OpenVPN Support Forum

Dear Friends
I have an OpenVPN server running on FreeBSD 8.0 in bridge mode serving Windows clients. My DHCP lease which was given out for one year has been resolved, thanks to Janjust.
This problem was there all the while, however I dint mention it in my last question since it was not related.

The issue is this

1: All Windows XP clients are able to logon to OpenVPN using either a Wired home DSL connection or a Datacard. All applications works too.

2: A Windows 7 Home edition I tested using my Wired home DSL connection works perfectly fine too.

3: But all Windows 7 users at office using Datacard are getting connected, receiving an IP address from OpenVPN, but are unable to communicate to either their Default Gateway (the OpenVPN Server) or any other machines behind the Gateway.

Multiple Datacards from different ISPs were tested on the Windows 7 machines, but the results are the same. No Ping or other form of communication. These very same Datacards works perfectly fine on XP Laptops.
What do you think the problem could be, since most users are moving to Windows 7, I would require this to start working on Windows 7 too.


Thanks
Blue

Can you elaborate what you mean by datacards?

Also output of route print on the clients with the issue would be helpful, as well as your server and client configs.

Hi George
The datacards are simply those Pen drive sized USB plug and play devices that has a Mobile SIM card and an inbuilt modem to give you Internet access.

My Server.conf file contains these lines

-------------------------------------------

port 1194
proto tcp
dev tap

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/<Firewall Name>.crt
key /etc/openvpn/keys/<Firewall Name>.key
dh /etc/openvpn/keys/dh1024.pem

plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/openldap/ldap.conf

ifconfig-pool-persist ipp.txt

server-bridge 10.10.108.1 255.255.240.0 10.10.108.201 10.10.108.210
push "route 10.10.108.0 255.255.240.0"
push "redirect-gateway"
push "dhcp-option DNS <Primary DNS>"
push "dhcp-option DNS <Secondary DNS>"
push "ip-win32 dynamic 0 3600"

client-to-client

keepalive 10 120
comp-lzo

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

verb 3
-------------------------------------------

My Client config file contains these lines

-------------------------------------------
client
dev tap
proto tcp
remote <OpenVPN Server Public IP>
persist-key
persist-tun
ca ca.crt
cert <client-name.crt>
key <client-name.key>
auth-user-pass
comp-lzo
verb 3
-------------------------------------------

My machine is an XP, therefore I have requested someone else with Windows 7 to give me those route print outputs. I will post it as soon as I have them.


Thanks
Blue

Please post the "route print" output when the client connected via datacard, and also the log file of the client.

Dear Friends
Apologise for the late reply, I was trying to look up the logs myself to see if I could make something off it.

I tried doing a comparision between the XP and Windows 7 machines and here are the findings. The route addition part is where its failing on Windows 7.

-------------------
On Windows 7
Tue Dec 13 17:16:41 2011 C:\Windows\system32\route.exe ADD <Public IP A.B.C.D> MASK 255.255.255.255 <Default Gateway W.X.Y.Z>
Tue Dec 13 17:16:41 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=40 and dwForwardType=4
Tue Dec 13 17:16:41 2011 Route addition via IPAPI succeeded [adaptive]
Tue Dec 13 17:16:41 2011 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 <Default Gateway W.X.Y.Z>
Tue Dec 13 17:16:41 2011 Route deletion via IPAPI succeeded [adaptive]
Tue Dec 13 17:16:41 2011 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.10.108.1
Tue Dec 13 17:16:41 2011 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [status=160 if_index=17]
Tue Dec 13 17:16:41 2011 Route addition via IPAPI failed [adaptive]
Tue Dec 13 17:16:41 2011 Route addition fallback to route.exe
OK!


On Windows XP

Tue Dec 13 16:55:07 2011 C:\WINDOWS\system32\route.exe ADD <Public IP A.B.C.D> MASK 255.255.255.255 <Default Gateway W.X.Y.Z>
Tue Dec 13 16:55:07 2011 Route addition via IPAPI succeeded [adaptive]
Tue Dec 13 16:55:07 2011 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 <Default Gateway W.X.Y.Z>
Tue Dec 13 16:55:07 2011 Route deletion via IPAPI succeeded [adaptive]
Tue Dec 13 16:55:07 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.10.108.1
Tue Dec 13 16:55:07 2011 Route addition via IPAPI succeeded [adaptive]
-------------------

I found some probable solutions from the forum itself which suggested adding these two lines into the Windows 7's config file

route-method exe
route-delay 5 30

I put these lines in the Windows 7 config file and tried again. This time there's a small change in the log, but still the results are the same. I am able to ping the Default Gateway anyway, i.e. 10.10.108.1, but nothing behind it.

Log after adding route statements

-----------------------

Thu Dec 15 15:25:44 2011 C:\Windows\system32\route.exe ADD <Public IP A.B.C.D> MASK 255.255.255.255 <Default Gateway W.X.Y.Z>
The route addition failed: The object already exists.

Thu Dec 15 15:25:44 2011 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 <Default Gateway W.X.Y.Z>
The route deletion failed: Element not found.

Thu Dec 15 15:25:44 2011 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.10.108.1
OK!
Thu Dec 15 15:25:44 2011 MANAGEMENT: >STATE:1323942944,ADD_ROUTES,,,
Thu Dec 15 15:25:44 2011 C:\Windows\system32\route.exe ADD 10.10.108.0 MASK 255.255.240.0 10.10.108.1
The route addition failed: The parameter is incorrect.

--------------------------

C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.10.108.1

You have to update to the latest version of OpenVPN. This type of routing redirect is not used in current versions.

Hi Mimiko
You mean I should update the OpenVPN on the Server side to the latest or the client?

Also, sorry if this sounds silly, that route-method and route-delay statements are currently in the client config files, do they have to be present in the Server config as well...?

Thanks
Blue

You mean I should update the OpenVPN on the Server side to the latest or the client?

On both sides will be better.
Also route-method and route-delay may be used on server as well (if it is on windows).

Hi Mimiko
Okay, I will get this updated and keep you posted on the results.

The OpenVPN on the Server side is on FreeBSD 8.0 and the currently installed version was from the ports collection and shows as "openvpn-2.0.6_9". I suppose I should be using OpenVPN 2.2.1.

Thanks and will come back quickly


Blue

Hi Mimiko
Sorry for deviating from the main subject, but in line with the upgradation, I am running into a lot of rough weather. I downloaded OpenVPN 2.2.1 and was trying to compile it when it gave me errors stating lzo headers and library files are not found.
Although there was an option to disable lzo, I read that they are used for high speed compression and saves Bandwidth, therefore I downloded and installed the lzo 1.08 version and used the "./configure --with-lzo-header=/usr/local/include/lzo --with-lzo-lib=/usr/local/lib" which resolved the error during compilation. However during "make" it fails with the following error.
---------------------
In file included from lzo/lzo1x.h:39,
from lzo.h:32,
from options.h:42,
from ssl.h:45,
from ps.h:32,
from error.c:37:
/usr/include/lzoconf.h:433: error: conflicting types for '__lzo_pu_u'
/usr/include/lzo/lzoconf.h:362: error: previous declaration of '__lzo_pu_u' was here
/usr/include/lzoconf.h:434: error: conflicting types for '__lzo_pu32_u'
/usr/include/lzo/lzoconf.h:363: error: previous declaration of '__lzo_pu32_u' was here
/usr/include/lzoconf.h:435: error: conflicting types for 'lzo_align_t'
/usr/include/lzo/lzoconf.h:364: error: previous declaration of 'lzo_align_t' was here
*** Error code 1

Stop in /usr/local/etc/openvpn.
*** Error code 1

Stop in /usr/local/etc/openvpn.
*** Error code 1

Stop in /usr/local/etc/openvpn.
---------------------
There's not much information on how to resolve this issue, although some say its because of different versions installed. I checked my pkg_info and found lzo 2.0 installed and removed it, however the make stops again with the same error and I am struck. Kindly help.


Thanks, Blue

Hi Mimiko and Team
I was able to get past the above mentioned problem relating to lzo in the following way. I learnt openvpn requires lzo 1.08 which I had earlier downloaded and installed, however in my case i.e. on FreeBSD 8.0, I noticed that the header files were installed into /usr/local/include/lzo and Library files into /usr/local/lib.
I had earlier tried to provide these paths in the form of ./configuire --with-lzo-header=/usr/local/include/lzo --with-lzo-lib=/usr/local/lib however during the "make" it threw up the errors mentioned above.

FreeBSD was looking for them in /usr/include/lzo and /usr/lib respectively. I therefore copied the lzo directory from where it was installed to /usr/include/ and the library files to /usr/lib. That's it, the make and make install went well.

I will keep you posted on the primary error of route once I am through with configuring the new version.


Thanks, Blue

Hi Mimiko and Team
I've got the OpenVPN 2.2 running, although I've not been able to check the Windows 7 route problem yet, I've a smaller problem on hand.

The OpenVPN simply does not start upon reboot. As mentioned earlier, I am running it on FreeBSD 8.0 and I have these lines in my /etc/rc.conf file

openvpn_enable="YES"
openvpn_configfile="/etc/openvpn/server.conf"
openvpn_flags="--script-security 3"
openvpn_if="tap"

When I start it manually by either using "openvpn --config /etc/openvpn/server.conf", it starts up perfectly fine. Any idea why it won't start automatically...?

My File permissions are set to

-rw-rw-r-- 1 root wheel 10242 Dec 28 22:52 /etc/openvpn/server.conf


Thanks, Blue

Check startup logs, to find why it is not starting.

Hi Mimiko
My /var/log/openvpn.log file is actually not showing anything, matter of fact I had checked this file before posting the message.
All error messages are corresponding to the days before I uninstalled OpenVPN 2.0. There was just one error message corresponding to Dec 27 2011 which stated, it cannot read the ldap.conf file, which has been corrected.

Am I looking at the right file...? If yes, why is it not logging anything... A Manual start as I mentioned earlier works, but I found the log file is not logging anything from the manual start either.


Thanks, Blue

I mean look in systems log about start up problems of services.

Dear Mimiko
I've checked all possible logs, but there's simply no mention of anything that's wrong. When I check the running process, there's simply no OpenVPN.

Oh! There's good news however on the primary problem of Windows 7 connectivity. We checked with one Windows 7 machine at office which was earlier not working, but after this upgrade, it works perfectly fine. All applications are communicating perfectly! Thanks to you.

Take a look at the logs now...

-------------------------------
Mon Jan 02 16:56:49 2012 C:\Windows\system32\route.exe ADD <Public IP A.B.C.D> MASK 255.255.255.255 <Default Gateway W.X.Y.Z>
Mon Jan 02 16:56:49 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=40 and dwForwardType=4
Mon Jan 02 16:56:49 2012 Route addition via IPAPI succeeded [adaptive]
Mon Jan 02 16:56:49 2012 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 115.184.20.83
Mon Jan 02 16:56:49 2012 Route deletion via IPAPI succeeded [adaptive]
Mon Jan 02 16:56:49 2012 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.10.108.1
Mon Jan 02 16:56:49 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Jan 02 16:56:49 2012 Route addition via IPAPI succeeded [adaptive]
-------------------------------

The only minor issues remains is to start it automatically. Please ask for any inputs you may require...


Thanks, Blue

I had a very similar issue this past fall- I updated OpenVPN and updated my Win7 cxn's and it fixed it. My IT guy called it an "IP conflict" for DAAAAYS before it magically fixed itself.

I actually got like this problem. My OS in my personal computer is Windows 7 and I use to have OpenVPN, when I'm about to connect it I got several errors like blueaquan experienced. I actually stumbled across here finding some solutions about it, thanks to following information and solution.

blueaquan wrote:The only minor issues remains is to start it automatically.

Any system has a general system log, where it writes info, warning and error messages. It also have messages about starting other services, so it must have some mention about openVPN service.