topology subnet explanation
Posted: Fri Nov 11, 2011 11:21 am
by chrismcv
Hi,
I've been running openvpn with net30 for a long time, and recently came across topology subnet via the following post.
http://permalink.gmane.org/gmane.networ ... devel/1240
However (b) is less of an issue now since the "topology
subnet" feature was added, because it allows a tun-based tunnel to operate
without requiring any mandatory route pushes in order to function. Of
course, if you are pushing custom routes, or are pushing
"redirect-gateway" to clients, then those routes cannot be added if the
user lacks administrative privileges (is there a finer-grained
privilege that allows route modification without full admin privileges?).
This paragraph intrigued me, so I setup a open vpn instance with topology subnet, and change my ccd file to
ifconfig-push address subnet mask
.
I've got my VPN connected in this manner, however as I'm not pushing any routes, so am unsure as to how to talk to my vpn server.
I have the following routes:
10.92.0.18 255.255.255.255 On-link 10.92.0.18 286
10.92.0.255 255.255.255.255 On-link 10.92.0.18 286
Is it possible to talk to the VPN server without pushing routes? Or have I misunderstood the quoted paragraph?
Many thanks,
Chris
Re: topology subnet explanation
Posted: Fri Nov 11, 2011 12:03 pm
by janjust
when the VPN connection is established you should always be able to talk to the VPN server, regardless of pushed routes; the VPN server is on the same subnet as the VPN client, so no routes are needed for them to "see" each other.
In 'net30' mode the VPN server remote endpoint is at 10.92.0.17, which falls inside the /30 network. The actual VPN server IP is most likely 10.92.0.1, which should be reachable via an extra route that is always added when the VPN comes up.
In 'subnet' mode the VPN client adapter is initialized at 10.92.0.18/255.255.255.0, which means the server @ 10.92.0.1/255.255.255.0 is directly reachable.
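The addressing arithmetic behind the two replies above, as an added example (not code from the thread or from OpenVPN itself), using only Python's standard `ipaddress` module. It takes a client address plus the netmask the server pushes and works out, for net30, the /30 block and the server's peer endpoint, and, for subnet mode, whether the real server address is on-link (no route needed) and what the interface's broadcast address is, which is why the client's Windows routing table shows an on-link entry for 10.92.0.255 alongside 10.92.0.18. The client/server values are the ones from this thread; the net30 host-ordering convention (lower address is the server endpoint, upper is the client) is the one OpenVPN documents for net30.

```python
import ipaddress


def net30_block(client_ip: str) -> tuple:
    """For topology net30, return (network, server_endpoint, client_address).

    Each client lives in its own /30; OpenVPN gives the client the upper
    usable host and uses the lower one as the server-side tunnel endpoint.
    """
    net = ipaddress.ip_network(f"{client_ip}/30", strict=False)
    lower, upper = list(net.hosts())          # a /30 has exactly two usable hosts
    return str(net), str(lower), str(upper)


def on_link(client_ip: str, netmask: str, peer_ip: str) -> bool:
    """True if peer_ip falls inside the client's own interface subnet.

    In topology subnet the adapter is configured with the whole VPN subnet,
    so the server's real address is on-link and no pushed route is required.
    """
    iface = ipaddress.ip_interface(f"{client_ip}/{netmask}")
    return ipaddress.ip_address(peer_ip) in iface.network


def broadcast_address(client_ip: str, netmask: str) -> str:
    """Directed broadcast of the client's interface subnet (10.92.0.255 for a /24)."""
    return str(ipaddress.ip_interface(f"{client_ip}/{netmask}").network.broadcast_address)


def route_needed(client_ip: str, netmask: str, server_ip: str):
    """Return None when the server is reachable without a route, else the
    host route (destination, gateway) OpenVPN would otherwise have to add.

    In net30 the gateway is the /30 peer endpoint; in subnet mode the server
    is on-link, so the function returns None.
    """
    if on_link(client_ip, netmask, server_ip):
        return None
    _, peer, _ = net30_block(client_ip)
    return (f"{server_ip}/32", peer)


if __name__ == "__main__":
    # Values from the thread: client 10.92.0.18, server 10.92.0.1
    print("net30  :", net30_block("10.92.0.18"))
    print("subnet : on-link =", on_link("10.92.0.18", "255.255.255.0", "10.92.0.1"),
          "broadcast =", broadcast_address("10.92.0.18", "255.255.255.0"))
    print("net30  : route =", route_needed("10.92.0.18", "255.255.255.252", "10.92.0.1"))
    print("subnet : route =", route_needed("10.92.0.18", "255.255.255.0", "10.92.0.1"))
```

Running it shows the net30 case needing a host route via 10.92.0.17 while the subnet case needs none, which is exactly why a non-admin client that cannot modify the routing table still reaches the server under `topology subnet`.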
Re: topology subnet explanation
Posted: Fri Nov 11, 2011 2:06 pm
by chrismcv
Hi,
Thanks for the confirmation. It turned out I have a config issue with server address, so it wasn't being sent properly.
I've been trying out running OpenVPN in this mode as non-admin. I've included the client log file below.
Everything is working - in that I can communicate with the server. However, I'm getting a FlushIpNetTable failed. I was wondering if it is possible to try and prevent this from happening, as between that notification and the next, there is a 5 second delay. It would be good to get rid of that.
I'd also like to understand how it is working when it says it has a "failure".
..
Fri Nov 11 14:01:34 2011 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.90.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.90.0.18 255.255.255.0'
Fri Nov 11 14:01:34 2011 OPTIONS IMPORT: timers and/or timeouts modified
Fri Nov 11 14:01:34 2011 OPTIONS IMPORT: --ifconfig/up options modified
Fri Nov 11 14:01:34 2011 OPTIONS IMPORT: route-related options modified
Fri Nov 11 14:01:34 2011 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{796588D0-C6FE-4FE0-B964-1F5B09A7D5DF}.tap
Fri Nov 11 14:01:34 2011 TAP-Win32 Driver Version 9.8
Fri Nov 11 14:01:34 2011 TAP-Win32 MTU=1500
Fri Nov 11 14:01:34 2011 Set TAP-Win32 TUN subnet mode network/local/netmask = 10.90.0.0/10.90.0.18/255.255.255.0 [SUCCEEDED]
Fri Nov 11 14:01:34 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.90.0.18/255.255.255.0 on interface {796588D0-C6FE-4FE0-B964-1F5B09A7D5DF} [DHCP-serv: 10.90.0.254, lease-time: 31536000]
Fri Nov 11 14:01:34 2011 NOTE: FlushIpNetTable failed on interface [13] {796588D0-C6FE-4FE0-B964-1F5B09A7D5DF} (status=5) : Access is denied.
Fri Nov 11 14:01:39 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Fri Nov 11 14:01:39 2011 Initialization Sequence Completed
Many thanks,
Chris
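A small log check for exactly the question raised in this post, added here as an example (not code from the thread or from OpenVPN): it parses the timestamped client log, flags privilege-related failures such as `FlushIpNetTable failed ... (status=5) : Access is denied` (status 5 is the Windows ERROR_ACCESS_DENIED code), and measures the gap between each `TEST ROUTES` line and the event before it, which is where the 5 second stall shows up. The two sample logs are constructed from the lines posted in this thread (the non-admin run above, and the later `route-nopull` run where the ARP flush succeeds); the function names are my own.

```python
import re
from datetime import datetime

# OpenVPN 2.x client log lines start with a ctime-style timestamp.
TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
STATUS_RE = re.compile(r"status=(\d+)")
ERROR_ACCESS_DENIED = 5   # Win32 error code carried in "status=5"

# Constructed sample: the non-admin run posted above (lines trimmed to what matters).
LOG_NONADMIN = """\
Fri Nov 11 14:01:34 2011 Set TAP-Win32 TUN subnet mode network/local/netmask = 10.90.0.0/10.90.0.18/255.255.255.0 [SUCCEEDED]
Fri Nov 11 14:01:34 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.90.0.18/255.255.255.0 on interface {796588D0-C6FE-4FE0-B964-1F5B09A7D5DF} [DHCP-serv: 10.90.0.254, lease-time: 31536000]
Fri Nov 11 14:01:34 2011 NOTE: FlushIpNetTable failed on interface [13] {796588D0-C6FE-4FE0-B964-1F5B09A7D5DF} (status=5) : Access is denied.
Fri Nov 11 14:01:39 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Fri Nov 11 14:01:39 2011 Initialization Sequence Completed
""".splitlines()

# Constructed sample: the later run with route-nopull, where the ARP flush succeeds.
LOG_NOPULL = """\
Tue Nov 15 09:25:20 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.90.0.18/255.255.255.0 on interface {796588D0-C6FE-4FE0-B964-1F5B09A7D5DF} [DHCP-serv: 10.90.0.254, lease-time: 31536000]
Tue Nov 15 09:25:20 2011 Successful ARP Flush on interface [13] {796588D0-C6FE-4FE0-B964-1F5B09A7D5DF}
Tue Nov 15 09:25:26 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Tue Nov 15 09:25:26 2011 Initialization Sequence Completed
""".splitlines()


def parse_line(line: str):
    """Return (timestamp, message) or None for lines without a timestamp."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FMT), m.group(2)


def analyze(lines) -> dict:
    """Summarise privilege failures and route-test stalls in a client log."""
    events = [e for e in map(parse_line, lines) if e is not None]
    denied = []
    for _, msg in events:
        s = STATUS_RE.search(msg)
        if (s and int(s.group(1)) == ERROR_ACCESS_DENIED) or "Access is denied" in msg:
            denied.append(msg)
    # Seconds spent between the preceding event and each TEST ROUTES line.
    route_delays = [
        (ts - events[i - 1][0]).total_seconds()
        for i, (ts, msg) in enumerate(events)
        if i > 0 and msg.startswith("TEST ROUTES")
    ]
    completed = any(msg.startswith("Initialization Sequence Completed") for _, msg in events)
    return {
        "access_denied": denied,          # what failed for lack of privilege
        "route_test_delays": route_delays,
        "completed": completed,           # tunnel still came up despite the failures
    }


if __name__ == "__main__":
    for name, log in (("non-admin", LOG_NONADMIN), ("route-nopull", LOG_NOPULL)):
        print(name, analyze(log))
```

The point of keeping `completed` next to `access_denied` is the one made later in the thread: an access-denied flush or route add is not fatal to the tunnel, but it is worth surfacing, because it tells you which parts of the pushed configuration (routes, redirect-gateway) silently did not take effect on an unprivileged client.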
Re: topology subnet explanation
Posted: Fri Nov 11, 2011 3:44 pm
by janjust
the message
NOTE: FlushIpNetTable failed on interface [13] {796588D0-C6FE-4FE0-B964-1F5B09A7D5DF} (status=5) : Access is denied.
can be caused because
a) you are not running as administrator (or at least Network Administrator)
b) you are running RRAS on the client
In the second case the message is harmless.
Re: topology subnet explanation
Posted: Fri Nov 11, 2011 4:08 pm
by chrismcv
I'm not running as administrator, which is why I'll be getting this. (RRAS is disabled)
Is there a way to prevent the call to this command, given it doesn't work in this context, but doesn't impact on the tunnel? (e.g. --no-flushipnettable).
Re: topology subnet explanation
Posted: Fri Nov 11, 2011 4:16 pm
by janjust
if you're not running as administrator then all routes pushed by the VPN server will NOT be added; either run as administrator or add 'Network Operator' privileges to your account.
A VPN client is about networking, so you will need *some* access to the routing tables for it to work properly.
Re: topology subnet explanation
Posted: Fri Nov 11, 2011 4:24 pm
by chrismcv
But even though that message appears, I can still talk to the VPN Server through the tunnel, and the routes appear to be added?
Re: topology subnet explanation
Posted: Fri Nov 11, 2011 6:40 pm
by Mimiko
Your connection is working because the IP is assigned by a virtual DHCP-server on the client. OpenVPN assigns the IP to the tun adapter by answering the DHCP-request from the adapter. When the IP is set, Windows adds default routes to the routing table under the system account (because the DHCP-client service works under the system account). So, you will have access to the server and other clients (if client-to-client is enabled). But without admin privileges you will not be able to access the LAN behind the OpenVPN server, nor be able to redirect all traffic thru the tunnel. Also the server will never have access to the client's LAN. If this is enough for you, then ignore the error.
Re: topology subnet explanation
Posted: Fri Nov 11, 2011 6:53 pm
by chrismcv
This is enough for me. I'm using NAT rules on my VPN to redirect traffic from my clients, so this approach will work fine in this scenario.
As this routing step is redundant, it'd be great if I could bypass it. It is taking 5 seconds to do nothing - which is a substantial enough delay - this is the slowest part of the VPN connection procedure.
Is there a way to do this with openvpn, or is it a Windows OS feature?
Cheers,
Chris
Re: topology subnet explanation
Posted: Fri Nov 11, 2011 7:10 pm
by Mimiko
To clients add "--route-noexec" option to tell OpenVPN to not add routes.
I'm using NAT rules on my VPN to redirect traffic from my clients
Which traffic? Clients will not have their internet traffic redirected thru tunnel.
Re: topology subnet explanation
Posted: Fri Nov 11, 2011 7:15 pm
by chrismcv
Unfortunately route-noexec in the config file didn't make any impact when I tried it.
By traffic redirect, I just mean VPN traffic. Clients access a server on a specific port, but they use VPNSERVER:PORT which then NATs to the actual server.
Re: topology subnet explanation
Posted: Sat Nov 12, 2011 9:57 pm
by janjust
if you want to ignore routes pushed by the server, use
route-nopull
(instead of noexec).
Re: topology subnet explanation
Posted: Tue Nov 15, 2011 9:27 am
by chrismcv
I have tried both, and my log says the following:
Tue Nov 15 09:25:20 2011 TAP-Win32 Driver Version 9.8
Tue Nov 15 09:25:20 2011 TAP-Win32 MTU=1500
Tue Nov 15 09:25:20 2011 Set TAP-Win32 TUN subnet mode network/local/netmask = 10.90.0.0/10.90.0.18/255.255.255.0 [SUCCEEDED]
Tue Nov 15 09:25:20 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.90.0.18/255.255.255.0 on interface {796588D0-C6FE-4FE0-B964-1F5B09A7D5DF} [DHCP-serv: 10.90.0.254, lease-time: 31536000]
Tue Nov 15 09:25:20 2011 Successful ARP Flush on interface [13] {796588D0-C6FE-4FE0-B964-1F5B09A7D5DF}
Tue Nov 15 09:25:26 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Tue Nov 15 09:25:26 2011 Initialization Sequence Completed
I assume "TEST ROUTES" indicates a routing directive has occurred?
Re: topology subnet explanation
Posted: Tue Nov 15, 2011 2:49 pm
by janjust
normally openvpn will try to add a route for the VPN IP address itself, so you will always see 1 TEST ROUTE message; the fact that there are no other messages, and no warnings/errors suggests that the 'route-nopull' worked.
Re: topology subnet explanation
Posted: Tue Nov 15, 2011 3:43 pm
by chrismcv
ok, that makes sense.
And last question on this then: Do I just live with the 5 second delay that adding the 1 route causes? There are no easy workarounds to accelerate this part of the process? (It is ~50% of my VPN initialisation sequence)
Re: topology subnet explanation
Posted: Tue Nov 15, 2011 6:20 pm
by janjust
either use
or
YMMV
