Solved

OpenVPN Configuration Problems

Posted on 2006-03-21
Last Modified: 2008-07-27
Thank you for taking a look at this:

I'm trying to establish a VPN server within our LAN that has the capability for 4 or 5 remote offices to connect to and be a part of our LAN.

The server component of OpenVPN is installed on a Windows Server 2003 machine that has two NICs: one for the external interface and one for the internal (LAN) interface.

This server is behind a firewall which has UDP port 1194 open specifically for it.

For this purpose I'll define the external IP for the server as 66.66.66.66 and the internal IP as 10.250.150.54.

I've chosen the bridging method so that broadcasts can traverse the VPN connection.

I have created a bridged network connection on the server between the Tap32 adapter and the LAN interface. The bridge interface now has the server's LAN IP, netmask, gateway, and DNS server addresses.

Here is the server OpenVPN config file:

local 66.66.66.66
port 1194
proto udp
dev tap
dev-node VPNServer # The Tap32 adapter is named "VPNServer"
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
ifconfig-pool-persist ipp.txt
server-bridge 10.250.150.54 255.255.255.0 10.250.150.5 10.250.150.15
keepalive 10 120
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 9
management localhost 7505


and here is the client config file:

client
dev tap
dev-node VPNClient # The name of the Tap32 adapter on the client is "VPNClient"
proto udp
remote 66.66.66.66 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4


Here is the end of the log where the server finishes starting up:

Tue Mar 21 23:26:45 2006 us=974943 MTU DYNAMIC mtu=1500, flags=3, 1450 -> 1450
Tue Mar 21 23:26:45 2006 us=974987 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Mar 21 23:26:45 2006 us=975051 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 21 23:26:45 2006 us=975086 UDPv4 link local (bound): 66.66.66.66:1194
Tue Mar 21 23:26:45 2006 us=975107 UDPv4 link remote: [undef]
Tue Mar 21 23:26:45 2006 us=975136 MULTI: multi_init called, r=256 v=256
Tue Mar 21 23:26:45 2006 us=975210 IFCONFIG POOL: base=10.250.150.5 size=11
Tue Mar 21 23:26:45 2006 us=975274 IFCONFIG POOL LIST
Tue Mar 21 23:26:45 2006 us=975294 client,10.250.150.5
Tue Mar 21 23:26:45 2006 us=975326 WE_INIT maxevents=4 flags=0x00000002
Tue Mar 21 23:26:45 2006 us=975350 WE_INIT maxevents=4 capacity=8
Tue Mar 21 23:26:45 2006 us=975396 Initialization Sequence Completed


And here is most of the log file for when the client connects:

Tue Mar 21 23:27:01 2006 us=98937 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov  2 2005
Tue Mar 21 23:27:01 2006 us=99249 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Mar 21 23:27:01 2006 us=106185 LZO compression initialized
Tue Mar 21 23:27:01 2006 us=106516 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 21 23:27:01 2006 us=121028 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Mar 21 23:27:01 2006 us=121164 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 21 23:27:01 2006 us=121194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 21 23:27:01 2006 us=121267 Local Options hash (VER=V4): 'b498be7c'
Tue Mar 21 23:27:01 2006 us=152776 Expected Remote Options hash (VER=V4): '26e19fc0'
Tue Mar 21 23:27:01 2006 us=152923 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 21 23:27:01 2006 us=152957 UDPv4 link local: [undef]
Tue Mar 21 23:27:01 2006 us=152969 UDPv4 link remote: 66.66.66.66:1194
Tue Mar 21 23:27:01 2006 us=274080 TLS: Initial packet from 66.66.66.66:1194, sid=507a5992 c577bf93
Tue Mar 21 23:27:01 2006 us=617605 VERIFY OK: depth=1, <<cert info>>
Tue Mar 21 23:27:01 2006 us=618121 VERIFY OK: nsCertType=SERVER
Tue Mar 21 23:27:01 2006 us=618133 VERIFY OK: depth=0, <<cert info>>
Tue Mar 21 23:27:02 2006 us=190863 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 21 23:27:02 2006 us=190929 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 21 23:27:02 2006 us=190960 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 21 23:27:02 2006 us=190990 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 21 23:27:02 2006 us=197993 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Mar 21 23:27:02 2006 us=198109 [server] Peer Connection Initiated with 66.66.66.66:1194
Tue Mar 21 23:27:02 2006 us=643808 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Mar 21 23:27:02 2006 us=702319 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.250.150.54,ping 10,ping-restart 120,ifconfig 10.250.150.5 255.255.255.0'
Tue Mar 21 23:27:02 2006 us=702411 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 21 23:27:02 2006 us=702432 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 21 23:27:02 2006 us=702450 OPTIONS IMPORT: route options modified
Tue Mar 21 23:27:02 2006 us=705129 TAP-WIN32 device [VPNCLient] opened: \\.\Global\{948612EB-CC1F-4308-9BFA-B7D69DC4FCD8}.tap
Tue Mar 21 23:27:02 2006 us=705201 TAP-Win32 Driver Version 8.1
Tue Mar 21 23:27:02 2006 us=705228 TAP-Win32 MTU=1500
Tue Mar 21 23:27:02 2006 us=705269 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.250.150.5/255.255.255.0 on interface {948612EB-CC1F-4308-9BFA-B7D69DC4FCD8} [DHCP-serv: 10.250.150.0, lease-time: 31536000]
Tue Mar 21 23:27:02 2006 us=752169 NOTE: could not get adapter index for \DEVICE\TCPIP_{948612EB-CC1F-4308-9BFA-B7D69DC4FCD8}, status=55 : The specified network resource or device is no longer available.
Tue Mar 21 23:27:02 2006 us=764910 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Tue Mar 21 23:27:02 2006 us=764963 Initialization Sequence Completed
The OpenVPN server does assign 10.250.150.5 to the client which is reflected in the logs and despite the lack of any obvious errors, the client is unable to ping anything on the 10.250.150.0 subnet.

In using Ethereal and capturing the activity on the bridged interface on the client, I see the keep alives going back and forth from the server and I also see broadcast packets coming from a couple members of the LAN.

I simply cannot figure out what I've got configured wrong. If more complete log files would help or if there are any questions, please ask!

I greatly appreciate your help!
Question by: madabdul82
12 Comments
LVL 27

Expert Comment

by:Nopius
ID: 16255127
Seems that network route on client machine is not setup correctly after VPN has been established.

Please run on client:
ipconfig /all
netstat -rn



Author Comment

by:madabdul82
ID: 16257883
C:\WINDOWS\system32>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : COMPLIANCEREM
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : hsd3.co.comcast.net.

Ethernet adapter Network Bridge (Network Bridge):

        Connection-specific DNS Suffix  . : hsd3.co.comcast.net.
        Description . . . . . . . . . . . : MAC Bridge Miniport
        Physical Address. . . . . . . . . : 02-C0-9F-C9-B3-92
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DHCP Server . . . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 192.168.10.1
        Lease Obtained. . . . . . . . . . : Wednesday, March 22, 2006 7:36:48 AM
        Lease Expires . . . . . . . . . . : Thursday, March 23, 2006 7:36:48 AM

C:\WINDOWS\system32>netstat -rn

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x50002 ...02 c0 9f c9 b3 92 ...... MAC Bridge Miniport - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.101       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0   192.168.10.101  192.168.10.101       20
   192.168.10.101  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255   192.168.10.101  192.168.10.101       20
        224.0.0.0        240.0.0.0   192.168.10.101  192.168.10.101       20
  255.255.255.255  255.255.255.255   192.168.10.101  192.168.10.101       1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  None

C:\WINDOWS\system32>
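
Nopius's request above is about the client's routing table. As an added example that is not part of the thread, the Python below parses the "Active Routes" rows madabdul82 posted and performs the same longest-prefix lookup the Windows IP stack does, showing that a 10.250.150.x address matches only the default route via 192.168.10.1 (the client's own LAN gateway) and that no more specific route covers the remote LAN. The route rows are copied from the output above; everything else is constructed for this example.

```python
import ipaddress

# Constructed sample: the "Active Routes" rows from the netstat -rn output above
# (destination, netmask, gateway, interface, metric).
NETSTAT_ROUTES = """\
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.101       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0   192.168.10.101  192.168.10.101       20
   192.168.10.101  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255   192.168.10.101  192.168.10.101       20
        224.0.0.0        240.0.0.0   192.168.10.101  192.168.10.101       20
  255.255.255.255  255.255.255.255   192.168.10.101  192.168.10.101       1
"""


def parse_routes(text):
    """Turn netstat -rn 'Active Routes' rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers and blank lines
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; the lowest metric breaks ties, as the Windows stack does."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    net, gw, iface, metric = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"network": str(net), "gateway": gw, "interface": iface, "metric": metric}


def tunnel_route_present(routes, lan_net):
    """True if some route other than the default covers the remote LAN."""
    lan = ipaddress.IPv4Network(lan_net)
    return any(r[0].prefixlen > 0 and lan.subnet_of(r[0]) for r in routes)


if __name__ == "__main__":
    routes = parse_routes(NETSTAT_ROUTES)
    print(lookup(routes, "10.250.150.5"))  # only the default route via 192.168.10.1 matches
    print(tunnel_route_present(routes, "10.250.150.0/24"))  # False
```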
LVL 3

Expert Comment

by:m1crochip
ID: 16258832
Do the clients need to be assigned a subnet separate from the server?

Author Comment

by:madabdul82
ID: 16258979
We need the clients to be able to run a thin client application that accesses this particular Windows server. The thin client operates on TCP 1888.

If that can be accomplished with the clients being assigned a separate subnet or with the clients being assigned a 10.250.150 IP, I'm fine with either way. Which one would be best?

LVL 3

Expert Comment

by:m1crochip
ID: 16259215
I just know that VPNs have problems or don't work at all when the clients are on the same subnet as the local network. I don't have any experience with your software, though.

Author Comment

by:madabdul82
ID: 16259665
Changing the OpenVPN config file for the server from:

server-bridge 10.250.150.54 255.255.255.0 10.250.150.5 10.250.150.15

to:

server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

Yields the same limited connectivity. When I run Ethereal on the client, Ethereal still captures lots of broadcast traffic coming from the 10.250.250.0 LAN but the client still cannot ping anything on that LAN. Basically, it's the same problem regardless of what subnet the server uses to hand out IPs to clients.
LVL 3

Expert Comment

by:m1crochip
ID: 16260036
Is the first parameter of the server-bridge, "10.8.0.4", the IP assigned to the server? If so, is it possible to change the parameters to something like: server-bridge 10.250.150.54 255.255.255.0 10.250.151.50 10.250.151.100 ?
LVL 3

Expert Comment

by:m1crochip
ID: 16260088
I'm sorry - since you are using bridging instead of routing, the clients will be on the same subnet as the remote local network.

Author Comment

by:madabdul82
ID: 16260190
No problem, I appreciate you trying to help!
LVL 3

Expert Comment

by:m1crochip
ID: 16260487
The only other things I can think of are: the VPN IP range conflicts with your LAN DHCP pool; you must bridge the adapters on the clients as well as the server; the example configs I've seen have the same value for "verb" on the server and clients.

Author Comment

by:madabdul82
ID: 16260607
I do have the adapters on the client bridged and matching the verb config element does not help, unfortunately.

It really seems like there is just no route for 10.250.150.0 IP traffic coming from the client to hit the LAN and vice versa with IP traffic coming from the LAN to the client (with the exception of broadcast packets).

I don't know what to do about it though. I don't understand why the client won't use the VPN tunnel to look for members of the LAN and also why not even the server can ping the address it assigns to the client (10.250.150.5).
LVL 1

Accepted Solution

by: kalifi (earned 2000 total points)
ID: 16296659
Hi madabdul82,

The good news is that I've done this setup with OpenVPN, but on Linux.
I'm sure that there is no big difference.

OK let's start with the configuration of the server

### START server configuration ###
port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.250.150.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
### END server configuration ###

I've used "dev tun" and it works.
"server 10.8.0.0 255.255.255.0" - your VPN server and clients will be part of network - 10.8.0.0/24
"push "route 10.250.150.0 255.255.255.0"" - your subnet 10.250.150.0/24 will be visible to the VPN clients
"client-to-client" - the clients can see each other.
In this case the IP of the server would be the real IP of the machine.

Now the client:

### START client configuration ###
client
dev tun
proto udp
remote 66.66.66.66 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
comp-lzo
verb 3
### END client configuration ###

So with these two configuration files you would be able to ping from the connected client any PC in the 10.250.150.0/24 subnet.

Try this and tell me the result.

If your clients also have subnets and you want a PC in one subnet to ping/reach a PC in another subnet through the VPN, just tell me.

Hope that helps (and sorry about my bad English)!

Miro
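
The thread tries three different server-bridge pool definitions before settling on kalifi's routed "server" plus pushed route. As an added example that is not part of the thread, the Python below checks such server-side pool directives for the consistency rules the discussion circles around: in bridged mode the gateway must be the bridge's own address and the pool must lie inside the LAN subnet (m1crochip's point that bridged clients sit on the same subnet as the LAN), and in routed mode the tunnel subnet must not overlap the LAN and the LAN must be pushed as a route. The directive lines are taken from the thread; the LAN address 10.250.150.54/24 is the server's, as stated in the question; everything else is constructed for this example.

```python
import ipaddress

# Constructed samples (directive lines taken from the thread): the original bridge
# line, the 10.8.0.x retry, m1crochip's 10.250.151.x suggestion, and kalifi's routed setup.
CONFIGS = {
    "bridge-original": "server-bridge 10.250.150.54 255.255.255.0 10.250.150.5 10.250.150.15",
    "bridge-retry": "server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100",
    "bridge-suggested": "server-bridge 10.250.150.54 255.255.255.0 10.250.151.50 10.250.151.100",
    "routed-kalifi": 'server 10.8.0.0 255.255.255.0\npush "route 10.250.150.0 255.255.255.0"',
}
# The server's real LAN address and mask, as stated in the question.
LAN_IF = ipaddress.IPv4Interface("10.250.150.54/24")


def check_server_config(text, lan_if=LAN_IF):
    """Return the consistency problems found in the pool/route directives of an OpenVPN server config."""
    problems, tun_net, pushed = [], None, []
    for raw in text.splitlines():
        tokens = raw.split("#")[0].replace('"', "").split()  # drop comments and quotes
        if tokens[:1] == ["server-bridge"] and len(tokens) == 5:
            gw, mask, start, end = tokens[1:]
            net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
            if ipaddress.IPv4Address(gw) != lan_if.ip:
                problems.append(f"gateway {gw} is not the bridge's own address {lan_if.ip}")
            if net != lan_if.network:
                problems.append(f"bridge subnet {net} differs from the LAN {lan_if.network}")
            for addr in (start, end):
                if ipaddress.IPv4Address(addr) not in net:
                    problems.append(f"pool address {addr} is outside {net}; bridged clients must get a LAN address")
        elif tokens[:1] == ["server"] and len(tokens) == 3:
            tun_net = ipaddress.IPv4Network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif tokens[:2] == ["push", "route"] and len(tokens) == 4:
            pushed.append(ipaddress.IPv4Network(f"{tokens[2]}/{tokens[3]}", strict=False))
    if tun_net is not None:  # routed mode: separate tunnel subnet, LAN reached via a pushed route
        if tun_net.overlaps(lan_if.network):
            problems.append(f"tunnel subnet {tun_net} overlaps the LAN {lan_if.network}")
        if lan_if.network not in pushed:
            problems.append(f'routed mode needs push "route" for the LAN {lan_if.network}')
        for r in pushed:
            if r.overlaps(tun_net):
                problems.append(f"pushed route {r} overlaps the tunnel subnet {tun_net}")
    return problems


if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(name, "->", check_server_config(cfg) or ["ok"])
```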
