madabdul82 asked:
OpenVPN Configuration Problems

Thank you for taking a look at this:

I'm trying to establish a VPN server within our LAN that has the capability for 4 or 5 remote offices to connect to and be a part of our LAN.

The server component of OpenVPN is installed on a Windows Server 2003 machine that has two NICs: one for the external interface and one for the internal (LAN) interface.

This server is behind a firewall which has UDP port 1194 open specifically for it.

For this purpose I'll define the external IP for the server as 66.66.66.66 and the internal IP as 10.250.150.54

I've chosen the bridging method so that broadcasts can traverse the VPN connection.

I have created a bridged network connection on the server between the Tap32 adapter and the LAN interface. The bridge interface now has the server's LAN IP, netmask, gateway, and DNS server addresses.

Here is the server OpenVPN config file:

local 66.66.66.66                 # bind only to the external NIC
port 1194
proto udp
dev tap
dev-node VPNServer                # the TAP-Win32 adapter is named "VPNServer"
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
ifconfig-pool-persist ipp.txt
# server-bridge <bridge interface IP> <netmask> <pool start> <pool end>
# The pool must lie inside the bridged LAN subnet and outside the LAN's own DHCP scope.
server-bridge 10.250.150.54 255.255.255.0 10.250.150.5 10.250.150.15
keepalive 10 120
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 9                            # maximum verbosity; drop to 3 or 4 once the tunnel works
management localhost 7505         # unauthenticated management socket; keep it bound to localhost only


and here is the client config file:

client
dev tap
dev-node VPNClient                # the TAP-Win32 adapter on the client is named "VPNClient"
proto udp
remote 66.66.66.66 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"   # should be a per-client certificate signed by the same CA, not the server's
key "C:\\Program Files\\OpenVPN\\config\\server.key"    # likewise, the matching per-client private key
ns-cert-type server               # reject a peer presenting a client certificate as the server
cipher AES-128-CBC
comp-lzo
verb 4


Here is the end of the log where the server finishes starting up:

Tue Mar 21 23:26:45 2006 us=974943 MTU DYNAMIC mtu=1500, flags=3, 1450 -> 1450
Tue Mar 21 23:26:45 2006 us=974987 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Mar 21 23:26:45 2006 us=975051 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 21 23:26:45 2006 us=975086 UDPv4 link local (bound): 66.66.66.66:1194
Tue Mar 21 23:26:45 2006 us=975107 UDPv4 link remote: [undef]
Tue Mar 21 23:26:45 2006 us=975136 MULTI: multi_init called, r=256 v=256
Tue Mar 21 23:26:45 2006 us=975210 IFCONFIG POOL: base=10.250.150.5 size=11
Tue Mar 21 23:26:45 2006 us=975274 IFCONFIG POOL LIST
Tue Mar 21 23:26:45 2006 us=975294 client,10.250.150.5
Tue Mar 21 23:26:45 2006 us=975326 WE_INIT maxevents=4 flags=0x00000002
Tue Mar 21 23:26:45 2006 us=975350 WE_INIT maxevents=4 capacity=8
Tue Mar 21 23:26:45 2006 us=975396 Initialization Sequence Completed


And here is most of the log file for when the client connects:

Tue Mar 21 23:27:01 2006 us=98937 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov  2 2005
Tue Mar 21 23:27:01 2006 us=99249 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Mar 21 23:27:01 2006 us=106185 LZO compression initialized
Tue Mar 21 23:27:01 2006 us=106516 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 21 23:27:01 2006 us=121028 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Mar 21 23:27:01 2006 us=121164 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 21 23:27:01 2006 us=121194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 21 23:27:01 2006 us=121267 Local Options hash (VER=V4): 'b498be7c'
Tue Mar 21 23:27:01 2006 us=152776 Expected Remote Options hash (VER=V4): '26e19fc0'
Tue Mar 21 23:27:01 2006 us=152923 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 21 23:27:01 2006 us=152957 UDPv4 link local: [undef]
Tue Mar 21 23:27:01 2006 us=152969 UDPv4 link remote: 66.66.66.66:1194
Tue Mar 21 23:27:01 2006 us=274080 TLS: Initial packet from 66.66.66.66:1194, sid=507a5992 c577bf93
Tue Mar 21 23:27:01 2006 us=617605 VERIFY OK: depth=1, <<cert info>>
Tue Mar 21 23:27:01 2006 us=618121 VERIFY OK: nsCertType=SERVER
Tue Mar 21 23:27:01 2006 us=618133 VERIFY OK: depth=0, <<cert info>>
Tue Mar 21 23:27:02 2006 us=190863 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 21 23:27:02 2006 us=190929 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 21 23:27:02 2006 us=190960 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 21 23:27:02 2006 us=190990 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 21 23:27:02 2006 us=197993 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Mar 21 23:27:02 2006 us=198109 [server] Peer Connection Initiated with 66.66.66.66:1194
Tue Mar 21 23:27:02 2006 us=643808 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Mar 21 23:27:02 2006 us=702319 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.250.150.54,ping 10,ping-restart 120,ifconfig 10.250.150.5 255.255.255.0'
Tue Mar 21 23:27:02 2006 us=702411 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 21 23:27:02 2006 us=702432 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 21 23:27:02 2006 us=702450 OPTIONS IMPORT: route options modified
Tue Mar 21 23:27:02 2006 us=705129 TAP-WIN32 device [VPNCLient] opened: \\.\Global\{948612EB-CC1F-4308-9BFA-B7D69DC4FCD8}.tap
Tue Mar 21 23:27:02 2006 us=705201 TAP-Win32 Driver Version 8.1
Tue Mar 21 23:27:02 2006 us=705228 TAP-Win32 MTU=1500
Tue Mar 21 23:27:02 2006 us=705269 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.250.150.5/255.255.255.0 on interface {948612EB-CC1F-4308-9BFA-B7D69DC4FCD8} [DHCP-serv: 10.250.150.0, lease-time: 31536000]
Tue Mar 21 23:27:02 2006 us=752169 NOTE: could not get adapter index for \DEVICE\TCPIP_{948612EB-CC1F-4308-9BFA-B7D69DC4FCD8}, status=55 : The specified network resource or device is no longer available.
Tue Mar 21 23:27:02 2006 us=764910 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Tue Mar 21 23:27:02 2006 us=764963 Initialization Sequence Completed




The OpenVPN server does assign 10.250.150.5 to the client, which is reflected in the logs, and despite the lack of any obvious errors the client is unable to ping anything on the 10.250.150.0 subnet.

Using Ethereal to capture on the bridged interface on the client, I see the keepalives going back and forth from the server, and I also see broadcast packets coming from a couple of members of the LAN.

I simply cannot figure out what I've got configured wrong. If more complete log files would help, or if there are any questions, please ask!

I greatly appreciate your help!
Arty K replied:
It seems that the network route on the client machine is not set up correctly after the VPN has been established.

Please run on client:
ipconfig /all
netstat -rn


madabdul82 (asker) replied:
C:\WINDOWS\system32>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : COMPLIANCEREM
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : hsd3.co.comcast.net.

Ethernet adapter Network Bridge (Network Bridge):

        Connection-specific DNS Suffix  . : hsd3.co.comcast.net.
        Description . . . . . . . . . . . : MAC Bridge Miniport
        Physical Address. . . . . . . . . : 02-C0-9F-C9-B3-92
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DHCP Server . . . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 192.168.10.1
        Lease Obtained. . . . . . . . . . : Wednesday, March 22, 2006 7:36:48 AM
        Lease Expires . . . . . . . . . . : Thursday, March 23, 2006 7:36:48 AM

C:\WINDOWS\system32>netstat -rn

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x50002 ...02 c0 9f c9 b3 92 ...... MAC Bridge Miniport - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.101       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0   192.168.10.101  192.168.10.101       20
   192.168.10.101  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255   192.168.10.101  192.168.10.101       20
        224.0.0.0        240.0.0.0   192.168.10.101  192.168.10.101       20
  255.255.255.255  255.255.255.255   192.168.10.101  192.168.10.101       1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  None

C:\WINDOWS\system32>
Do the clients need to be assigned a subnet separate from the server?

We need the clients to be able to run a thin client application that accesses this particular Windows server. The thin client operates on TCP 1888.

If that can be accomplished with the clients being assigned a separate subnet or with the clients being assigned a 10.250.150 IP, I'm fine with either way. Which one would be best?

I just know that VPNs have problems or don't work at all when the clients are on the same subnet as the local network. I don't have any experience with your software, though.

Changing the OpenVPN config file for the server from:

server-bridge 10.250.150.54 255.255.255.0 10.250.150.5 10.250.150.15

to:

server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

yields the same limited connectivity. When I run Ethereal on the client, Ethereal still captures lots of broadcast traffic coming from the 10.250.250.0 LAN, but the client still cannot ping anything on that LAN. Basically, it's the same problem regardless of what subnet the server uses to hand out IPs to clients.

Is the first parameter of server-bridge ("10.8.0.4") the IP assigned to the server? If so, is it possible to change the parameters to something like: server-bridge 10.250.150.54 255.255.255.0 10.250.151.50 10.250.151.100 ?

I'm sorry - since you are using bridging instead of routing, the clients will be on the same subnet as the remote local network.

No problem, I appreciate you trying to help!

The only other things I can think of are: VPN IP conflicts with your LAN DHCP pool; you must bridge the adapters on the clients as well as the server; the example configs I've seen have the same value for "verb" on the server and clients.

I do have the adapters on the client bridged, and matching the verb config element does not help, unfortunately.

It really seems like there is just no route for 10.250.150.0 IP traffic coming from the client to hit the LAN, and vice versa with IP traffic coming from the LAN to the client (with the exception of broadcast packets).

I don't know what to do about it, though. I don't understand why the client won't use the VPN tunnel to look for members of the LAN, and also why not even the server can ping the address it assigns to the client (10.250.150.5).
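The following is an added example, not code from the thread or from OpenVPN itself. It checks the two things this thread turns on from the artefacts the posts show: the server-bridge directive (is the pool inside the subnet the TAP is bridged into, outside the LAN's DHCP scope, and not covering the bridge address itself?) and the client side (did the PUSH_REPLY ifconfig address produce an on-link route, and did the "could not get adapter index ... status=55" note appear, which means the IP stack has no interface for the TAP device?). The sample config line, log lines and route tables are constructed from the shapes posted above; the LAN DHCP scope, the function names and the finding codes are assumptions made for the example.

```python
"""Added example: sanity-check a bridged OpenVPN setup from the server-bridge
line, the client's PUSH_REPLY log line and the client's `netstat -rn` output.
Sample inputs are constructed from the thread; nothing here is live data."""
import ipaddress
import re

# --- constructed sample inputs -------------------------------------------------
SERVER_CONF = "server-bridge 10.250.150.54 255.255.255.0 10.250.150.5 10.250.150.15\n"
ALT_SERVER_CONF = "server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100\n"

PUSH_LINE = ("PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.250.150.54,"
             "ping 10,ping-restart 120,ifconfig 10.250.150.5 255.255.255.0'\n")
BROKEN_LOG = PUSH_LINE + (
    "NOTE: could not get adapter index for \\DEVICE\\TCPIP_{948612EB-CC1F-4308-9BFA-B7D69DC4FCD8}, "
    "status=55 : The specified network resource or device is no longer available.\n"
    "Initialization Sequence Completed\n")
GOOD_LOG = PUSH_LINE + "Initialization Sequence Completed\n"

# Route table as posted: no entry at all for the pushed 10.250.150.0/24.
BROKEN_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.101       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0   192.168.10.101  192.168.10.101       20
Default Gateway:      192.168.10.1
"""
# What the table looks like once the TAP adapter actually holds the pushed address.
GOOD_ROUTES = BROKEN_ROUTES + \
    "     10.250.150.0    255.255.255.0     10.250.150.5    10.250.150.5       30\n"


def parse_server_bridge(conf):
    """Return (gateway, network, pool_lo, pool_hi) from a server-bridge directive."""
    m = re.search(r"^\s*server-bridge\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", conf, re.M)
    if not m:
        raise ValueError("no server-bridge directive with four arguments")
    gw, mask, lo, hi = m.groups()
    return (ipaddress.ip_address(gw),
            ipaddress.ip_network(f"{gw}/{mask}", strict=False),
            ipaddress.ip_address(lo), ipaddress.ip_address(hi))


def check_server_bridge(conf, lan_network, lan_dhcp_scope=None):
    """Return a list of problem codes for the server-bridge line.

    lan_network    -- subnet the TAP adapter is bridged into (ip_network)
    lan_dhcp_scope -- optional (first, last) addresses the LAN DHCP server hands out
    """
    gw, net, lo, hi = parse_server_bridge(conf)
    issues = []
    if net != lan_network:
        # Bridged clients sit on the LAN's layer-2 segment: an address from another
        # subnet still receives broadcasts but has no layer-3 path to LAN hosts.
        issues.append("pool-subnet-differs-from-lan")
    if lo > hi:
        issues.append("pool-reversed")
    if lo not in net or hi not in net:
        issues.append("pool-outside-bridge-subnet")
    if lo <= gw <= hi:
        issues.append("gateway-inside-pool")
    if lan_dhcp_scope:
        d_lo, d_hi = (ipaddress.ip_address(a) for a in lan_dhcp_scope)
        if lo <= d_hi and d_lo <= hi:          # ranges intersect
            issues.append("pool-overlaps-lan-dhcp")
    return issues


def parse_push_reply(log):
    """Extract the ifconfig address/mask the server pushed to the client."""
    m = re.search(r"PUSH_REPLY,(.*?)'", log)
    if not m:
        raise ValueError("no PUSH_REPLY in log")
    for opt in m.group(1).split(","):
        words = opt.split()
        if len(words) == 3 and words[0] == "ifconfig":
            return ipaddress.ip_interface(f"{words[1]}/{words[2]}")
    raise ValueError("PUSH_REPLY carried no ifconfig option")


def parse_routes(netstat_rn):
    """Return destination networks from Windows `netstat -rn` output."""
    routes = []
    for line in netstat_rn.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            routes.append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False))
        except ValueError:      # header or any other non-route line
            continue
    return routes


def diagnose_client(log, netstat_rn):
    """Correlate the client log with its route table; return finding codes."""
    findings = []
    if "could not get adapter index" in log:
        # status=55: the IP stack has no interface for the TAP device, which is what
        # happens on Windows when the TAP adapter is itself bridged into another
        # adapter (or disabled), so the pushed address never takes effect.
        findings.append("tap-has-no-ip-interface")
    pushed = parse_push_reply(log)
    if pushed.network not in parse_routes(netstat_rn):
        # Without an on-link route for the pushed subnet, packets for LAN hosts
        # leave via the default gateway instead of the tunnel.
        findings.append("no-onlink-route-for-pushed-subnet")
    return findings


if __name__ == "__main__":
    lan = ipaddress.ip_network("10.250.150.0/24")
    print(check_server_bridge(SERVER_CONF, lan, ("10.250.150.1", "10.250.150.20")))
    print(check_server_bridge(ALT_SERVER_CONF, lan))
    print(diagnose_client(BROKEN_LOG, BROKEN_ROUTES))
    print(diagnose_client(GOOD_LOG, GOOD_ROUTES))
```

Run against the posted material, the server line is sound (the pool only becomes a problem if the LAN DHCP scope covers .5 to .15, which the thread never states), the 10.8.0.x variant is flagged because bridged clients then share the LAN's layer-2 segment without an address in it, and the client side is flagged twice: the TAP device has no IP interface of its own and the route table carries nothing for 10.250.150.0/24, which matches the ipconfig output where only the "Network Bridge" adapter with a 192.168.10.x address is visible.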
ASKER CERTIFIED SOLUTION
kalifi

This solution is only available to members. To access this solution, you must be a member of Experts Exchange.