2

I have recently installed OpenVPN on my windows 2003 server. Once someone is connected to the server, they do not have internet access.

  • My network is on 192.168.1.1
  • my server is on 192.168.1.110
  • I am using the dd-wrt firmware
  • I have enabled port 1194 for 192.168.1.110 on the router
  • Routing and Remote Access is disabled
  • I have 2 Tap-Win32 Adapter V8(s) on my windows 2003 server
  • I have tried setting this line to 192.168.1.1 and also to my ISP's DNS servers: `push "dhcp-option DNS 192.168.1.1"  # Replace the Xs with the IP address of the DNS for your home network (usually your ISP's DNS)`
  • I have created an advanced routing Gateway in dd-wrt

     Destination LAN NET: 192.168.10.0
     Subnet Mask: 255.255.255.252
     Gateway: 192.168.1.110
     Interface: Lan & WLAN
    

I have followed this website exactly: http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/

EDIT: I just tried to connect through the cmd prompt and get the following subnet error: `potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]`

My server file looks as follows:

    local 192.168.1.110  # This is the IP address of the real network interface on the server connected to the router
    port 1194  # This is the port OpenVPN is running on - make sure the router is port forwarding this port to the above IP
    proto udp  # UDP tends to perform better than TCP for VPN
    mssfix 1400  # This setting fixed problems I was having with apps like Remote Desktop
    push "dhcp-option DNS 192.168.1.1"  # Replace the Xs with the IP address of the DNS for your home network (usually your ISP's DNS)
    #push "dhcp-option DNS X.X.X.X"  # A second DNS server if you have one
    dev tap
    #dev-node MyTAP  # If you renamed your TAP interface or have more than one TAP interface then remove the # at the beginning and change "MyTAP" to its name
    ca "ca.crt"
    cert "server.crt"
    key "server.key"  # This file should be kept secret
    dh "dh1024.pem"
    server 192.168.10.0 255.255.255.128  # This assigns the virtual IP address and subnet to the server's OpenVPN connection. Make sure the Routing Table entry matches this.
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1"  # This will force the clients to use the home network's internet connection
    keepalive 10 120
    cipher BF-CBC  # Blowfish (default) encryption
    comp-lzo
    max-clients 100  # Assign the maximum number of clients here
    persist-key
    persist-tun
    status openvpn-status.log
    verb 1  # This sets how detailed the log file will be. 0 causes problems and higher numbers can give you more detail for troubleshooting

My client1 file is as follows:

    client
    dev tap
    #dev-node MyTAP  # If you renamed your TAP interface or have more than one TAP interface then remove the # at the beginning and change "MyTAP" to its name
    proto udp
    remote my-dyna-dns.com 1194  # You will need to enter your dyndns account or static IP address here. The number following it is the port you set in the server's config
    route 192.168.1.0 255.255.255.0 vpn_gateway 3  # This is the IP address scheme and subnet of the normal network your server is on. Your router would usually be 192.168.1.1
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca "ca.crt"
    cert "client1.crt"  # Change the next two lines to match the files in the keys directory. This should be different for each client.
    key "client1.key"  # This file should be kept secret
    ns-cert-type server
    cipher BF-CBC  # Blowfish (default) encryption
    comp-lzo
    verb 1

Thanks in advance!

David Pashley

5 Answers

3

It looks to me like the server is pushing the "redirect-gateway" option down to the client. This causes the client to use the VPN as its default gateway. Comment out the line in the server config 'push "redirect-gateway def1"'.

Woah there-- just saw your edit. You client can't be using the same IP addresses as the LAN it's connecting to. That's not going to work. One end or the other needs to use different IP addresses.

Edit:

Assuming routing is configured properly on your Windows Server 2003 machine (per the www.itsatechworld.com page you referenced), you should be able to PING the Windows Server 2003 machine and Windows Vista machine by their LAN IPs via the VPN. If you can, then you've got routing right on the Windows Server 2003 and DD-WRT machines and you can proceed. If not, then you need to start tracking down why either (1) PING traffic coming off the OpenVPN tunnel isn't getting to the destination, or (b) why PING replies from the destination host aren't coming back. You may end up putting something like Wireshark on your Windows Vista machine to see if the PING requests are even getting there (since PING can't tell you if your request is being received and the reply is just being lost).

Once you've got IP connectivity across the VPN working fine, I'd recommend installing the DNS and WINS services on your Windows Server 2003 VPN server computer and configuring the server computer and the Windows Vista home computer to use that machine for WINS and DNS. You can either add your ISP's DNS as a "forwarder" on the Windows Server 2003 machine, or leave the stock "root hints" configured to allow it to resolve Internet names. In your OpenVPN server configuration, add the following line right after the 'push "dhcp-option DNS 192.168.1.1"' line:

    push "dhcp-option WINS 192.168.1.1"

This is going to get the remote clients talking to the WINS and DNS servers on your Windows Server 2003 machine, and should get you both DNS and NetBIOS name resolution.

If you're not using an Active Directory domain at home, you'll probably want to set up a standard forward lookup zone on the Windows Server 2003 DNS server for your Windows Server 2003 and Windows Vista machines to register into. You'll want to grant clients permission to dynamically update records (albeit insecurely) when you create this zone. You should add the option "DNS domain name" (option 15) to your DHCP scope at home so that your client computers there pick up the right DNS domain name suffix. (If you're using DD-WRT for DNS then I can't tell you how to do that. I'm an OpenWRT guy, and I manage my WRT54G from the command line. I'd recommend running DHCP from the Windows Server 2003 machine anyway, but I just like that DHCP server more.)

If you are using an Active Directory domain you'll already have a forward lookup zone created in DNS. Since your remote VPN clients aren't members of your domain, though, they won't be able to register in DNS under the stock security settings that Windows Server sets on the DNS zone (at least, if you let it create the zone during DCPROMO). It's insecure, but if you want to allow them to register you could either (a - less secure) change the permission on the zone to allow insecure registrations, or (b - more secure but still insecure) create A and PTR records for them and modify the permission on each of those records to allow anyone to update them.

It sounds like this is a home networking thing, and it's really a good learning opportunity for a lot of things-- IP routing, VPNs, name resolution. Perhaps you're looking for it to "just work" and not as a learning opportunity, in which case I can only offer my apologies and say that these things just aren't "turnkey" yet.

Evan Anderson
  • Evan thanks for the comment. I realize that they can not share the same IP address range, but I thought the VPN server was set up for 192.168.10.* My home machine is currently 192.168.1.149. What should I do with my router and or home computer? –  Jun 05 '09 at 02:33
  • One end or the other needs to be using a different IP address range. Let me be sure I understand-- the server is out somewhere on the Internet and you're trying to connect to it from your home? Or is the server there in your home with you and your other computer and somebody out on the Internet (who happens to be using 192.168.1.0/24 on their computers) is trying to connect? – Evan Anderson Jun 05 '09 at 02:35
  • I have 2 computers on my network. I have the server vpn running on windows 2003 and I was trying to test it out by having my vista machine connect to the vpn. I had a friend try to connect to the vpn, and he experienced the lack of internet also. –  Jun 05 '09 at 02:42
  • I'm off to bed, unfortunately. I'll check up on this in about 8 hours. In the meantime, consider re-addressing one end or the other to something other that 192.168.1.0/24. (The 192.168.10.0/24 network you mentioned is assigning the virtual IP addresses on the tunnel. The machines on either end of the tunnel need to have unique IPs... you're one big happy network when you're connected together like that.) – Evan Anderson Jun 05 '09 at 02:42
  • Yeah-- just saw that comment. The "Redirect-gateway" was your friend's problem, though if he's using 192.168.1.0/24 on his network that's going to create problems, too. You're not going to be able to connect to the VPN from your home computer on the LAN with the server w/o seeing that routing conflict message. – Evan Anderson Jun 05 '09 at 02:43
  • Evan, thanks for all the help! I will give this a shot when I get home today. Yes I would like to learn and not just have it 'work' I should mention that I thought the internet was working because I used logmein to my work computer and was able to ping the server. However when my friend tried, he was able to ping the server but could not get on the internet. He noticed that he didnt have a gateway set. When he set his gateway to the 192.168.10.1, he could get on the internet but then he couldnt ping my server. –  Jun 05 '09 at 12:15
1

Evan's comment is right on, except that I would urge you to consider enabling the "redirect-gateway" and configuring the server to accept all internet-bound traffic, at least if you do any content filtering. If you don't, your laptops become (even more of) a vulnerability to your network.

Split-tunnel VPN is generally considered insecure since it essentially offers attackers who compromise the laptop a short-circuit to the juicy center of your network.

Matt Simmons
  • I'm iffy on whether I think split tunneling is "insecure" or not. All the malware on their PC can talk to my network when they're on the VPN regardless of whether the tunnel is split or not. I'd be less concerned about split tunneling and more concerned about putting on good firewall rules to limit what VPN-connected clients can talk to. (Then again, I see a lot of VPNs used strictly to sync Outlook and do RDP, so it's pretty easy to put rules on that traffic.) – Evan Anderson Jun 05 '09 at 02:33
  • Matt, I disabled the redirect-gateway and that seemed to do the trick. I just connected to my work computer through logmein and successfully connected to my network and was able to still be on the internet. However, when I ping my server I get the desired IP of 192.168.10.1, but my Vista machine is not showing up. How do I make all the computers on my network appear when I am connected to the VPN and not just the server computer? –  Jun 05 '09 at 03:06
  • Ryan: I'm back on this now. When you say "my vista machine is not showing up" can you explain what you mean by "showing up"? It sounds like you're looking for "My Network Places"-type functionality, and that gets into a raft of issues that go beyond basic IP communication (NetBIOS name resolution, being the main one). I'll do an edit on my comment and write a little more there. – Evan Anderson Jun 05 '09 at 11:49
1

You will want to make sure that your windows OpenVPN server has routing services installed.

This was mentioned before but you are strongly urged to change your LAN network address to something other than 192.168.1.X. Most Linksys, etc... come out of the box with that network so remote hosts are not going to be able to get to hosts inside your network. I see that your VPN network is set to 192.168.10.X, which is good. Now set your LAN to something like 192.168.5.X. It will work better, trust me.

You could turn redirect-gateway on then, but I wouldn't suggest it as it will eat up your bandwidth. If you have IDS/IPS devices or something like on your network, then it may be beneficial.

I would set verb higher than 1... I keep it on 4 to see what's going on.

Hope that helps!
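As an added illustration (not code from any of the posts), here is a small Python check that reproduces the "potential route subnet conflict" logic the asker ran into and the redirect-gateway point from Evan's answer: it reads the routing-relevant lines of the server and client configs and reports any overlap between the client's own LAN and the routes the tunnel would install. The config snippets are constructed from the question's files; the two client LANs tried are the asker's 192.168.1.0/24 and the 192.168.5.X re-addressing suggested in the answer above.

```python
import ipaddress

# Constructed sample, not the asker's full files: only the routing-relevant lines
# from the server config and client1 config posted in the question.
SERVER_CONFIG = """
server 192.168.10.0 255.255.255.128
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"  # force all client traffic through the VPN
"""
CLIENT_CONFIG = """
client
remote my-dyna-dns.com 1194
route 192.168.1.0 255.255.255.0 vpn_gateway 3  # the server's LAN
"""

def directives(text):
    """Yield each directive as a word list; 'push "..."' is unwrapped as the client receives it."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("push "):
            line = line[5:].strip().strip('"')
        if line:
            yield line.split()

def vpn_routes(text):
    """Networks a client routes into the tunnel: 'route' lines and the 'server' pool."""
    nets = []
    for parts in directives(text):
        if parts[0] in ("route", "server") and len(parts) >= 3:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets

def check_client(client_lan, server_cfg, client_cfg):
    """Flag LAN/tunnel overlaps (OpenVPN's 'potential route subnet conflict') and a
    pushed redirect-gateway, which moves the client's default route into the tunnel."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    findings = []
    for net in vpn_routes(server_cfg) + vpn_routes(client_cfg):
        if lan.overlaps(net):
            findings.append(f"conflict: local LAN {lan} overlaps VPN route {net}")
    if any(p[0] == "redirect-gateway" for p in directives(server_cfg)):
        findings.append("redirect-gateway pushed: Internet works only if the server "
                        "forwards and NATs tunnel traffic")
    return findings

if __name__ == "__main__":
    # 192.168.1.0/24 is the asker's LAN; 192.168.5.0/24 is the re-addressing suggested above
    for lan in ("192.168.1.0/24", "192.168.5.0/24"):
        print(lan, check_client(lan, SERVER_CONFIG, CLIENT_CONFIG))
```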

1

Just so this is documented for linux also. I found this here

  1. Import your VPN config file in NetworkManager
  2. Edit the VPN connection
  3. Go to IP Settings tab (IP4Settings)
  4. Click on Routes
  5. Check "Use this connection only for resources on its network"
  6. Restart the connection.
jackbravo
0

Sorry for grave-digging this, but after two hours fighting to restore the Internet access of a Windows machine that's connected to an Ubuntu OpenVPN server, I just found what's working for me (hope for others too):

[Windows 8.1 x64 and Ubuntu Server 20.04]

  1. On the Windows machine first go to Network and Sharing Center, right-click on your main NIC (in my case a WiFi USB) then Properties -> Internet Protocol Version 4 -> Properties -> Advanced -> Uncheck Automatic metric -> set Interface metric to a small number like 10 -> OK -> OK -> OK
  2. Now drink some water and jump on the Linux box -> write in the terminal `nano /etc/openvpn/server/server.conf` -> add this line `push "route-metric 1000"` (1000 or similar number) -> save the file with Ctrl+X then Y -> fire `systemctl restart openvpn-server@server.service` to restart the OpenVPN server and probably you'll have Internet access again on the Windows machine

Now I have two different fully working setups:

  • Windows machine with Internet access and connected to a Linux machine through OpenVPN
  • Windows machine with Internet access and connected to a VBox'd Linux machine through OpenVPN

1000Gbps