OpenVPN configuration on a Windows 2003 server

Hi,

I have a Windows 2003 server on which I am trying to configure OpenVPN to run, and then to have all data from my client routed over the server.

The requirement is due to working in a number of countries which have ISP restrictions that block some of the sites and servers that I work on. Previously I have used the built-in Routing and Remote Access on Windows to set up a PPTP VPN and this worked fine, but I am now using a Mac laptop and the Mac OS seems to have issues staying connected to PPTP VPNs for more than a few minutes.

So now I am trying to use OpenVPN to accomplish the same thing but am having no luck. I have generated the ca.crt, the server certificate and client certificates. The TAP interfaces are present in the list of network connections.

I have disabled the previously configured VPN using the Remote Access and Routing.

I have enabled IP routing in the Windows Registry by setting the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter = dword:00000001

Here is the server .ovpn file:
(substituted some of the IP addresses with w.x.y.z)
##############################
port 1194
proto udp
dev tap
tls-server
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh dh1024.pem
mode server
ifconfig 10.22.8.1 255.255.255.0
ifconfig-pool 10.22.8.10 10.22.8.15 255.255.255.0
push "route-gateway 10.22.8.1"
push "dhcp-option DNS w.x.y.z"
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3
##############################

Here is the client .ovpn file:
(substituted some of the IP addresses with w.x.y.z)
##############################
remote w.x.y.z
proto udp
client
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\Tony.crt"
key "C:\\Program Files\\OpenVPN\\config\\Tony.key"
ns-cert-type server
cipher BF-CBC  
tun-mtu 1500
fragment 1300
mssfix 1450
route-method exe
route-delay 2
##############################


Can anyone suggest some configurations that would work? As I mentioned, it needs to be able to route all HTTP, FTP, Skype, and RDP traffic across it.

Many thanks!!
Tony
m_adamczykCommented:
Looks like you have some specialized settings and a couple of mis-configs. Start off with basic settings and then work your way into tighter security. The sample server.ovpn and client.ovpn files installed with OpenVPN are good starting points.

OpenVPN servers and clients should have similar settings - they work like a handshake, so you need to have certain elements the same or complementary to each other.

A few immediately apparent glitches:
"tls-server" is specified in the server config but no "tls-client" in client config.
"comp-lzo" specifies LZO compression in the server config, but no "comp-lzo" exists in client config to match it.
Under "push "dhcp-option DNS w.x.y.z"" I think you need the INTERNAL address of the DNS server instead of the public w.x.y.z address - not 100% though.

"cipher BF-CBC" exists in client config but not in server config
If you're using "ns-cert-type server" are you CERTAIN you used the BUILD-KEY-SERVER command when creating the server cert?

Why are you using MTU control options in your client config? (line starting tun-mtu 1500 and following)

Using your configs, try these modifications:
##############################
port 1194
proto udp
dev tap
;tls-server  #no need just yet
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh dh1024.pem
mode server
ifconfig 10.22.8.1 255.255.255.0
ifconfig-pool 10.22.8.10 10.22.8.15 255.255.255.0
push "route-gateway 10.22.8.1"
push "dhcp-option DNS w.x.y.z" #Use DNS servers internal IP instead of w.x.y.z
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
;status openvpn-status.log
verb 3
##############################

Here is the client .ovpn file:
(substituted some of the IP addresses with w.x.y.z)
##############################
remote w.x.y.z
proto udp
client
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\Tony.crt"
key "C:\\Program Files\\OpenVPN\\config\\Tony.key"
;ns-cert-type server  #Disable for now
;cipher BF-CBC  #disable for now
# Is there a reason
### Implement settings below later
;tun-mtu 1500
;fragment 1300
;mssfix 1450
;route-method exe
;route-delay 2
##############################

Now, when starting OpenVPN, do NOT run them as a daemon; try to run them from a command prompt so you can see the output immediately instead of digging through log files. Start at the server:
openvpn --config server.ovpn
See if it returns any errors. If it executes fine and just waits for a connection (no cursor), initiate OpenVPN on the client
openvpn --config client.ovpn
It should try to connect and give you some messages along the way. If a message "CONNECTION RESET BY PEER" comes up, there's something mismatched between the client and server config files.

Once you have a connection established, you can reintroduce some of your settings and retry the connection.

Good luck and report back to take the next step.
m_adamczykCommented:
Oops. Use
;comp-lzo
in server.ovpn instead of
comp-lzo

We want to disable compression until you're initially running.
tonygoodchildAuthor Commented:

Hi,
Thanks for the information so far. I copied and pasted your server configuration from above and restarted it as you described, and I got the following error:

Options error: --mode server requires --tls-server

BTW, the version I am using is 2.0.9.
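As an added example (not code from the thread or from the OpenVPN project): a small Python script that reads a server and a client .ovpn and reports the handshake mismatches m_adamczyk lists above (tls-server without a TLS client side, comp-lzo on one side only, differing proto/dev/cipher), plus the "--mode server requires --tls-server" rule behind the Options error Tony reports. The two config texts are constructed, trimmed copies of the ones posted earlier. It treats lines beginning with ";" or "#" as disabled, which is how the ";tls-server" and ";comp-lzo" edits above work, accepts "client" as shorthand for "tls-client" plus "pull", and assumes BF-CBC as the effective cipher when no "cipher" line is present, which was the OpenVPN 2.0-era default.

```python
"""Consistency check for an OpenVPN server/client .ovpn pair (added example)."""
import re

# Constructed sample inputs, trimmed to the lines the check cares about.
SERVER_OVPN = """\
port 1194
proto udp
dev tap
;tls-server  #no need just yet
mode server
comp-lzo
push "redirect-gateway def1"
"""

CLIENT_OVPN = """\
remote w.x.y.z
proto udp
client
dev tap
ns-cert-type server
cipher BF-CBC
"""

DEFAULT_CIPHER = "BF-CBC"  # assumed: OpenVPN 2.0.x default when 'cipher' is absent


def parse_ovpn(text):
    """Return {option: [[args...], ...]} for the active lines of a config.

    Lines starting with '#' or ';' are comments, so ';tls-server' counts as
    disabled. A trailing ' #...' comment is dropped; quoted arguments such as
    push "redirect-gateway def1" are kept as one token. (A '#' inside a quoted
    argument is not handled, which is fine for the options checked here.)
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = re.split(r"\s+#", line, maxsplit=1)[0]
        tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', line)]
        if not tokens:
            continue
        opts.setdefault(tokens[0], []).append(tokens[1:])
    return opts


def first_arg(opts, name, default=None):
    """First argument of the first occurrence of an option, or default."""
    args = opts.get(name, [[]])[0]
    return args[0] if args else default


def check_pair(server_text, client_text):
    """Return a list of (rule, message) findings for a server/client pair."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []

    # The Options error from the thread: --mode server requires --tls-server
    if first_arg(s, "mode") == "server" and "tls-server" not in s:
        findings.append(("mode-server", "server: 'mode server' requires 'tls-server'"))

    # 'client' on the client side is shorthand for 'tls-client' plus 'pull'
    client_tls = "client" in c or "tls-client" in c
    if "tls-server" in s and not client_tls:
        findings.append(("tls-pair", "server has tls-server but client has neither 'client' nor 'tls-client'"))
    if client_tls and "tls-server" not in s:
        findings.append(("tls-pair", "client expects TLS but server has no 'tls-server'"))

    # Options that must be present on both sides or on neither
    for opt in ("comp-lzo",):
        if (opt in s) != (opt in c):
            side = "server" if opt in s else "client"
            findings.append((opt, f"'{opt}' is set on the {side} only"))

    # Values that must agree: transport protocol and tun/tap device type
    if first_arg(s, "proto") != first_arg(c, "proto"):
        findings.append(("proto", f"'proto' differs: server={first_arg(s, 'proto')} client={first_arg(c, 'proto')}"))
    s_dev, c_dev = first_arg(s, "dev", ""), first_arg(c, "dev", "")
    if s_dev[:3] != c_dev[:3]:
        findings.append(("dev", f"'dev' type differs: server={s_dev} client={c_dev}"))

    # Effective data-channel cipher, falling back to the assumed default
    s_cipher = first_arg(s, "cipher", DEFAULT_CIPHER)
    c_cipher = first_arg(c, "cipher", DEFAULT_CIPHER)
    if s_cipher != c_cipher:
        findings.append(("cipher", f"'cipher' differs: server={s_cipher} client={c_cipher}"))

    return findings


if __name__ == "__main__":
    for rule, msg in check_pair(SERVER_OVPN, CLIENT_OVPN):
        print(f"[{rule}] {msg}")
```

Run against the sample pair it reports the mode-server, tls-pair and comp-lzo problems and nothing for proto, dev or cipher; uncommenting tls-server and commenting out comp-lzo on the server side, as the two replies above suggest, produces an empty list. The BF-CBC fallback is only appropriate for the 2.0.9 build named in the thread; current OpenVPN releases no longer use it as a default.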
tonygoodchildAuthor Commented:
Hi,
I just added the tls-server line and it seems to run fine now. To test it I've just sat and watched the BBC iPlayer (restricted to the UK) from a hotel room in Tokyo for a half hour :-)

Many thanks!!!
tonygoodchildAuthor Commented:
Thanks a lot :-)
m_adamczykCommented:
Alright! Congrats!

If you want to tighten up your setup in the future, consider buying the eBook listed at OpenVPN.net. It goes into more detail about each option available in OpenVPN. There's still a little more info I wish it would have, but I can usually find an explanation somewhere in the forums or elsewhere online.

Again, congrats on the success!