Solved

OpenVPN configuration

Posted on 2011-02-12
Last Modified: 2012-05-11
Hi All,

I am setting up an OpenVPN multi-client / 1 server scenario for our remote workers to be able to dial in and connect to our local network. I am initially trying to get just 1 client working but having a few problems. Client1 connects to the server OK and is assigned an IP address but I can't ping the server or any IP addresses on the server-side LAN and no data seems to be moving backwards and forwards. I also can't ping from any server-side machine or the OpenVPN server itself to Client1.

The setup is as follows

Server
    Windows Server 2008
    Local LAN IP: 192.168.0.41       255.255.255.0
    TAP-Win32 Adapter: 192.168.0.1     255.255.255.252

Client1
    Windows Vista SP2
    Local LAN IP: 192.168.1       255.255.255.0
    TAP-Win32 Adapter:  192.168.0.6        255.255.255.252

 
When I try and ping 192.168.0.1 from Client1 I get no reply. I also cannot ping any other machine on the Server-side LAN. I am wanting to give clients access to all machines inside the server-side LAN.

Server Config File
port 1194
proto udp
dev tun

ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"

server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client

keepalive 10 120
comp-lzo

persist-key
persist-tun

status openvpn-status.log
verb 3


Client Config File
client
dev tun
proto udp
remote 87.224.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\client1.crt"
key "C:\\Program Files\\OpenVPN\\client1.key"
comp-lzo
verb 3

Server Log File

Sat Feb 12 11:51:01 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Sat Feb 12 11:51:01 2011 Diffie-Hellman initialized with 1024 bit key
Sat Feb 12 11:51:01 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Feb 12 11:51:01 2011 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{F1F62C6A-12C5-4CD3-8CF6-DC1E0D79DD71}.tap
Sat Feb 12 11:51:01 2011 TAP-Win32 Driver Version 8.4
Sat Feb 12 11:51:01 2011 TAP-Win32 MTU=1500
Sat Feb 12 11:51:01 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.1/255.255.255.252 on interface {F1F62C6A-12C5-4CD3-8CF6-DC1E0D79DD71} [DHCP-serv: 192.168.0.2, lease-time: 31536000]
Sat Feb 12 11:51:01 2011 Sleeping for 10 seconds...
Sat Feb 12 11:51:11 2011 Successful ARP Flush on interface [15] {F1F62C6A-12C5-4CD3-8CF6-DC1E0D79DD71}
Sat Feb 12 11:51:11 2011 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.2
Sat Feb 12 11:51:11 2011 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=15]
Sat Feb 12 11:51:11 2011 Route addition via IPAPI failed
Sat Feb 12 11:51:11 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Feb 12 11:51:11 2011 UDPv4 link local (bound): [undef]:1194
Sat Feb 12 11:51:11 2011 UDPv4 link remote: [undef]
Sat Feb 12 11:51:11 2011 MULTI: multi_init called, r=256 v=256
Sat Feb 12 11:51:11 2011 IFCONFIG POOL: base=192.168.0.4 size=62
Sat Feb 12 11:51:11 2011 IFCONFIG POOL LIST
Sat Feb 12 11:51:11 2011 client1,192.168.0.4
Sat Feb 12 11:51:11 2011 Initialization Sequence Completed
Sat Feb 12 11:51:21 2011 MULTI: multi_create_instance called
Sat Feb 12 11:51:21 2011 92.7.194.121:27874 Re-using SSL/TLS context
Sat Feb 12 11:51:21 2011 92.7.194.121:27874 LZO compression initialized
Sat Feb 12 11:51:21 2011 92.7.194.121:27874 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Feb 12 11:51:21 2011 92.7.194.121:27874 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Feb 12 11:51:21 2011 92.7.194.121:27874 Local Options hash (VER=V4): '530fdded'
Sat Feb 12 11:51:21 2011 92.7.194.121:27874 Expected Remote Options hash (VER=V4): '41690919'
Sat Feb 12 11:51:21 2011 92.7.194.121:27874 TLS: Initial packet from 92.7.194.121:27874, sid=6c75f968 15bf7058
Sat Feb 12 11:51:22 2011 92.7.194.121:27874 VERIFY OK: depth=1, /C=UK/ST=MIDDLESEX/L=Hayes/O=MaintenanceDirect/OU=MD/CN=xx.mdxxx.com/emailAddress=xxx@xxxrect.com
Sat Feb 12 11:51:22 2011 92.7.194.121:27874 VERIFY OK: depth=0, /C=UK/ST=MIDDLESEX/O=Mat/CN=client1/emailAddress=xx@xx-direct.com
Sat Feb 12 11:51:22 2011 92.7.194.121:27874 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Feb 12 11:51:22 2011 92.7.194.121:27874 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Feb 12 11:51:22 2011 92.7.194.121:27874 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Feb 12 11:51:22 2011 92.7.194.121:27874 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Feb 12 11:51:22 2011 92.7.194.121:27874 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Feb 12 11:51:22 2011 92.7.194.121:27874 [client1] Peer Connection Initiated with 92.7.194.121:27874
Sat Feb 12 11:51:22 2011 client1/92.7.194.121:27874 MULTI: Learn: 192.168.0.6 -> client1/92.7.194.121:27874
Sat Feb 12 11:51:22 2011 client1/92.7.194.121:27874 MULTI: primary virtual IP for client1/92.7.194.121:27874: 192.168.0.6
Sat Feb 12 11:51:24 2011 client1/92.7.194.121:27874 PUSH: Received control message: 'PUSH_REQUEST'
Sat Feb 12 11:51:24 2011 client1/92.7.194.121:27874 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 192.168.0.6 192.168.0.5' (status=1)


Client Log File
Sat Feb 12 11:51:20 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Sat Feb 12 11:51:20 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Feb 12 11:51:20 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Feb 12 11:51:20 2011 LZO compression initialized
Sat Feb 12 11:51:20 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Feb 12 11:51:20 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Feb 12 11:51:20 2011 Local Options hash (VER=V4): '41690919'
Sat Feb 12 11:51:20 2011 Expected Remote Options hash (VER=V4): '530fdded'
Sat Feb 12 11:51:20 2011 UDPv4 link local: [undef]
Sat Feb 12 11:51:20 2011 UDPv4 link remote: 87.224.xx.xx:1194
Sat Feb 12 11:51:20 2011 TLS: Initial packet from 87.224.xx.xx:1194, sid=0570bba2 30255200
Sat Feb 12 11:51:21 2011 VERIFY OK: depth=1, /C=UK/ST=MIDDLESEX/L=Hayes/O=Mect/OU=Mct/CN=xx.x.com/emailAddress=xxx@xxx.com
Sat Feb 12 11:51:21 2011 VERIFY OK: depth=0, /C=UK/ST=MIDDLESEX/O=Mt/CN=server/emailAddress=xx@xx.com
Sat Feb 12 11:51:21 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Feb 12 11:51:21 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Feb 12 11:51:21 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Feb 12 11:51:21 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Feb 12 11:51:21 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Feb 12 11:51:21 2011 [server] Peer Connection Initiated with 87.224.xx.xx:1194
Sat Feb 12 11:51:22 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Feb 12 11:51:22 2011 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 192.168.0.6 192.168.0.5'
Sat Feb 12 11:51:22 2011 OPTIONS IMPORT: timers and/or timeouts modified
Sat Feb 12 11:51:22 2011 OPTIONS IMPORT: --ifconfig/up options modified
Sat Feb 12 11:51:22 2011 OPTIONS IMPORT: route options modified
Sat Feb 12 11:51:22 2011 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{30AB9BD4-F1A0-4C69-A205-1DB86A277F73}.tap
Sat Feb 12 11:51:22 2011 TAP-Win32 Driver Version 8.4
Sat Feb 12 11:51:22 2011 TAP-Win32 MTU=1500
Sat Feb 12 11:51:22 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.6/255.255.255.252 on interface {30AB9BD4-F1A0-4C69-A205-1DB86A277F73} [DHCP-serv: 192.168.0.5, lease-time: 31536000]
Sat Feb 12 11:51:22 2011 Successful ARP Flush on interface [18] {30AB9BD4-F1A0-4C69-A205-1DB86A277F73}
Sat Feb 12 11:51:23 2011 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Sat Feb 12 11:51:23 2011 Route: Waiting for TUN/TAP interface to come up...
Sat Feb 12 11:51:24 2011 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Sat Feb 12 11:51:24 2011 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.5
Sat Feb 12 11:51:24 2011 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=18]
Sat Feb 12 11:51:24 2011 Route addition via IPAPI failed
Sat Feb 12 11:51:24 2011 Initialization Sequence Completed
0
Question by: MDIRECT
9 Comments

Expert Comment by: Qlemo
You need to use a different network subnet for OpenVPN, since you are using the routing approach here. For example, you can choose 192.168.254.0/24 as the OpenVPN network.
However, that requires that either your W2008 server is your LAN default gateway, or the default gateway has set up a route back to 192.168.0.41 for 192.168.254.0/24 (or whatever network you use).

With recent OpenVPN releases you should be able to use the bridge configuration, which allows for using addresses of the local subnet for OpenVPN, but I never got that to work when I tried with earlier ones.
0

Author Comment by: MDIRECT
Hi Qlemo,

Thanks for your reply. I am not sure which configuration is going to be best for us as I am very green on routing and bridging issues.

We have about 20 machines on our server-side LAN; they all have their default gateway set to 192.168.0.60 which is our Netgear DG-834G broadband modem/router. Changing all these machines so that their default gateway was the OpenVPN server box (192.168.0.41) I can imagine would cause us all sorts of problems as they'd all lose internet connectivity for a start, wouldn't they? We have mail servers and Terminal Server Gateway machines all happily sitting on the server LAN so I'm not keen on upsetting anything much to do with this side of things; however, if you're saying that I can leave the default gateway unchanged on the LAN-side machines and set up a static route on our Netgear DG-834G router, does that sound like the easiest thing to do?

Reading through the HOWTO on Ethernet Bridging it does seem to add a lot of complexity at the client side, most of our remote workers are half way round the world from us so I'm keen to keep client configurations as simple as possible.

What are your thoughts on the best way forward?
0

Accepted Solution by: Qlemo (earned 500 total points)
Definitely you should NOT change your default gateway. Instead just implement the static route on the Netgear. If you just do that, and make sure no firewall setting in your LAN prohibits access to important machines, I would not change more than the OpenVPN subnet (and the static route on the Netgear to support that network).
0

Author Comment by: MDIRECT
Hi,

OK I have reconfigured the server file as follows...

server 192.168.254.0 255.255.255.0

I am trying to add a static route to our Netgear DG-834G router but am coming up with the following error: "The IP Address of Gateway setting is different DUT segment." (see screenshot)

Have I set the server config file up correctly with 192.168.254.0 and subnet 255.255.255.0 and if so how do I define the static route within the DG-834G router?
[Screenshot: Setting Up Static Route]
0

Expert Comment by: Qlemo
Oops, I have been too quick with deleting here ...
0

Assisted Solution by: Qlemo (earned 500 total points)
Sorry, seem to have lost track of this question somehow ...
You need to set up
Destination IP Address   192.168.254.0
IP Subnet Mask           255.255.255.0
Gateway IP Address       192.168.0.41


You interchanged Remote Network and Gateway. A gateway always has to be on the same subnet as the routing device.
0
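A small check for the two points raised in this thread (the OpenVPN pool must not overlap the office LAN in routed mode, and the router's static route must name the OpenVPN server's LAN address as gateway), as an added Python example that is not from the original posts; the config snippets, LAN prefix and addresses are constructed from the values quoted in the thread.

```python
import ipaddress

# Constructed inputs mirroring the thread's setup (not the poster's real files).
LAN = ipaddress.ip_network("192.168.0.0/24")             # office LAN behind the Netgear
VPN_SERVER_LAN_IP = ipaddress.ip_address("192.168.0.41")  # Windows 2008 OpenVPN box
ORIGINAL_CONFIG = "port 1194\nproto udp\ndev tun\nserver 192.168.0.0 255.255.255.0\n"
FIXED_CONFIG = "port 1194\nproto udp\ndev tun\nserver 192.168.254.0 255.255.255.0\n"

def parse_server_subnet(config_text):
    """Return the client pool from the 'server <network> <netmask>' directive."""
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    raise ValueError("no 'server' directive found")

def vpn_subnet_problem(vpn_net, lan_net):
    """Routed (dev tun) mode needs a pool disjoint from the LAN. Overlap is why
    'route ADD 192.168.0.0 MASK 255.255.255.0 ...' failed on both ends: that
    prefix is already each host's own connected LAN route."""
    if vpn_net.overlaps(lan_net):
        return f"VPN pool {vpn_net} overlaps LAN {lan_net}; choose a disjoint subnet"
    return None

def router_route_is_valid(destination, netmask, gateway, router_subnet):
    """Check a static-route entry the way the router does: the destination must
    be a network and the gateway must be an address on the router's own segment."""
    ipaddress.ip_network(f"{destination}/{netmask}", strict=False)  # raises if malformed
    return ipaddress.ip_address(gateway) in router_subnet

def static_route_for_router(vpn_net, vpn_server_lan_ip, router_subnet):
    """Entry the LAN router needs so replies to VPN clients reach the OpenVPN
    server: destination = VPN pool, gateway = the server's LAN address."""
    entry = {"destination": str(vpn_net.network_address),
             "netmask": str(vpn_net.netmask),
             "gateway": str(vpn_server_lan_ip)}
    if not router_route_is_valid(**entry, router_subnet=router_subnet):
        raise ValueError(f"gateway {vpn_server_lan_ip} is not on segment {router_subnet}")
    return entry

if __name__ == "__main__":
    for cfg in (ORIGINAL_CONFIG, FIXED_CONFIG):
        net = parse_server_subnet(cfg)
        print(net, vpn_subnet_problem(net, LAN) or "ok")
    print(static_route_for_router(parse_server_subnet(FIXED_CONFIG), VPN_SERVER_LAN_IP, LAN))
```

Separate from routing, the client log above also shows "No server certificate verification method has been enabled", which means the client config does not check that the peer certificate is really a server certificate; on OpenVPN 2.0.9 that is the ns-cert-type server directive (remote-cert-tls server on 2.1 and later).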

Expert Comment by: Qlemo
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0