Solved

OpenVPN configuration on a Windows 2003 server

Posted on 2008-10-20
Last Modified: 2010-04-21
Hi,

I have a Windows 2003 server which I am trying to configure OpenVPN to run on, and then to have all data from my client routed over the server.

The requirement is due to working in a number of countries which have ISP restrictions that block some of the sites and servers that I work on. Previously I have used the built-in Remote Access and Routing on Windows to set up a PPTP VPN and this worked fine, but I am now using a Mac laptop and the Mac OS seems to have issues staying connected to PPTP VPNs for more than a few minutes.

So now I am trying to use OpenVPN to accomplish the same thing but am having no luck. I have generated the ca.crt, the server certificate and the client certificates. The TAP interfaces are present in the list of network connections.

I have disabled the previously configured VPN using the Remote Access and Routing.

I have enabled IP routing in the Windows Registry by setting the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter = dword:00000001

Here is the server .ovpn file:
(substituted some of the ip address with w.x.y.z)
##############################
port 1194
proto udp
dev tap
tls-server
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh dh1024.pem
mode server
ifconfig 10.22.8.1 255.255.255.0
ifconfig-pool 10.22.8.10 10.22.8.15 255.255.255.0
push "route-gateway 10.22.8.1"
push "dhcp-option DNS w.x.y.z"
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3
##############################

Here is the client .ovpn file:
(substituted some of the ip address with w.x.y.z)
##############################
remote w.x.y.z
proto udp
client
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\Tony.crt"
key "C:\\Program Files\\OpenVPN\\config\\Tony.key"
ns-cert-type server
cipher BF-CBC  
tun-mtu 1500
fragment 1300
mssfix 1450
route-method exe
route-delay 2
##############################


Can anyone suggest some configurations that would work? As I mentioned it needs to be able to route all http, ftp, skype, and RDP across it.

Many thanks!!
Tony
Question by: tonygoodchild

6 Comments

Accepted Solution by: m_adamczyk (earned 500 total points)
ID: 22808417
Looks like you have some specialized settings and a couple mis-configs. Start off with basic settings and then work your way into tighter security. The sample server.ovpn and client.ovpn files installed with OpenVPN are good starting points.

Settings for OpenVPN servers and clients should be similar - they work like a handshake, so certain elements need to be the same or complementary to each other.

A few immediately apparent glitches:
"tls-server" is specified in the server config but no "tls-client" in client config.
"comp-lzo" specifies LZO compression in the server config, but no "comp-lzo" exists in client config to match it.
Under "push "dhcp-option DNS w.x.y.z"" I think you need the INTERNAL address of the DNS server instead of the public w.x.y.z address - not 100% though.

"cipher BF-CBC" exists in client config but not in server config
If you're using "ns-cert-type server" are you CERTAIN you used the BUILD-KEY-SERVER command when creating the server cert?

Why are you using MTU control options in your client config? (line starting tun-mtu 1500 and following)

Using your configs, try these modifications:
##############################
port 1194
proto udp
dev tap
;tls-server  #no need just yet
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh dh1024.pem
mode server
ifconfig 10.22.8.1 255.255.255.0
ifconfig-pool 10.22.8.10 10.22.8.15 255.255.255.0
push "route-gateway 10.22.8.1"
push "dhcp-option DNS w.x.y.z" #Use DNS servers internal IP instead of w.x.y.z
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
;status openvpn-status.log
verb 3
##############################

Here is the client .ovpn file:
(substituted some of the ip address with w.x.y.z)
##############################
remote w.x.y.z
proto udp
client
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\Tony.crt"
key "C:\\Program Files\\OpenVPN\\config\\Tony.key"
;ns-cert-type server  #Disable for now
;cipher BF-CBC  #disable for now
# Is there a reason
### Implement settings below later
;tun-mtu 1500
;fragment 1300
;mssfix 1450
;route-method exe
;route-delay 2
##############################

Now, when starting OpenVPN, do NOT run them as a daemon; try to run them from a command prompt so you can see the output immediately instead of digging through log files. Start at the server:
openvpn --config server.ovpn
See if it returns any errors. If it executes fine and just waits for a connection (no cursor), initiate OpenVPN on the client
openvpn --config client.ovpn
It should try to connect and give you some messages along the way. If a message "CONNECTION RESET BY PEER" comes up, there's something mismatched between the client and server config files.

Once you have a connection established, you can reintroduce some of your settings and retry the connection.

Good luck and report back to take the next step.
Expert Comment by: m_adamczyk
ID: 22808430
Oops. Use
;comp-lzo
in server.ovpn instead of
comp-lzo

We want to disable compression until you're initially running.
Author Comment by: tonygoodchild
ID: 22809701
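The accepted answer's point is that the two .ovpn files have to agree on a handful of options (TLS role, compression, transport, device type, cipher) or the handshake fails in ways that only show up as "connection reset by peer" in the log. The script below is an added example, not part of the original answer or of OpenVPN itself: it parses a server and a client config the way OpenVPN reads them (leading `#`/`;` lines and trailing comments ignored, quoted arguments kept whole) and reports the mismatches discussed in this thread, including the "--mode server requires --tls-server" error the author hit with the first retry. It treats the `client` directive as satisfying the tls-client requirement, because in OpenVPN `client` expands to `tls-client` plus `pull`. The embedded configs are constructed, trimmed copies of the pairs posted above.

```python
"""Cross-check an OpenVPN server .ovpn against a client .ovpn for the
handshake-level mismatches discussed in the thread (added example, not part
of the original post)."""
import re

# Options without arguments that must be present on both sides or neither.
PAIRED_FLAGS = ("comp-lzo",)
# Options whose first argument must agree on both sides.
PAIRED_VALUES = ("proto", "dev", "cipher")


def _strip_comment(line):
    """Drop a trailing # or ; comment that sits outside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch in "#;" and not in_quote:
            return line[:i]
    return line


def parse_ovpn(text):
    """Return {option: [args of each occurrence]} for the active lines.
    A line whose first non-blank character is # or ; is a comment."""
    opts = {}
    for raw in text.splitlines():
        line = _strip_comment(raw.strip())
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tokens:
            opts.setdefault(tokens[0], []).append(tokens[1:])
    return opts


def _first(opts, key):
    """First argument of the first occurrence of key, or None."""
    args = opts.get(key, [[]])[0]
    return args[0] if args else None


def check_pair(server_text, client_text):
    """Return (severity, message) findings; an empty list means consistent."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    out = []
    # The error the author hit: 'mode server' needs an explicit TLS role
    # unless the 'server' helper directive (which implies tls-server) is used.
    if _first(s, "mode") == "server" and "tls-server" not in s and "server" not in s:
        out.append(("error", "server: --mode server requires --tls-server"))
    # 'client' expands to tls-client + pull, so either spelling is fine here.
    if "client" not in c and "tls-client" not in c:
        out.append(("error", "client: needs 'client' or 'tls-client'"))
    if "remote" not in c:
        out.append(("error", "client: no 'remote <server>' line"))
    # OpenVPN 2.0 does not negotiate LZO on the wire: both sides or neither.
    for flag in PAIRED_FLAGS:
        if (flag in s) != (flag in c):
            out.append(("error", f"'{flag}' set on one side only"))
    # Transport, device type and cipher must be the same on both ends.
    for key in PAIRED_VALUES:
        sv, cv = _first(s, key), _first(c, key)
        if key == "dev":  # 'tap0' and 'tap' are the same device type
            sv, cv = (re.sub(r"\d+$", "", v) if v else v for v in (sv, cv))
        if sv and cv and sv != cv:
            out.append(("error", f"'{key}' differs: server {sv} vs client {cv}"))
        elif bool(sv) != bool(cv):
            out.append(("warn", f"'{key}' set on one side only; other side uses its built-in default"))
    # ns-cert-type only passes if the server cert carries nsCertType=server.
    if "ns-cert-type" in c:
        out.append(("info", "client: 'ns-cert-type server' needs a server cert made with build-key-server"))
    return out


# Constructed sample inputs: trimmed copies of the configs posted above.
ORIGINAL_SERVER = "port 1194\nproto udp\ndev tap\ntls-server\nmode server\ncomp-lzo\n"
ORIGINAL_CLIENT = "remote w.x.y.z\nproto udp\nclient\ndev tap\nns-cert-type server\ncipher BF-CBC\n"
# The accepted answer's first retry: tls-server, comp-lzo, cipher and ns-cert-type commented out.
RETRY_SERVER = (ORIGINAL_SERVER.replace("tls-server", ";tls-server  #no need just yet")
                .replace("comp-lzo", ";comp-lzo"))
RETRY_CLIENT = (ORIGINAL_CLIENT.replace("ns-cert-type", ";ns-cert-type")
                .replace("cipher", ";cipher"))
# The author's fix: put tls-server back.
FIXED_SERVER = RETRY_SERVER.replace(";tls-server", "tls-server")

if __name__ == "__main__":
    for name, pair in (("original", (ORIGINAL_SERVER, ORIGINAL_CLIENT)),
                       ("first retry", (RETRY_SERVER, RETRY_CLIENT)),
                       ("fixed", (FIXED_SERVER, RETRY_CLIENT))):
        print(name, check_pair(*pair) or "OK")
```

Run it against your real files with `check_pair(open("server.ovpn").read(), open("client.ovpn").read())` before starting `openvpn --config` from the command prompt; the "error" findings are the ones that produce an immediate options error or a handshake that never completes, the "warn" and "info" ones are things to verify by hand (the cert's nsCertType can be checked with `openssl x509 -in server.crt -noout -text`).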

Hi,
thanks for the information so far, I copied and pasted your server configuration from above and restarted it as you described and I got the following error:

Options error: --mode server requires --tls-server

btw the version I am using is 2.0.9
Author Comment by: tonygoodchild
ID: 22813371
Hi,
I just added the tls-server line and it seems to run fine now. To test it I've just sat and watched the BBC iPlayer (restricted to the UK) from a hotel room in Tokyo for a half hour :-)

Many thanks!!!
Author Closing Comment by: tonygoodchild
ID: 31507748
Thanks a lot :-)
Expert Comment by: m_adamczyk
ID: 22947510
Alright! Congrats!

If you want to tighten up your setup in the future, consider buying the eBook listed at OpenVPN.net. It goes into more detail about each option available in OpenVPN. There's still a little more info I wish it would have, but I can usually find an explanation somewhere in the forums or elsewhere online.

Again, congrats on the success!