Route Internet traffic via OpenVPN on a W2008 box

Moderators: TinCanTech

daniel
OpenVpn Newbie
Posts: 6
Joined: Thu Jul 14, 2011 2:58 pm

Route Internet traffic via OpenVPN on a W2008 box

Post by daniel » Thu Jul 14, 2011 3:20 pm

I have a W2008 box running RRAS. I use it as a PPTP VPN server to redirect all traffic and it works OK. I want to add OpenVPN to the same machine for better security, but I have some issues. I would like to keep both PPTP (from RRAS) and the new OpenVPN functionality.

I have the following network setup:

Ethernet adapter OpenVPN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
IPv4 Address. . . . . . . . . . . : 10.109.254.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :

Ethernet adapter VPN Adapter:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Loopback Adapter
IPv4 Address. . . . . . . . . . . : 192.168.0.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 0.0.0.0


Ethernet adapter PublicNetwork-A:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : A.B.C.130(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : A.B.C.129


OpenVPN is the TAP adapter created by OpenVPN.
VPN Adapter is a Microsoft Loopback Adapter used by RRAS for VPN and NAT.
PublicNetwork is a physical adapter, with a public IP address assigned.
Not important at all, but I have another physical adapter, named PrivateNetwork that is only used for internal networking. It should make no difference with or without it.

I successfully installed OpenVPN but can not get the Internet traffic from a client connection to OpenVPN redirected through the server.

My config files below:

server.ovpn:

    port 80                                 # listen on UDP port 80
    proto udp
    dev tun
    ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
    key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
    dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
    server 10.109.254.0 255.255.255.0       # VPN subnet; the server takes 10.109.254.1 on the TAP adapter
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1"            # This will force the clients to use the server's internet connection
    push "dhcp-option DNS 208.67.222.222"   # DNS servers the clients should use through the tunnel
    push "dhcp-option DNS 208.67.220.220"
    keepalive 10 120
    cipher BF-CBC
    comp-lzo
    max-clients 254
    persist-key
    persist-tun
    script-security 3                       # level 3 lets the auth script receive the password via environment variables
    auth-user-pass-verify "cscript.exe Auth4OpenVPN.vbs" via-env
    client-cert-not-required                # username/password only, no client certificate (later OpenVPN releases replace this with "verify-client-cert none")
    username-as-common-name
    status openvpn-status.log
    verb 4

client.ovpn:

    client
    dev tun
    proto udp
    remote A.B.C.130 80
    route 192.168.0.0 255.255.255.0         # server's "VPN Adapter" (loopback) subnet, reached through the tunnel
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
    auth-user-pass
    cipher BF-CBC                           # Blowfish (default) encryption
    comp-lzo
    redirect-gateway def1                   # also pushed by the server
    verb 1

I would like to route all OpenVPN client traffic via the server.

I enabled this registry setting:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "IPEnableRouter"=dword:00000001

The OpenVPN TAP adapter does not appear in the NAT interface list when I try to add it. If I try to add it via netsh I get an error, saying that “the adapter is not connected to the router” (or something like this). After some more reading it seems that Microsoft does not like virtual adapters much, unless it's their own.

ICS is not an option as it will not run in parallel with RRAS.
Also I'd like to avoid any 3rd party software like NAT32 and just use the built-in RRAS functionality, without messing the PPTP VPN up.

I guess the only option I have is to configure some static routes, but I am unsure as to what static route(s) I should add to the routing table. I tried different route add commands, coupled with push route X.Y.Z.Q in the config file, with no success.

Can someone please provide some input as to the route(s) I should add to the Windows routing table and to the server.ovpn file, taking into consideration my config.


Thank you very much,

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Route Internet traffic via OpenVPN on a W2008 box

Post by Mimiko » Sat Jul 16, 2011 5:46 am

daniel wrote: The OpenVPN TAP adapter does not appear in the NAT interface list when I try to add it. If I try to add it via netsh I get an error, saying that “the adapter is not connected to the router” (or something like this). After some more reading it seems that Microsoft does not like virtual adapters much, unless it's their own.
Is any client connected to OpenVPN? Windows routing is very tricky.

Why use OpenVPN for RRAS clients? Anyone who breaks into the connection will be at the phone company. Even if you use OpenVPN, crackers could gain access to your server anyway; they would only need to decrypt the connection. Using a VPN on RRAS is redundant.

daniel
OpenVpn Newbie
Posts: 6
Joined: Thu Jul 14, 2011 2:58 pm

Re: Route Internet traffic via OpenVPN on a W2008 box

Post by daniel » Tue Jul 19, 2011 9:50 am

Mimiko wrote: Is any client connected to OpenVPN? Windows routing is very tricky.
Clients can successfully connect to the OpenVPN server, but the client Internet traffic is not getting routed via the server after all my attempts. Windows routing is indeed tricky.
Mimiko wrote: Why use OpenVPN for RRAS clients? Anyone who breaks into the connection will be at the phone company. Even if you use OpenVPN, crackers could gain access to your server anyway; they would only need to decrypt the connection. Using a VPN on RRAS is redundant.
OpenVPN is safer than PPTP and it can also break through firewalls, that is why I want to use it, but I also want to keep the PPTP setup.

I don't use OpenVPN for RRAS clients, I use OpenVPN for OpenVPN clients.

VPN on RRAS is not redundant, as RRAS is needed to perform the NAT needed to route the OpenVPN client's Internet traffic.

Can you point me in the right direction as to how this can be achieved (via RRAS)?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Route Internet traffic via OpenVPN on a W2008 box

Post by Mimiko » Tue Jul 19, 2011 11:53 am

Hello.
daniel wrote: I would like to route all OpenVPN client traffic via the server.
Via the server to where? Which traffic from the client should be routed where?
daniel wrote: Clients can successfully connect to the OpenVPN server, but the client Internet traffic is not getting routed via the server after all my attempts.
In order to add or remove routes, the VPN needs to have at least one client connected.
daniel wrote: VPN on RRAS is not redundant, as RRAS is needed to perform the NAT needed to route the OpenVPN client's Internet traffic.
RRAS has been old for some time already. Mostly it was used to connect dial-up clients to a local network or the Internet. Maybe some mobile providers still use it, but there is already WAP.

I partially get the idea. Of course OpenVPN will not appear in the RRAS adapter list, because RRAS is not the VPN provider.
After clarifying which traffic from the client you want to route where, some static routes may be defined, although OpenVPN must do this automatically.

daniel
OpenVpn Newbie
Posts: 6
Joined: Thu Jul 14, 2011 2:58 pm

Re: Route Internet traffic via OpenVPN on a W2008 box

Post by daniel » Tue Jul 19, 2011 1:20 pm

I want to route all OpenVPN client Internet traffic via the OpenVPN server's Internet connection, sort of like a proxy does.

The OpenVPN HOWTO says:
Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy.
So I want to configure RRAS on the W2008 box to also perform NAT between the OpenVPN TAP adapter and the public NIC of the server (that has Internet access), in order to route the OpenVPN client's Internet traffic.

However I am unsure as to how I should configure NAT on the OpenVPN adapter via RRAS (because RRAS -> IPv4 -> NAT -> New interface does not list the TAP adapter, so I can not add it as a "private interface"). Netsh commands for this purpose have also failed.

Can this be done by adding static routes to the Windows routing table?


Thanks,

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Route Internet traffic via OpenVPN on a W2008 box

Post by Mimiko » Tue Jul 19, 2011 4:31 pm

daniel wrote: Can this be done by adding static routes to the Windows routing table?
I'm afraid it's not possible.

If you read this:

    --redirect-gateway flags...
    (Experimental) Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN.

    This option performs three steps:

    (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.

    (2) Delete the default gateway route.

    (3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).

    When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored.

    Option flags:

    local -- Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. The local flag will cause step 1 above to be omitted.

    def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.

    bypass-dhcp -- Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).

    bypass-dns -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).

    Using the def1 flag is highly recommended.

this option makes OpenVPN on the client change the default gateway, e.g.

    route 0.0.0.0 0.0.0.0 <OpenVPN server IP>

and this is done automatically. Neither RRAS nor PPTP has such a feature; they do not modify the default gateway on clients. So in order to give clients Internet from the server you must modify the default gateway on clients, or use a proxy.
So for OpenVPN using this option you don't need to do anything, because it's done automatically.
For RRAS: if users connect to the server via dial-up, they'll get the default gateway from the server automatically; if PPTP, you have to define the default gateway as the server's IP on every client.

In both cases you will have to use ICS anyway, because OpenVPN does not do NAT. And Windows routing does not have internal NATting.

I'll try RRAS and ICS on W2k8 to be sure.
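
The following Python script is an added example and is not code posted in this thread or shipped with OpenVPN. It models a Windows client's IPv4 routing table before and after OpenVPN applies `redirect-gateway def1` and resolves a few destinations with longest-prefix matching, which is what the manual's steps (1) to (3) quoted above rely on. The two `route print` excerpts are constructed: they assume daniel's client config with OpenVPN's default net30 topology (client 10.109.254.6, tunnel peer 10.109.254.5), a client LAN of 192.168.1.0/24 with gateway 192.168.1.1, and 198.51.100.130 standing in for the server's A.B.C.130.

```python
"""Model of a Windows client's IPv4 routing table before and after OpenVPN
applies `redirect-gateway def1`, resolved with longest-prefix matching.
Added example; the route tables below are constructed, not captured."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str      # next hop, or "On-link" for a directly connected network
    interface: str    # interface address, as `route print` prints it
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse the 'Active Routes' rows of `route print` output
    (Network Destination, Netmask, Gateway, Interface, Metric); ignore the rest."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:           # title, separator and header lines
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            routes.append(Route(network, gateway, iface, int(metric)))
        except ValueError:
            continue                  # not a route row after all
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """The most specific matching route wins; among equal prefix lengths the
    lowest metric wins. This is why 0.0.0.0/1 + 128.0.0.0/1 beat 0.0.0.0/0."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def check_def1(routes: List[Route], vpn_gw: str, server_ip: str,
               lan_gw: str) -> Dict[str, bool]:
    """The three properties the manual's steps (1)-(3) give you with def1."""
    via_vpn = {str(r.network) for r in routes if r.gateway == vpn_gw}
    server_route = lookup(routes, server_ip)
    return {
        # step (3) with def1: two /1 routes through the tunnel, not a new /0
        "split_default_via_vpn": {"0.0.0.0/1", "128.0.0.0/1"} <= via_vpn,
        # def1 overrides the original default route but does not delete it
        "old_default_kept": any(r.network.prefixlen == 0 and r.gateway == lan_gw
                                for r in routes),
        # step (1): the host route to the server bypasses the tunnel (no loop)
        "server_bypasses_tunnel": server_route is not None
                                  and server_route.gateway == lan_gw,
    }


# Constructed `route print` excerpt: client 192.168.1.20, LAN gateway 192.168.1.1.
BEFORE_TEXT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.20     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.20    276
     192.168.1.20  255.255.255.255         On-link      192.168.1.20    276
  255.255.255.255  255.255.255.255         On-link      192.168.1.20    276
"""

# Same client connected: net30 gives it 10.109.254.6 with peer 10.109.254.5;
# 198.51.100.130 stands in for the server's public address A.B.C.130.
AFTER_TEXT = BEFORE_TEXT + """
          0.0.0.0        128.0.0.0     10.109.254.5     10.109.254.6     30
        128.0.0.0        128.0.0.0     10.109.254.5     10.109.254.6     30
     10.109.254.0    255.255.255.0     10.109.254.5     10.109.254.6     30
     10.109.254.4  255.255.255.252         On-link      10.109.254.6    286
      192.168.0.0    255.255.255.0     10.109.254.5     10.109.254.6     30
   198.51.100.130  255.255.255.255      192.168.1.1     192.168.1.20     20
"""

BEFORE = parse_route_print(BEFORE_TEXT)
AFTER = parse_route_print(AFTER_TEXT)

if __name__ == "__main__":
    for dest in ("8.8.8.8", "208.67.222.222", "198.51.100.130",
                 "192.168.0.10", "192.168.1.50"):
        before, after = lookup(BEFORE, dest), lookup(AFTER, dest)
        print(f"{dest:>15}: before via {before.gateway:<13} after via "
              f"{after.gateway:<13} ({after.network})")
    print(check_def1(AFTER, vpn_gw="10.109.254.5",
                     server_ip="198.51.100.130", lan_gw="192.168.1.1"))
```

Running it shows that 8.8.8.8 and the pushed DNS servers resolve via 10.109.254.5 once the tunnel is up, that the /32 for the server itself still goes to 192.168.1.1 (which is what prevents the routing loop the manual mentions), and that the original 0.0.0.0/0 survives because the two /1 routes merely out-rank it. None of this forwards or translates a packet: once the traffic reaches the server it still needs IPEnableRouter and a NAT between the TAP adapter and the public NIC, which is the part this thread is about.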

daniel
OpenVpn Newbie
Posts: 6
Joined: Thu Jul 14, 2011 2:58 pm

Re: Route Internet traffic via OpenVPN on a W2008 box

Post by daniel » Thu Jul 21, 2011 12:37 pm

I am using the redirect-gateway flag on the client config.

To configure NAT on the server side I can not use ICS because it will not run at the same time as RRAS.

I want to configure NAT between the OpenVPN adapter and public adapter by using RRAS. This can be normally achieved by adding the OpenVPN adapter as private and the public adapter as "connected to the Internet".

However, the OpenVPN adapter does not appear in the list when I try to add it.
Does anyone know how can I add the OpenVPN TAP adapter to the NAT component of RRAS, or how can I configure NAT (by using a different component) on the OpenVPN adapter without disabling RRAS?


Thanks,

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Route Internet traffic via OpenVPN on a W2008 box

Post by Mimiko » Sun Jul 24, 2011 7:34 am

Try this question: http://openvpn.net/index.php/open-sourc ... evice.html
Maybe changing to dev tap will allow the adapter to be added to RRAS.

daniel
OpenVpn Newbie
Posts: 6
Joined: Thu Jul 14, 2011 2:58 pm

Re: Route Internet traffic via OpenVPN on a W2008 box

Post by daniel » Tue Aug 02, 2011 2:17 pm

I found a solution for my problem. If anyone else has this issue here is the solution.

You need to install RRAS after you install OpenVPN for RRAS to see the TAP adapter. On my setup RRAS was already installed, but disabling it (you will lose your RRAS config by disabling) and reconfiguring RRAS will make the TAP adapter appear in RRAS.

After that just add the OpenVPN TAP adapter as "private" in NAT:
RRAS -> IPv4 -> NAT -> New interface -> OpenVPN TAP adapter.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Route Internet traffic via OpenVPN on a W2008 box

Post by Mimiko » Tue Aug 02, 2011 2:24 pm

Good to hear you made it. Definitely this question must go to the OpenVPN official FAQ.

What did you use when defining the device in your config file: dev tun or dev tap?

daniel
OpenVpn Newbie
Posts: 6
Joined: Thu Jul 14, 2011 2:58 pm

Re: Route Internet traffic via OpenVPN on a W2008 box

Post by daniel » Tue Aug 02, 2011 4:09 pm

dev tun

my config files are up in this thread.
