OpenVPN
Re: OpenVPN
01-11-2016 2:04 PM
Try this. Comment out the lines as shown, and add the ifconfig-pool directive.
; ifconfig-pool-persist ipp.txt
; persist-tun
ifconfig-pool 10.8.0.33 10.8.0.46 255.255.255.0
Connect your client and check it gets an IP from the pool, with a 255.255.255.0 netmask, then try pinging the server gateway 10.8.0.1.
Re: OpenVPN
01-11-2016 2:20 PM - edited 01-11-2016 2:22 PM
whatever that has done has made the server service to start on the windows 10 system
the openvpn server couldn't connect.
i have reverted and the service now starts and connects as previous.
Re: OpenVPN
01-11-2016 3:33 PM
Oh hell, you made me read my notes.
Essentially the problem you have is Open VPN is defaulting to the old "net30" topology which was supposed to be deprecated with Open VPN 2.3. Net30 was required by Windows clients, back in the early days - like for Windows NT 3.1
Have a look on your Open VPN server for a folder named "ccd", which is short for Client Configuration Directory. The Linux path is usually /etc/openvpn/ccd. Not a clue where it is on Windows. Anyhow, inside you should find a file corresponding to the CN name on the client's certificate, often "client1". Post the contents, as the directives may override the server directive.
You should also be able to find a file called ipp.txt which contains persistent IP mappings, which are written dynamically the first time a client connects. Until you have the tunnel working, it's an idea to delete or rename ipp.txt, each time you restart the server.
Re: OpenVPN
01-11-2016 3:50 PM
Re: OpenVPN
02-11-2016 8:16 AM
Oh hell. Now I installed OpenVPN on a Windows 10 VM
You can have the server create an ipp.txt file by specifying a path
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\config\\ipp.txt"
You can adjust the log level to something more useful for debugging, by altering the verb and mute directives
verb 5
mute 20
I think I might have found your issue, in the sample configuration files. It looks like Windows defaults to net30 unless you specify the topology directive in the server config - The topology directive is deprecated on Linux and does not even get a mention on the man page.
topology subnet
Still waiting for my Android tablet to charge up but in the meantime, give the topology directive a go.
Re: OpenVPN
02-11-2016 10:03 AM
am i adding - ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\config\\ipp.txt" ?
am i also adding verb 5 and mute 20 to the ovpn file?
what topology directive am i setting? again is this added to the server.ovpn file?
Re: OpenVPN
02-11-2016 10:15 AM - edited 02-11-2016 10:18 AM
From my understanding it is all of them with a topology directive of : subnet.
Also a quick question, when you are testing this from your mobile phone I assume you're not using your wireless connection but your phone's 3/4G connection?
Re: OpenVPN
02-11-2016 10:29 AM
ok i'm a bit confused about the topology and what to actually add to the server config file.
Re: OpenVPN
02-11-2016 10:45 AM - edited 02-11-2016 10:47 AM
Hi @chenks76, does this help:
port 1194
proto udp
dev tun
topology subnet
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\config\\ipp.txt"
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status C:\\UserName\\OpenVPN\\Log\\openvpn-status.log
verb 5
mute 20
Remember to write the status log (3rd line from bottom) to a directory with the correct permissions. You may want to create a Log subdir in the OpenVPN hierarchy.
Corrected typo.
Re: OpenVPN
02-11-2016 10:47 AM
should the 192.168.1.0 IP be pointing to something specific or just the base IP range.
Re: OpenVPN
02-11-2016 11:18 AM
Well, to me that's an instruction to push requests to devices in this IP range, so the base range makes sense to me, as anything else would restrict the binding. This range is of course the same address range as your machines have. So I'm assuming here that the second interface on your OpenVPN server has an IP in this range.
Re: OpenVPN
02-11-2016 11:21 AM
Re: OpenVPN
02-11-2016 3:11 PM
tried pinging 192.168.1.53 and got no response.
also tried 192.168.1.50 (which is the local IP of the windows 10 system and no response either).
Re: OpenVPN
02-11-2016 3:24 PM
OK @chenks76 does the new log file tell you anything?
And you do have two physical network cards in the machine that's running OpenVPN with one bound to the server IP in the config and the other in the 192.168.1.XXX range?
What is the physical structure of this install?
02-11-2016 3:27 PM - edited 02-11-2016 3:59 PM
All working now.
Bit of a marathon of piecing together incomplete and outdated documentation
Windows 10 Open VPN Server configuration
Private Network (LAN)
Subnet: 192.168.1.0
Mask: 255.255.255.0
Router IP (default gateway) : 192.168.1.254
Open VPN Server : 192.168.1.50
---server.ovpn---
# Open VPN (2.3.12) server.config
port 1194
proto udp
dev tun
comp-lzo
ca "c:\\program files\\openvpn\\config\\ca.crt"
cert "c:\\program files\\openvpn\\config\\server.crt"
key "c:\\program files\\openvpn\\config\\server.key"
dh "c:\\program files\\openvpn\\config\\dh1024.pem" # not recommended. generate dh2048 for production
topology subnet
keepalive 10 120
persist-key
persist-tun
status open-vpn-status.log
client-config-dir ccd
ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0 # the tunnel subnet
push "route 192.168.1.0 255.255.255.0" # your local subnet
; push "dhcp-option DNS 192.168.1.254" # uncomment to push private DNS server, if you have one
# logging
; log "c:\\program files\\openvpn\\log\\server.log"
verb 5
mute 20
---end server.ovpn---
---client1.ovpn---
#Open VPN (2.3.12) unified configuration file
client
dev tun
proto udp
port 1194
remote myopnvpnserver.ddns.net #Public (WAN) IP or FQDN of router
comp-lzo
persist-tun
persist-key
keepalive 10 120
verb 1
<ca>
# contents of ca.crt from server
</ca>
<cert>
# contents of client1.crt from server
</cert>
<key>
# contents of client1.key from server
</key>
---end client1.ovpn----
Additionally,
+ Add a rule to the Windows firewall on the OpenVPN server to,
allow all traffic from the subnet 10.8.0.0 mask = 255.255.255.0
+ Add a port forward to the router
UDP 1194 -> 192.168.1.50
To reach other devices on the 192.168.1.0 subnet you will need to
+ Add a static route to the router,
interface = LAN, destination = 10.8.0.0, mask = 255.255.255.0, gateway = 192.168.1.50
+ Enable IP forwarding on the Windows Open VPN server
There is a registry hack but the easiest way is to enable the Routing and Remote Access service.
Alternatively, get yourself a Linux box, it's much easier
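An added example, not part of any post in this thread and not OpenVPN's own code: a small Python check for a server.ovpn that applies the manual's backslash-escaping rule to Windows paths, flags directives that do not match those used in this thread, and reports a tun server without topology subnet. KNOWN, SAMPLE, tokenize and lint are names introduced here, and SAMPLE is constructed.

```python
import difflib
# Assumption: only the directives used in this thread, not OpenVPN's full option list.
KNOWN = set("""port proto dev comp-lzo ca cert key dh topology keepalive persist-key
persist-tun status client-config-dir ifconfig-pool-persist ifconfig-pool server push
log verb mute""".split())
# Constructed sample: one single backslash, one misspelled directive, no topology line.
SAMPLE = r'''
dev tun
ca "c:\\program files\\openvpn\\config\ca.crt"
ifcongfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0   # the tunnel subnet
'''

def tokenize(line):
    """Split one line the way the manual describes; return (tokens, bad_escapes)."""
    tokens, bad, cur, quote, i = [], [], None, None, 0
    while i < len(line):
        c = line[i]
        if quote is None and c.isspace():
            tokens += [cur] if cur is not None else []
            cur = None
        elif cur is None and c in "#;":
            break  # comment runs to the end of the line
        elif c == "\\" and quote != "'":
            nxt = line[i + 1:i + 2]
            # The manual maps only \\, \" and \<space>; anything else is a slip.
            if nxt not in ("\\", '"', " ", "\t"):
                bad.append("\\" + nxt)
            cur, i = (cur or "") + nxt, i + 1
        elif c in "\"'" and quote in (None, c):
            quote, cur = (None if quote else c), cur or ""
        else:
            cur = (cur or "") + c
        i += 1
    return (tokens + [cur] if cur is not None else tokens), bad

def lint(text):
    """Return (line_number, message) findings; line 0 means the whole file."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        tokens, bad = tokenize(line)
        findings += [(n, f"bad escape {e!r}: use \\\\ in Windows paths") for e in bad]
        if tokens and tokens[0] not in KNOWN:
            guess = difflib.get_close_matches(tokens[0], sorted(KNOWN), n=1)
            findings.append((n, f"unknown directive {tokens[0]!r}, closest: {guess}"))
        if tokens:
            seen[tokens[0]] = tokens[1:]
    tun = (seen.get("dev") or [""])[0].startswith("tun")
    if "server" in seen and tun and seen.get("topology") != ["subnet"]:
        findings.append((0, "no 'topology subnet': OpenVPN 2.3 defaults to net30"))
    return findings
```

Calling lint(SAMPLE) returns three findings: the single backslash on line 3, the misspelled directive on line 4, and the missing topology line.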