Configuring OpenVPN on a Windows box

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Configuring OpenVPN on a Windows box

freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#130924 2-Oct-2013 19:36

Hello folks

Managed to get OpenVPN server up and running here, and the client connecting fine. Now I need some help with a couple of things to get it going on a more permanent basis...

1.Currently assigned IP is in the range 10.8.0.x. My LAN is 192.168.2.x

What route commands/config changes I need so that my client can see the 192.168.2.x segment?
Alternatively (and probably best) is there something I can do so that the client IP is assigned by the DHCP in my LAN instead?

2.I want to get all my network traffic going through the VPN connection once it's established, including Internet.

What route commands/config changes I need so tha my client can access the Internet through this VPN?

On my server config I have


server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.2.1"
;;; commented out in original config:
;;; server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;;; server-bridge

The client doesn't have any option related to network really.

Next steps?

1 | 2

4962 posts

Uber Geek
Inactive user

#906651 2-Oct-2013 20:19

To access your LAN from the VPN this should do the trick....

push "route 192.168.2.0 255.255.255.0"

The line you have with 'redirect-gateway' is what should make the client send it's internet traffic though the VPN.

freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#906655 2-Oct-2013 20:22

Ok, testing soon... Stay tuned!

freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#906660 2-Oct-2013 20:27

Hmmm.

I see my laptop got this:

IPv4 Route Table 
 
Active Routes: 
Network Destination        Netmask          Gateway       Interface  Metric 
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.110     10 
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.241     25 
          0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     30 
         10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     30 
         10.8.0.4  255.255.255.252         On-link          10.8.0.6    286 
         10.8.0.6  255.255.255.255         On-link          10.8.0.6    286 
         10.8.0.7  255.255.255.255         On-link          10.8.0.6    286 
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306 
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306 
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306 
        128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     30 
      192.168.1.0    255.255.255.0         On-link     192.168.1.241    281 
      192.168.1.1  255.255.255.255      192.168.1.1    192.168.1.241     25 
    192.168.1.241  255.255.255.255         On-link     192.168.1.241    281 
    192.168.1.255  255.255.255.255         On-link     192.168.1.241    281 
      192.168.2.0    255.255.255.0         On-link     192.168.2.110    266 
      192.168.2.0    255.255.255.0         10.8.0.5         10.8.0.6     30

But my router at 192.168.2.1 is not responding, neither the Internet access is working. Tested over a 3G connection...

Hmmmm. Strange:

Ethernet adapter Local Area Connection:

 Connection-specific DNS Suffix . : 
 Description . . . . . . . . . . . : TAP-Windows Adapter V9
 Physical Address. . . . . . . . . : 00-FF-83-92-8C-9D
 DHCP Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
 Link-local IPv6 Address . . . . . : fe80::d5ab:3074:7734:5546%49(Preferred) 
 IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred) 
 Subnet Mask . . . . . . . . . . . : 255.255.255.252
 Lease Obtained. . . . . . . . . . : Wednesday, 2 October 2013 8:30:20 p.m.
 Lease Expires . . . . . . . . . . : Thursday, 2 October 2014 8:30:20 p.m.
 Default Gateway . . . . . . . . . : 
 DHCP Server . . . . . . . . . . . : 10.8.0.5
 DHCPv6 IAID . . . . . . . . . . . : 822148995
 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-D9-94-B8-B4-99-BA-F7-65-A4
 DNS Servers . . . . . . . . . . . : 192.168.2.1
 NetBIOS over Tcpip. . . . . . . . : Enabled

chevrolux

4962 posts

Uber Geek
Inactive user

#906703 2-Oct-2013 21:04

I personally use pfsense which generate the config file for me.
Have just tried the internet redirection thing (i only use my VPN for remotely accessing my network. Don't want to send all traffic through it) and it seems all good.

Checked my config and I notice the redirect line reads

push "redirect-gateway def1"

Give that minor change a go maybe?

freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#906737 2-Oct-2013 21:51

Thanks, but not working with that either...

freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#906879 3-Oct-2013 08:50

I wonder if these need to be changed as well?

 
# Configure server mode for ethernet bridging. 
# You must first use your OS's bridging capability 
# to bridge the TAP interface with the ethernet 
# NIC interface.  Then you must manually set the 
# IP/netmask on the bridge interface, here we 
# assume 10.8.0.4/255.255.255.0.  Finally we 
# must set aside an IP range in this subnet 
# (start=10.8.0.50 end=10.8.0.100) to allocate 
# to connecting clients.  Leave this line commented 
# out unless you are ethernet bridging. 
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 
 
# Configure server mode for ethernet bridging 
# using a DHCP-proxy, where clients talk 
# to the OpenVPN server-side DHCP server 
# to receive their IP address allocation 
# and DNS server addresses.  You must first use 
# your OS's bridging capability to bridge the TAP 
# interface with the ethernet NIC interface. 
# Note: this mode only works on clients (such as 
# Windows), where the client-side TAP adapter is 
# bound to a DHCP client. 
;server-bridge

marpada

476 posts

Ultimate Geek

#906898 3-Oct-2013 09:13

freitasm
1.Currently assigned IP is in the range 10.8.0.x. My LAN is 192.168.2.x

What route commands/config changes I need so that my client can see the 192.168.2.x segment?

On Linux servers you usually enable IP forwarding (ie routing) between the internal network and virtual interface or set up NAT. No clue how to do it on Windows though.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#906899 3-Oct-2013 09:15

I guess is the bridging thing in the config file. I will give that a go later tonight, unless someone comes with some other ideas.

SumnerBoy

2074 posts

Uber Geek

ID Verified

Lifetime subscriber

#1365599 13-Aug-2015 14:31

Hey @freitasm - did you ever manage to get this working? I have a very similar setup/problem - in that once connected I can ping the LAN address of my openvpn host, but nothing else on my LAN.

freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1365613 13-Aug-2015 14:40

No, at the end I just created a VPN over SSL using built-in Windows Routing Access, seeing my clients are all Windows machines.

I would like to have OpenVPN working on Windows but didn't have the time or network knowledge to fix this.

SumnerBoy

2074 posts

Uber Geek

ID Verified

Lifetime subscriber

#1365614 13-Aug-2015 14:43

Bugger - back to Google searching then. BTW - I am running the OpenVPN server on a Debian server, and connecting with Windows/Android clients (in case anyone reading this can offer tips/suggestions).

Thanks @freitasm.

jamesrt

1612 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1365888 13-Aug-2015 21:22

I've had some success with OpenVPN windows clients talking to OpenVPN Linux servers; what are you trying to achieve?

SumnerBoy

2074 posts

Uber Geek

ID Verified

Lifetime subscriber

#1365903 13-Aug-2015 21:31

Hey James - just so happened to be sitting in front of my PC trying to figure this out as we speak!

So I am running openVPN in a Debian container (on Proxmox). I have the standard config, i.e. VPN address space is 10.8.0.0. The openVPN host LAN address is 192.168.1.100. The gateway on my LAN (the router) is 192.168.1.1. When I connect to openVPN from an external client I get assigned 10.8.0.6 and I can ping 10.8.0.1 and 192.168.1.100 and 192.168.1.1, but nothing else on my LAN.

I would like to be able to access all other hosts on my LAN when connected to the VPN.

I did notice a load of routes got created on my Windows client pointing to 10.8.0.5 as the gateway - not sure what this is but was wondering if it is the VPN assigned address for my router/gateway? I can't ping 10.8.0.5 but I guess that is due to the router having no routes setup for that address? Is this the problem - how can I tell my client to forward all packets for 192.168.1.0 to my openVPN host (10.8.0.1) instead of this unknown 10.8.0.5?

My server openVPN config file contains;

server 10.8.0.0 255.255.255.0

push "route 192.168.1.0 255.255.255.0"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DOMAIN home"

push "dhcp-option DNS 192.168.1.100"

I can't seem to work out (or find online) how to setup the necessary routes and to be honest, networking is definitely not my strong suit!

Any tips or advice would be greatly appreciated.

Cheers,
Ben

SumnerBoy

2074 posts

Uber Geek

ID Verified

Lifetime subscriber

#1365904 13-Aug-2015 21:31

SumnerBoy

2074 posts

Uber Geek

ID Verified

Lifetime subscriber

#1365910 13-Aug-2015 21:51

I have also tried adding the following to my LAN router;

route 10.8.0.0 mask 255.255.255.0 gw 192.168.1.100

in the hope this would route any internal traffic in my LAN on the 10.8.0.0 network back to the openVPN server. But it doesn't seem to have made any difference.

I am sure there is one step I am missing here...

1 | 2