OpenVPN Server configured with 255.255.255.0 but XP no like?

RedPenguin
OpenVpn Newbie
Posts: 12
Joined: Fri Nov 18, 2011 10:47 pm

Post by RedPenguin » Tue Nov 29, 2011 6:07 pm

I have an OpenVPN server running on my ClearOS (formerly ClarkConnect) Linux router and had at first just been using Linux and iPhone (MacOS) clients with 10.8.0.x 255.255.255.0 and everything has been working like a charm.

Clients can see each other and the "push routed" networks. They get static IPs using a ccd directory with "ifconfig-push IP 10.8.0.0"

But then the whole setup seems to have collapsed the minute I tried to put my XP Pro laptop on to the setup.

The laptop says that the info in CCD is wrong, putting 10.8.0.1 (VPN server IP) or even the netmask the IP is also wrong. It totally refused to take any static IP unless I did "ifconfig-push 10.8.0.10 10.8.0.9" which allows it to use the VPN for Internet but not contact any other VPN client. It refuses to use any other subnet besides 255.255.255.252.

Is there a way to fix this without totally reconfiguring all my Linux/MacOS clients?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Post by Mimiko » Tue Nov 29, 2011 9:35 pm

Show server's config file, and client XP log.

Post by RedPenguin » Tue Nov 29, 2011 11:21 pm

SERVER:

port 500
proto udp
dev tun
ca /etc/ssl/ca-cert.pem
cert /etc/ssl/sys-0-cert.pem
key /etc/ssl/private/sys-0-key.pem
dh /etc/ssl/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
status /var/lib/openvpn/openvpn-status.log
verb 3
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"

# Added by Me
client-config-dir ccd
client-to-client

push "route 192.168.0.0 255.255.255.0"
push "route 10.8.1.0 255.255.255.0"


XP:

Tue Nov 29 18:08:31 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Tue Nov 29 18:08:31 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Nov 29 18:08:32 2011 LZO compression initialized
Tue Nov 29 18:08:32 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Nov 29 18:08:32 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Nov 29 18:08:32 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Nov 29 18:08:32 2011 Local Options hash (VER=V4): '41690919'
Tue Nov 29 18:08:32 2011 Expected Remote Options hash (VER=V4): '530fdded'
Tue Nov 29 18:08:32 2011 UDPv4 link local: [undef]
Tue Nov 29 18:08:32 2011 UDPv4 link remote: XXX.XXX.XXX.XXX:500
Tue Nov 29 18:08:32 2011 TLS: Initial packet from XXX.XXX.XXX.XXX:500, sid=111c4b5c b0eeb7c5
Tue Nov 29 18:08:32 2011 VERIFY OK: depth=1, /O=ZEROONENETWORKS/OU=IT/emailAddress=EMAIL@gmail.com/L=X/ST=X/C=X/CN=X
Tue Nov 29 18:08:32 2011 VERIFY OK: nsCertType=SERVER
Tue Nov 29 18:08:32 2011 VERIFY OK: depth=0, /C=US/ST=X/O=ZEROONENETWORKS/OU=IT/L=X/CN=X/emailAddress=X
Tue Nov 29 18:08:32 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 29 18:08:32 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 29 18:08:32 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 29 18:08:32 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 29 18:08:32 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Nov 29 18:08:32 2011 [xxx.xxx.xxx.xxx] Peer Connection Initiated with xxx.xxx.xxx.xxx:500
Tue Nov 29 18:08:35 2011 SENT CONTROL [mymachine.no-ip.org]: 'PUSH_REQUEST' (status=1)
Tue Nov 29 18:08:35 2011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,dhcp-option DNS 8.8.8.8,dhcp-option DOMAIN ZEROONENETWORKS,redirect-gateway def1,route 192.168.0.0 255.255.255.0,route 10.8.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.13 10.8.0.14'
Tue Nov 29 18:08:35 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Nov 29 18:08:35 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Nov 29 18:08:35 2011 OPTIONS IMPORT: route options modified
Tue Nov 29 18:08:35 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Nov 29 18:08:35 2011 ROUTE default_gateway=10.85.10.1
Tue Nov 29 18:08:35 2011 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{849469AB-BD21-43A7-93AB-8AD66D1CCF04}.tap
Tue Nov 29 18:08:35 2011 TAP-Win32 Driver Version 9.8 
Tue Nov 29 18:08:35 2011 TAP-Win32 MTU=1500
Tue Nov 29 18:08:35 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.13/255.255.255.252 on interface {849469AB-BD21-43A7-93AB-8AD66D1CCF04} [DHCP-serv: 10.8.0.14, lease-time: 31536000]
Tue Nov 29 18:08:35 2011 Successful ARP Flush on interface [23] {849469AB-BD21-43A7-93AB-8AD66D1CCF04}
Tue Nov 29 18:08:40 2011 TEST ROUTES: 4/4 succeeded len=3 ret=1 a=0 u/d=up
Tue Nov 29 18:08:40 2011 C:\WINDOWS\system32\route.exe ADD 207.255.52.248 MASK 255.255.255.255 10.85.10.1
Tue Nov 29 18:08:40 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Nov 29 18:08:40 2011 Route addition via IPAPI succeeded [adaptive]
Tue Nov 29 18:08:40 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.14
Tue Nov 29 18:08:40 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue Nov 29 18:08:40 2011 Route addition via IPAPI succeeded [adaptive]
Tue Nov 29 18:08:40 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.14
Tue Nov 29 18:08:40 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue Nov 29 18:08:40 2011 Route addition via IPAPI succeeded [adaptive]
Tue Nov 29 18:08:40 2011 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.14
Tue Nov 29 18:08:40 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue Nov 29 18:08:40 2011 Route addition via IPAPI succeeded [adaptive]
Tue Nov 29 18:08:40 2011 C:\WINDOWS\system32\route.exe ADD 10.8.1.0 MASK 255.255.255.0 10.8.0.14
Tue Nov 29 18:08:40 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue Nov 29 18:08:40 2011 Route addition via IPAPI succeeded [adaptive]
Tue Nov 29 18:08:40 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.14
Tue Nov 29 18:08:40 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue Nov 29 18:08:40 2011 Route addition via IPAPI succeeded [adaptive]
Tue Nov 29 18:08:40 2011 Initialization Sequence Completed

Post by Mimiko » Wed Nov 30, 2011 6:04 am

ifconfig-push IP 10.8.0.0
is wrong syntax.

I see that the client gets and sets correct parameters.

Post by RedPenguin » Wed Nov 30, 2011 1:02 pm

I attempted the following from this page:

http://mtehrani30.blogspot.com/2008/03/ ... ic-ip.html

and

http://blog.gauner.org/blog/2008/07/17/ ... signments/

The first says for Windows Clients do "ifconfig-push CLIENT-IP SERVER-IP" and for Ubuntu (Linux clients) do "ifconfig-push IP NETMASK" but both of those failed for me on my Linux clients and the second link's using the "network address" seemed to work at least with Linux clients.

Post by Mimiko » Wed Nov 30, 2011 2:03 pm

ifconfig-push IP NETMASK
is used when "topology subnet" is used. In your case it's "topology net3", which requires "ifconfig-push CLIENT-IP SERVER-IP" for all clients.

Post by RedPenguin » Wed Nov 30, 2011 4:03 pm

That seems to work now.

But the problem I am seeing now is, OpenVPN sometimes will assign IPs that static as DHCP.

Do I have to create two separate subnets, one for static and the other for DHCP, or can I just change a few settings?

Post by Mimiko » Wed Nov 30, 2011 6:22 pm

RedPenguin wrote: OpenVPN sometimes will assign IPs that static as DHCP.
What do you mean?

Post by RedPenguin » Wed Nov 30, 2011 6:39 pm

Well I made a typo and meant "that are static".

But anyway, I mean 10.8.0.6/24 is assigned currently to a Linux client via a ccd file, but when the Linux client was not connected and I connected my XP machine without a ccd for the XP, OpenVPN gave out 10.8.0.6/30 to the XP.

Post by Mimiko » Wed Nov 30, 2011 8:02 pm

In your configuration "topology" is "net30", but in the ccd file for Linux you use ifconfig-push as if the topology were "subnet". That's why the ccd file is ignored at first. But to avoid conflicts, make a ccd file for every client.

Post by RedPenguin » Thu Dec 01, 2011 3:30 am

I just changed my topology to "subnet" and everything works exactly like I desire.

I don't have to dedicate 4 addresses to Windows clients (/30) and Windows can ping everything including Linux clients now.

Also, I am using
ifconfig-push IP NETMASK
just like every guide says to use for topology subnet, yet DHCP still wishes to assign statically assigned IPs in its DHCP pool, so I just will have to make a ccd for every client which is what I do anyway.
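
An added example, not part of the original thread: a small Python check for the two problems discussed above, whether each ccd `ifconfig-push` line matches the server's topology (peer endpoint in one /30 for net30, netmask for subnet) and whether a static address sits inside the dynamic pool. The client names, the sample ccd lines and the pool range passed in are constructed assumptions.

```python
import ipaddress

def check_push(topology, server_net, line):
    """Return the problems found in one ccd 'ifconfig-push A B' line."""
    net = ipaddress.ip_network(server_net)
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return ["not an 'ifconfig-push A B' line"]
    try:
        ip, second = (ipaddress.ip_address(p) for p in parts[1:])
    except ValueError as exc:
        return [f"bad address: {exc}"]
    problems = []
    if ip not in net or ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is not a usable host in {net}")
    if topology == "subnet":
        # subnet: the second argument is the netmask of the VPN network
        if second != net.netmask:
            problems.append(f"{second} is not the netmask {net.netmask}")
    elif topology == "net30":
        # net30: the second argument is the peer endpoint; Windows TAP
        # clients need both endpoints to be the two hosts of one /30
        block = ipaddress.ip_network(f"{ip}/30", strict=False)
        if {ip, second} != set(block.hosts()):
            problems.append(f"{ip} and {second} are not the host pair of {block}")
    else:
        problems.append(f"unhandled topology {topology!r}")
    return problems

def pool_collisions(ccd, pool_first, pool_last):
    """Names whose static address lies inside the dynamic pool range."""
    lo, hi = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    hits = []
    for name, line in ccd.items():
        parts = line.split()
        if len(parts) == 3 and lo <= ipaddress.ip_address(parts[1]) <= hi:
            hits.append(name)
    return sorted(hits)

# Constructed sample ccd entries (client names are hypothetical)
CCD = {
    "linuxbox": "ifconfig-push 10.8.0.6 10.8.0.0",
    "xplaptop": "ifconfig-push 10.8.0.10 10.8.0.9",
    "fixed": "ifconfig-push 10.8.0.6 255.255.255.0",
}

if __name__ == "__main__":
    for topo in ("net30", "subnet"):
        for name, line in CCD.items():
            print(topo, name, check_push(topo, "10.8.0.0/24", line) or "ok")
    # Pool range is an assumed input; use the range your server hands out
    print("in pool:", pool_collisions(CCD, "10.8.0.4", "10.8.0.251"))
```

Any name reported by `pool_collisions` can be handed to another client while its owner is offline, which is the 10.8.0.6 conflict described in the thread.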
