OpenVPN Configuration Problems

Thank you for taking a look at this:

I'm trying to establish a VPN server within our LAN that has the capability for 4 or 5 remote offices to connect to and be a part of our LAN.

The server component of OpenVPN is installed on a Windows Server 2003 machine and has two NIC's. One for the external interface and one for the internal (LAN) interface.

This server is behind a firewall which has UDP port 1194 open specifically for it.

For this purpose I'll define the external IP for the server as 66.66.66.66 and the internal IP as 10.250.150.54

I've chosen the bridging method so that broadcasts can traverse the VPN connection.

I have created a bridged network connection on the server between the Tap32 adapter and the LAN interface. The bridge interface now has the server's LAN IP, netmask, gateway, and DNS server addresses.

Here is the server OpenVPN config file:

local 66.66.66.66
port 1194
proto udp
dev tap
dev-node VPNServer # The Tap32 adapter is named "VPNServer"
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
ifconfig-pool-persist ipp.txt
server-bridge 10.250.150.54 255.255.255.0 10.250.150.5 10.250.150.15
keepalive 10 120
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 9
management localhost 7505


and here is the client config file:

client
dev-tap
dev-node VPNClient # The name of the Tap32 adapter on the client is "VPNClient"
proto udp
remote 66.66.66.66 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4


Here is the end of the log where the server finishes starting up:

Tue Mar 21 23:26:45 2006 us=974943 MTU DYNAMIC mtu=1500, flags=3, 1450 -> 1450
Tue Mar 21 23:26:45 2006 us=974987 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Mar 21 23:26:45 2006 us=975051 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 21 23:26:45 2006 us=975086 UDPv4 link local (bound): 66.66.66.66:1194
Tue Mar 21 23:26:45 2006 us=975107 UDPv4 link remote: [undef]
Tue Mar 21 23:26:45 2006 us=975136 MULTI: multi_init called, r=256 v=256
Tue Mar 21 23:26:45 2006 us=975210 IFCONFIG POOL: base=10.250.150.5 size=11
Tue Mar 21 23:26:45 2006 us=975274 IFCONFIG POOL LIST
Tue Mar 21 23:26:45 2006 us=975294 client,10.250.150.5
Tue Mar 21 23:26:45 2006 us=975326 WE_INIT maxevents=4 flags=0x00000002
Tue Mar 21 23:26:45 2006 us=975350 WE_INIT maxevents=4 capacity=8
Tue Mar 21 23:26:45 2006 us=975396 Initialization Sequence Completed


And here is most of the log file for when the client connects:

Tue Mar 21 23:27:01 2006 us=98937 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov  2 2005
Tue Mar 21 23:27:01 2006 us=99249 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Mar 21 23:27:01 2006 us=106185 LZO compression initialized Tue Mar 21 23:27:01 2006 us=106516 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 21 23:27:01 2006 us=121028 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Mar 21 23:27:01 2006 us=121164 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 21 23:27:01 2006 us=121194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 21 23:27:01 2006 us=121267 Local Options hash (VER=V4): 'b498be7c' Tue Mar 21 23:27:01 2006 us=152776 Expected Remote Options hash (VER=V4): '26e19fc0'
Tue Mar 21 23:27:01 2006 us=152923 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 21 23:27:01 2006 us=152957 UDPv4 link local: [undef] Tue Mar 21 23:27:01 2006 us=152969 UDPv4 link remote: 66.66.66.66:1194 Tue Mar 21 23:27:01 2006 us=274080 TLS: Initial packet from 66.66.66.66:1194, sid=507a5992 c577bf93
Tue Mar 21 23:27:01 2006 us=617605 VERIFY OK: depth=1, <<cert info>>
Tue Mar 21 23:27:01 2006 us=618121 VERIFY OK: nsCertType=SERVER Tue Mar 21 23:27:01 2006 us=618133 VERIFY OK: depth=0, <<cert info>>
Tue Mar 21 23:27:02 2006 us=190863 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 21 23:27:02 2006 us=190929 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 21 23:27:02 2006 us=190960 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 21 23:27:02 2006 us=190990 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 21 23:27:02 2006 us=197993 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Mar 21 23:27:02 2006 us=198109 [server] Peer Connection Initiated with 66.66.66.66:1194
Tue Mar 21 23:27:02 2006 us=643808 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Mar 21 23:27:02 2006 us=702319 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.250.150.54,ping 10,ping-restart 120,ifconfig 10.250.150.5 255.255.255.0'
Tue Mar 21 23:27:02 2006 us=702411 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 21 23:27:02 2006 us=702432 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 21 23:27:02 2006 us=702450 OPTIONS IMPORT: route options modified Tue Mar 21 23:27:02 2006 us=705129 TAP-WIN32 device [VPNCLient] opened: \\.\Global\{948612EB-CC1F-4308-9BFA-B7D69DC4FCD8}.tap
Tue Mar 21 23:27:02 2006 us=705201 TAP-Win32 Driver Version 8.1 Tue Mar 21 23:27:02 2006 us=705228 TAP-Win32 MTU=1500 Tue Mar 21 23:27:02 2006 us=705269 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.250.150.5/255.255.255.0 on interface {948612EB-CC1F-4308-9BFA-B7D69DC4FCD8} [DHCP-serv: 10.250.150.0, lease-time: 31536000]
Tue Mar 21 23:27:02 2006 us=752169 NOTE: could not get adapter index for \DEVICE\TCPIP_{948612EB-CC1F-4308-9BFA-B7D69DC4FCD8}, status=55 : The specified network resource or device is no longer available.
Tue Mar 21 23:27:02 2006 us=764910 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Tue Mar 21 23:27:02 2006 us=764963 Initialization Sequence Completed




The OpenVPN server does assign 10.250.150.5 to the client which is reflected in the logs and despite the lack of any obvious errors, the client is unable to ping anything on the 10.250.150.0 subnet.

In using Ethereal and capturing the activity on the bridged interface on the client, I see the keep alives going back and forth from the server and I also see broadcast packets coming from a couple members of the LAN.

I simply can not figure out what I've got configured wrong. If more complete log files would help or if there are any questions, please ask!

I greatly appreciate your help!
madabdul82Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Artysystem administratorCommented:
Seems that network route on client machine is not setup correctly after VPN has been established.

Please run on client:
ipconfig /all
netstat -rn


madabdul82Author Commented:
C:\WINDOWS\system32>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : COMPLIANCEREM
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : hsd3.co.comcast.net.

Ethernet adapter Network Bridge (Network Bridge):

        Connection-specific DNS Suffix  . : hsd3.co.comcast.net.
        Description . . . . . . . . . . . : MAC Bridge Miniport
        Physical Address. . . . . . . . . : 02-C0-9F-C9-B3-92
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DHCP Server . . . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 192.168.10.1
        Lease Obtained. . . . . . . . . . : Wednesday, March 22, 2006
7:36:48 AM

        Lease Expires . . . . . . . . . . : Thursday, March 23, 2006 7:36:48
AM

C:\WINDOWS\system32>netstat -rn

Route Table ===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface 0x50002 ...02 c0 9f c9 b3 92 ...... MAC Bridge Miniport - Packet Scheduler
Minip
ort ===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.101       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0   192.168.10.101  192.168.10.101       20
   192.168.10.101  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255   192.168.10.101  192.168.10.101       20
        224.0.0.0        240.0.0.0   192.168.10.101  192.168.10.101       20
  255.255.255.255  255.255.255.255   192.168.10.101  192.168.10.101       1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  None

C:\WINDOWS\system32>
m1crochipCommented:
Do the clients need to be assigned a subnet separate from the server?
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

madabdul82Author Commented:
We need the clients to be able to run a thin client application that accesses this particular Windows server. The thin client operates on TCP 1888.

If that can be accomplished with the clients being assigned a separate subnet or with the clients being assigned a 10.250.150 IP, I'm fine with either way. Which one would be best?

m1crochipCommented:
I just know that VPN's have problems or don't work at all when the clients are on the same subnet as the local network.  I don't have any experience with your software, though.
madabdul82Author Commented:
Changing the OpenVPN config file for the server from:

server-bridge 10.250.150.54 255.255.255.0 10.250.150.5 10.250.150.15

to:

server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

Yields the same limited connectivity. When I run Ethereal on the client, Ethereal still captures lots of broadcast traffic coming from the 10.250.250.0 LAN but the client still can not ping anything on that LAN. Basically, its the same problem regardless of what subnet the server uses to hand out IP's to clients.
m1crochipCommented:
Is the first parameter of the server-bridge "10.8.0.4" the IP assigned to the server?  If so, is it possible to change the parameters to something like: server-bridge 10.250.150.54 255.255.255.0 10.250.151.50 10.250.151.100 ?
m1crochipCommented:
I'm sorry - since you are using bridging instead of routing, the clients will be on the same subnet as the remote local network.
madabdul82Author Commented:
No problem, I appreciate you trying to help!
m1crochipCommented:
The only other things I can think of are: VPN IP conflicts with your lan DHCP pool; you must bridge the adapters on the clients as well as server; the example configs I've seen have the same value for "verb" on the server and clients.
madabdul82Author Commented:
I do have the adapters on the client bridged and matching the verb config element does not help, unfortunately.

It really seems like there is just no route for 10.250.150.0 IP traffic coming from the client to hit the LAN and vice versa with IP traffic coming from the LAN to the client (with the exception of broadcast packets).

I dont know what to do about it though. I dont understand why the client wont use the VPN tunnel to look for members of the LAN and also why not even the server can ping the address it assigns to the client (10.250.150.5).
kalifiCommented:
Hi madabdul82,

The good news is that I've done this setup with OpenVPN, but on Linux.
I'm sure that there is no big difference.

OK let's start with the configuration of the server

### START server configuration ###
port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.250.150.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
### END server configuration ###

I've used "dev tun" and it works.
"server 10.8.0.0 255.255.255.0" - your VPN server and clients will be part of network - 10.8.0.0/24
"push "route 10.250.150.0 255.255.255.0"" - your sunbet 10.250.150.0/24 will be visible to the VPN clients
"client-to-client" - the clients can see each other.
In this case the IP of the server would be the real IP of the machine.

Now the client:

### START client configuration ###
client
dev tun
proto udp
remote 66.66.66.66 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
comp-lzo
verb 3
### END client configuration ###

So with thies two configuration files you would be able to ping form the connected client any PC in 10.250.150.0/24 subnet.

Try this and tell me the result.

If your clients also have subnets and you want from one subnet's PC to ping/reach other subnet PC trought the VPN just tell me.

Hope that helps (and sorry about my bad english)!

Miro

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.