OpenVPN Server: Can connect from iphone, not from Windows7

[Pommes]

Hi,
i have a Asuswrt Router running OpenVPN Server. I can connect from my iphone and then access the webinterface of the router by typing its IP into the webbrowser of the iphone:192.168.6.1.
When i connect via Windows 7 OpenVPN Gui it does connect, but i can not access the routers webinterface, can not even ping the router 192.168.6.1 from the windows machine, even though the windows and the iphone are on the same network.
Anybody can give me a hint?
Thanks

 

[L&LD]

Are you running the OpenVPN gui in a restricted account? Try running with 'run as administrator'.

 

[Pommes]

Are you running the OpenVPN gui in a restricted account? Try running with 'run as administrator'.

I am running as administrator and it shows green connected

 

[L&LD]

Did you log off from the iPhone first? Are you using the correct/latest .ovpn file? Is the computer showing being connected as a Private or a Public network?

Are you using WiFi to connect? And if so, is this a restricted 'guest' account (with no access to intranet)?

What router (and firmware), btw?

Which mode is the OpenVPN configured for (TUN or TAP)?

 

[Pommes]

Did you log off from the iPhone first? Are you using the correct/latest .ovpn file? Is the computer showing being connected as a Private or a Public network?

Are you using WiFi to connect? And if so, is this a restricted 'guest' account (with no access to intranet)?

What router (and firmware), btw?

Which mode is the OpenVPN configured for (TUN or TAP)?

I logged off from iphone, i use the same ovpn.config The computer is on Lan , the iphone on wifi, but i tried on an LTE Hotspot, both on wifi, too. Router is the asus rt-ac87 latest merlin firmware.(unfortunately i changed the port to 443 on the openvpn server and in the config, now i am not able to open the webinterface on neither iphone nor win7. Will change it back to 1194, once i am at home later tonight) .

 

[L&LD]

Router is the asus rt-ac87 latest merlin firmware.(unfortunately i changed the port to 443 on the openvpn server and in the config, now i am not able to open the webinterface on neither iphone nor win7. Will change it back to 1194, once i am at home later tonight) .

This is a good reason to use both OpenVPN Servers (one that 'works' and isn't touched and one for 'testing' different configuration options for).

You didn't mention if the WiFi was a restricted guest network or not?

 

[Pommes]

This is a good reason to use both OpenVPN Servers (one that 'works' and isn't touched and one for 'testing' different configuration options for).

You didn't mention if the WiFi was a restricted guest network or not?

Thanks, yes i ithink i will configure the 2nd server just to test, but first i need to know how to run the vpn firstthe wifi is unrestricted and the iphone on wifi was able to access the webinterface. Is there any setting in windows maybe to actually use the vpn connection? Thanks a lot

 

[martinr]

..... Is there any setting in windows maybe to actually use the vpn connection? Thanks a lot

Not that I can recall. I have a similar setup: the ability to use either my iPhone or my laptop to connect remotely to either of my servers (one on 1194, the other on 443). I use PKI (Certs and keys) as well as a different passphrase for each device. Perhaps setup the second server simply with a password and, once that's working on the laptop, then introduce greater levels of security (certs, keys and passphrase) if that's how you have the other one set up? It'll be something silly that's got overlooked.

Can you get a screengrab or log from the laptop showing details of its failure to connect?

 

[Pommes]

Not that I can recall. I have a similar setup: the ability to use either my iPhone or my laptop to connect remotely to either of my servers (one on 1194, the other on 443). I use PKI (Certs and keys) as well as a different passphrase for each device. Perhaps setup the second server simply with a password and, once that's working on the laptop, then introduce greater levels of security (certs, keys and passphrase) if that's how you have the other one set up? It'll be something silly that's got overlooked.

Can you get a screengrab or log from the laptop showing details of its failure to connect?

This is the log of the VPN Gui, i have used a simple user and password, and as you see the VPN gui connects, but i can not ping my router 192.168.6.1...
It worked on my iphone before i switched the port to 443


Fri Jul 08 21:02:21 2016 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
Fri Jul 08 21:02:21 2016 Windows version 6.1 (Windows 7) 64bit
Fri Jul 08 21:02:21 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Enter Management Password:
Fri Jul 08 21:02:32 2016 UDPv4 link local: [undef]
Fri Jul 08 21:02:32 2016 UDPv4 link remote: [AF_INET](my publuc ip):443
Fri Jul 08 21:02:32 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jul 08 21:02:32 2016 [RT-AC87U] Peer Connection Initiated with [AF_INET](my publuc ip):443
Fri Jul 08 21:02:35 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jul 08 21:02:35 2016 open_tun, tt->ipv6=0
Fri Jul 08 21:02:35 2016 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{49288B28-A154-426A-82E9-AE8CF648D08C}.tap
Fri Jul 08 21:02:35 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
Fri Jul 08 21:02:35 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {49288B28-A154-426A-82E9-AE8CF648D08C} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Fri Jul 08 21:02:35 2016 Successful ARP Flush on interface [25] {49288B28-A154-426A-82E9-AE8CF648D08C}
Fri Jul 08 21:02:40 2016 Initialization Sequence Completed

 

[Pommes]

So i am at home and i configured two open vpn servers, one port 1194 the other 443, both connect on my iPhone on LTE(4g) but only on 1194 i can access the web interface of my router...i used my iPhone as hotspot and with tunnelblick on mac it is the same: web interface of router only on 1194 vpn. i do not understand...

 

[L&LD]

So i am at home and i configured two open vpn servers, one port 1194 the other 443, both connect on my iPhone on LTE(4g) but only on 1194 i can access the web interface of my router...i used my iPhone as hotspot and with tunnelblick on mac it is the same: web interface of router only on 1194 vpn. i do not understand...

Port 443 is a reserved port. Use 1195, for example, instead.

 

[Pommes]

Port 443 is a reserved port. Use 1195, for example, instead.

Thanks, that makes sense...still: i can connect from iphone and Macbook on 1194, not from windows, so i think it must be some setting in windows itself. Now on port 1194 it does not even connect to the vpn, the gui shows yellow, on 443 i can connect, the gui is green color, but i can not access the routers webinterface...what the hell is wrong?
Sat Jul 09 09:30:02 2016 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
Sat Jul 09 09:30:02 2016 Windows version 6.1 (Windows 7) 64bit
Sat Jul 09 09:30:02 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Sat Jul 09 09:30:14 2016 UDPv4 link local: [undef]
Sat Jul 09 09:30:14 2016 UDPv4 link remote: [AF_INET](my public ip):1194
Sat Jul 09 09:31:14 2016 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Jul 09 09:31:14 2016 SIGUSR1[soft,ping-restart] received, process restarting
Sat Jul 09 09:31:17 2016 UDPv4 link local: [undef]
Sat Jul 09 09:31:17 2016 UDPv4 link remote: [AF_INET](my public ip):1194
Sat Jul 09 09:32:17 2016 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Jul 09 09:32:17 2016 SIGUSR1[soft,ping-restart] received, process restarting
Sat Jul 09 09:32:20 2016 UDPv4 link local: [undef]
Sat Jul 09 09:32:20 2016 UDPv4 link remote: [AF_INET](my public ip):1194

 

[martinr]

.....but i can not access the routers webinterface...what the hell is wrong?

Something I realise I've assumed and not explixitly checked with you: did you export the identical .ovpn file to the laptop and iPhone?

Is it possible that in the .ovpn file that the laptop got, the "Push LAN to clients" setting had not been set to Yes?

 

[Pommes]

Something I realise I've assumed and not explixitly checked with you: did you export the identical .ovpn file to the laptop and iPhone?

Is it possible that in the .ovpn file that the laptop got, the "Push LAN to clients" setting had not been set to Yes?

it is the exactly same config on all devices, push LAN to clients activated...weird, isn´t it?
when connecting to 443 from laptop, there seems to be a 2nd network, windows tap. when connecting to 1194 there is no 2nd network...

 

[martinr]

it is the exactly same config on all devices, push LAN to clients activated...weird, isn´t it?
when connecting to 443 from laptop, there seems to be a 2nd network, windows tap. when connecting to 1194 there is no 2nd network...

That second tap network - it has a different network address to the tun one you're trying to?

 

[Pommes]

That second tap network - it has a different network address to the tun one you're trying to?

The Lan 1 is 10.12.1.221, the tap is 10.16.0.2, 10.16 is also the ip of the vpn in the router.
i am connected to port 443 again, because the tap only shows up when connecting via 443 from windows machine

 

[Pommes]

Port 443 is a reserved port. Use 1195, for example, instead.

1195 is the same as 1194, no connection from windows machine...

 

[Pommes]

on port 443 i am connected to the vpn. i can ping 10.16.0.1 which i think is the vpn ip on the router, but i can not ping 192.168.6.1 which is the router ip

 

[Pommes]

Problem solved:
I googled a couple hours and found a post which suggested to add a line at the end of the ovpn config : push "route 192.168.6.0 255.255.255.0"
I did that and now i am connected to my routers webinterface on port 443, all other ports do not establish a connection...
Thanks to all of you!

 

[martinr]

Good to hear it's sorted, but it doesn't explain why I was able to set mine up on my Windows laptop without the slightest problem and can switch between the servers on 1194 and 443. I'll possibly double check that really is the case and then maybe post my .ovpn file for you to compare.