OpenVPN Support Forum

I use XP3 and openvpn gui 2.2 latest, the log as follows,

Sun Oct 23 01:58:11 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
Sun Oct 23 01:58:24 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Oct 23 01:58:24 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Oct 23 01:58:24 2011 LZO compression initialized
Sun Oct 23 01:58:24 2011 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Oct 23 01:58:24 2011 Socket Buffers: R=[377668->377668] S=[8192->8192]
Sun Oct 23 01:58:24 2011 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Oct 23 01:58:24 2011 Local Options hash (VER=V4): 'bc07730e'
Sun Oct 23 01:58:24 2011 Expected Remote Options hash (VER=V4): 'b695cb4a'
Sun Oct 23 01:58:24 2011 Attempting to establish TCP connection with 192.168.9.17:9201
Sun Oct 23 01:58:25 2011 TCP connection established with 192.168.9.17:9201
Sun Oct 23 01:58:25 2011 Send to HTTP proxy: 'CONNECT 108.59.8.135:443 HTTP/1.0'
Sun Oct 23 01:58:30 2011 recv_line: TCP port read timeout expired
Sun Oct 23 01:58:30 2011 TCP/UDP: Closing socket
Sun Oct 23 01:58:30 2011 SIGUSR1[soft,init_instance] received, process restarting
Sun Oct 23 01:58:30 2011 Restart pause, 5 second(s)
Sun Oct 23 01:58:35 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Oct 23 01:58:35 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Oct 23 01:58:35 2011 Re-using SSL/TLS context
Sun Oct 23 01:58:35 2011 LZO compression initialized
Sun Oct 23 01:58:35 2011 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Oct 23 01:58:35 2011 Socket Buffers: R=[377668->377668] S=[8192->8192]
Sun Oct 23 01:58:35 2011 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Oct 23 01:58:35 2011 Local Options hash (VER=V4): 'bc07730e'
Sun Oct 23 01:58:35 2011 Expected Remote Options hash (VER=V4): 'b695cb4a'
Sun Oct 23 01:58:35 2011 Attempting to establish TCP connection with 192.168.9.17:9201
Sun Oct 23 01:58:38 2011 TCP connection established with 192.168.9.17:9201
Sun Oct 23 01:58:38 2011 Send to HTTP proxy: 'CONNECT 174.37.190.77:443 HTTP/1.0'
Sun Oct 23 01:58:41 2011 HTTP proxy returned: 'HTTP/1.0 200 Connection Established'
Sun Oct 23 01:58:43 2011 TCPv4_CLIENT link local: [undef]
Sun Oct 23 01:58:43 2011 TCPv4_CLIENT link remote: 192.168.9.17:9201
Sun Oct 23 01:58:43 2011 TLS: Initial packet from 192.168.9.17:9201, sid=46ad9d92 154f1123
Sun Oct 23 01:58:43 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct 23 01:58:49 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Sun Oct 23 01:58:49 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
Sun Oct 23 01:59:03 2011 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Oct 23 01:59:03 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 23 01:59:03 2011 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Oct 23 01:59:03 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 23 01:59:03 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Oct 23 01:59:03 2011 [server] Peer Connection Initiated with 192.168.9.17:9201
Sun Oct 23 01:59:05 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Oct 23 01:59:06 2011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.20.96.170,redirect-gateway def1,script-security 3 system,verb 5,tun-mtu 1500,fragment 1300,mssfix,route 172.16.20.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.20.54 172.16.20.53'
Sun Oct 23 01:59:06 2011 Options error: option 'script-security' cannot be used in this context
Sun Oct 23 01:59:06 2011 Options error: option 'tun-mtu' cannot be used in this context
Sun Oct 23 01:59:06 2011 Options error: option 'fragment' cannot be used in this context
Sun Oct 23 01:59:06 2011 Options error: option 'mssfix' cannot be used in this context
Sun Oct 23 01:59:06 2011 us=453000 OPTIONS IMPORT: --verb and/or --mute level changed
Sun Oct 23 01:59:06 2011 us=453000 OPTIONS IMPORT: timers and/or timeouts modified
Sun Oct 23 01:59:06 2011 us=453000 OPTIONS IMPORT: --ifconfig/up options modified
Sun Oct 23 01:59:06 2011 us=453000 OPTIONS IMPORT: route options modified
Sun Oct 23 01:59:06 2011 us=453000 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Oct 23 01:59:06 2011 us=546000 ROUTE default_gateway=182.0.229.211
Sun Oct 23 01:59:06 2011 us=546000 TAP-WIN32 device [Local Area Connection 11] opened: \\.\Global\{6E5F8A2A-59C7-426C-8DB7-17F35F8974CF}.tap
Sun Oct 23 01:59:06 2011 us=562000 TAP-Win32 Driver Version 9.8
Sun Oct 23 01:59:06 2011 us=562000 TAP-Win32 MTU=1500
Sun Oct 23 01:59:06 2011 us=562000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.20.54/255.255.255.252 on interface {6E5F8A2A-59C7-426C-8DB7-17F35F8974CF} [DHCP-serv: 172.16.20.53, lease-time: 31536000]
Sun Oct 23 01:59:06 2011 us=562000 DHCP option string: 06040a14 60aa
Sun Oct 23 01:59:06 2011 us=562000 Successful ARP Flush on interface [4] {6E5F8A2A-59C7-426C-8DB7-17F35F8974CF}
Sun Oct 23 01:59:11 2011 us=765000 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sun Oct 23 01:59:11 2011 us=765000 C:\WINDOWS\system32\route.exe ADD 192.168.9.17 MASK 255.255.255.255 182.0.229.211
Sun Oct 23 01:59:11 2011 us=843000 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [status=87 if_index=2228230]
Sun Oct 23 01:59:11 2011 us=843000 Route addition via IPAPI failed [adaptive]
Sun Oct 23 01:59:11 2011 us=843000 Route addition fallback to route.exe
Sun Oct 23 01:59:11 2011 us=843000 openvpn_execve: CreateProcess C:\WINDOWS\system32\route.exe failed: The system cannot find the path specified. (errno=3)
Sun Oct 23 01:59:11 2011 us=843000 ERROR: Windows route add command failed [adaptive]: external program did not execute -- returned error code -1
Sun Oct 23 01:59:11 2011 us=843000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.16.20.53
Sun Oct 23 01:59:11 2011 us=843000 Route addition via IPAPI succeeded [adaptive]
Sun Oct 23 01:59:11 2011 us=843000 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.16.20.53
Sun Oct 23 01:59:11 2011 us=843000 Route addition via IPAPI succeeded [adaptive]
Sun Oct 23 01:59:11 2011 us=859000 C:\WINDOWS\system32\route.exe ADD 172.16.20.1 MASK 255.255.255.255 172.16.20.53
Sun Oct 23 01:59:11 2011 us=859000 Route addition via IPAPI succeeded [adaptive]
Sun Oct 23 01:59:11 2011 us=859000 Initialization Sequence Completed

The problem is that the VPN is already connected and giving out assigned IP, however all browser (IE,Opera,FFox,Maxton) can't browse anything ( the setting is no proxy for all browser) and they are just blank page.
Please advise the solutions, Thanks in advance

C:\WINDOWS\system32\route.exe ADD 192.168.9.17 MASK 255.255.255.255 182.0.229.211
Sun Oct 23 01:59:11 2011 us=843000 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [status=87 if_index=2228230]
Sun Oct 23 01:59:11 2011 us=843000 Route addition via IPAPI failed [adaptive]
Sun Oct 23 01:59:11 2011 us=843000 Route addition fallback to route.exe
Sun Oct 23 01:59:11 2011 us=843000 openvpn_execve: CreateProcess C:\WINDOWS\system32\route.exe failed: The system cannot find the path specified. (errno=3)
Sun Oct 23 01:59:11 2011 us=843000 ERROR: Windows route add command failed [adaptive]: external program did not execute -- returned error code -1


route.exe is missing?!?!?

-or-

you dont have rights to run it.

can you try running gui as admin?

can you also post configs?

Michael.

this my config
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disableds
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto tcp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 108.59.8.135 443
remote 174.37.190.77 443
# remote 208.43.150.120 443
# remote 208.43.150.121 443
# remote 208.43.150.122 443
;remote my-server-2 1194

#Pass
auth-user-pass
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
http-proxy-retry # retry on connection failures
http-proxy 192.168.9.17 9201

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert hostname.crt
key hostname.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC # AES

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

win-sys c:\\winxp
============================================
after I put the 'win-sys c:\\winxp' into the config, I managed to fix the error of "us=843000 openvpn_execve: CreateProcess C:\WINDOWS\system32\route.exe failed: The system cannot find the path specified. (errno=3)
Sun Oct 23 01:59:11 2011 us=843000 ERROR: Windows route add command failed [adaptive]: external program did not execute -- returned error code -1 "
However I still cannot fix the " route addition failed using CreateIpForwardEntry: The parameter is incorrect. [status=87 if_index=2228230] us=843000 Route addition via IPAPI failed [adaptive] "
Do you now what should I include in the config to fix it ?

I am admin in openvpn gui, now the browser already can run, but some application external can't run smoothly.
So if I can fix the error above , perhaps everything will be running smoothly.

what happens if you use instead?
are you running openvpn with the right privileges (yes, even on XP you need that)

what u mean by the right privilages ? how to attain that privilage ?

are you a Network administrator or full administrator on the machine (on XP you normally are, unless it's a company controlled laptop)

full administrator on the machine I am sure

oh wait now I see what is happening: you have

http-proxy 192.168.9.17 9201

in the config file; openvpn tries to add a route to this HTTP proxy host using the existing default GW , which does NOT seem to be on the same network , hence the failure.

Is the HTTP proxy host 192.168.9.17 on the same network as the OpenVPN client? Do you really *need* this proxy host?

the HTTP proxy host 192.168.9.17 is a must in my case, to connect to the internet. So can u add some syntax to fix the problem but still including the proxy ? Thanks alot for the help this far.

what seems to be "broken" on your local network is that you need to be able to reach the proxy host 192.168.9.17 yet the default gateway on the network seems to be outside of this range.

Try adding to the client config and reconnect.

'route 192.168.9.0 255.255.255.0 net_gateway'

where to put this into config, just put anywhere or what ? thanks

you can add it pretty much anywhere to the client config; I normally put things like this near the end.

This the latest log :
Sat Nov 05 00:45:38 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
Sat Nov 05 00:45:54 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Nov 05 00:45:54 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Nov 05 00:45:54 2011 LZO compression initialized
Sat Nov 05 00:45:54 2011 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Nov 05 00:45:54 2011 Socket Buffers: R=[377668->377668] S=[8192->8192]
Sat Nov 05 00:45:54 2011 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Nov 05 00:45:54 2011 Local Options hash (VER=V4): 'bc07730e'
Sat Nov 05 00:45:54 2011 Expected Remote Options hash (VER=V4): 'b695cb4a'
Sat Nov 05 00:45:54 2011 Attempting to establish TCP connection with 192.168.62.41:9201
Sat Nov 05 00:45:57 2011 TCP connection established with 192.168.62.41:9201
Sat Nov 05 00:45:57 2011 Send to HTTP proxy: 'CONNECT 108.59.8.135:443 HTTP/1.0'
Sat Nov 05 00:45:58 2011 HTTP proxy returned: 'HTTP/1.0 200 Connection Established'
Sat Nov 05 00:46:00 2011 TCPv4_CLIENT link local: [undef]
Sat Nov 05 00:46:00 2011 TCPv4_CLIENT link remote: 192.168.62.41:9201
Sat Nov 05 00:46:01 2011 TLS: Initial packet from 192.168.62.41:9201, sid=9fb6648c 2a35d114
Sat Nov 05 00:46:01 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Nov 05 00:46:07 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Sat Nov 05 00:46:07 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
Sat Nov 05 00:46:24 2011 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Nov 05 00:46:24 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 05 00:46:24 2011 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Nov 05 00:46:24 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 05 00:46:24 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Nov 05 00:46:24 2011 [server] Peer Connection Initiated with 192.168.62.41:9201
Sat Nov 05 00:46:26 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Nov 05 00:46:27 2011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 4.2.2.1,redirect-gateway def1,route 172.16.16.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.16.86 172.16.16.85'
Sat Nov 05 00:46:27 2011 OPTIONS IMPORT: timers and/or timeouts modified
Sat Nov 05 00:46:27 2011 OPTIONS IMPORT: --ifconfig/up options modified
Sat Nov 05 00:46:27 2011 OPTIONS IMPORT: route options modified
Sat Nov 05 00:46:27 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Nov 05 00:46:27 2011 ROUTE default_gateway=182.0.234.85
Sat Nov 05 00:46:27 2011 TAP-WIN32 device [Local Area Connection 11] opened: \\.\Global\{6E5F8A2A-59C7-426C-8DB7-17F35F8974CF}.tap
Sat Nov 05 00:46:27 2011 TAP-Win32 Driver Version 9.8
Sat Nov 05 00:46:27 2011 TAP-Win32 MTU=1500
Sat Nov 05 00:46:27 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.16.86/255.255.255.252 on interface {6E5F8A2A-59C7-426C-8DB7-17F35F8974CF} [DHCP-serv: 172.16.16.85, lease-time: 31536000]
Sat Nov 05 00:46:27 2011 Successful ARP Flush on interface [4] {6E5F8A2A-59C7-426C-8DB7-17F35F8974CF}
Sat Nov 05 00:46:29 2011 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Sat Nov 05 00:46:29 2011 Route: Waiting for TUN/TAP interface to come up...
Sat Nov 05 00:46:31 2011 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Sat Nov 05 00:46:31 2011 Route: Waiting for TUN/TAP interface to come up...
Sat Nov 05 00:46:32 2011 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sat Nov 05 00:46:32 2011 c:\winxp\system32\route.exe ADD 192.168.62.41 MASK 255.255.255.255 182.0.234.85
Sat Nov 05 00:46:32 2011 c:\winxp\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.16.16.85
Sat Nov 05 00:46:32 2011 c:\winxp\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.16.16.85
Sat Nov 05 00:46:32 2011 c:\winxp\system32\route.exe ADD 172.16.16.1 MASK 255.255.255.255 172.16.16.85
Sat Nov 05 00:46:32 2011 Initialization Sequence Completed

everything seems going smooth on the log, but software like CamFrog still has video error, it says temporary video error repeatedly, and no sound at all.
BTW Camfrog is a live show video chat , are you familiar with camfrog ?

can you test the VPN connection first? try pinging the server, download a file from the server.
If you wish to route all traffic via the VPN then go to http://www.whatismyip.com to check that that is working.

Can you test this:

Try to browse an IP in the browser (like 209.85.147.104). If it works, then it most likely the DNS you are pushing. Try adding this line to the client's config:
If you already have a line with dhcp-option DNS xx.xx.xx.xx then just change the IP you have to 8.8.8.8 (it's Google's DNS).

I could be totally wrong, but I guess such an error could occur.

There may be some problem with the wireless card that you are making use of. If you want to check that then you will have to reset the wireless card once again check if you can open any of the site or not. If that is also not able to help you then you can try by uninstalling and installing the wireless card once again. So do these two things and I wish that it will be solved with any of them.