Solved

OpenVPN configuration on a Windows 2003 server

Posted on 2008-10-20
Last Modified: 2010-04-21
Hi,

I have a Windows 2003 server which I am trying to configure OpenVPN to run on, and then to have all data from my client routed over the server.

The requirement is due to working in a number of countries which have ISP restrictions that block some of the sites and servers that I work on. Previously I have used the built-in Routing and Remote Access on Windows to set up a PPTP VPN, and this worked fine, but I am now using a Mac laptop and Mac OS seems to have issues staying connected to PPTP VPNs for more than a few minutes.

So now I am trying to use OpenVPN to accomplish the same thing, but am having no luck. I have generated the ca.crt, the server certificate and the client certificates. The TAP interfaces are present in the list of network connections.

I have disabled the previously configured VPN using the Remote Access and Routing.

I have enabled IP routing in the Windows Registry by setting the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter = dword:00000001

Here is the server .ovpn file:
(substituted some of the IP addresses with w.x.y.z)
##############################
port 1194
proto udp
dev tap
tls-server
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh dh1024.pem
mode server
ifconfig 10.22.8.1 255.255.255.0
ifconfig-pool 10.22.8.10 10.22.8.15 255.255.255.0
push "route-gateway 10.22.8.1"
push "dhcp-option DNS w.x.y.z"
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3
##############################

Here is the client .ovpn file:
(substituted some of the IP addresses with w.x.y.z)
##############################
remote w.x.y.z
proto udp
client
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\Tony.crt"
key "C:\\Program Files\\OpenVPN\\config\\Tony.key"
ns-cert-type server
cipher BF-CBC
tun-mtu 1500
fragment 1300
mssfix 1450
route-method exe
route-delay 2
##############################


Can anyone suggest some configurations that would work? As I mentioned it needs to be able to route all http, ftp, skype, and RDP across it.

Many thanks!!
Tony
Question by:tonygoodchild

6 Comments

Accepted Solution

by:
m_adamczyk earned 500 total points
ID: 22808417
Looks like you have some specialized settings and a couple of misconfigurations. Start off with basic settings and then work your way into tighter security. The sample server.ovpn and client.ovpn files installed with OpenVPN are good starting points.

OpenVPN servers and clients should have similar settings - they work like a handshake, so you need to have certain elements the same or complementary to each other.

A few immediately apparent glitches:
"tls-server" is specified in the server config but no "tls-client" in client config.
"comp-lzo" specifies LZO compression in the server config, but no "comp-lzo" exists in client config to match it.
Under "push "dhcp-option DNS w.x.y.z"" I think you need the INTERNAL address of the DNS server instead of the public w.x.y.z address - not 100% though.

"cipher BF-CBC" exists in client config but not in server config
If you're using "ns-cert-type server" are you CERTAIN you used the BUILD-KEY-SERVER command when creating the server cert?

Why are you using MTU control options in your client config? (line starting tun-mtu 1500 and following)

Using your configs, try these modifications:
##############################
port 1194
proto udp
dev tap
;tls-server  #no need just yet
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh dh1024.pem
mode server
ifconfig 10.22.8.1 255.255.255.0
ifconfig-pool 10.22.8.10 10.22.8.15 255.255.255.0
push "route-gateway 10.22.8.1"
push "dhcp-option DNS w.x.y.z" #Use DNS servers internal IP instead of w.x.y.z
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
;status openvpn-status.log
verb 3
##############################

Here is the client .ovpn file:
(substituted some of the IP addresses with w.x.y.z)
##############################
remote w.x.y.z
proto udp
client
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\Tony.crt"
key "C:\\Program Files\\OpenVPN\\config\\Tony.key"
;ns-cert-type server  #Disable for now
;cipher BF-CBC  #disable for now
# Is there a reason
### Implement settings below later
;tun-mtu 1500
;fragment 1300
;mssfix 1450
;route-method exe
;route-delay 2
##############################

Now, when starting OpenVPN, do NOT run them as a daemon; try to run them from a command prompt so you can see the output immediately instead of digging through log files. Start at the server:
openvpn --config server.ovpn
See if it returns any errors. If it executes fine and just waits for a connection (no cursor), initiate OpenVPN on the client
openvpn --config client.ovpn
It should try to connect and give you some messages along the way. If a message "CONNECTION RESET BY PEER" comes up, there's something mismatched between the client and server config files.

Once you have a connection established, you can reintroduce some of your settings and retry the connection.

Good luck and report back to take the next step.
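An added check, not from this thread or from OpenVPN itself: a small Python linter that reads a server and a client .ovpn side by side and reports the mismatches the answer above lists (tls-server without tls-client/client, comp-lzo on one side only, differing cipher, and mode server without tls-server, which is the error the asker hit on 2.0.9). The two configs are constructed samples modelled on the ones in this thread.

```python
import shlex

# Constructed sample configs, modelled on the .ovpn files in this thread
# (addresses substituted with w.x.y.z, as in the original post).
SERVER_CFG = """port 1194
proto udp
dev tap
mode server
comp-lzo
ca "C:\\\\Program Files\\\\OpenVPN\\\\config\\\\ca.crt"
"""
CLIENT_CFG = """remote w.x.y.z
proto udp
client
dev tap
cipher BF-CBC
ns-cert-type server
"""

def parse_ovpn(text):
    """Map each active option to its argument list; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        lx = shlex.shlex(raw, posix=True)   # handles the quoted Windows paths
        lx.whitespace_split, lx.commenters = True, "#;"
        parts = list(lx)
        if parts:
            opts[parts[0]] = parts[1:]
    return opts

def check_pair(server_text, client_text):
    """Return a list of client/server mismatches found in the two configs."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    if srv.get("mode") == ["server"] and "tls-server" not in srv:
        findings.append("server: --mode server requires --tls-server")
    if "tls-server" in srv and not any(k in cli for k in ("tls-client", "client")):
        findings.append("client: needs tls-client (or client) to match tls-server")
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):
        findings.append("comp-lzo: set on one side only; compression must match")
    for opt in ("proto", "dev"):
        if srv.get(opt) != cli.get(opt):
            findings.append(f"{opt}: server {srv.get(opt)} vs client {cli.get(opt)}")
    # OpenVPN 2.0.x falls back to BF-CBC when --cipher is not given
    if srv.get("cipher", ["BF-CBC"]) != cli.get("cipher", ["BF-CBC"]):
        findings.append("cipher: server and client use different ciphers")
    if cli.get("ns-cert-type") == ["server"]:
        findings.append("ns-cert-type server: server cert needs nsCertType=server (build-key-server)")
    return findings

if __name__ == "__main__":
    for finding in check_pair(SERVER_CFG, CLIENT_CFG):
        print(finding)
```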

Expert Comment

by:m_adamczyk
ID: 22808430
Oops. Use
;comp-lzo
in server.ovpn instead of
comp-lzo

We want to disable compression until you're initially running.

Author Comment

by:tonygoodchild
ID: 22809701

Hi,
Thanks for the information so far. I copied and pasted your server configuration from above and restarted it as you described, and I got the following error:

Options error: --mode server requires --tls-server

By the way, the version I am using is 2.0.9.

Author Comment

by:tonygoodchild
ID: 22813371
Hi,
I just added the tls-server line and it seems to run fine now. To test it I've just sat and watched the BBC iPlayer (restricted to the UK) from a hotel room in Tokyo for a half hour :-)

Many thanks!!!

Author Closing Comment

by:tonygoodchild
ID: 31507748
Thanks a lot :-)

Expert Comment

by:m_adamczyk
ID: 22947510
Alright! Congrats!

If you want to tighten up your setup in the future, consider buying the eBook listed at OpenVPN.net. It goes into more detail about each option available in OpenVPN. There's still a little more info I wish it would have, but I can usually find an explanation somewhere in the forums or elsewhere online.

Again, congrats on the success!
