Thanks so much for your in-depth explanation. I actually had figured that out (no, really!) and have the routes set up on my router. (I mean, adding the route to the firewall/router as I described WAS correct, was it not? Sure, it's not a Linux box, and I have to use some lame web interface, but the basics are the same: destination/mask = the VPN subnet, gateway = IP address of the OpenVPN server.) I know that my routes are set up on the server LAN because I can ping the VPN interface from other computers on the server-side LAN. (I can tracert too, and see the packet go to the gateway, and then to the OpenVPN interface.)

I can tell there is something wrong on the OpenVPN server box because nothing gets from its local interface (NIC) to the OpenVPN interface. I am nearly 100% positive that the reason my setup does not work is because I am running on Windows Server 2003, and I need to enable routing under "remote access and routing". I had used the registry hack to enable IP forwarding, but I have figured out that without enabling the routing on the server, the packets are not passed between the 2 interfaces. After spending all day yesterday searching the forums, I finally found this tidbit in the SourceForge forum. I am not local to the machine where the VPN server lives, so I didn't dare enable that feature without being at the console (in case the network settings change and I lose my connection). I will be able to test that today and confirm.

Anyway, I just wanted to thank you again for your excellent lesson in routing; however, for us Windoze users, the problems seem to lie elsewhere!
Shane

-----Original Message-----
From: BlaaT 0001 [mailto:blaat0001@xxxxxxxxx]
Sent: Wednesday, February 15, 2006 9:11 AM
To: Shane Kemp; openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Re: Need help with OpenVPN configuration on a Windows 2003 Server

Hello Shane,

I would like to shed some light on the snip from the OpenVPN docs:

***********************************************
Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).
***********************************************

I understand you're not quite sure about what this means exactly. I'll try to explain it.

First I'll sketch us a simple OpenVPN setup for use with Road Warriors (laptop users, for instance) connecting to an Office LAN.

Office LAN: 192.168.1.0 netmask 255.255.255.0 (192.168.1.0/24)
Office LAN Default Gateway: 192.168.1.254 (a Linux router, for instance)
OpenVPN network: 10.8.0.0 netmask 255.255.255.0 (10.8.0.0/24)
OpenVPN Server IPs:
  Office LAN side: 192.168.1.1
  OpenVPN side: 10.8.0.1
Road Warrior OpenVPN IP: 10.8.0.6

If the Road Warrior is connected to the Office LAN it would look like this:

Road Warrior (10.8.0.6) <-> OpenVPN Server (10.8.0.1) <-> Office LAN (192.168.1.0/24)

In this simple setup, the OpenVPN server is NOT the default gateway for the Office LAN. The OpenVPN server and the Office default gateway are two separate machines. This means a computer on the Office LAN will send any traffic for any network other than the Office LAN (192.168.1.0/24) to the default gateway (192.168.1.254) and NOT the OpenVPN server (192.168.1.1). A result of this is that any traffic going FROM OpenVPN Road Warriors in the OpenVPN network 10.8.0.0/24 TO the Office LAN 192.168.1.0/24 will probably not be answered correctly by the computers on the Office LAN.
This is what happens when a Road Warrior sends out an ICMP ping to ComputerA (192.168.1.26) on the Office LAN. The ICMP ping packet will travel from the Road Warrior through the OpenVPN server to the Office LAN ComputerA at 192.168.1.26. The source address of the ICMP packet will be the IP address of the Road Warrior, 10.8.0.6. ComputerA will notice that 10.8.0.6 is not an IP address within its network range 192.168.1.0/24. Therefore ComputerA will send its reply to the ICMP ping from the Road Warrior to the Office default gateway (192.168.1.254). The Office default gateway will receive the ICMP reply of ComputerA with a destination address of 10.8.0.6. The Office gateway will have no idea that it should forward this packet to the OpenVPN server for further processing. Therefore the Office gateway will simply forward the ICMP reply to the Internet, where the packet will be discarded. The Road Warrior ping will not be answered. Actually it is answered, but the answer simply never gets back to the Road Warrior.

How do we solve this? We tell the Office default gateway at 192.168.1.254 to route all traffic for the OpenVPN network (10.8.0.0 netmask 255.255.255.0) to the OpenVPN server and NOT to the Internet. If the Office default gateway is a Linux machine, for instance (in this example it is), we would add a static route using the command:

route add -net 10.8.0.0/24 gw 192.168.1.1

This command tells a Linux machine to send all traffic for network 10.8.0.0/24 to the host with the IP address 192.168.1.1.

It is a common misconception that computers on a LAN automatically answer back to the machine the traffic came from, but this is NOT the case. Unless configured otherwise using static or dynamic routes, computers will always send their traffic to the default gateway if it's not traffic for the LAN they are directly connected to.
Going back to the snip from the OpenVPN docs:

***********************************************
Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).
***********************************************

If the OpenVPN server = default gateway of a LAN, then there's no problem. Computers on the LAN will send their replies to OpenVPN clients to the default gateway, and the default gateway is the OpenVPN server, and it will forward the traffic to the OpenVPN Road Warriors.

It's really not all that hard to understand; really, it's just some basic knowledge of how the Internet Protocol (IP) works.

I hope this clears things up a bit for you.

Cheers,
BlaaT

On 2/14/06, Shane Kemp <sm_kemp@xxxxxxxxxxx> wrote:
> Murod Khasanov <hmurad <at> mail.st.uz> writes:
> >
> > Randy Price wrote:
> >
> > > I have installed OpenVPN on a Windows 2003 server and I am able to
> > > successfully connect to OpenVPN using a client. After the connection
> > > is established I am unable to access the resources that I am pushing
> > > the routes to in my config. I try pinging the devices and receive a
> > > request timed out. I have looked at the docs and have enabled IP
> > > forwarding on the server. My client machine has an address of
> > > 192.168.x.x and is NAT'ed through my router, and once I am connected to
> > > the VPN server I notice that the pings fail in the log with a
> > > "bad source address from client" error and it references my 192 address
> > > instead of the 10.8.0.3 address my connection has
> > > established. I wanted to set this up for a "Road Warrior" type of VPN
> > > and saw where you could add the iroute command for routes back to the
> > > network but didn't know if that is what I needed to do or not.
> > > I didn't want this to cause an issue when I was in a hotel and had a
> > > different source IP address. Can someone help explain to me the best
> > > way to set this up?
> >
> > I was not able to do this either. I am a newbie, so correct me if I am
> > wrong. I do not know why, but when I configured my server openvpn and
> > tried to connect to it with a client openvpn, the server set a route to
> > 10.X.X.2 for the client, but on the client machine when I want to see the tun0
> > device it says that the client machine has the 10.x.x.6 IP address. When I ping
> > this from the server, pings go well, but when I ping 10.x.x.2, which should be
> > on the client as the route on the server says, I am not able; it says ping
> > timeout. From the client I do ping 10.x.x.1, which should be on the server, and
> > 10.x.x.6 well, and my client can see the subnet behind the server because the
> > server pushes the route to the correct 10.x.x.1 as gateway to the client, but the
> > client pushes his subnet routed to 10.x.x.2 as gateway, and this one the
> > server cannot see, as I said before, because the client's tun0 gets configured
> > for 10.x.x.6 and the server has routes only to 10.x.x.2.
> > I was able to configure it as static-office and static-home, and in the
> > office.up and home.up I used subsequent routes for the server and client
> > side subnets and it works well because tun0 on the server is as it should be,
> > 10.x.x.1, and tun0 on the client is 10.x.x.2, and $5 in office.up and home.up
> > points to correct existing IPs.
> > I am wondering how I could configure server.conf and client.conf to
> > use existing assigned IPs in $5 when I do home up, or when I push a
> > subnet from client to server, because when I push routes to the server it
> > initializes well but cannot see the subnet and cannot add routes to the
> > non-existing (from its point of view) 10.x.x.6; it says network unreachable. I
> > tried all options with iroute and route as explained in the man page,
> > but the server when it's up establishes routes to the client as 10.x.x.2 when in
> > reality I see on the client that there is no such IP on tun0, only 10.x.x.6.
> > You should check out what IPs are assigned to your tun0 on the client, and
> > if you are not trying to connect many clients to one server, use the static
> > type of config files and client and server will get the default 10.x.x.1 and
> > 10.x.x.2 IPs; they work excellently point to point and subnet to subnet.
> > But above all you should use correct firewall and forwarding rules on
> > both machines.
> >
> > Best regards,
> > Murod Khasanov
> >
>
> I too am having the exact same issue. I have read a million posts about this
> and have not seen the answer. The problem comes down to interpreting this line
> in the openvpn docs:
>
> Next, you must set up a route on the server-side LAN gateway to route the VPN
> client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the
> OpenVPN server and the LAN gateway are different machines).
>
> I decided that this meant going to the router on the server side and adding a
> static route.
> I tried:
>
> destination 10.8.0.1
> mask: 255.255.255.252
> gateway: 10.10.1.3 (the local IP address of my VPN server machine)
> mtu: 2
> private: no
>
> That seemed to have no effect. I also tried 10.8.0.0 but that didn't seem to
> matter either.
>
> Perhaps there is a route add command that needs to be run on the server as well?
> I have seen mention of this, but no working examples for a Windows based server.
>
> Please post if you know the solution!
>
> Thanks.
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users