255 i=1 m=20
327 Sat May 21 18:04:16 2011 us=296000 GDGR: route[6] 192.168.1.255/255.255.255.255 i=65541 m=20
328 Sat May 21 18:04:16 2011 us=296000 GDGR: route[7] 224.0.0.0/240.0.0.0 i=65541 m=20
329 Sat May 21 18:04:16 2011 us=296000 GDGR: route[8] 255.255.255.255/255.255.255.255 i=327682 m=1
330 Sat May 21 18:04:16 2011 us=296000 GDGR: route[9] 255.255.255.255/255.255.255.255 i=65541 m=1
331 Sat May 21 18:04:16 2011 us=296000 GDGR: best=-1 lm=4294967295

[janjust]

the routing table seems screwed up with 0.0.0.0/128.0.0.0 routes from earlier connection attempts; try rebooting the win xp box to see if it can then determine the right GW.

Also, if that did not help, post the output of 'route print' prior to starting the openvpn client.

[vivhost]

OK, rebooted and here is the route output before running OpenVPN:

[c:\4nt]route print
===========================================================================
Interfacelijst
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff 46 04 95 fe ...... TAP-Win32 Adapter V9 - Pakketplanner-minipoort
0x10004 ...00 13 d3 29 e6 b6 ...... Realtek RTL8139/810x Family Fast Ethernet NI
C - Pakketplanner-minipoort
===========================================================================
===========================================================================
Actieve routes:
Netwerkadres Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.15 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.15 192.168.1.15 20
192.168.1.15 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.15 192.168.1.15 20
224.0.0.0 240.0.0.0 192.168.1.15 192.168.1.15 20
255.255.255.255 255.255.255.255 192.168.1.15 192.168.1.15 1
255.255.255.255 255.255.255.255 192.168.1.15 2 1
Standaard-gateway: 192.168.1.1
===========================================================================
Permanente routes:
Geen

and the log shows:
298 Sat May 21 18:19:33 2011 us=828000 GDGR: route[0] 0.0.0.0/0.0.0.0 i=65540 m=20
299 Sat May 21 18:19:33 2011 us=828000 GDGR: route[1] 127.0.0.0/255.0.0.0 i=1 m=1
300 Sat May 21 18:19:33 2011 us=828000 GDGR: route[2] 192.168.1.0/255.255.255.0 i=65540 m=20
301 Sat May 21 18:19:33 2011 us=828000 GDGR: route[3] 192.168.1.15/255.255.255.255 i=1 m=20
302 Sat May 21 18:19:33 2011 us=828000 GDGR: route[4] 192.168.1.255/255.255.255.255 i=65540 m=20
303 Sat May 21 18:19:33 2011 us=828000 GDGR: route[5] 224.0.0.0/240.0.0.0 i=65540 m=20
304 Sat May 21 18:19:33 2011 us=828000 GDGR: route[6] 255.255.255.255/255.255.255.255 i=65540 m=1
305 Sat May 21 18:19:33 2011 us=828000 GDGR: route[7] 255.255.255.255/255.255.255.255 i=2 m=1
306 Sat May 21 18:19:33 2011 us=828000 GDGR: best=0 lm=20
308 Sat May 21 18:19:33 2011 us=828000 GDGR: route[0] 0.0.0.0/0.0.0.0 i=65540 m=20
309 Sat May 21 18:19:33 2011 us=828000 GDGR: route[1] 127.0.0.0/255.0.0.0 i=1 m=1
310 Sat May 21 18:19:33 2011 us=828000 GDGR: route[2] 192.168.1.0/255.255.255.0 i=65540 m=20
311 Sat May 21 18:19:33 2011 us=828000 GDGR: route[3] 192.168.1.15/255.255.255.255 i=1 m=20
312 Sat May 21 18:19:33 2011 us=828000 GDGR: route[4] 192.168.1.255/255.255.255.255 i=65540 m=20
313 Sat May 21 18:19:33 2011 us=828000 GDGR: route[5] 224.0.0.0/240.0.0.0 i=65540 m=20
314 Sat May 21 18:19:33 2011 us=828000 GDGR: route[6] 255.255.255.255/255.255.255.255 i=65540 m=1
315 Sat May 21 18:19:33 2011 us=828000 GDGR: route[7] 255.255.255.255/255.255.255.255 i=2 m=1
316 Sat May 21 18:19:33 2011 us=828000 GDGR: best=0 lm=20
318 Sat May 21 18:19:33 2011 us=828000 GDGR: route[0] 0.0.0.0/0.0.0.0 i=65540 m=20
319 Sat May 21 18:19:33 2011 us=828000 GDGR: route[1] 127.0.0.0/255.0.0.0 i=1 m=1
320 Sat May 21 18:19:33 2011 us=828000 GDGR: route[2] 192.168.1.0/255.255.255.0 i=65540 m=20
321 Sat May 21 18:19:33 2011 us=828000 GDGR: route[3] 192.168.1.15/255.255.255.255 i=1 m=20
322 Sat May 21 18:19:33 2011 us=828000 GDGR: route[4] 192.168.1.255/255.255.255.255 i=65540 m=20
323 Sat May 21 18:19:33 2011 us=828000 GDGR: route[5] 224.0.0.0/240.0.0.0 i=65540 m=20
324 Sat May 21 18:19:33 2011 us=828000 GDGR: route[6] 255.255.255.255/255.255.255.255 i=65540 m=1
325 Sat May 21 18:19:33 2011 us=828000 GDGR: route[7] 255.255.255.255/255.255.255.255 i=2 m=1
326 Sat May 21 18:19:33 2011 us=828000 GDGR: best=0 lm=20

but now I cannot connect to any web sites (browser times out), I think we may be on the right track though, thanks so much for the help so far

[c:\4nt]ipconfig /all

Windows IP-configuratie

Host-naam . . . . . . . . . . . .: UPSTAIRS
Primair DNS-achtervoegsel. . . . .:
Knooppunttype . . . . . . . . . . : gemengd
IP-routering ingeschakeld. . . . .: nee
WINS-proxy ingeschakeld . . . . . : nee

Ethernet-adapter LAN-verbinding 6:

Verbindingsspec. DNS-achtervoegsel:
Beschrijving . . . . . . . . . . .:
TAP-Win32 Adapter V9
Fysiek adres. . . . . . . . . . . : 00-FF-46-04-95-FE
DHCP ingeshakeld. . . . . . . . . : ja
Autom. configuratie ingeschakeld. : ja
IP-adres. . . . . . . . . . . . . : 172.16.0.2
Subnetmasker. . . . . . . . . . . : 255.255.255.252
Standaardgateway. . . . . . . . . : 172.16.0.2
DHCP-server . . . . . . . . . . . : 172.16.0.0
DNS-servers . . . . . . . . . . . : 172.16.0.1
Lease verkregen . . . . . . . . . : Saturday, May 21, 2011 6:19:39 PM
Lease verlopen . . . . . . . . . : Sunday, May 20, 2012 6:19:39 PM

Ethernet-adapter LAN-verbinding:

Verbindingsspec. DNS-achtervoegsel:
Beschrijving . . . . . . . . . . .:
Realtek RTL8139/810x Family Fast Ethernet NIC
Fysiek adres. . . . . . . . . . . : 00-13-D3-29-E6-B6
DHCP ingeshakeld. . . . . . . . . : ja
Autom. configuratie ingeschakeld. : ja
IP-adres. . . . . . . . . . . . . : 192.168.1.15
Subnetmasker. . . . . . . . . . . : 255.255.255.0
Standaardgateway. . . . . . . . . : 192.168.1.1
DHCP-server . . . . . . . . . . . : 192.168.1.1
DNS-servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
Lease verkregen . . . . . . . . . : Saturday, May 21, 2011 6:17:12 PM
Lease verlopen . . . . . . . . . : Tuesday, May 24, 2011 6:17:12 PM

Is there a way for me to test the IP forwarding on the server side? Maybe now that's the problem.

[vivhost]

yes! it's working now!

[janjust]

Excellent! does this mean I can close this topic?

groetjes

[vivhost]

It works great now. I had earlier set a route-gateway option but it had the wrong option. After rebooting and fixing that entry, it now works great and connects through the VPN server.

Thank you again, so much for your help. I would have gone crazy trying to fix it on my own.