roman07 asked:
OpenVPN Windows 2003 Configuration

I have 1 dedicated server located in the UK with a static IP running windows server 2003. I have installed OpenVPN onto this machine with the following server.ovpn:

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key


On my client machine (windows xp) I have also installed OpenVPN and set the client.ovpn as follows:

remote aaa.bbb.ccc.ddd
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key

On the server I select CONNECT from the tray icon for OpenVPN... and it connects, but the TAP-32 adapter is in a constant state of "Acquiring a network address".
On the client I select CONNECT as above, and it all connects and I get an IP of 10.8.0.2.

When I open internet explorer/firefox on the client machine I am not getting the VPN ip... I am getting my local ISP ip...  

Why is the TAP adapter on the server not getting an IP? And is this the reason my client is not getting the right IP? Where have I gone wrong?
dan_blagut:

Hello

Here you have a good tutorial for OpenVPN. Try to look in there:
http://www.runpcrun.com/howtoopenvpn

Dan
roman07 (Asker):

I just followed this tutorial... and when I finally connect the client side and the server I get the following info in the status:
CLIENT Side Status:
Sun Oct 25 16:42:01 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Sun Oct 25 16:42:01 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Oct 25 16:42:01 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Oct 25 16:42:01 2009 LZO compression initialized
Sun Oct 25 16:42:01 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Oct 25 16:42:01 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Oct 25 16:42:01 2009 Local Options hash (VER=V4): '41690919'
Sun Oct 25 16:42:01 2009 Expected Remote Options hash (VER=V4): '530fdded'
Sun Oct 25 16:42:01 2009 UDPv4 link local: [undef]
Sun Oct 25 16:42:01 2009 UDPv4 link remote: x.y.197.208:1194
Sun Oct 25 16:42:02 2009 TLS: Initial packet from x.y.197.208:1194, sid=d9b48c9c 39a6eab1
Sun Oct 25 16:42:04 2009 VERIFY OK: depth=1,    /C=UK/ST=GB/L=London/O=Headoffice/OU=Office/CN=Administrator/emailAddress=its.me@mydomain.com
Sun Oct 25 16:42:04 2009 VERIFY OK: depth=0, /C=UK/ST=GB/O=Headoffice/OU=Office/CN=designtalent.co.uk/emailAddress=its.me@mydomain.com
Sun Oct 25 16:42:09 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 25 16:42:09 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 25 16:42:09 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 25 16:42:09 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 25 16:42:09 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Oct 25 16:42:09 2009 [designtalent.co.uk] Peer Connection Initiated with x.y.197.208:1194
Sun Oct 25 16:42:10 2009 SENT CONTROL [designtalent.co.uk]: 'PUSH_REQUEST' (status=1)
Sun Oct 25 16:42:11 2009 PUSH: Received control message: 'PUSH_REPLY,route x.y.197.208 255.255.255.0,dhcp-option WINS x.y.197.208,dhcp-option DNS x.y.197.208,dhcp-option DOMAIN designtalent.co.uk,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sun Oct 25 16:42:11 2009 OPTIONS IMPORT: timers and/or timeouts modified
Sun Oct 25 16:42:11 2009 OPTIONS IMPORT: --ifconfig/up options modified
Sun Oct 25 16:42:11 2009 OPTIONS IMPORT: route options modified
Sun Oct 25 16:42:11 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Oct 25 16:42:11 2009 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{81DCD665-C6C0-4532-9CF9-46ABD9B5E5C6}.tap
Sun Oct 25 16:42:11 2009 TAP-Win32 Driver Version 8.4
Sun Oct 25 16:42:11 2009 TAP-Win32 MTU=1500
Sun Oct 25 16:42:11 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {81DCD665-C6C0-4532-9CF9-46ABD9B5E5C6} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sun Oct 25 16:42:11 2009 Successful ARP Flush on interface [131076] {81DCD665-C6C0-4532-9CF9-46ABD9B5E5C6}
Sun Oct 25 16:42:11 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Oct 25 16:42:11 2009 Route: Waiting for TUN/TAP interface to come up...
Sun Oct 25 16:42:12 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Oct 25 16:42:12 2009 Route: Waiting for TUN/TAP interface to come up...
Sun Oct 25 16:42:13 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Oct 25 16:42:13 2009 Route: Waiting for TUN/TAP interface to come up...
Sun Oct 25 16:42:14 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sun Oct 25 16:42:14 2009 route ADD x.y.197.208 MASK 255.255.255.0 10.8.0.5
Sun Oct 25 16:42:14 2009 Warning: address x.y.197.208 is not a network address in relation to netmask 255.255.255.0
Sun Oct 25 16:42:14 2009 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [if_index=131076]
Sun Oct 25 16:42:14 2009 Route addition via IPAPI failed
Sun Oct 25 16:42:14 2009 route ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sun Oct 25 16:42:14 2009 Route addition via IPAPI succeeded
Sun Oct 25 16:42:14 2009 Initialization Sequence Completed

SERVER Side Status:
Sun Oct 25 08:41:45 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Sun Oct 25 08:41:45 2009 Diffie-Hellman initialized with 1024 bit key
Sun Oct 25 08:41:45 2009 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Oct 25 08:41:45 2009 TAP-WIN32 device [OpenVPN 1] opened: \\.\Global\{8EB630DC-A374-476C-8BAD-8AE74D8E7C89}.tap
Sun Oct 25 08:41:45 2009 TAP-Win32 Driver Version 8.4
Sun Oct 25 08:41:45 2009 TAP-Win32 MTU=1500
Sun Oct 25 08:41:45 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {8EB630DC-A374-476C-8BAD-8AE74D8E7C89} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Sun Oct 25 08:41:45 2009 Sleeping for 10 seconds...
Sun Oct 25 08:41:55 2009 Successful ARP Flush on interface [393218] {8EB630DC-A374-476C-8BAD-8AE74D8E7C89}
Sun Oct 25 08:41:55 2009 route ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Sun Oct 25 08:41:55 2009 Warning: route gateway is not reachable on any active network adapters: 10.8.0.2
Sun Oct 25 08:41:55 2009 Route addition via IPAPI failed
Sun Oct 25 08:41:55 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Oct 25 08:41:55 2009 UDPv4 link local (bound): [undef]:1194
Sun Oct 25 08:41:55 2009 UDPv4 link remote: [undef]
Sun Oct 25 08:41:55 2009 MULTI: multi_init called, r=256 v=256
Sun Oct 25 08:41:55 2009 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Oct 25 08:41:55 2009 IFCONFIG POOL LIST
Sun Oct 25 08:41:55 2009 fred,10.8.0.4
Sun Oct 25 08:41:55 2009 Initialization Sequence Completed
Sun Oct 25 08:42:33 2009 MULTI: multi_create_instance called
Sun Oct 25 08:42:33 2009 a.b.74.113:2288 Re-using SSL/TLS context
Sun Oct 25 08:42:33 2009 a.b.74.113:2288 LZO compression initialized
Sun Oct 25 08:42:33 2009 a.b.74.113:2288 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Oct 25 08:42:33 2009 a.b.74.113:2288 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Oct 25 08:42:33 2009 a.b.74.113:2288 Local Options hash (VER=V4): '530fdded'
Sun Oct 25 08:42:33 2009 a.b.74.113:2288 Expected Remote Options hash (VER=V4): '41690919'
Sun Oct 25 08:42:33 2009 a.b.74.113:2288 TLS: Initial packet from a.b.74.113:2288, sid=b45fa6fc 31d0a3e4
Sun Oct 25 08:42:39 2009 a.b.74.113:2288 VERIFY OK: depth=1, /C=UK/ST=GB/L=London/O=Headoffice/OU=Office/CN=Administrator/emailAddress=its.me@mydomain.com
Sun Oct 25 08:42:39 2009 a.b.74.113:2288 VERIFY OK: depth=0, /C=UK/ST=GB/O=Headoffice/CN=fred/emailAddress=its.me@mydomain.com
Sun Oct 25 08:42:40 2009 a.b.74.113:2288 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 25 08:42:40 2009 a.b.74.113:2288 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 25 08:42:40 2009 a.b.74.113:2288 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 25 08:42:40 2009 a.b.74.113:2288 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 25 08:42:41 2009 a.b.74.113:2288 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Oct 25 08:42:41 2009 a.b.74.113:2288 [fred] Peer Connection Initiated with a.b.74.113:2288
Sun Oct 25 08:42:41 2009 fred/a.b.74.113:2288 MULTI: Learn: 10.8.0.6 -> fred/a.b.74.113:2288
Sun Oct 25 08:42:41 2009 fred/a.b.74.113:2288 MULTI: primary virtual IP for fred/a.b.74.113:2288: 10.8.0.6
Sun Oct 25 08:42:42 2009 fred/a.b.74.113:2288 PUSH: Received control message: 'PUSH_REQUEST'
Sun Oct 25 08:42:42 2009 fred/a.b.74.113:2288 SENT CONTROL [fred]: 'PUSH_REPLY,route x.y.197.208 255.255.255.0,dhcp-option WINS x.y.197.208,dhcp-option DNS x.y.197.208,dhcp-option DOMAIN designtalent.co.uk,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

I have the following SERVER.ovpn
####START OF Server.ovpn####
port 1194
proto udp
dev tun
ca ca.crt
cert widget.crt
key widget.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route x.y.197.208 255.255.255.0"
push "dhcp-option WINS x.y.197.208"
push "dhcp-option DNS x.y.197.208"
push "dhcp-option DOMAIN designtalent.co.uk"
keepalive 10 120
comp-lzo
max-clients 2
persist-key
persist-tun
status openvpn-status.log
verb 3
####END OF Server.ovpn####
 
I have the following CLIENT.ovpn
####START OF Client.ovpn####
client
proto udp
dev tun
remote [MY SERVER STATIC IP] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert fred.crt
key fred.key
comp-lzo
verb 3
####END OF Client.ovpn####

Can you help?
Hello

You push a wrong route to your client.
Try to replace push "route x.y.197.208 255.255.255.0"
with
push "route 192.168.0.0 255.255.255.0",
where "192.168.0.0" is replaced with your server's internal network address.

Dan
roman07 (Asker):

x.y.197.208 is my static IP and internal address, as I don't have DHCP or Routing and Remote Access set up.....
ASKER CERTIFIED SOLUTION
dan_blagut
You do not have any LAN on the other side, and hence no private IP? The route is invalid in any case, and rejected. You can access your server with the OpenVPN address 10.8.0.5. If the route for the public IP did work, OpenVPN would break immediately, as the encrypted traffic would be sent back through OpenVPN again, a never-ending story ...

I do not get what you mean with "When I open internet explorer/firefox on the client machine I am not getting the VPN ip... I am getting my local ISP ip...  "

On your first setup, it was a point-to-point setup. This requires that both sides are up. IP addresses are put on your TAP virtual NIC only if the connection is established, or if you set them manually there. Hence the "Acquiring a network address", but that is not causing issues with the OpenVPN connection (while it might confuse DNS or WINS registration ...).
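The two replies above make the same point from different angles: the pushed route "x.y.197.208 255.255.255.0" is rejected by the client (the log line "address x.y.197.208 is not a network address in relation to netmask 255.255.255.0"), and had it been accepted it would have routed the server's own public endpoint into the tunnel. The client log also warns "No server certificate verification method has been enabled", which the posted client.ovpn does nothing about. The following Python script is an added example, not code from this thread or from the OpenVPN project: it parses the two posted configs and checks for exactly those three conditions. The address 203.0.113.208 is a constructed stand-in for the masked x.y.197.208; the directives ns-cert-type (OpenVPN 2.0 era) and remote-cert-tls (later releases) are real OpenVPN client options.

```python
import ipaddress
import shlex

# Constructed stand-in for the masked public IP x.y.197.208 in the thread.
SERVER_PUBLIC_IP = "203.0.113.208"

# The server.ovpn as posted, with the placeholder address substituted.
SERVER_OVPN = f"""
port 1194
proto udp
dev tun
ca ca.crt
cert widget.crt
key widget.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route {SERVER_PUBLIC_IP} 255.255.255.0"
push "dhcp-option WINS {SERVER_PUBLIC_IP}"
push "dhcp-option DNS {SERVER_PUBLIC_IP}"
push "dhcp-option DOMAIN designtalent.co.uk"
keepalive 10 120
comp-lzo
max-clients 2
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

# The client.ovpn as posted (no server certificate role check in it).
CLIENT_OVPN = f"""
client
proto udp
dev tun
remote {SERVER_PUBLIC_IP} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert fred.crt
key fred.key
comp-lzo
verb 3
"""


def parse_ovpn(text):
    """Return (directive, args) pairs. OpenVPN treats '#' and ';' as comment
    starters; a quoted push payload is split into its own words so that
    push "route a b" becomes ("push", ["route", "a", "b"])."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "push" and len(tokens) == 2:
            tokens = ["push"] + tokens[1].split()
        directives.append((tokens[0], tokens[1:]))
    return directives


def check_pushed_routes(server_cfg, server_public_ip):
    """Flag push "route" directives that (1) are not a network address for
    their mask (the client rejects these, as its log showed) or (2) cover the
    server's public endpoint, which would send the encrypted UDP packets back
    into the tunnel. A route with no mask defaults to a single host (/32)."""
    findings = []
    public = ipaddress.ip_address(server_public_ip)
    for name, args in parse_ovpn(server_cfg):
        if name != "push" or not args or args[0] != "route" or len(args) < 2:
            continue
        net_str = args[1]
        mask_str = args[2] if len(args) >= 3 else "255.255.255.255"
        shown = f"{net_str} {mask_str}"
        try:
            net = ipaddress.ip_network(f"{net_str}/{mask_str}", strict=True)
        except ValueError:
            findings.append(("not-a-network", shown))
            # Relaxed form so the loop check still runs on the intended prefix.
            net = ipaddress.ip_network(f"{net_str}/{mask_str}", strict=False)
        if public in net:
            findings.append(("covers-server-endpoint", shown))
    return findings


def check_client_server_verification(client_cfg):
    """True if the client pins the server certificate's role with either
    'ns-cert-type server' or 'remote-cert-tls server'; False reproduces the
    condition behind the 'No server certificate verification method' warning."""
    for name, args in parse_ovpn(client_cfg):
        if name in ("ns-cert-type", "remote-cert-tls") and args[:1] == ["server"]:
            return True
    return False


if __name__ == "__main__":
    for kind, route in check_pushed_routes(SERVER_OVPN, SERVER_PUBLIC_IP):
        print(f"server.ovpn: {kind}: push route {route}")
    if not check_client_server_verification(CLIENT_OVPN):
        print("client.ovpn: no ns-cert-type/remote-cert-tls server directive")
```

Run against the posted configs it reports the pushed route twice (invalid network address, and covering the server endpoint) and the missing server-role check on the client; Dan's suggested replacement, a private LAN prefix such as 192.168.0.0/24, produces no route finding.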