OpenVPN Support Forum

This is my first time setting up OpenVPN on Linksys E2000 with DD-WRT v24-sp2 (04/13/11) with OpenVPN GUI v1.03.

The Linksys E2000 IP is: 192.168.10.1
OpenVPN Server: 10.121.40.1

Server config: (Services->VPN):
Start OpenVPN Server: Enable
Start Type: WAN Up
Config via: Config File

CA Cert: ca.crt
Public Server Key: server.csr
DH PEM: dh1024.pem

Additional Config:
push "route 192.168.10.0 255.255.255.0"
server 10.121.40.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
comp-lzo
management localhost 5001

Firewall Setting (Administration -> Commands -> Firewall):
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 10.121.40.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Client Config file:
client
dev tun0
remote-cert-tls server
float
proto udp
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert PC.crt
key PC.key
ns-cert-type server
comp-lzo
verb 3

I can VPN to the server; however, it gave me wrong subnet mask and no GW info:
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::75eb:a4d4:352b:6a8%34
IPv4 Address. . . . . . . . . . . : 10.121.40.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :

I can not ping the client (192.168.10.10, static) behind the VPN server unless I turn off the Windows 7 Firewall. I can ping the router via 192.168.10.1.

Please help.

I can VPN to the server; however, it gave me wrong subnet mask and no GW info:
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::75eb:a4d4:352b:6a8%34
IPv4 Address. . . . . . . . . . . : 10.121.40.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :

nop the ip gave you is correct..

in your config you are pushing only route for 192.168.10.0 net
in your client can you see it in your routing table?

do you run gui with admin rights?
what openvpn version are you using on 7?

Michael.

maikcat wrote:

I can VPN to the server; however, it gave me wrong subnet mask and no GW info:
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::75eb:a4d4:352b:6a8%34
IPv4 Address. . . . . . . . . . . : 10.121.40.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :

nop the ip gave you is correct..

in your config you are pushing only route for 192.168.10.0 net
in your client can you see it in your routing table?

do you run gui with admin rights?
what openvpn version are you using on 7?

Michael.

My account has Admin right and I also set "Run this program as an administrator" in "OpenVPN GUI Properties -> Compatibility".

I am using OpenVPN 2.2.2 built on Dec 15 2011.

Wed Jan 11 07:14:22 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 10.121.40.1,topology net30,ping 10,ping-restart 120,ifconfig 10.121.40.6 10.121.40.5'
Wed Jan 11 07:14:22 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 11 07:14:22 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 11 07:14:22 2012 OPTIONS IMPORT: route options modified
Wed Jan 11 07:14:22 2012 ROUTE default_gateway=192.168.1.1
Wed Jan 11 07:14:22 2012 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{16F366EA-47CC-4D03-ACEE-C826818A33E8}.tap
Wed Jan 11 07:14:22 2012 TAP-Win32 Driver Version 9.9
Wed Jan 11 07:14:22 2012 TAP-Win32 MTU=1500
Wed Jan 11 07:14:22 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.121.40.6/255.255.255.252 on interface {16F366EA-47CC-4D03-ACEE-C826818A33E8} [DHCP-serv: 10.121.40.5, lease-time: 31536000]
Wed Jan 11 07:14:22 2012 Successful ARP Flush on interface [34] {16F366EA-47CC-4D03-ACEE-C826818A33E8}
Wed Jan 11 07:14:27 2012 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Wed Jan 11 07:14:27 2012 C:\WINDOWS\system32\route.exe ADD 192.168.10.0 MASK 255.255.255.0 10.121.40.5
Wed Jan 11 07:14:27 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jan 11 07:14:27 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jan 11 07:14:27 2012 C:\WINDOWS\system32\route.exe ADD 10.121.40.1 MASK 255.255.255.255 10.121.40.5
Wed Jan 11 07:14:27 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jan 11 07:14:27 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jan 11 07:14:27 2012 Initialization Sequence Completed
Wed Jan 11 07:15:33 2012 TCP/UDP: Closing socket
Wed Jan 11 07:15:33 2012 C:\WINDOWS\system32\route.exe DELETE 10.121.40.1 MASK 255.255.255.255 10.121.40.5
Wed Jan 11 07:15:33 2012 Route deletion via IPAPI succeeded [adaptive]
Wed Jan 11 07:15:33 2012 C:\WINDOWS\system32\route.exe DELETE 192.168.10.0 MASK 255.255.255.0 10.121.40.5
Wed Jan 11 07:15:33 2012 Route deletion via IPAPI succeeded [adaptive]

On the "remote xx.xx.xx.xx" 1194", where xx.xx.xx.xx is Linksys E2000 WAN IP. Is this ok?

Here is my setup:
Wins7 (192.168.1.100 DHCP, OpenVPN client) -> Netgear router (192.168.1.1) -> Internet -> Linksys E2000 (192.168.10.1, wan: 75.108.208.26)-> client (Wins7: 192.168.10.10, static)

On the "remote xx.xx.xx.xx" 1194", where xx.xx.xx.xx is my WAN IP. Is this ok?

yeap...

all seems ok to me...

what exactly is the problem?

Michael.

maikcat wrote:

On the "remote xx.xx.xx.xx" 1194", where xx.xx.xx.xx is my WAN IP. Is this ok?

yeap...

all seems ok to me...

what exactly is the problem?

Michael.

I think the subnet mask (255.255.255.252) is wrong and I don't gave Default Gateway; therefore, I can NOT ping or map the drive from any machine behind the VPN Server (Linksys E2000). I have to lower the public firewall to make it to work.

I think the subnet mask (255.255.255.252) is wrong

if you dont use mode subnet is correct...

I don't gave Default Gateway

you can if you want to use

push "redirect-gateway def1"

to your server but it is not neccecary..

I can NOT ping or map the drive from any machine behind the VPN Server (Linksys E2000). I have to lower the public firewall to make it to work.

this has nothing to do with openvpn...
you can still create rules to allow traffic from openvpn network to your windows pcs.

cheers,


Michael.

maikcat wrote:

I think the subnet mask (255.255.255.252) is wrong

if you dont use mode subnet is correct...

I don't gave Default Gateway

you can if you want to use

push "redirect-gateway def1"

to your server but it is not neccecary..

I can NOT ping or map the drive from any machine behind the VPN Server (Linksys E2000). I have to lower the public firewall to make it to work.

this has nothing to do with openvpn...
you can still create rules to allow traffic from openvpn network to your windows pcs.

cheers,


Michael.

I tried: push "redirect-gateway def1" but still the same. can not ping the pc behind the VPN server:
push "route 192.168.10.0 255.255.255.0"
server 10.121.40.0 255.255.255.0
push "redirect-gateway def1"

Not sure how to create the inbound rule for pc behind the VPN server because I don't think it knows anything about the VPN server. It's a stand-alone PC.

I tried: push "redirect-gateway def1" but still the same. can not ping the pc behind the VPN server:

if you disable its firewall ,does it responds?

maikcat wrote:

I tried: push "redirect-gateway def1" but still the same. can not ping the pc behind the VPN server:

if you disable its firewall ,does it responds?

yes, I have to disable the firewall (public profile) to make it to work.

tambui wrote:

maikcat wrote:

I think the subnet mask (255.255.255.252) is wrong

if you dont use mode subnet is correct...

I don't gave Default Gateway

you can if you want to use

push "redirect-gateway def1"

to your server but it is not neccecary..

I can NOT ping or map the drive from any machine behind the VPN Server (Linksys E2000). I have to lower the public firewall to make it to work.

this has nothing to do with openvpn...
you can still create rules to allow traffic from openvpn network to your windows pcs.

cheers,


Michael.

I tried: push "redirect-gateway def1" but still the same. can not ping the pc behind the VPN server:
push "route 192.168.10.0 255.255.255.0"
server 10.121.40.0 255.255.255.0
push "redirect-gateway def1"

Not sure how to create the inbound rule for pc behind the VPN server because I don't think it knows anything about the VPN server. It's a stand-alone PC.

On another subject, I have to remove the following line on the VPN server to get my office machine to work with the corp. network:
push "redirect-gateway def1"

With the above line, the VPN server gave me the GW info but the subnet still shows *.255.252. My office machine has a "TAP-win32 adapter" already. How can I config the server to make both home and office machine to work? I need to use tap instead of tun on the VPN server?

maikcat wrote:

I tried: push "redirect-gateway def1" but still the same. can not ping the pc behind the VPN server:

if you disable its firewall ,does it responds?

I created a new rule in the client and got it to work:

Control Panel --> System and security --> Windows Firewall --> Advanced settings --> Inbound rules --> New rule --> custom rule

in Protocol and ports: Protocol: ICMPv4
on the same panel go to customize, choose "Specific ICMP types", check the box "echo request"

I can ping the client via static IP. I can map the drive also. The firewall is ON.

Thanks for all your helps.

the .252 mask is correct

tun is for routing and tap is for bridging

tun is a layer 3 device
tap is a layer 2 device.

cheers,

Michael.