[resolved] ICMP Redirect /Internet traffic via OpenVPN

Post by sidplayos2 » Mon Dec 12, 2011 10:17 am

Hi,

The goal I am trying to achieve is for the client to be able to route ALL traffic including internet traffic over the VPN.

Network Details

Code: Select all

DLink 624 Router connected to Internet (10.11.12.254 LAN IP/a.b.c.d Internet/Public WAN IP) (This is the Gateway for LAN)
Internal LAN Subnet	10.11.12.0/24

Laptop (10.9.0.1) --- VPN Tunnel --- OpenVPN Server(10.8.0.1/10.11.12.250) --- DLINK (10.11.12.254/a.b.c.d Public WAN IP) --- INTERNET

I have successfully set up OpenVPN and am able to connect/ping from the client to all LAN clients across the VPN, map shares etc. However I am unable to ping any internet addresses, even by IP (been testing with 8.8.8.8 to take any DNS out of the equation). I have configured the server with the "redirect-gateway def1" option to force all traffic through the VPN tunnel, as well as enabling IP Forwarding on the OpenVPN Server host.

Traceroute from client (10.9.0.1)

Code: Select all

Tracing route to 8.8.8.8 over a maximum of 30 hops
  1   136 ms    99 ms    99 ms  RAID-1 [10.8.0.1]
  2   139 ms    99 ms    99 ms  10.11.12.254		<--- Reaches DLINK Router OK
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Wireshark from client (10.9.0.1)

Code: Select all

4	18:38:35.031928	10.9.0.1	8.8.8.8	ICMP	Echo (ping) request
	Ethernet II, Src: 00:ff:10:d1:cd:18 (00:ff:10:d1:cd:18), Dst: 00:ff:11:d1:cd:18 (00:ff:11:d1:cd:18)
	Internet Protocol, Src: 10.9.0.1 (10.9.0.1), Dst: 8.8.8.8 (8.8.8.8)
	
5	18:38:35.559574	10.11.12.254	10.9.0.1	ICMP	Redirect (Redirect for host)
	Ethernet II, Src: 00:ff:11:d1:cd:18 (00:ff:11:d1:cd:18), Dst: 00:ff:10:d1:cd:18 (00:ff:10:d1:cd:18)
	Internet Protocol, Src: 10.11.12.254 (10.11.12.254), Dst: 10.9.0.1 (10.9.0.1)
	Internet Control Message Protocol
		Type: 5 (Redirect)
		Code: 1 (Redirect for host)
		Gateway address: a.b.c.d (a.b.c.d)   <---- I think this is the problem,
                                           DLINK(10.11.12.254) is telling to use the Public Internet IP?

Traceroute from server (10.11.12.250)

Code: Select all

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  10.11.12.254
  2     *        *        *     Request timed out.
  3   130 ms   115 ms   118 ms  z.y.x.w.static.exetel.com.au [w.x.y.z]
  4    64 ms    34 ms    29 ms  as15169.sydney.pipenetworks.com [218.100.2.98]
  5    34 ms    34 ms    32 ms  66.249.95.226
  6   138 ms   156 ms   158 ms  66.249.95.235
  7    96 ms   110 ms   120 ms  72.14.237.21
  8   119 ms   101 ms   119 ms  google-public-dns-a.google.com [8.8.8.8]

Wireshark from server (10.11.12.250)

Code: Select all

1	0.000000	10.9.0.1	8.8.8.8	ICMP	Echo (ping) request
	Ethernet II, Src: 00:ff:0a:8f:84:8b (00:ff:0a:8f:84:8b), Dst: 00:ff:09:8f:84:8b (00:ff:09:8f:84:8b)
	Internet Protocol, Src: 10.9.0.1 (10.9.0.1), Dst: 8.8.8.8 (8.8.8.8)

4	0.000431	10.11.12.254	10.9.0.1	ICMP	Redirect (Redirect for host)
	Ethernet II, Src: 00:ff:09:8f:84:8b (00:ff:09:8f:84:8b), Dst: 00:ff:0a:8f:84:8b (00:ff:0a:8f:84:8b)
	Internet Protocol, Src: 10.11.12.254 (10.11.12.254), Dst: 10.9.0.1 (10.9.0.1)
	Internet Control Message Protocol
		Type: 5 (Redirect)
		Code: 1 (Redirect for host)
		Gateway address: a.b.c.d (a.b.c.d)	<---- I think this is the problem,
                                           DLINK(10.11.12.254) is telling to use the Public Internet IP?

At first I thought it was some routing table issue, but now, after running the Wireshark traces above on the TAP interface at the client, I can see that a response is actually coming back over the VPN to the client; however, it is an "ICMP Redirect (For Host)" message, not an "ICMP echo reply" message.

Now I am no networking expert, but from the searching I have done this seems to basically be a message from a gateway saying "Hey I found a better path for you to route these packets". The better path it is offering however is my external public facing IP (a.b.c.d), which the client is not going to be able to route to. So now I am a bit confused where to go from here. I have read that the ICMP Redirects can be disabled on Windows in the registry but I am not sure what effect this will have on other network functions and if it is advisable or not? Plus I can see the source is the DLINK Router (10.11.12.254) so I am not sure that will help anyway.

OpenVPN Server Details

Code: Select all

Windows 2003 Server x64 SP2 running OpenVPN 2.2.1 , IP 10.11.12.250

Ethernet adapter Local Area Connection 3:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-09-8F-84-8B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.8.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . : 10.11.12.254
   DHCP Server . . . . . . . . . . . : 10.8.0.2
   Lease Obtained. . . . . . . . . . : Monday, 12 December 2011 6:32:56 PM
   Lease Expires . . . . . . . . . . : Tuesday, 11 December 2012 6:32:56 PM

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR8131 PCI-E Gigabit Ethernet Controller
   Physical Address. . . . . . . . . : 90-E6-BA-A8-66-D8
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.11.12.250
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.11.12.254
   DNS Servers . . . . . . . . . . . : 10.11.12.254

Server Routes BEFORE OpenVPN Started

Code: Select all

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.11.12.254     10.11.12.250     20
       10.11.12.0    255.255.255.0     10.11.12.250     10.11.12.250     20
     10.11.12.250  255.255.255.255        127.0.0.1        127.0.0.1     20
   10.255.255.255  255.255.255.255     10.11.12.250     10.11.12.250     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
    192.168.142.0    255.255.255.0    192.168.142.1    192.168.142.1     20
    192.168.142.1  255.255.255.255        127.0.0.1        127.0.0.1     20
  192.168.142.255  255.255.255.255    192.168.142.1    192.168.142.1     20
        224.0.0.0        240.0.0.0     10.11.12.250     10.11.12.250     20
        224.0.0.0        240.0.0.0    192.168.142.1    192.168.142.1     20
  255.255.255.255  255.255.255.255     10.11.12.250     10.11.12.250      1
  255.255.255.255  255.255.255.255     10.11.12.250                3      1
  255.255.255.255  255.255.255.255    192.168.142.1    192.168.142.1      1
Default Gateway:      10.11.12.254

Server Routes AFTER OpenVPN Started

Code: Select all

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.11.12.254         10.8.0.1     30
          0.0.0.0          0.0.0.0     10.11.12.254     10.11.12.250     20
         10.8.0.0  255.255.255.252         10.8.0.1         10.8.0.1     30
         10.8.0.0    255.255.255.0         10.8.0.2         10.8.0.1      1
         10.8.0.1  255.255.255.255        127.0.0.1        127.0.0.1     30
         10.9.0.0    255.255.255.0         10.8.0.2         10.8.0.1      1
       10.11.12.0    255.255.255.0     10.11.12.250     10.11.12.250     20
     10.11.12.250  255.255.255.255        127.0.0.1        127.0.0.1     20
   10.255.255.255  255.255.255.255         10.8.0.1         10.8.0.1     30
   10.255.255.255  255.255.255.255     10.11.12.250     10.11.12.250     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
    192.168.142.0    255.255.255.0    192.168.142.1    192.168.142.1     20
    192.168.142.1  255.255.255.255        127.0.0.1        127.0.0.1     20
  192.168.142.255  255.255.255.255    192.168.142.1    192.168.142.1     20
        224.0.0.0        240.0.0.0         10.8.0.1         10.8.0.1     30
        224.0.0.0        240.0.0.0     10.11.12.250     10.11.12.250     20
        224.0.0.0        240.0.0.0    192.168.142.1    192.168.142.1     20
  255.255.255.255  255.255.255.255         10.8.0.1         10.8.0.1      1
  255.255.255.255  255.255.255.255     10.11.12.250     10.11.12.250      1
  255.255.255.255  255.255.255.255    192.168.142.1    192.168.142.1      1
Default Gateway:      10.11.12.254

server.ovpn

Code: Select all

local 10.11.12.250
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.11.12.0 255.255.255.0"
client-config-dir ccd
route 10.9.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.11.12.254"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

ccd file

Code: Select all

ifconfig-push 10.9.0.1 10.9.0.2

Client Details

Code: Select all

Windows 2003 Server x64 SP2 running OpenVPN 2.2.1

PPP adapter Telstra.DataPack:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.106.8.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 10.106.8.15
   DNS Servers . . . . . . . . . . . : 10.4.176.234
                                       10.4.85.138
   NetBIOS over Tcpip. . . . . . . . : Disabled

Client Routes BEFORE OpenVPN Connection

Code: Select all

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.106.8.15      10.106.8.15      1
      10.106.8.15  255.255.255.255        127.0.0.1        127.0.0.1     50
   10.255.255.255  255.255.255.255      10.106.8.15      10.106.8.15     50
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        224.0.0.0        240.0.0.0      10.106.8.15      10.106.8.15      1
  255.255.255.255  255.255.255.255      10.106.8.15                6      1
  255.255.255.255  255.255.255.255      10.106.8.15                3      1
  255.255.255.255  255.255.255.255      10.106.8.15            10008      1
  255.255.255.255  255.255.255.255      10.106.8.15                2      1
  255.255.255.255  255.255.255.255      10.106.8.15      10.106.8.15      1
Default Gateway:       10.106.8.15

Client Routes AFTER OpenVPN Connection

Code: Select all

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0        128.0.0.0         10.9.0.2         10.9.0.1      1
          0.0.0.0          0.0.0.0      10.106.8.15      10.106.8.15      1
         10.8.0.1  255.255.255.255         10.9.0.2         10.9.0.1      1
         10.9.0.0  255.255.255.252         10.9.0.1         10.9.0.1     30
         10.9.0.1  255.255.255.255        127.0.0.1        127.0.0.1     30
       10.11.12.0    255.255.255.0         10.9.0.2         10.9.0.1      1
      10.106.8.15  255.255.255.255        127.0.0.1        127.0.0.1     50
   10.255.255.255  255.255.255.255         10.9.0.1         10.9.0.1     30
   10.255.255.255  255.255.255.255      10.106.8.15      10.106.8.15     50
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        128.0.0.0        128.0.0.0         10.9.0.2         10.9.0.1      1
   	a.b.c.d	   255.255.255.255      10.106.8.15      10.106.8.15      1   <---- This is my Public IP (a.b.c.d)
        224.0.0.0        240.0.0.0         10.9.0.1         10.9.0.1     30
        224.0.0.0        240.0.0.0      10.106.8.15      10.106.8.15      1
  255.255.255.255  255.255.255.255         10.9.0.1         10.9.0.1      1
  255.255.255.255  255.255.255.255      10.106.8.15            10008      1
  255.255.255.255  255.255.255.255      10.106.8.15                2      1
  255.255.255.255  255.255.255.255      10.106.8.15      10.106.8.15      1
  255.255.255.255  255.255.255.255      10.106.8.15                3      1
Default Gateway:          10.9.0.2

client.ovpn

Code: Select all

client
dev tun
proto tcp
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 4

I can't see any option in the router about disabling ICMP Redirects, although I'm not sure that is what will fix the issue anyway. Any help will be appreciated. :D
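The redirect captured in the post above can be checked against the host rule in RFC 1122 section 3.2.2.2, which says a redirect should be silently discarded when the new gateway is not on the connected network it arrived through, or when the sender is not the current first hop for that destination. The following is an added example, not part of the original post: it builds the same type 5 / code 1 message from constructed bytes, parses it, and lists the reasons the client would discard it. The address 203.0.113.10 stands in for the masked a.b.c.d, and all function names are the example's own.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 128,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(router: str, host: str, new_gateway: str,
                   orig_dst: str, code: int = 1) -> bytes:
    """Constructed sample: redirect from router to host about host's ping to orig_dst."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    echo = echo[:2] + struct.pack("!H", inet_checksum(echo)) + echo[4:]
    quoted = ipv4_header(host, orig_dst, len(echo)) + echo  # IP header + 8 bytes
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + quoted
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(router, host, len(body)) + body


def parse_redirect(packet: bytes) -> dict:
    """Parse an IPv4 packet carrying an ICMP Redirect; raise ValueError otherwise."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP redirect")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp[0] != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect")
    quoted = icmp[8:]
    return {
        "source": ipaddress.IPv4Address(packet[12:16]),
        "target": ipaddress.IPv4Address(packet[16:20]),
        "code": icmp[1],
        "gateway": ipaddress.IPv4Address(icmp[4:8]),
        "quoted_src": ipaddress.IPv4Address(quoted[12:16]),
        "quoted_dst": ipaddress.IPv4Address(quoted[16:20]),
    }


def discard_reasons(redirect: dict, iface: str, first_hop: str) -> list:
    """Return why a host should ignore this redirect (empty list = acceptable)."""
    interface = ipaddress.ip_interface(iface)
    reasons = []
    # RFC 1122 3.2.2.2: new gateway must be on the network the redirect arrived on.
    if redirect["gateway"] not in interface.network:
        reasons.append("new gateway is not on the connected network")
    # RFC 1122 3.2.2.2: sender must be the current first hop for the destination.
    if redirect["source"] != ipaddress.ip_address(first_hop):
        reasons.append("sender is not the current first-hop gateway")
    # Extra sanity check (this example's assumption): the quoted packet is ours.
    if redirect["quoted_src"] != interface.ip:
        reasons.append("quoted datagram was not sent by this host")
    return reasons


# The redirect from the post: 10.11.12.254 -> 10.9.0.1, gateway a.b.c.d
# (203.0.113.10 is a placeholder for the masked public IP).
PAGE_REDIRECT = build_redirect("10.11.12.254", "10.9.0.1", "203.0.113.10", "8.8.8.8")
# Constructed contrast case: an on-link redirect a LAN host could accept.
LAN_REDIRECT = build_redirect("10.11.12.254", "10.11.12.250", "10.11.12.1", "8.8.8.8")

if __name__ == "__main__":
    # Client tun interface and first hop taken from the client route table.
    parsed = parse_redirect(PAGE_REDIRECT)
    print(parsed["gateway"], discard_reasons(parsed, "10.9.0.1/30", "10.9.0.2"))
    print(discard_reasons(parse_redirect(LAN_REDIRECT), "10.11.12.250/24", "10.11.12.254"))
```
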

Re: ICMP Redirect (For Host)/Internet traffic via OpenVPN

Post by janjust » Mon Dec 12, 2011 11:39 am

the CCD file
ifconfig-push 10.9.0.1 10.9.0.2
is screwing things up - do you need it? does it work without the CCD file?


Re: ICMP Redirect (For Host)/Internet traffic via OpenVPN

Post by sidplayos2 » Mon Dec 12, 2011 9:56 pm

Hi janjust thanks for the reply.

Unfortunately it does not work when I removed the CCD options from the server config, and I get the same result, except that now my VPN IP is 10.8.0.6. Otherwise there is no difference. I also get the same in wireshark on the client interface, ICMP Redirect for Host with my public IP a.b.c.d as the suggested new gateway.

Traceroute

Code: Select all

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1   236 ms    43 ms    43 ms  RAID-1 [10.8.0.1]
  2    44 ms    43 ms    43 ms  10.11.12.254
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Here are the logs of the server and client with ccd removed. Any other tests I can perform?

server.log

Code: Select all

Tue Dec 13 08:30:26 2011 us=656000 Current Parameter Settings:
Tue Dec 13 08:30:26 2011 us=656000   config = 'server.ovpn'
Tue Dec 13 08:30:26 2011 us=656000   mode = 1
Tue Dec 13 08:30:26 2011 us=656000   show_ciphers = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   show_digests = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   show_engines = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   genkey = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   key_pass_file = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   show_tls_ciphers = DISABLED
Tue Dec 13 08:30:26 2011 us=656000 Connection profiles [default]:
Tue Dec 13 08:30:26 2011 us=656000   proto = tcp-server
Tue Dec 13 08:30:26 2011 us=656000   local = '10.11.12.250'
Tue Dec 13 08:30:26 2011 us=656000   local_port = 1194
Tue Dec 13 08:30:26 2011 us=656000   remote = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   remote_port = 1194
Tue Dec 13 08:30:26 2011 us=656000   remote_float = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   bind_defined = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   bind_local = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   connect_retry_seconds = 5
Tue Dec 13 08:30:26 2011 us=656000   connect_timeout = 10
Tue Dec 13 08:30:26 2011 us=656000   connect_retry_max = 0
Tue Dec 13 08:30:26 2011 us=656000   socks_proxy_server = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   socks_proxy_port = 0
Tue Dec 13 08:30:26 2011 us=656000   socks_proxy_retry = DISABLED
Tue Dec 13 08:30:26 2011 us=656000 Connection profiles END
Tue Dec 13 08:30:26 2011 us=656000   remote_random = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   ipchange = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   dev = 'tun'
Tue Dec 13 08:30:26 2011 us=656000   dev_type = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   dev_node = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   lladdr = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   topology = 1
Tue Dec 13 08:30:26 2011 us=656000   tun_ipv6 = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   ifconfig_local = '10.8.0.1'
Tue Dec 13 08:30:26 2011 us=656000   ifconfig_remote_netmask = '10.8.0.2'
Tue Dec 13 08:30:26 2011 us=656000   ifconfig_noexec = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   ifconfig_nowarn = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   shaper = 0
Tue Dec 13 08:30:26 2011 us=656000   tun_mtu = 1500
Tue Dec 13 08:30:26 2011 us=656000   tun_mtu_defined = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   link_mtu = 1500
Tue Dec 13 08:30:26 2011 us=656000   link_mtu_defined = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   tun_mtu_extra = 0
Tue Dec 13 08:30:26 2011 us=656000   tun_mtu_extra_defined = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   fragment = 0
Tue Dec 13 08:30:26 2011 us=656000   mtu_discover_type = -1
Tue Dec 13 08:30:26 2011 us=656000   mtu_test = 0
Tue Dec 13 08:30:26 2011 us=656000   mlock = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   keepalive_ping = 10
Tue Dec 13 08:30:26 2011 us=656000   keepalive_timeout = 120
Tue Dec 13 08:30:26 2011 us=656000   inactivity_timeout = 0
Tue Dec 13 08:30:26 2011 us=656000   ping_send_timeout = 10
Tue Dec 13 08:30:26 2011 us=656000   ping_rec_timeout = 240
Tue Dec 13 08:30:26 2011 us=656000   ping_rec_timeout_action = 2
Tue Dec 13 08:30:26 2011 us=656000   ping_timer_remote = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   remap_sigusr1 = 0
Tue Dec 13 08:30:26 2011 us=656000   explicit_exit_notification = 0
Tue Dec 13 08:30:26 2011 us=656000   persist_tun = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   persist_local_ip = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   persist_remote_ip = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   persist_key = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   mssfix = 1450
Tue Dec 13 08:30:26 2011 us=656000   resolve_retry_seconds = 1000000000
Tue Dec 13 08:30:26 2011 us=656000   username = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   groupname = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   chroot_dir = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   cd_dir = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   writepid = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   up_script = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   down_script = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   down_pre = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   up_restart = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   up_delay = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   daemon = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   inetd = 0
Tue Dec 13 08:30:26 2011 us=656000   log = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   suppress_timestamps = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   nice = 0
Tue Dec 13 08:30:26 2011 us=656000   verbosity = 4
Tue Dec 13 08:30:26 2011 us=656000   mute = 0
Tue Dec 13 08:30:26 2011 us=656000   gremlin = 0
Tue Dec 13 08:30:26 2011 us=656000   status_file = 'openvpn-status.log'
Tue Dec 13 08:30:26 2011 us=656000   status_file_version = 1
Tue Dec 13 08:30:26 2011 us=656000   status_file_update_freq = 60
Tue Dec 13 08:30:26 2011 us=656000   occ = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   rcvbuf = 0
Tue Dec 13 08:30:26 2011 us=656000   sndbuf = 0
Tue Dec 13 08:30:26 2011 us=656000   sockflags = 0
Tue Dec 13 08:30:26 2011 us=656000   fast_io = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   lzo = 7
Tue Dec 13 08:30:26 2011 us=656000   route_script = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   route_default_gateway = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   route_default_metric = 0
Tue Dec 13 08:30:26 2011 us=656000   route_noexec = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   route_delay = 0
Tue Dec 13 08:30:26 2011 us=656000   route_delay_window = 30
Tue Dec 13 08:30:26 2011 us=656000   route_delay_defined = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   route_nopull = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   route_gateway_via_dhcp = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   max_routes = 100
Tue Dec 13 08:30:26 2011 us=656000   allow_pull_fqdn = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   route 10.8.0.0/255.255.255.0/nil/nil
Tue Dec 13 08:30:26 2011 us=656000   management_addr = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   management_port = 0
Tue Dec 13 08:30:26 2011 us=656000   management_user_pass = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   management_log_history_cache = 250
Tue Dec 13 08:30:26 2011 us=656000   management_echo_buffer_size = 100
Tue Dec 13 08:30:26 2011 us=656000   management_write_peer_info_file = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   management_client_user = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   management_client_group = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   management_flags = 0
Tue Dec 13 08:30:26 2011 us=656000   shared_secret_file = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   key_direction = 0
Tue Dec 13 08:30:26 2011 us=656000   ciphername_defined = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   ciphername = 'BF-CBC'
Tue Dec 13 08:30:26 2011 us=656000   authname_defined = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   authname = 'SHA1'
Tue Dec 13 08:30:26 2011 us=656000   prng_hash = 'SHA1'
Tue Dec 13 08:30:26 2011 us=656000   prng_nonce_secret_len = 16
Tue Dec 13 08:30:26 2011 us=656000   keysize = 0
Tue Dec 13 08:30:26 2011 us=656000   engine = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   replay = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   mute_replay_warnings = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   replay_window = 64
Tue Dec 13 08:30:26 2011 us=656000   replay_time = 15
Tue Dec 13 08:30:26 2011 us=656000   packet_id_file = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   use_iv = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   test_crypto = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   tls_server = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   tls_client = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   key_method = 2
Tue Dec 13 08:30:26 2011 us=656000   ca_file = 'ca.crt'
Tue Dec 13 08:30:26 2011 us=656000   ca_path = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   dh_file = 'dh1024.pem'
Tue Dec 13 08:30:26 2011 us=656000   cert_file = 'server.crt'
Tue Dec 13 08:30:26 2011 us=656000   priv_key_file = 'server.key'
Tue Dec 13 08:30:26 2011 us=656000   pkcs12_file = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   cryptoapi_cert = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   cipher_list = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   tls_verify = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   tls_export_cert = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   tls_remote = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   crl_file = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   ns_cert_type = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_ku[i] = 0
Tue Dec 13 08:30:26 2011 us=656000   remote_cert_eku = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   tls_timeout = 2
Tue Dec 13 08:30:26 2011 us=656000   renegotiate_bytes = 0
Tue Dec 13 08:30:26 2011 us=656000   renegotiate_packets = 0
Tue Dec 13 08:30:26 2011 us=656000   renegotiate_seconds = 3600
Tue Dec 13 08:30:26 2011 us=656000   handshake_window = 60
Tue Dec 13 08:30:26 2011 us=656000   transition_window = 3600
Tue Dec 13 08:30:26 2011 us=656000   single_session = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   push_peer_info = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   tls_exit = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   tls_auth_file = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   server_network = 10.8.0.0
Tue Dec 13 08:30:26 2011 us=656000   server_netmask = 255.255.255.0
Tue Dec 13 08:30:26 2011 us=656000   server_bridge_ip = 0.0.0.0
Tue Dec 13 08:30:26 2011 us=656000   server_bridge_netmask = 0.0.0.0
Tue Dec 13 08:30:26 2011 us=656000   server_bridge_pool_start = 0.0.0.0
Tue Dec 13 08:30:26 2011 us=656000   server_bridge_pool_end = 0.0.0.0
Tue Dec 13 08:30:26 2011 us=656000   push_entry = 'route 10.11.12.0 255.255.255.0'
Tue Dec 13 08:30:26 2011 us=656000   push_entry = 'redirect-gateway def1 bypass-dhcp'
Tue Dec 13 08:30:26 2011 us=656000   push_entry = 'dhcp-option DNS 10.11.12.254'
Tue Dec 13 08:30:26 2011 us=656000   push_entry = 'dhcp-option DNS 8.8.8.8'
Tue Dec 13 08:30:26 2011 us=656000   push_entry = 'route 10.8.0.1'
Tue Dec 13 08:30:26 2011 us=656000   push_entry = 'topology net30'
Tue Dec 13 08:30:26 2011 us=656000   push_entry = 'ping 10'
Tue Dec 13 08:30:26 2011 us=656000   push_entry = 'ping-restart 120'
Tue Dec 13 08:30:26 2011 us=656000   ifconfig_pool_defined = ENABLED
Tue Dec 13 08:30:26 2011 us=656000   ifconfig_pool_start = 10.8.0.4
Tue Dec 13 08:30:26 2011 us=656000   ifconfig_pool_end = 10.8.0.251
Tue Dec 13 08:30:26 2011 us=656000   ifconfig_pool_netmask = 0.0.0.0
Tue Dec 13 08:30:26 2011 us=656000   ifconfig_pool_persist_filename = 'ipp.txt'
Tue Dec 13 08:30:26 2011 us=656000   ifconfig_pool_persist_refresh_freq = 600
Tue Dec 13 08:30:26 2011 us=656000   n_bcast_buf = 256
Tue Dec 13 08:30:26 2011 us=656000   tcp_queue_limit = 64
Tue Dec 13 08:30:26 2011 us=656000   real_hash_size = 256
Tue Dec 13 08:30:26 2011 us=656000   virtual_hash_size = 256
Tue Dec 13 08:30:26 2011 us=656000   client_connect_script = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   learn_address_script = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   client_disconnect_script = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   client_config_dir = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   ccd_exclusive = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   tmp_dir = 'C:\WINDOWS\TEMP\'
Tue Dec 13 08:30:26 2011 us=656000   push_ifconfig_defined = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   push_ifconfig_local = 0.0.0.0
Tue Dec 13 08:30:26 2011 us=656000   push_ifconfig_remote_netmask = 0.0.0.0
Tue Dec 13 08:30:26 2011 us=656000   enable_c2c = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   duplicate_cn = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   cf_max = 0
Tue Dec 13 08:30:26 2011 us=656000   cf_per = 0
Tue Dec 13 08:30:26 2011 us=656000   max_clients = 1024
Tue Dec 13 08:30:26 2011 us=656000   max_routes_per_client = 256
Tue Dec 13 08:30:26 2011 us=656000   auth_user_pass_verify_script = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   auth_user_pass_verify_script_via_file = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   ssl_flags = 0
Tue Dec 13 08:30:26 2011 us=656000   client = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   pull = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   auth_user_pass_file = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   show_net_up = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   route_method = 0
Tue Dec 13 08:30:26 2011 us=656000   ip_win32_defined = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   ip_win32_type = 3
Tue Dec 13 08:30:26 2011 us=656000   dhcp_masq_offset = 0
Tue Dec 13 08:30:26 2011 us=656000   dhcp_lease_time = 31536000
Tue Dec 13 08:30:26 2011 us=656000   tap_sleep = 10
Tue Dec 13 08:30:26 2011 us=656000   dhcp_options = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   dhcp_renew = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   dhcp_pre_release = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   dhcp_release = DISABLED
Tue Dec 13 08:30:26 2011 us=656000   domain = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   netbios_scope = '[UNDEF]'
Tue Dec 13 08:30:26 2011 us=656000   netbios_node_type = 0
Tue Dec 13 08:30:26 2011 us=656000   disable_nbt = DISABLED
Tue Dec 13 08:30:26 2011 us=656000 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Tue Dec 13 08:30:26 2011 us=656000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 13 08:30:26 2011 us=718000 Diffie-Hellman initialized with 1024 bit key
Tue Dec 13 08:30:26 2011 us=718000 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Dec 13 08:30:26 2011 us=718000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Dec 13 08:30:26 2011 us=734000 ROUTE default_gateway=10.11.12.254
Tue Dec 13 08:30:26 2011 us=734000 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{098F848B-7EBE-45DD-AA80-98F782B848C6}.tap
Tue Dec 13 08:30:26 2011 us=734000 TAP-Win32 Driver Version 9.8 
Tue Dec 13 08:30:26 2011 us=734000 TAP-Win32 MTU=1500
Tue Dec 13 08:30:26 2011 us=734000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {098F848B-7EBE-45DD-AA80-98F782B848C6} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Tue Dec 13 08:30:26 2011 us=734000 Sleeping for 10 seconds...
Tue Dec 13 08:30:36 2011 us=734000 Successful ARP Flush on interface [2] {098F848B-7EBE-45DD-AA80-98F782B848C6}
Tue Dec 13 08:30:36 2011 us=734000 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Tue Dec 13 08:30:36 2011 us=734000 Route addition via IPAPI succeeded [adaptive]
Tue Dec 13 08:30:36 2011 us=734000 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 13 08:30:36 2011 us=734000 Listening for incoming TCP connection on 10.11.12.250:1194
Tue Dec 13 08:30:36 2011 us=734000 TCPv4_SERVER link local (bound): 10.11.12.250:1194
Tue Dec 13 08:30:36 2011 us=734000 TCPv4_SERVER link remote: [undef]
Tue Dec 13 08:30:36 2011 us=734000 MULTI: multi_init called, r=256 v=256
Tue Dec 13 08:30:36 2011 us=734000 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Dec 13 08:30:36 2011 us=734000 IFCONFIG POOL LIST
Tue Dec 13 08:30:36 2011 us=734000 pconklin,10.8.0.4
Tue Dec 13 08:30:36 2011 us=734000 MULTI: TCP INIT maxclients=60 maxevents=64
Tue Dec 13 08:30:36 2011 us=734000 Initialization Sequence Completed
Tue Dec 13 08:30:53 2011 us=359000 MULTI: multi_create_instance called
Tue Dec 13 08:30:53 2011 us=359000 Re-using SSL/TLS context
Tue Dec 13 08:30:53 2011 us=359000 LZO compression initialized
Tue Dec 13 08:30:53 2011 us=359000 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Dec 13 08:30:53 2011 us=359000 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 13 08:30:53 2011 us=359000 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Dec 13 08:30:53 2011 us=359000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Dec 13 08:30:53 2011 us=359000 Local Options hash (VER=V4): 'c0103fa8'
Tue Dec 13 08:30:53 2011 us=359000 Expected Remote Options hash (VER=V4): '69109d17'
Tue Dec 13 08:30:53 2011 us=359000 TCP connection established with 110.174.53.14:1504
Tue Dec 13 08:30:53 2011 us=359000 TCPv4_SERVER link local: [undef]
Tue Dec 13 08:30:53 2011 us=359000 TCPv4_SERVER link remote: 110.174.53.14:1504
Tue Dec 13 08:30:53 2011 us=359000 110.174.53.14:1504 TLS: Initial packet from 110.174.53.14:1504, sid=73b7657c c7534856
Tue Dec 13 08:30:55 2011 us=562000 110.174.53.14:1504 VERIFY OK: depth=1, /C=AU/ST=NSW/L=Sydney/O=Veridian_Solutions/OU=PETER-HOME/CN=OPENVPN/name=OPENVPN/emailAddress=****************
Tue Dec 13 08:30:55 2011 us=562000 110.174.53.14:1504 VERIFY OK: depth=0, /C=AU/ST=NSW/L=Sydney/O=Veridian_Solutions/OU=PETER-HOME/CN=pconklin/name=pconklin/emailAddress=******************
Tue Dec 13 08:30:56 2011 us=484000 110.174.53.14:1504 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 13 08:30:56 2011 us=484000 110.174.53.14:1504 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 13 08:30:56 2011 us=484000 110.174.53.14:1504 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 13 08:30:56 2011 us=484000 110.174.53.14:1504 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 13 08:30:57 2011 us=31000 110.174.53.14:1504 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 13 08:30:57 2011 us=31000 110.174.53.14:1504 [pconklin] Peer Connection Initiated with 110.174.53.14:1504
Tue Dec 13 08:30:57 2011 us=31000 pconklin/110.174.53.14:1504 MULTI: Learn: 10.8.0.6 -> pconklin/110.174.53.14:1504
Tue Dec 13 08:30:57 2011 us=31000 pconklin/110.174.53.14:1504 MULTI: primary virtual IP for pconklin/110.174.53.14:1504: 10.8.0.6
Tue Dec 13 08:30:59 2011 us=93000 pconklin/110.174.53.14:1504 PUSH: Received control message: 'PUSH_REQUEST'
Tue Dec 13 08:30:59 2011 us=93000 pconklin/110.174.53.14:1504 SENT CONTROL [pconklin]: 'PUSH_REPLY,route 10.11.12.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.11.12.254,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

client.log

Tue Dec 13 08:31:05 2011 us=578000 Current Parameter Settings:
Tue Dec 13 08:31:05 2011 us=578000   config = 'client.ovpn'
Tue Dec 13 08:31:05 2011 us=578000   mode = 0
Tue Dec 13 08:31:05 2011 us=578000   show_ciphers = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   show_digests = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   show_engines = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   genkey = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   key_pass_file = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   show_tls_ciphers = DISABLED
Tue Dec 13 08:31:05 2011 us=578000 Connection profiles [default]:
Tue Dec 13 08:31:05 2011 us=578000   proto = tcp-client
Tue Dec 13 08:31:05 2011 us=578000   local = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   local_port = 0
Tue Dec 13 08:31:05 2011 us=578000   remote = 'a.b.c.d'
Tue Dec 13 08:31:05 2011 us=578000   remote_port = 1194
Tue Dec 13 08:31:05 2011 us=578000   remote_float = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   bind_defined = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   bind_local = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   connect_retry_seconds = 5
Tue Dec 13 08:31:05 2011 us=578000   connect_timeout = 10
Tue Dec 13 08:31:05 2011 us=578000   connect_retry_max = 0
Tue Dec 13 08:31:05 2011 us=578000   socks_proxy_server = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   socks_proxy_port = 0
Tue Dec 13 08:31:05 2011 us=578000   socks_proxy_retry = DISABLED
Tue Dec 13 08:31:05 2011 us=578000 Connection profiles END
Tue Dec 13 08:31:05 2011 us=578000   remote_random = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   ipchange = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   dev = 'tun'
Tue Dec 13 08:31:05 2011 us=578000   dev_type = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   dev_node = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   lladdr = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   topology = 1
Tue Dec 13 08:31:05 2011 us=578000   tun_ipv6 = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   ifconfig_local = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   ifconfig_remote_netmask = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   ifconfig_noexec = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   ifconfig_nowarn = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   shaper = 0
Tue Dec 13 08:31:05 2011 us=578000   tun_mtu = 1500
Tue Dec 13 08:31:05 2011 us=578000   tun_mtu_defined = ENABLED
Tue Dec 13 08:31:05 2011 us=578000   link_mtu = 1500
Tue Dec 13 08:31:05 2011 us=578000   link_mtu_defined = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   tun_mtu_extra = 0
Tue Dec 13 08:31:05 2011 us=578000   tun_mtu_extra_defined = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   fragment = 0
Tue Dec 13 08:31:05 2011 us=578000   mtu_discover_type = -1
Tue Dec 13 08:31:05 2011 us=578000   mtu_test = 0
Tue Dec 13 08:31:05 2011 us=578000   mlock = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   keepalive_ping = 0
Tue Dec 13 08:31:05 2011 us=578000   keepalive_timeout = 0
Tue Dec 13 08:31:05 2011 us=578000   inactivity_timeout = 0
Tue Dec 13 08:31:05 2011 us=578000   ping_send_timeout = 0
Tue Dec 13 08:31:05 2011 us=578000   ping_rec_timeout = 0
Tue Dec 13 08:31:05 2011 us=578000   ping_rec_timeout_action = 0
Tue Dec 13 08:31:05 2011 us=578000   ping_timer_remote = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   remap_sigusr1 = 0
Tue Dec 13 08:31:05 2011 us=578000   explicit_exit_notification = 0
Tue Dec 13 08:31:05 2011 us=578000   persist_tun = ENABLED
Tue Dec 13 08:31:05 2011 us=578000   persist_local_ip = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   persist_remote_ip = DISABLED
Tue Dec 13 08:31:05 2011 us=578000   persist_key = ENABLED
Tue Dec 13 08:31:05 2011 us=578000   mssfix = 1450
Tue Dec 13 08:31:05 2011 us=578000   resolve_retry_seconds = 1000000000
Tue Dec 13 08:31:05 2011 us=578000   username = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   groupname = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   chroot_dir = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   cd_dir = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=578000   writepid = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=890000   up_script = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=890000   down_script = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=890000   down_pre = DISABLED
Tue Dec 13 08:31:05 2011 us=890000   up_restart = DISABLED
Tue Dec 13 08:31:05 2011 us=890000   up_delay = DISABLED
Tue Dec 13 08:31:05 2011 us=890000   daemon = DISABLED
Tue Dec 13 08:31:05 2011 us=890000   inetd = 0
Tue Dec 13 08:31:05 2011 us=890000   log = DISABLED
Tue Dec 13 08:31:05 2011 us=890000   suppress_timestamps = DISABLED
Tue Dec 13 08:31:05 2011 us=890000   nice = 0
Tue Dec 13 08:31:05 2011 us=890000   verbosity = 4
Tue Dec 13 08:31:05 2011 us=890000   mute = 0
Tue Dec 13 08:31:05 2011 us=890000   gremlin = 0
Tue Dec 13 08:31:05 2011 us=890000   status_file = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=890000   status_file_version = 1
Tue Dec 13 08:31:05 2011 us=890000   status_file_update_freq = 60
Tue Dec 13 08:31:05 2011 us=890000   occ = ENABLED
Tue Dec 13 08:31:05 2011 us=890000   rcvbuf = 0
Tue Dec 13 08:31:05 2011 us=890000   sndbuf = 0
Tue Dec 13 08:31:05 2011 us=921000   sockflags = 0
Tue Dec 13 08:31:05 2011 us=921000   fast_io = DISABLED
Tue Dec 13 08:31:05 2011 us=921000   lzo = 7
Tue Dec 13 08:31:05 2011 us=921000   route_script = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=921000   route_default_gateway = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=921000   route_default_metric = 0
Tue Dec 13 08:31:05 2011 us=921000   route_noexec = DISABLED
Tue Dec 13 08:31:05 2011 us=921000   route_delay = 5
Tue Dec 13 08:31:05 2011 us=921000   route_delay_window = 30
Tue Dec 13 08:31:05 2011 us=921000   route_delay_defined = ENABLED
Tue Dec 13 08:31:05 2011 us=921000   route_nopull = DISABLED
Tue Dec 13 08:31:05 2011 us=921000   route_gateway_via_dhcp = DISABLED
Tue Dec 13 08:31:05 2011 us=921000   max_routes = 100
Tue Dec 13 08:31:05 2011 us=921000   allow_pull_fqdn = DISABLED
Tue Dec 13 08:31:05 2011 us=921000   management_addr = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=921000   management_port = 0
Tue Dec 13 08:31:05 2011 us=921000   management_user_pass = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=921000   management_log_history_cache = 250
Tue Dec 13 08:31:05 2011 us=921000   management_echo_buffer_size = 100
Tue Dec 13 08:31:05 2011 us=921000   management_write_peer_info_file = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=921000   management_client_user = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=921000   management_client_group = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=921000   management_flags = 0
Tue Dec 13 08:31:05 2011 us=921000   shared_secret_file = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=921000   key_direction = 0
Tue Dec 13 08:31:05 2011 us=921000   ciphername_defined = ENABLED
Tue Dec 13 08:31:05 2011 us=921000   ciphername = 'BF-CBC'
Tue Dec 13 08:31:05 2011 us=921000   authname_defined = ENABLED
Tue Dec 13 08:31:05 2011 us=921000   authname = 'SHA1'
Tue Dec 13 08:31:05 2011 us=921000   prng_hash = 'SHA1'
Tue Dec 13 08:31:05 2011 us=921000   prng_nonce_secret_len = 16
Tue Dec 13 08:31:05 2011 us=921000   keysize = 0
Tue Dec 13 08:31:05 2011 us=937000   engine = DISABLED
Tue Dec 13 08:31:05 2011 us=937000   replay = ENABLED
Tue Dec 13 08:31:05 2011 us=937000   mute_replay_warnings = DISABLED
Tue Dec 13 08:31:05 2011 us=937000   replay_window = 64
Tue Dec 13 08:31:05 2011 us=937000   replay_time = 15
Tue Dec 13 08:31:05 2011 us=937000   packet_id_file = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=937000   use_iv = ENABLED
Tue Dec 13 08:31:05 2011 us=937000   test_crypto = DISABLED
Tue Dec 13 08:31:05 2011 us=937000   tls_server = DISABLED
Tue Dec 13 08:31:05 2011 us=937000   tls_client = ENABLED
Tue Dec 13 08:31:05 2011 us=937000   key_method = 2
Tue Dec 13 08:31:05 2011 us=937000   ca_file = 'ca.crt'
Tue Dec 13 08:31:05 2011 us=937000   ca_path = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=937000   dh_file = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=937000   cert_file = 'client.crt'
Tue Dec 13 08:31:05 2011 us=937000   priv_key_file = 'client.key'
Tue Dec 13 08:31:05 2011 us=937000   pkcs12_file = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=937000   cryptoapi_cert = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=937000   cipher_list = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=937000   tls_verify = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=937000   tls_export_cert = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=937000   tls_remote = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=937000   crl_file = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=937000   ns_cert_type = 64
Tue Dec 13 08:31:05 2011 us=937000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_ku[i] = 0
Tue Dec 13 08:31:05 2011 us=953000   remote_cert_eku = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=953000   tls_timeout = 2
Tue Dec 13 08:31:05 2011 us=953000   renegotiate_bytes = 0
Tue Dec 13 08:31:05 2011 us=953000   renegotiate_packets = 0
Tue Dec 13 08:31:05 2011 us=953000   renegotiate_seconds = 3600
Tue Dec 13 08:31:05 2011 us=953000   handshake_window = 60
Tue Dec 13 08:31:05 2011 us=953000   transition_window = 3600
Tue Dec 13 08:31:05 2011 us=953000   single_session = DISABLED
Tue Dec 13 08:31:05 2011 us=953000   push_peer_info = DISABLED
Tue Dec 13 08:31:05 2011 us=953000   tls_exit = DISABLED
Tue Dec 13 08:31:05 2011 us=968000   tls_auth_file = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=968000   server_network = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   server_netmask = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   server_bridge_ip = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   server_bridge_netmask = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   server_bridge_pool_start = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   server_bridge_pool_end = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   ifconfig_pool_defined = DISABLED
Tue Dec 13 08:31:05 2011 us=968000   ifconfig_pool_start = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   ifconfig_pool_end = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   ifconfig_pool_netmask = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=968000   ifconfig_pool_persist_refresh_freq = 600
Tue Dec 13 08:31:05 2011 us=968000   n_bcast_buf = 256
Tue Dec 13 08:31:05 2011 us=968000   tcp_queue_limit = 64
Tue Dec 13 08:31:05 2011 us=968000   real_hash_size = 256
Tue Dec 13 08:31:05 2011 us=968000   virtual_hash_size = 256
Tue Dec 13 08:31:05 2011 us=968000   client_connect_script = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=968000   learn_address_script = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=968000   client_disconnect_script = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=968000   client_config_dir = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=968000   ccd_exclusive = DISABLED
Tue Dec 13 08:31:05 2011 us=968000   tmp_dir = 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\'
Tue Dec 13 08:31:05 2011 us=968000   push_ifconfig_defined = DISABLED
Tue Dec 13 08:31:05 2011 us=968000   push_ifconfig_local = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   push_ifconfig_remote_netmask = 0.0.0.0
Tue Dec 13 08:31:05 2011 us=968000   enable_c2c = DISABLED
Tue Dec 13 08:31:05 2011 us=968000   duplicate_cn = DISABLED
Tue Dec 13 08:31:05 2011 us=968000   cf_max = 0
Tue Dec 13 08:31:05 2011 us=968000   cf_per = 0
Tue Dec 13 08:31:05 2011 us=968000   max_clients = 1024
Tue Dec 13 08:31:05 2011 us=968000   max_routes_per_client = 256
Tue Dec 13 08:31:05 2011 us=968000   auth_user_pass_verify_script = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=968000   auth_user_pass_verify_script_via_file = DISABLED
Tue Dec 13 08:31:05 2011 us=968000   ssl_flags = 0
Tue Dec 13 08:31:05 2011 us=968000   client = ENABLED
Tue Dec 13 08:31:05 2011 us=968000   pull = ENABLED
Tue Dec 13 08:31:05 2011 us=968000   auth_user_pass_file = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=968000   show_net_up = DISABLED
Tue Dec 13 08:31:05 2011 us=968000   route_method = 0
Tue Dec 13 08:31:05 2011 us=968000   ip_win32_defined = DISABLED
Tue Dec 13 08:31:05 2011 us=968000   ip_win32_type = 3
Tue Dec 13 08:31:05 2011 us=968000   dhcp_masq_offset = 0
Tue Dec 13 08:31:05 2011 us=968000   dhcp_lease_time = 31536000
Tue Dec 13 08:31:05 2011 us=968000   tap_sleep = 0
Tue Dec 13 08:31:05 2011 us=968000   dhcp_options = DISABLED
Tue Dec 13 08:31:05 2011 us=984000   dhcp_renew = DISABLED
Tue Dec 13 08:31:05 2011 us=984000   dhcp_pre_release = DISABLED
Tue Dec 13 08:31:05 2011 us=984000   dhcp_release = DISABLED
Tue Dec 13 08:31:05 2011 us=984000   domain = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=984000   netbios_scope = '[UNDEF]'
Tue Dec 13 08:31:05 2011 us=984000   netbios_node_type = 0
Tue Dec 13 08:31:05 2011 us=984000   disable_nbt = DISABLED
Tue Dec 13 08:31:05 2011 us=984000 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Tue Dec 13 08:31:05 2011 us=984000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 13 08:31:06 2011 us=78000 LZO compression initialized
Tue Dec 13 08:31:06 2011 us=78000 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Dec 13 08:31:06 2011 us=78000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Dec 13 08:31:06 2011 us=78000 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 13 08:31:06 2011 us=78000 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Dec 13 08:31:06 2011 us=78000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Dec 13 08:31:06 2011 us=78000 Local Options hash (VER=V4): '69109d17'
Tue Dec 13 08:31:06 2011 us=78000 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue Dec 13 08:31:06 2011 us=78000 Attempting to establish TCP connection with a.b.c.d:1194
Tue Dec 13 08:31:06 2011 us=125000 TCP connection established with a.b.c.d:1194
Tue Dec 13 08:31:06 2011 us=125000 TCPv4_CLIENT link local: [undef]
Tue Dec 13 08:31:06 2011 us=125000 TCPv4_CLIENT link remote: a.b.c.d:1194
Tue Dec 13 08:31:06 2011 us=156000 TLS: Initial packet from a.b.c.d:1194, sid=2a4749eb 14036ca9
Tue Dec 13 08:31:07 2011 us=390000 VERIFY OK: depth=1, /C=AU/ST=NSW/L=Sydney/O=Veridian_Solutions/OU=PETER-HOME/CN=OPENVPN/name=OPENVPN/emailAddress=**********************
Tue Dec 13 08:31:07 2011 us=390000 VERIFY OK: nsCertType=SERVER
Tue Dec 13 08:31:07 2011 us=390000 VERIFY OK: depth=0, /C=AU/ST=NSW/L=Sydney/O=Veridian_Solutions/OU=PETER-HOME/CN=server/name=server/emailAddress=*****************************
Tue Dec 13 08:31:09 2011 us=531000 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 13 08:31:09 2011 us=531000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 13 08:31:09 2011 us=546000 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 13 08:31:09 2011 us=546000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 13 08:31:09 2011 us=546000 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 13 08:31:09 2011 us=546000 [server] Peer Connection Initiated with a.b.c.d:1194
Tue Dec 13 08:31:11 2011 us=859000 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Dec 13 08:31:11 2011 us=937000 PUSH: Received control message: 'PUSH_REPLY,route 10.11.12.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.11.12.254,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Dec 13 08:31:11 2011 us=937000 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 13 08:31:11 2011 us=937000 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 13 08:31:11 2011 us=937000 OPTIONS IMPORT: route options modified
Tue Dec 13 08:31:11 2011 us=937000 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Dec 13 08:31:11 2011 us=968000 ROUTE default_gateway=10.1.1.1
Tue Dec 13 08:31:12 2011 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{10D1CD18-C082-4542-8450-D7881375C955}.tap
Tue Dec 13 08:31:12 2011 TAP-Win32 Driver Version 9.8 
Tue Dec 13 08:31:12 2011 TAP-Win32 MTU=1500
Tue Dec 13 08:31:12 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {10D1CD18-C082-4542-8450-D7881375C955} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Dec 13 08:31:12 2011 DHCP option string: 06080a0b 0cfe0808 0808
Tue Dec 13 08:31:12 2011 Successful ARP Flush on interface [4] {10D1CD18-C082-4542-8450-D7881375C955}
Tue Dec 13 08:31:17 2011 us=171000 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Tue Dec 13 08:31:17 2011 us=171000 C:\WINDOWS\system32\route.exe ADD a.b.c.d MASK 255.255.255.255 10.1.1.1   <--- Please see *NOTE* below
Tue Dec 13 08:31:17 2011 us=171000 Route addition via IPAPI succeeded [adaptive]
Tue Dec 13 08:31:17 2011 us=171000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Dec 13 08:31:17 2011 us=171000 Route addition via IPAPI succeeded [adaptive]
Tue Dec 13 08:31:17 2011 us=171000 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Dec 13 08:31:17 2011 us=171000 Route addition via IPAPI succeeded [adaptive]
Tue Dec 13 08:31:17 2011 us=171000 C:\WINDOWS\system32\route.exe ADD 10.11.12.0 MASK 255.255.255.0 10.8.0.5
Tue Dec 13 08:31:17 2011 us=187000 Route addition via IPAPI succeeded [adaptive]
Tue Dec 13 08:31:17 2011 us=187000 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Dec 13 08:31:17 2011 us=187000 Route addition via IPAPI succeeded [adaptive]
Tue Dec 13 08:31:17 2011 us=187000 Initialization Sequence Completed
*NOTE* from client.log
In client.log it is adding my Public IP a.b.c.d as a route to go out the local client's offsite gateway 10.1.1.1 and not the VPN. I assume this is something to do with needing to send traffic related to the VPN tunnel itself?
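
Added example, not part of the original posts: it rebuilds the client's routing table from the client.log lines above and applies longest-prefix matching, which shows why the /32 host route for the server keeps the encrypted OpenVPN connection on the local gateway 10.1.1.1 while the two /1 routes from redirect-gateway def1 override the default route. 203.0.113.10 is a constructed stand-in for the masked a.b.c.d, and the function names are this example's own.

```python
import ipaddress
import re

VPN_SERVER = "203.0.113.10"   # constructed stand-in for the masked a.b.c.d
VPN_GATEWAY = "10.8.0.5"      # tunnel peer from 'ifconfig 10.8.0.6 10.8.0.5'

# Lines copied from the client.log above (the poster's "<---" annotation omitted).
CLIENT_LOG = r"""
Tue Dec 13 08:31:11 2011 us=968000 ROUTE default_gateway=10.1.1.1
Tue Dec 13 08:31:12 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {10D1CD18-C082-4542-8450-D7881375C955} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Dec 13 08:31:17 2011 us=171000 C:\WINDOWS\system32\route.exe ADD a.b.c.d MASK 255.255.255.255 10.1.1.1
Tue Dec 13 08:31:17 2011 us=171000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Dec 13 08:31:17 2011 us=171000 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Dec 13 08:31:17 2011 us=171000 C:\WINDOWS\system32\route.exe ADD 10.11.12.0 MASK 255.255.255.0 10.8.0.5
Tue Dec 13 08:31:17 2011 us=187000 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
""".replace("a.b.c.d", VPN_SERVER)

DEFAULT_GW = re.compile(r"ROUTE default_gateway=(\S+)")
TAP_ADDR = re.compile(r"DHCP IP/netmask of ([\d.]+)/([\d.]+)")
ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")


def build_table(log):
    """Return [(network, gateway)] describing the client's routes after connect."""
    table = []
    for line in log.splitlines():
        if m := DEFAULT_GW.search(line):
            # Assumption of this model: the pre-VPN default route is 0.0.0.0/0
            # via the gateway OpenVPN logged.
            table.append((ipaddress.ip_network("0.0.0.0/0"), m.group(1)))
        elif m := TAP_ADDR.search(line):
            # The TAP adapter's own /30 is directly connected.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            table.append((net, "on-link"))
        elif m := ROUTE_ADD.search(line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            table.append((net, m.group(3)))
    return table


def lookup(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in table if addr in net]
    return max(matches, key=lambda route: route[0].prefixlen)


def audit_full_tunnel(table, vpn_gateway, vpn_server):
    """Check the properties a 'redirect-gateway def1' client depends on."""
    findings = []
    routes = dict(table)
    # 0.0.0.0/1 and 128.0.0.0/1 together cover every IPv4 address and are more
    # specific than 0.0.0.0/0, so the old default route is never chosen.
    for half in ("0.0.0.0/1", "128.0.0.0/1"):
        if routes.get(ipaddress.ip_network(half)) != vpn_gateway:
            findings.append(f"{half} is not routed via {vpn_gateway}")
    # The encrypted packets to the server must stay outside the tunnel,
    # otherwise the tunnel would try to carry itself.
    if lookup(table, vpn_server)[1] == vpn_gateway:
        findings.append("route to the VPN server points into the tunnel (routing loop)")
    # The tunnel gateway itself has to be reachable on the TAP subnet.
    if lookup(table, vpn_gateway)[1] != "on-link":
        findings.append(f"{vpn_gateway} is not on a connected subnet")
    return findings


if __name__ == "__main__":
    table = build_table(CLIENT_LOG)
    for dest in ("8.8.8.8", "200.1.1.1", "10.11.12.254", VPN_SERVER):
        net, gw = lookup(table, dest)
        print(f"{dest:>14} -> {net} via {gw}")
    print("findings:", audit_full_tunnel(table, VPN_GATEWAY, VPN_SERVER))
```

The audit only describes the client side; whether replies find their way back to 10.8.0.x depends on the LAN gateway, which is what the rest of the thread works through.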

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: ICMP Redirect (For Host)/Internet traffic via OpenVPN

Post by Mimiko » Tue Dec 13, 2011 7:19 am

On Windows 2003 Server the quickest solution is to "share" the server's internet connection with the tap-adapter. Please see "Internet Connection Sharing" in Windows help.
The other option is to enable forwarding. Please search the internet on how to enable forwarding in Windows 2003.
And the 3rd solution is to install routing software on the server.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: ICMP Redirect (For Host)/Internet traffic via OpenVPN

Post by maikcat » Tue Dec 13, 2011 7:29 am

the ccd file is wrong,

you are assigning ip using a *different* subnet (10.9.0.x) and your vpn is 10.8.0.0..

fix it or remove it.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

sidplayos2
OpenVpn Newbie
Posts: 3
Joined: Sun Dec 11, 2011 10:10 am

Re: ICMP Redirect (For Host)/Internet traffic via OpenVPN

Post by sidplayos2 » Tue Dec 13, 2011 8:37 am

maikcat wrote: the ccd file is wrong,

you are assigning ip using a *different* subnet (10.9.0.x) and your vpn is 10.8.0.0..

fix it or remove it.

Michael.
Hi Michael, yes, I did remove the ccd settings as suggested by janjust; the results are mentioned in the second post, with the same results (no ccd file). You can see in the log trace that it is not using ccd anymore.

Tue Dec 13 08:31:12 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {10D1CD18-C082-4542-8450-D7881375C955} [DHCP-serv: 10.8.0.5, lease-time: 31536000]

Hi Mimiko, I will try sharing the Internet connection as you mentioned and see what results I get. As mentioned in the first post I have enabled IP Forwarding by editing the registry and rebooting as shown in the link in the HOWTO guide. I was unable to access even the local LAN clients as well until the IP Forwarding was done.

EDIT: I have since discovered the issue seems to be something strange with the DLINK DI 624 router. This router does not allow the addition of static routes in the routing table. Strangely enough it will somehow send back ICMP Redirects to the client end, even though in theory it shouldn't know how to get back to 10.8.0.x subnet at all without some kind of route I would think.
Replacing it with a Netcomm NB1300 loaned by a friend and adding a static route back to 10.8.0.0, it now works. So something strange about this DLINK router.

I will continue to investigate Mimiko's suggestions as I don't really want to have to buy another router if I can avoid it. I will post further test results soon.

EDIT: After taking Mimiko's suggestion of ICS this is now working with the DLINK DI 624. So if you have a router that does not have access to the routing table, I suspect you will need to enable ICS to get it working. Most of the DLINK routers under the 624 also did not have access to routing tables so food for thought for all you DLINK owners out there :)

I still find it interesting that the DI 624 was able to return an ICMP Redirect all the way to the client on 10.8.0.6 without any explicit static route to that subnet in the router, but the actual ping of the DLINK itself on 10.11.12.254 returned a successful Echo Reply. Very Strange.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: ICMP Redirect (For Host)/Internet traffic via OpenVPN

Post by Mimiko » Thu Dec 15, 2011 8:28 pm

I still find it interesting that the DI 624 was able to return an ICMP Redirect all the way to the client on 10.8.0.6 without any explicit static route to that subnet in the router, but the actual ping of the DLINK itself on 10.11.12.254 returned a successful Echo Reply. Very Strange.
More and more routers are found to poorly implement static routes.
