Windows 7 as OpenVPN server with redirect-gateway

[Bebop]

Goal:

• Tunnel Internet traffic through a Windows 7 PC, using OpenVPN server mode. Traffic can be tunneled from any OpenVPN client.

Scope:

• This example assumes that you already know how to install OpenVPN and setup keys and/or certificates. For the scope of this example, information about key and certificate management will not be provided.

Overview:

• We'll setup a server.ovpn, a client.ovpn, and some Windows 7 tweaks.

The Code

server.ovpn

Code: Select all

port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0   #you may choose any subnet. 10.0.0.x is used for this example.

ca ca.crt                    #certs are optional. you may choose to go with keys or passwords instead.
cert server_win7.crt
key server_win7.key  
dh dh1024.pem

push "redirect-gateway def1"

push "dhcp-option DNS 8.8.8.8"      

#the following commands are optional
keepalive 10 120         
comp-lzo                   
persist-key                
persist-tun                
verb 3                      

#last updated May 29, 2011

Client.ovpn

Code: Select all

client
dev tun
proto udp
remote ip.of.win7.server 1194   

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
ns-cert-type server

comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

route-method exe
route-delay 2

#last updated June 04, 2011

Windows 7 tweaks for forwarding VPN traffic

Code: Select all

Start -> Right-click My Computer -> Manage
Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start

Next:

Control Panel
Network and Sharing Center
Local Area Connection
Properties
Sharing
Tick the box "Allow other network users to connect through this computer's Internet connection"
From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.

regedit

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

Notes:

• Further tweaking and streamlining may be possible.
• Thank you to Krzee for the register-dns tweak

[maikcat]

nice howto bebop




Michael.

[pwens]

I have confirmed this config to be working as well (forwarding all TCP/IP traffic exclusively through virtual TAP adapter). Server is Windows 7, client is XP.

I should also note that page load speeds during web browsing are also much faster than expected. In fact, I barely notice any increased latency. I haven't run any formal speed tests or metrics, but as a casual observation I have no complaints.

Thanks bebop

[Bebop]

Thanks bebop

You're most welcome. And thank you for reporting your experience.

[errdos]

1)push "redirect-gateway def1"
with this method u redirect every outgoing connection trough the openvpn ... is there a way to redirect only some of the connections? (for example according to ips/subnets?)

2)is there away to choose the redirection according to the client and not the server (i mean the clinet should choose if to use the server for the connections or not in my opinion

3) ithe dns solution seems kind of weird .. what if my server cant use the google dns? (which it cant) is there another way to slove that? (like using the openvpn server as dns so it will use it own or something like it )

4)u said it is unknown if the 3 tweaks are needed... is there anything new about that subject? its kind of weird to tweak a machine for no reason (yet i will do it... just need it to work)

thanks for all the help!
er.

[Bebop]

1)push "redirect-gateway def1"
with this method u redirect every outgoing connection trough the openvpn ... is there a way to redirect only some of the connections? (for example according to ips/subnets?)

2)is there away to choose the redirection according to the client and not the server (i mean the clinet should choose if to use the server for the connections or not in my opinion

Yes on both accounts. Those two are best answered together. See this code (this code is for client.ovpn):

Code: Select all

route-nopull
route remote_host 255.255.255.255 net_gateway
route 126.21.20.256 255.255.255.255 10.0.0.1

"route-nopull" tells the client to ignore any routes pushed from the server (so, it will ignore "redirect gateway").
"route remote_host 255.255.255.255 net_gateway" tells Windows that the route to the VPN server is via the default Internet connection.
"route 126.21.20.0 255.255.255.0 10.0.0.1" tells Windows that all connections to subnet 126.21.20.x should be routed through 10.0.0.1 (VPN server LAN IP)

3) ithe dns solution seems kind of weird .. what if my server cant use the google dns? (which it cant) is there another way to slove that? (like using the openvpn server as dns so it will use it own or something like it )

Not sure yet, sorry though. If you or any of the experts does know the answer, please do share. I think it will be something very simple and obvious. After all, Windows 7 has built in DNS service, so it must be something to do with that. Potentially, you may need some 3rd party DNS serving tool.

4)u said it is unknown if the 3 tweaks are needed... is there anything new about that subject? its kind of weird to tweak a machine for no reason (yet i will do it... just need it to work)

thanks for all the help!
er.

The reason its unknown (its only unknown by me) is that I tried to set up the server with these 3 tweaks and it worked. What I didn't do, was go back and get it working without just 1 tweak at a time. Its essentially just a time/effort limitation on my behalf. If you can do that and report back it would be excellent.. If not, I do intend to do that myself soon too -- thank you for the reminder.

[peterlinuxgeek]

I got this working except for rdesktop from client (win 7) to server (win 7)

rdesktop into win7 server form a linux sitting in the same network works fine.

see my question : topic7925.html

Thanks for the tips.

Peter

[krzee]

the dns issue:
http://permalink.gmane.org/gmane.networ ... user/31978

nice guides bebop!

[Bebop]

the dns issue:
http://permalink.gmane.org/gmane.networ ... user/31978

nice guides bebop!

Thanks for the compliment :] and thank you for the (seemingly simple looking, yet ever elusive and much needed) info.

[zothen]

From the drop-down list select "Local Area Connection 2", or whatever is the connection name of your TAP server connection.

Huh? I see no dropdown list, only two check boxes for "Allow other network users to connect..." and Allow other network users to control..."

Currently I am unable to ping internet IP addresses from the client when using the above scripts but I'm able to ping the local ones so I would guess that this is my problem.

[Bebop]

I see no dropdown list, only two check boxes for "Allow other network users to connect..." and Allow other network users to control..."

Not a problem if the dropdown box is missing. It just means you only have 1 possible connection to share.

If no ping, your problem is something else.

[TopKnot]

Looks like a great howto - my only question (which may arise from my inexperience) is, why is the push "dhcp-option DNS on the server set to 8.8.8.8? is that meant to be something on the local network, or is that the IP I should use no matter what?

thanks!

[Bebop]

why is the push "dhcp-option DNS on the server set to 8.8.8.8? is that meant to be something on the local network, or is that the IP I should use no matter what?

Hi TopKnot. 8.8.8.8 is an IP for Google DNS (free public DNS server). So, with this option all of your clients will be using Google DNS to resolve domain names as they browse the web through your VPN.

You can change it do any DNS server IP you desire, or you can leave it as is.

[aaaa2209]

Hello Bebop,
Thanks for the posts. It saves me a lot of time. I use windows 2003 as server. And the config I need is quite similar to Windows 7. At first the client can connect and ping to the server. It can even open the share folders in the server. But the traffic like http 80 and smtp 25 is still passing through my own gateway instead of the server. I found this post and fixed the problem. However, there is a slightly difference here and I want to share.
I followed the same config files for server and client without changes. And then there 3 three steps to config the windows: 1, Routing and Remote Access ; 2, Internet connection sharing; 3, change regedit file.
I cannot make 1 and 2 work at the same time. The system told me one is currently running and it has to be disable while trying to enable another one. I found when I use 2 and 3 it works perfectly. 1 and 3 don't work for me.

---
Also I have a few questions to ask. My goal is trying to use some computers in the other network like in LAN environment. Those computers' IPs are 192.168.1.157 and 177.0.0.0/8. My LAN IP range is 192.168.1.0/24. I just want to route the above traffic to the server and all other traffic goes to my own network. I don't want to use VPN when I watch video online. I think the 3 codes you mention might be for me. My codes are like this:

route-nopull
route 192.168.1.157 255.255.255.255 10.8.0.6
route 177.0.0.0 255.0.0.0 10.8.0.6

10.8.0.6 is my VPN interface IP address. When I use the code above I cannot get through the computers I want. I don't use route remote_host 255.255.255.255 net_gateway because I don't quite understand it even you explain. But I did try and it didn't work. You said the code tells windows about the route to the VPN, but I think the windows already knew that before we add this code. The VPN works because the windows knows it.

What should I do to achieve this goal? I think the goal is simple and basic. Can you please simply explain or give me some hints like key words to search in google?



Thanks again.

William

[Fhilps]

Hi aaaa2209.

I have exactly the same problem you do.
I'm desperate to find how to solve this problem.

I need this for my graduating project at college.

If you find the solution send me a message, ok ?
I'll do the same.

Thanks

[Bebop]

I cannot make 1 and 2 work at the same time. The system told me one is currently running and it has to be disable while trying to enable another one. I found when I use 2 and 3 it works perfectly. 1 and 3 don't work for me.

Thanks. I was looking for feedback on this part. I got a chance to go back to my setup soon and test it with just 2 and 3.. then it might be a universal solution for 2003 / Vista / 7.

I'm thinking of a solution for your dilemma. I've not used 'iroute' with Windows server before but its designed to work in a situation like yours I think. So that would involve removing 'push redirect-gateway' from server and removing 'route no-pull' from client, and then add to server config 'iroute 177.0.0.0 255.0.0.0' (and create the appropriate 'ccd' file). To fully get it you would need to have a quick read of the iroute commands in the man page.

Where is the "192.168.1.157" computer? (not on your LAN?).

[m4f1050]

Hi, thanks for the tips. I found Windows XP and Windows 7 examples but no Linux example.

I searched and found this:

Code: Select all

http://www.howtoforge.com/internet-connection-sharing-masquerading-on-linux

Is there a better way of doing this? Or can you post the example for Linux?

Thanks!

[sprintf]

Windows 7 tweaks for forwarding VPN traffic

Code: Select all

Start -> Right-click My Computer -> Manage
Services
Right-click Routing and Remote Access -> Properties -> Automatic
Right-click Routing and Remote Access -> Start

...

regedit

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

Notes:

• Further tweaking and streamlining may be possible.
• Thank you to Krzee for the register-dns tweak

FYI, I just setup a fresh Windows 7 box with OpenVPN server and found that these two steps (enable Routing and Remote Access, and set IPEnableRouter=1) were not necessary. In other words, I setup my box without doing those two steps and OpenVPN server still worked fine.

Thanks.

[Lisa_York77]

Thank you so much. This works for me too! Keep posting such they are very helpful.

[majod]

Hello,

thank you very much for this tutorial, I have succesfully set up Internet sharing with my Windows 7 PC to another PC on local network. Unfortunately I have some trouble and I need some help with that.

The problem is that my Internet connection randomly fails for few seconds to few minutes period with the client connected to VPN (I have only one client set up). I didn't change anything in config files (except IP addresses and DNS). When the client is not connected, even with server running everything works perfectly. With the client connected, random connection problems occur for me and for the client as well. Any hint?

Thanks.