OpenVPN can't ping office computers from home

Frosty555
I'm trying to set up OpenVPN to have a VPN connection to my office network, and I'm running into some trouble. Hopefully somebody can help me.

I've configured a basic OpenVPN server on the office network by following tutorials. I can connect to it from home and I get an IP address. But once connected, I can't ping or access any of the office computers.

Here's the setup:

Office has linksys WRT54G wireless router, assigning IPs in the range 192.168.32.xxx
Office VPN Server:  192.168.32.200
Office VPN server is assigning IPs for clients in the range 192.168.10.xxx

Home network has linksys RV082 wired router, assigning IPs in the range of 192.168.64.xxx
Home IP addresses:    192.168.64.xxx
Home computer connects to vpn with address 192.168.10.2
SERVER.OVPN CONFIG FILE
========================================
 
local 192.168.32.200 # This is the IP address of the real network interface on the server connected to the router
port 1194 # This is the port OpenVPN is running on - make sure the router is port forwarding this port to the above IP
proto tcp   # udp didn't work for some reason. tcp worked.
mssfix 1400 # This setting fixes problems with apps like Remote Desktop
push "dhcp-option DNS 192.168.32.200"  # Replace the Xs with the IP address of the DNS for your home network (usually your ISP's DNS)
dev tap
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"  
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"  # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
 
server 192.168.10.0 255.255.255.0  # This assigns the virtual IP address and subnet to the server's OpenVPN connection.  Make sure the Routing Table entry matches this.
 
ifconfig-pool-persist ipp.txt
# push "redirect-gateway def1"  # This will force the clients to use the home network's internet connection
keepalive 10 120
cipher BF-CBC        # Blowfish (default) encryption
comp-lzo
max-clients 100 # Assign the maximum number of clients here
persist-key
persist-tun
status openvpn-status.log
verb 1 # This sets how detailed the log file will be.  0 causes problems and higher numbers can give you more detail for troubleshooting
 
 
CLIENT.OVPN CONFIG FILE
==========================================
client
dev tap
proto tcp
remote blahblah.dyndns.org 1194  # You will need to enter your dyndns account or static IP address here. The number following it is the port you set in the server's config
route 192.168.32.0 255.255.255.0 vpn_gateway 3  # This is the IP address scheme and subnet of the normal network your server is on.  Your router would usually be 192.168.1.1
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt" # Change the next two lines to match the files in the keys directory.  This should be different for each client.
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"  # This file should be kept secret
 
ns-cert-type server
cipher BF-CBC        # Blowfish (default) encryption
comp-lzo
verb 1

Commented:
I am not very familiar with OpenVPN, but the reasons for not being able to reach internal LAN hosts behind a VPN device are the following:

make sure the router is NAT-T (NAT traversal) enabled - UDP port 500 must be open to allow this
crypto access lists that specify interesting traffic - what hosts or networks are encrypted to traverse the IPSec tunnel
NAT-exempt lists specifying what traffic is exempt from NAT (the basic reason is that the ESP or AH header checksums in the IPSec packets have difficulty with NAT)
Also make sure the IP addresses assigned to the VPN clients have a route to the internal LAN - a static route statement will suffice

The theory is the same regardless of vpn implementation

Commented:
correction to above: UDP port 4500 for NAT-T

sorry
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Bignewf,
OpenVPN is an SSL VPN using 1194/udp as standard (here 1194/tcp). Nothing IPSec related is applicable.
Commented:
thanks for the tip, sorry
Commented:
check settings on p.28 of the Admin manual, section 4.2.3. See if either NAT or advanced routing is enabled

make sure the subnets behind the OpenVPN server are listed: 192.168.32.0 (subnet mask listed in CIDR, i.e. /24)

make sure the setting "should clients be allowed to access network services on the VPN gateway address" is checked yes
according to the manual, if advanced routing is selected, then the clients must have a static route configured on their PC -- as a test you might try the advanced routing option. Configure your user account to get a static IP from the VPN server, and add a static route to the internal LAN on your PC
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
I assume you can ping the OpenVPN server with its OpenVPN address (192.168.10.1).

Well, several issues arise.

First, you have used dev tap, which implies you use Bridging (vs. Routing). Bridging should use an IP subnetwork of the office network to make things easier. With Bridging all Ethernet traffic is transferred in both directions, including broadcasts and non-IP.

Usual configuration is using Routing. That needs the following changes:
  1. In both OpenVPN config files: dev tun
  2. Enabling of routing on OpenVPN server, e.g. by changing the registry (XP):
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter=DWord:1
    For Server machines, you can change the same with the Routing and Remote Access Management Console.
  3. In any case you need to run the Routing and Remote Access service to get the routing working.
  4. Since other LAN clients do not know how to answer to traffic from OpenVPN addresses, either each client needs a corresponding route defined; or, much better, the default gateway needs to know the route.
BTW, it is better to let the server push routes to the clients when connecting. That simplifies client config files. That is done by adding
push "route 192.168.32.0 255.255.255.0"
to the server config file.
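The fourth point is the one that usually explains "I get an address but can't ping anything": the echo request reaches the office PC, but the reply has nowhere to go. The following script is an added example (not part of this thread) that models the longest-prefix-match routing lookup every IP host performs, using the addresses from the question (LAN 192.168.32.0/24, router 192.168.32.1, OpenVPN server 192.168.32.200 with tunnel subnet 192.168.10.0/24, client 192.168.10.2). The office PC address 192.168.32.50 and the routing tables themselves are constructed for illustration.

```python
"""Reply-path check for a routed (dev tun) OpenVPN setup.

Added example, not from the thread. It models the longest-prefix-match
lookup every IP host performs, with the thread's addresses: office LAN
192.168.32.0/24 behind a router at 192.168.32.1, OpenVPN server at
192.168.32.200 owning the tunnel subnet 192.168.10.0/24, client 192.168.10.2.
The office PC address (192.168.32.50) and the routing tables are constructed.
"""
from ipaddress import ip_address, ip_network

OFFICE_LAN = ip_network("192.168.32.0/24")
VPN_NET = ip_network("192.168.10.0/24")
DEFAULT = ip_network("0.0.0.0/0")
ROUTER = "192.168.32.1"           # office default gateway (Linksys WRT54G)
VPN_SERVER = "192.168.32.200"     # OpenVPN server's LAN address
OFFICE_PC = "192.168.32.50"       # constructed LAN host
VPN_CLIENT = "192.168.10.2"       # home machine's tunnel address


def build_tables(gateway_route=False, host_route=False):
    """Routing tables keyed by device address: [(network, next hop)].
    'direct' means the device can deliver to that network itself; for the
    VPN server that assumes IP forwarding is enabled (IPEnableRouter / RRAS).
    The flags add the static route for 192.168.10.0/24 the answer asks for."""
    pc = [(OFFICE_LAN, "direct"), (DEFAULT, ROUTER)]
    router = [(OFFICE_LAN, "direct"), (DEFAULT, "isp-upstream")]
    server = [(OFFICE_LAN, "direct"), (VPN_NET, "direct"), (DEFAULT, ROUTER)]
    if gateway_route:
        router.append((VPN_NET, VPN_SERVER))   # one route on the default gateway
    if host_route:
        pc.append((VPN_NET, VPN_SERVER))       # or a route on every LAN host
    return {OFFICE_PC: pc, ROUTER: router, VPN_SERVER: server}


def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None if the table has no route."""
    dst = ip_address(dst)
    best = None
    for net, nexthop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]


def trace_reply(tables, src, dst):
    """Follow a reply packet from src towards dst hop by hop.
    Returns (hops visited, True if some hop can deliver directly to dst)."""
    hops, current = [src], src
    for _ in range(8):                       # loop guard
        nexthop = lookup(tables[current], dst)
        if nexthop is None:
            return hops, False
        if nexthop == "direct":
            return hops, True
        hops.append(nexthop)
        if nexthop not in tables:            # left the site: a private address dies at the ISP
            return hops, False
        current = nexthop
    return hops, False


if __name__ == "__main__":
    for label, tables in [("no extra route", build_tables()),
                          ("route on gateway", build_tables(gateway_route=True)),
                          ("route on host", build_tables(host_route=True))]:
        hops, ok = trace_reply(tables, OFFICE_PC, VPN_CLIENT)
        print(f"{label:17}: {' -> '.join(hops)}  {'delivered' if ok else 'LOST'}")
```

Without the extra route the reply follows the PC's default route to the Linksys, which only knows its own LAN and forwards the 192.168.10.2 packet upstream, where it is dropped. A single static route on the gateway (192.168.10.0/24 via 192.168.32.200) fixes every host at once; the per-host route works too but has to be maintained on each machine. In bridged (tap) mode with a pool inside 192.168.32.0/24 the problem does not arise, because the client then appears as a host on the LAN itself.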


Author

Commented:
Qlemo, yes I can ping the vpn server's ip address of 192.168.10.1. I can also remote desktop into my server via this IP address as well (hooray!)

Is routing and remote access *really* necessary to get this working? I have that service disabled on my server, it was causing problems. It's part of the reason I'm using OpenVPN instead of just normal PPTP.

I wasn't aware of the difference between TAP and TUN. I'm looking to have multiple clients connected to the one vpn server, each one being a user somewhere, probably using a laptop. So client configuration really has to be minimal (no static routes, port forwarding etc.).

If it'll work for me to use TAP (bridging) and use the subnet of my office, I'm happy to do that. I just don't know how. I have tried changing the IP range on the VPN server from 192.168.10.xxx to 192.168.32.xxx, but my VPN server comes in as 192.168.32.1, and right now that's my router :P. I'd need to make sure the IPs allocated by OpenVPN are outside those assigned by my DHCP server. Is this possible?
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
With bridging, you define an IP pool, not a network. Replace server ... by server-bridge, and do the NIC bridging (see http://www.openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html, and search for server-bridge). With that configuration, even DHCP is available.

RRAS does not necessarily mean PPTP - as long as you allow only for routing, no dial-out or dial-in adapter allocation for demand-dial interfaces is done.
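The two answers above boil down to a consistency rule: dev tap goes with server-bridge and a pool inside the office LAN, dev tun goes with a separate server subnet plus a pushed route (and forwarding on the server). The following checker is an added example, not code from this thread or from the OpenVPN project. It parses the directives discussed here (dev, server, server-bridge, push, proto, port/remote, cipher) and reports the mismatches; the sample configs are constructed from the question's files, and the "routed variant" is the tun setup Qlemo describes. The BF-CBC note reflects that Blowfish is a 64-bit-block cipher and OpenVPN has deprecated it.

```python
"""Consistency checks for an OpenVPN server/client pair: routed vs bridged.

Added example, not from the thread or the OpenVPN project. It parses the
directives the thread argues about and reports the mismatches described in
the answers. Sample configs are constructed from the question's settings.
"""
import shlex
from ipaddress import ip_network

OFFICE_LAN = "192.168.32.0/24"   # LAN behind the server, from the question


def parse_ovpn(text):
    """Return [(directive, [args])]; '#' comments dropped, surrounding quotes stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line, posix=False)   # non-POSIX keeps backslashes in paths
        args = [t[1:-1] if len(t) > 1 and t[0] == t[-1] and t[0] in "\"'" else t
                for t in tokens[1:]]
        entries.append((tokens[0], args))
    return entries


def first(entries, name, default=None):
    """Args of the first occurrence of a directive, or default."""
    return next((a for d, a in entries if d == name), default)


def check_configs(server_text, client_text, lan=OFFICE_LAN):
    """Return human-readable findings; an empty list means the pair is consistent."""
    lan = ip_network(lan)
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    sdev, cdev = first(srv, "dev", ["?"])[0], first(cli, "dev", ["?"])[0]
    if sdev != cdev:
        findings.append(f"dev mismatch: server '{sdev}' vs client '{cdev}'")
    pool = first(srv, "server")
    if sdev == "tap" and pool and not first(srv, "server-bridge"):
        findings.append(f"dev tap with 'server {pool[0]} {pool[1]}' hands out addresses "
                        f"outside {lan}; use server-bridge with a pool inside the LAN, "
                        "or switch to dev tun")
    if sdev == "tun":
        pushed = [a[0] for d, a in srv if d == "push" and a]
        want = f"route {lan.network_address} {lan.netmask}"
        if want not in pushed:
            findings.append(f'dev tun without push "{want}": clients will not route '
                            "LAN traffic into the tunnel")
        if pool and ip_network(f"{pool[0]}/{pool[1]}").overlaps(lan):
            findings.append("tun pool overlaps the LAN; routed mode needs a distinct subnet")
    sproto, cproto = first(srv, "proto", ["udp"])[0], first(cli, "proto", ["udp"])[0]
    if sproto != cproto:
        findings.append(f"proto mismatch: server {sproto}, client {cproto}")
    sport, remote = first(srv, "port", ["1194"])[0], first(cli, "remote", [])
    if len(remote) > 1 and remote[1] != sport:
        findings.append(f"port mismatch: server listens on {sport}, client connects to {remote[1]}")
    if first(srv, "cipher", ["?"])[0].upper().startswith("BF-"):
        findings.append("cipher BF-CBC uses a 64-bit block and is deprecated by OpenVPN; "
                        "prefer AES-256-GCM")
    return findings


# Constructed from the question's files (comments omitted, key lines kept).
THREAD_SERVER = r"""
local 192.168.32.200
port 1194
proto tcp
dev tap
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
server 192.168.10.0 255.255.255.0
push "dhcp-option DNS 192.168.32.200"
cipher BF-CBC
"""
THREAD_CLIENT = """
client
dev tap
proto tcp
remote blahblah.dyndns.org 1194
route 192.168.32.0 255.255.255.0 vpn_gateway 3
cipher BF-CBC
"""
# The routed variant from the answer: tun on both sides, a pushed LAN route,
# a modern cipher. IP forwarding on the server is still required.
ROUTED_SERVER = (THREAD_SERVER.replace("dev tap", "dev tun")
                 .replace("cipher BF-CBC", "cipher AES-256-GCM")
                 + 'push "route 192.168.32.0 255.255.255.0"\n')
ROUTED_CLIENT = "client\ndev tun\nproto tcp\nremote blahblah.dyndns.org 1194\ncipher AES-256-GCM\n"


def thread_findings():
    return check_configs(THREAD_SERVER, THREAD_CLIENT)


def routed_findings():
    return check_configs(ROUTED_SERVER, ROUTED_CLIENT)


if __name__ == "__main__":
    for f in thread_findings():
        print("-", f)
    print("routed variant:", routed_findings() or "no findings")
```

Run against the question's pair it reports the tap/server mismatch and the cipher; the routed variant comes back clean. The checker deliberately says nothing about the Windows side (IPEnableRouter, RRAS, firewall rules for ICMP), which the config files cannot show.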
Commented:
With Routing and Remote Access comes Windows Firewall. Windows Firewall prevents ICMP traffic (ping). I do believe Windows Firewall will be one of the issues when trying to ping clients.

Windows Firewall is enabled by default as long as RRAS is enabled.
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Windows Firewall is enabled by default - true. But it does not relate to RRAS, one runs without the other (at least with XP and W2003, haven't checked for Vista and above yet).

Author

Commented:
I couldn't get it working because RRAS doesn't work on my server, but indeed further research showed that this is the correct way to make it work. I guess I have to go reinstall now.
