
Re: [Openvpn-users] Openvpn and win2003 as a internet gateway?

  • Subject: Re: [Openvpn-users] Openvpn and win2003 as a internet gateway?
  • From: Peter Barwich <pbarwich@xxxxxxxxxxx>
  • Date: Sun, 08 Jul 2007 15:39:01 +0100

As far as I know there is no firewall on the server.

I have not set up such a thing.

The basic firewall is not turned on in "routing and remote access".

management localhost 7505
push "echo ----------- VPN kobling ----------- "
port 1195
proto udp
dev tun
ca ca.crt
cert balder.crt
key balder.key  # This file should be kept secret
dh dh2048.pem
ifconfig-pool-persist ipp.txt
;client-config-dir ccd
push "redirect-gateway def1"
push "dhcp-option DNS"
push "dhcp-option WINS"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
max-clients 100
status openvpn-status.log
verb 3

dev tun
proto udp
remote my-server-2 1194
resolv-retry infinite
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
tls-auth ta.key 1
verb 3

Is there anyone here who has successfully set up a win2003 as an internet gateway with openvpn?





From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Paul Wright
Sent: 7 July 2007 22:52
To: Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Openvpn and win2003 as a internet gateway?


The connection is made successfully… but traffic seems to be dropped on the win2003 server.

MULTI: bad source address from client [], packet dropped


I'm guessing that a firewall rule is dropping the packet because it is sourced from an RFC1918 address.  What can you tell us about the configuration on the Win2003 server?


By the way

Adding this to the server config

client-config-dir ccd

and this to the client text file in ccd dir



makes the errors in the log disappear, but still no dice!

I'd be inclined to simplify things a bit:

Firstly, don't push the gateway until you have a reliable connection. Delete push "redirect-gateway def1".

Secondly, don't try to assign IPs to your vpn by WINS until you have sorted out a connection. OVPN will assign the vpn addresses. There are, I believe, ways to allow WINS to assign IPs in the server's own LAN subnet, but there are some difficulties with tun adaptors in that you need to use /30 subnets. Is that why you use [] to keep it well away from LAN addresses?

And thirdly, I'm not sure you need your ccd file directive (iroute []). This is supposed to be telling the server where the client's LAN subnet is, but it is the same subnet as the VPN, which will be a problem. Have a look at http://openvpn.net/howto.html#scope, which implies that this is needed if you want machines on the client LAN to have access to the server LAN. Again, keep it simple to begin with.

There was a lot of discussion on point 2 and /30 subnets in this mailing list. Review at http://news.gmane.org/gmane.network.openvpn.user.
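The following is an added example, not code from this thread or from the OpenVPN project, written in Python with only the standard library. It models the three things the reply above turns on: the per-client source-address check behind the "MULTI: bad source address from client [...], packet dropped" log line (why adding an iroute in the ccd file made the errors go away), a check that flags an iroute overlapping the server's own VPN subnet (point 3), and the /30-per-client allocation a "dev tun" server uses (point 2). The server directive, the client names and every address are constructed for the example, since the archive stripped the thread's real addresses.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed sample server config; the thread's own "server" line is not
# visible in the archive, so 10.8.0.0/24 is an assumption for this example.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir ccd
"""

# Constructed ccd files keyed by client certificate common name
# (hypothetical names and addresses, not from the thread).
CCD_FILES: Dict[str, str] = {
    # the mistake discussed in point 3: an iroute for the VPN subnet itself
    "test": "iroute 10.8.0.0 255.255.255.0\n",
    # a client with a LAN behind it, announced with a distinct subnet
    "office": "iroute 192.168.50.0 255.255.255.0\n",
}

_SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+(\S+)", re.MULTILINE)
_IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_server_subnet(conf: str) -> IPv4Net:
    """Return the VPN subnet from the 'server <net> <mask>' directive."""
    m = _SERVER_RE.search(conf)
    if m is None:
        raise ValueError("no 'server' directive in config")
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")


def parse_iroutes(ccd_text: str) -> List[IPv4Net]:
    """Collect every 'iroute <net> <mask>' line from one ccd file."""
    return [ipaddress.IPv4Network(f"{net}/{mask}")
            for net, mask in _IROUTE_RE.findall(ccd_text)]


def source_allowed(src: str, client_vpn_ip: str, iroutes: List[IPv4Net]) -> bool:
    """Simplified model of the server-side check behind the log line
    'MULTI: bad source address from client [...], packet dropped': a packet
    arriving from a client is accepted only if its source address is the
    client's own VPN address or lies inside one of that client's iroute
    subnets. Everything else is dropped."""
    addr = ipaddress.IPv4Address(src)
    if addr == ipaddress.IPv4Address(client_vpn_ip):
        return True
    return any(addr in net for net in iroutes)


def check_ccd(server_subnet: IPv4Net, ccd_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag iroute entries that overlap the VPN subnet (point 3 of the reply)."""
    problems: Dict[str, List[str]] = {}
    for name, text in ccd_files.items():
        for net in parse_iroutes(text):
            if net.overlaps(server_subnet):
                problems.setdefault(name, []).append(
                    f"iroute {net} overlaps the VPN subnet {server_subnet}")
    return problems


def net30_allocation(server_subnet: IPv4Net, clients: int) -> List[Tuple[str, str, str]]:
    """List the /30 blocks a 'dev tun' server hands out when each client gets
    a /30 (point 2). The first /30 is the server's own; every later block
    yields (block, server-side endpoint, client address)."""
    blocks = list(server_subnet.subnets(new_prefix=30))
    out: List[Tuple[str, str, str]] = []
    for blk in blocks[1:clients + 1]:
        endpoint, client = blk.hosts()  # a /30 has exactly two usable addresses
        out.append((str(blk), str(endpoint), str(client)))
    return out


if __name__ == "__main__":
    vpn = parse_server_subnet(SERVER_CONF)
    print("VPN subnet:", vpn)
    for name, msgs in check_ccd(vpn, CCD_FILES).items():
        for msg in msgs:
            print(f"ccd/{name}: {msg}")
    office = parse_iroutes(CCD_FILES["office"])
    for src in ("10.8.0.6", "192.168.50.10", "172.16.0.5"):
        verdict = "accepted" if source_allowed(src, "10.8.0.6", office) else "dropped"
        print(f"packet from {src} via client 'office': {verdict}")
    for blk, ep, cl in net30_allocation(vpn, 3):
        print(f"{blk}: client {cl}, server endpoint {ep}")
```

Run as-is, it reports the "test" ccd file as overlapping the VPN subnet, shows a packet from 172.16.0.5 being dropped while 192.168.50.10 passes thanks to the office iroute, and lists the first three client /30 blocks. The overlap check is the one worth keeping in a deployment: an iroute that covers the VPN pool itself makes the server attribute the whole pool to one client, which is exactly the "same subnet as the VPN" conflict the reply warns about.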