OpenVPN Server Configuration

KonstantinK

Hi,

I have been struggling to configure an OpenVPN server for some days.

Basically what I am trying to achieve is the following - I want to set up a VPN server using OpenVPN and EasyRSA 3.0 on a Windows Server 2016 computer. I would like to access the server remotely i.e. access the server from another network in another city.

Let me explain a bit more in detail what I need the VPN Server for - we have a Network Attached Storage (NAS) at work (it is the Windows Server computer), I would like to be able to access it through the VPN Server. I am planning to install a License Server on our Windows Server computer at work and I would like to connect to the VPN Server from home and still be able to use the license. And of course, I should be able to access the shared folders of the computers at work remotely.

The local network has a default gateway with IP 192.168.88.1 and a subnet mask 255.255.255.0.

Some information about the server and what I have done so far:
  • The server is behind NAT i.e. it is connected via LAN cable after the router.
  • Server port is 1175 and I opened the Inbound Traffic in the firewall on this port
  • I port forwarded port 1175 in my router to the local IP of the server (192.168.88.88)
  • The VPN Server IP is 10.8.0.1
I successfully connect to the server from a client outside of my local network and an IP is assigned to the client - 10.8.0.4.

I can successfully ping the server from the client and vice versa. I can also access the shared folders by typing the local IP or the VPN IP in the Windows 10 Network application, the access is successful from server and client side.

But now let us get to the problem, I can neither ping another computer (I am trying to access a NAS) in the local network nor access its shared folder using its local IP in the Windows 10 Network application.

Based on the wiki description I added this push route rule to the server configuration

Code:
push "route 192.168.1.0 255.255.255.0"

which should allow the clients to access LAN devices behind the VPN Server.

Here is the wiki page I am talking about: GettingStartedwithOVPN

I am attaching my server and client configurations.

Best Regards
 

Attachments

  • VPNCLIENT.txt
  • VPNSERVER.txt
You shouldn't need that push route statement (if I understand you correctly). That would only be required if the 192.168.1.0 subnet was on the server side. I believe you are trying to access the local 192.168.88.0/24 network so that's the route you need to push.

This issue is commonly caused by the firewalls on the machines you are attempting to connect to. As it stands your client's traffic will appear to be coming from 10.8.0.4 which is outside of the local subnet. Most local firewalls will block this unless an exception is made.
 
your client's traffic will appear to be coming from 10.8.0.4 which is outside of the local subnet. Most local firewalls will block this unless an exception is made.

I'm thinking the same thing... bogons and martians (esp martians) are typically blocked on the WAN side rules
 
You shouldn't need that push route statement (if I understand you correctly). That would only be required if the 192.168.1.0 subnet was on the server side. I believe you are trying to access the local 192.168.88.0/24 network so that's the route you need to push.

This issue is commonly caused by the firewalls on the machines you are attempting to connect to. As it stands your client's traffic will appear to be coming from 10.8.0.4 which is outside of the local subnet. Most local firewalls will block this unless an exception is made.
I'm thinking the same thing... bogons and martians (esp martians) are typically blocked on the WAN side rules
Hi,

Thank you for your answers.

Actually, I kind of misled you a bit. Due to the pandemic situation I am simulating the configuration from home by using my home network configuration which is pretty similar to the actual configuration where I want to implement the OpenVPN Server.

I attached a diagram of my home network.

Let me explain now a bit more in detail - I did not connect everything to the Switch since it would have been painful to pull cables across the floors of my house, that is why I have this Access Point with integrated switch on my second floor. The OpenVPN Server I installed on my personal laptop, which has a static IP of 192.168.1.7. This is the reason why I have a push route rule to 192.168.1.0/24 subnet.

After reading your post, I thought perhaps I have to do some Firewall setting on my Synology NAS to be able to access it via the VPN. Therefore I decided to wire up my Ubuntu PC to the network via LAN cable. I tried connecting to the VPN Server from a remote client (I am using the hotspot from my phone) and as expected I connected successfully. As I said before I can ping the server from the client and vice versa.

On the Ubuntu PC I made a shared folder with a text file inside. I can access it in the local network. I read on the Internet that by default the Firewall of Ubuntu is disabled. Therefore I thought that I should be able to access the Ubuntu PC via the VPN. I tried to access it by typing its local IP (192.168.1.11 (not a static one, I checked what it is)) in the Windows Network Application but I could not reach it.

Now I hope it is more clear what I want to achieve.

Best Regards
 

Attachments

  • Home Network Diagram.jpg
Hi,

I just want to make an update on the topic.

I found a similar problem to mine which is solved with just one line of code added to the client configuration.

Here is the link: Access Computers Inside the LAN

I have added

Code:
route ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.1

#Subnet 192.168.1.0
#Mask 255.255.255.0
#Default Gateway 192.168.1.1

to the client configuration and all the routing started but when everything settles, I get the following:

Code:
TEST ROUTES: 1/2 succeeded len=2 ret=0 a=0 u/d=up
Route: Waiting for TUN/TAP interface to come up...
#### Many times repeating the same message

Warning: route gateway is not reachable on any active network adapters: 192.168.1.1
Route addition via service failed
C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.1
Route addition via service succeeded

Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
MANAGEMENT: >STATE:1617306674,CONNECTED,ERROR,10.8.0.2,MY_PUBLIC_IP,1175,,

I have tried to disable the Firewall on the client computer but still, I cannot ping my Ubuntu PC (192.168.1.11).

I can still access the server shared folder and ping the server.


Best Regards
 
I can't offer much help because I've not tried to set up an OpenVPN server on a home version of Windows. I suspect the problem is a routing issue within Windows itself because you're not running it on Windows Server. This is what that post you linked to is also alluding to.

IMHO the "route ADD" that you added to the client config is wrong (which is why you get the error message) and should be removed. The correct route is already being pushed to the client from the server. The way that "route ADD" was being used in the linked post was to add it to the Windows machine running the OpenVPN server prior to starting the VPN server. I'm guessing the idea behind this is to allow the Windows machine to act like a router and route between its two network interfaces, which in your case would be 192.168.1.7 and 10.8.0.1. Although why this extra route would be necessary is beyond me. Whether this will actually work with your laptop I don't know. I'd guess this would be a lot more straightforward if you were doing this for real on Windows Server.

EDIT: It's just occurred to me that even if the client's traffic is reaching the NAS or Ubuntu PC the return traffic is likely being lost because they don't know how to reach the 10.8.0.0 network. As such that traffic is probably being sent out the LAN's default gateway into oblivion. So a static route would need to be defined either on the NAS/Ubuntu machines or the gateway router (192.168.1.1). The static route would be for 10.8.0.0/255.255.255.0 via 192.168.1.7. I'm just guessing though.
 
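To make the return-path point in the post above concrete, here is an added Python model (not code from the thread, from OpenVPN or from Windows) that does a Windows-style longest-prefix, lowest-metric route lookup over routing tables reconstructed from the posts, and traces one packet from the VPN client to the Ubuntu PC and the reply back. The phone hotspot and ISP addresses, the TAP adapter route on the server, and the Linux and gateway metrics are assumed values; the "forward" flag on the server stands for IPEnableRouter = 1.

```python
import copy
import ipaddress

# Constructed model of the thread's home-network test, not code from the thread.
# Hosts: VPN client 10.8.0.4; OpenVPN server laptop (192.168.1.7 on the LAN,
# 10.8.0.1 on the TAP adapter, IPEnableRouter=1); Ubuntu PC 192.168.1.11; LAN
# gateway 192.168.1.1. Gateway None = on-link. Assumed: hotspot, ISP, TAP route.
HOSTS = {
    "client": {"addrs": {"10.8.0.4"}, "forward": False, "routes": [
        ("10.8.0.0/24", None, 291),           # TAP adapter
        ("192.168.1.0/24", "10.8.0.1", 291),  # from push "route 192.168.1.0 255.255.255.0"
        ("0.0.0.0/0", "172.20.10.1", 35),     # phone hotspot (assumed address)
    ]},
    "server": {"addrs": {"192.168.1.7", "10.8.0.1"}, "forward": True, "routes": [
        ("0.0.0.0/0", "192.168.1.1", 35),     # as in the posted IPv4 route table
        ("192.168.1.0/24", None, 291),
        ("10.8.0.0/24", None, 291),           # TAP adapter once the tunnel is up (assumed)
    ]},
    "ubuntu": {"addrs": {"192.168.1.11"}, "forward": False, "routes": [
        ("192.168.1.0/24", None, 100),
        ("0.0.0.0/0", "192.168.1.1", 100),
    ]},
    "gateway": {"addrs": {"192.168.1.1"}, "forward": True, "routes": [
        ("192.168.1.0/24", None, 0),
        ("0.0.0.0/0", "203.0.113.1", 0),      # ISP side: nothing there knows 10.8.0.0/24
    ]},
}

def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties (how Windows picks a route).
    Returns (matched, gateway); gateway None means directly connected."""
    dst, best = ipaddress.ip_address(dst), None
    for net, gw, metric in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), gw)
    return (False, None) if best is None else (True, best[1])

def owner(hosts, addr):
    """Name of the modelled host holding addr, or None if it is off our map."""
    return next((n for n, h in hosts.items() if addr in h["addrs"]), None)

def trace(hosts, src, dst, max_hops=8):
    """Follow one packet host by host. Returns (path, delivered)."""
    path = [src]
    for _ in range(max_hops):
        h = hosts[path[-1]]
        if dst in h["addrs"]:
            return path, True
        if len(path) > 1 and not h["forward"]:
            return path, False            # not a router: transit packet is dropped
        matched, gw = lookup(h["routes"], dst)
        if not matched:
            return path, False
        nxt = owner(hosts, dst if gw is None else gw)
        if nxt is None:
            return path, False            # next hop is off our map (e.g. the ISP): lost
        path.append(nxt)
    return path, False

def patched(hosts, host, route=None, forward=None):
    """Copy of hosts with a static route added and/or forwarding toggled on host,
    e.g. patched(HOSTS, "ubuntu", route=("10.8.0.0/24", "192.168.1.7", 100))."""
    hosts = copy.deepcopy(hosts)
    if route:
        hosts[host]["routes"].append(route)
    if forward is not None:
        hosts[host]["forward"] = forward
    return hosts
```

Without the static route the reply from 192.168.1.11 to 10.8.0.4 follows the Ubuntu PC's default route to 192.168.1.1, which only has a route towards the ISP; adding 10.8.0.0/24 via 192.168.1.7 on either the target or the gateway brings the reply back through the server.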
I can't offer much help because I've not tried to set up an OpenVPN server on a home version of Windows. I suspect the problem is a routing issue within Windows itself because you're not running it on Windows Server. This is what that post you linked to is also alluding to.

IMHO the "route ADD" that you added to the client config is wrong (which is why you get the error message) and should be removed. The correct route is already being pushed to the client from the server. The way that "route ADD" was being used in the linked post was to add it to the Windows machine running the OpenVPN server prior to starting the VPN server. I'm guessing the idea behind this is to allow the Windows machine to act like a router and route between its two network interfaces, which in your case would be 192.168.1.7 and 10.8.0.1. Whether this will actually work with your laptop I don't know. I'd guess this would be a lot more straightforward if you were doing this for real on Windows Server.
Hi, Thank you very much for your response.

Now it gets a bit clearer for me. I have tried what you suggested - removed the routing line from the client config and on the server side executed
Code:
route ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.1
in the command prompt window.

My routing tables are as follows:
Code:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.7     35
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      169.254.0.0      255.255.0.0         On-link   169.254.255.145    291
  169.254.255.145  255.255.255.255         On-link   169.254.255.145    291
  169.254.255.255  255.255.255.255         On-link   169.254.255.145    291
      192.168.1.0    255.255.255.0         On-link       192.168.1.7    291
      192.168.1.0    255.255.255.0      192.168.1.1      192.168.1.7     36
      192.168.1.7  255.255.255.255         On-link       192.168.1.7    291
    192.168.1.255  255.255.255.255         On-link       192.168.1.7    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link   169.254.255.145    291
        224.0.0.0        240.0.0.0         On-link       192.168.1.7    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link   169.254.255.145    291
  255.255.255.255  255.255.255.255         On-link       192.168.1.7    291
===========================================================================
Persistent Routes:
  None

Unfortunately, I cannot access local computers. I also turned off the Firewall on the server computer. From the routing table it can be seen that the route I added is successful.
I am out of ideas what could the issue be now.
It seems that the configurations are pretty much the same as the ones in the link.
Could it be that I have to add routing rules in the router/modem itself or the problem is that I have a switch in between the router and the server?
In this link OpenVPN Clients Access To The Server LAN, the guy shows some settings in the DHCP client, but I do not have it on my computer or at least I cannot find it.
What would you advise me to try or should I start from scratch again?

Best Regards
 
OK that link is interesting and seems to be saying the same thing that I was speculating about. It makes more sense because he is using a registry setting on the VPN server machine to enable routing between the interfaces. So the "route ADD" command shouldn't be necessary as it's redundant. He is pushing the static route to the clients through his local Windows DHCP server.
 
See my updated post above.
Hi again and one more time thank you very much for your help.

IT WORKS! I added a static route on my Synology NAS as you suggested and guess what, I can ping the NAS and I can access its directories by typing the local IP in the Windows Network application.

I cannot ping the Ubuntu PC (192.168.1.11) but I guess this is caused by the fact that I did not add a static route on the Ubuntu PC.

My guess is that if I add a static route in my Network Gateway (192.168.1.1), I should be able to access all the LAN devices behind the VPN Server.

Perhaps it is more secure to add the static route only on devices that have to be accessed remotely, though.

I also excluded the TAP-Windows adapter from the Firewall.

ColinTaylor:
OK that link is interesting and seems to be saying the same thing that I was speculating about. It makes more sense because he is using a registry setting on the VPN server machine to enable routing between the interfaces. So the "route ADD" command shouldn't be necessary as it's redundant. He is pushing the static route to the clients through his local Windows DHCP server.
Regarding this comment, I changed the IPEnableRouter registry as the guy from the link suggested a long time ago.

I do not have the DHCP Server MMC wizard since probably it is only available on Windows Server operating systems.

The unnecessary command you mean, the one that I added to the server-side machine? I am not sure if I should remove this route on the server computer, actually it will be removed automatically since it is not a persistent route. Next time I start the server computer I will check if I can still ping the NAS. If I cannot, then this route should be present on the server computer.

Best Regards
 
The unnecessary command you mean, the one that I added to the server-side machine? I am not sure if I should remove this route on the server computer, actually it will be removed automatically since it is not a persistent route. Next time I start the server computer I will check if I can still ping the NAS. If I cannot, then this route should be present on the server computer.
Yes that's the command I was referring to. If you could remove it and confirm whether it's needed or not that would be useful. In the original post that said it was required they seemed to be under the impression that it would allow the server machine to route between the two networks (or at least that's how I interpreted it). That really doesn't make any sense to me, especially as the new route is just duplicating a route that already exists.
 
Yes that's the command I was referring to. If you could remove it and confirm whether it's needed or not that would be useful. In the original post that said it was required they seemed to be under the impression that it would allow the server machine to route between the two networks (or at least that's how I interpreted it). That really doesn't make any sense to me, especially as the new route is just duplicating a route that already exists.
Hi,

I have tried to connect to the local LAN via the client after restarting the server computer.

It seems that you are correct, I do not need to do the specific route on the server computer as well. I successfully connected to the NAS via the client.

The routing has already been done in the server configuration file and therefore doing the same routing rule twice is redundant.

Code:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.7     35
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      169.254.0.0      255.255.0.0         On-link   169.254.255.145    291
  169.254.255.145  255.255.255.255         On-link   169.254.255.145    291
  169.254.255.255  255.255.255.255         On-link   169.254.255.145    291
      192.168.1.0    255.255.255.0         On-link       192.168.1.7    291
      192.168.1.7  255.255.255.255         On-link       192.168.1.7    291
    192.168.1.255  255.255.255.255         On-link       192.168.1.7    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       192.168.1.7    291
        224.0.0.0        240.0.0.0         On-link   169.254.255.145    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       192.168.1.7    291
  255.255.255.255  255.255.255.255         On-link   169.254.255.145    291
===========================================================================
Persistent Routes:
  None
Just for reference, my Route Table. The routing rule
Code:
route ADD 10.8.0.0 MASK 255.255.255.0 192.168.1.7
is not in the Routing Tables.

IP address 192.168.1.7 in my case is the VPN Server computer which acts as a gateway.

Hopefully this might be useful for somebody who wants to make similar configuration.

Best Regards
 
The redundant route I was referring to was "route ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.1" in post #7.

Just for reference, my Route Table. The routing rule
Code:
route ADD 10.8.0.0 MASK 255.255.255.0 192.168.1.7
is not in the Routing Tables.
Indeed. That route is only on the target machines, or alternatively the default gateway.
 
The redundant route I was referring to was "route ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.1" in post #7.
Hi,

OK! I misunderstood what you had in mind.

Actually it can be seen that this rule is also removed, since it is not in the routing table. I added it manually before when I was wondering what to do.

But I guess my statement that if you want to access all the devices behind LAN you have to add a static route on your LAN gateway itself, still holds.

And if you want only to access a particular device behind the LAN, you have to add a static route on each of them.

Best Regards
 
Hi,

Today I got remote access to the computers at work. I have tried to set up the VPN Server on the Windows Server 2016 computer.

All the settings are the same as the VPN Server I configured on my home computer:
Code:
topology subnet
client-to-client
push "route 192.168.1.0 255.255.255.0"
Changing the IP Router registry and allowing Inbound traffic on port 1175 in the Firewall
Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter == 1
Unfortunately I did not manage to connect right away. I got the following on the client log
Code:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,private-key-password-failure] received, process restarting
I have done some researching on the Internet and I found that someone instead of UDP used TCP protocol. I changed my setting to TCP both on the server and the client configuration files and it worked flawlessly.

Just for reference, the following line, in the server configuration file, needs to be commented since the command does not work with TCP
Code:
explicit-exit-notify 1
What do you think could be the reason for this error?

And is it fine if I use TCP instead of UDP?

I read some comment on the Internet saying that it is better to use UDP protocol for VPN connections.

Best Regards
 
Does your workplace have a corporate firewall? I would check how that has been setup to allow access to the VPN server? Is the VPN server in a DMZ or is your IT department forwarding the required port to the internal network?
 
Does your workplace have a corporate firewall? I would check how that has been setup to allow access to the VPN server? Is the VPN server in a DMZ or is your IT department forwarding the required port to the internal network?
Hi,

I do not think that we have a corporate Firewall since our workplace is not in the vicinity of a big town/city (let us say 10-12 km away from the closest city/town). Actually our Internet is brought by an antenna signal. Then after our receiving antenna we have a router/access point. I cannot access this router/access point, it is only the network guys from the ISP who can. We are negotiating with the ISP to lay a fiber optic cable to our company.

I asked the guys from the ISP to make the port forwarding rule for port 1175. They confirmed that the port forwarding was done.

The VPN Server (Windows Server 2016 computer) is behind the DMZ and NAT since it is connected after the router/access point I mentioned above.

Could it be that the ISP guy forwarded the TCP protocol only instead of the UDP?

Best Regards
 
Personally I've found that VPN connections over wireless links can be very troublesome. For UDP (being a stateless protocol) you need a very good connection. For poor quality connections TCP can usually work around those problems.
 
Very likely.
Hi,

I will have to check that when I get back to work.

Overall, do you think I can stick with the TCP protocol or should I try to move to the UDP protocol at all costs?

EDIT: We posted at the same time. I did not see your second comment at the time I was writing this post.

By wireless connection, you mean the antenna input that we have, right?

Best Regards
 