The Dark Knight

Home VPN using OpenVPN AS connectivity issues....HELP!

31 posts in this topic

Hi guys

 

I want to be able to use my home internet connection while on the move for browsing as well as file access. I have downloaded and installed the VMWare appliance version of OpenVPN AS. Running it in VMWare Player on Windows Server 2012. I have created an account on DynDNS and got myself a domain to use with the VPN. Have also opened the required TCP and UDP ports on the built-in Windows Firewall and on my router.

 

However no matter what options I try, the client connectivity test ALWAYS fails! Really stuck here, don't know what to do!


And where are you testing from??

And vmplayer - what connection does your vm have to your physical network? Bridge or are you natting, I do believe nat is the default, which would be problematic in getting to work.


Testing from within the OpenVPN Admin panel. VMWare Player set to Bridge mode.


So you're on the same network as your server.. Hitting your public IP (DNS name) that is on the outside of your router just to be forwarded back inside?

This is called loopback forwarding or NAT reflection and is rarely a good test.. And quite often not even supported by most SOHO routers.

You need to test from OUTSIDE your network!!!

So you're running this test?

post-14624-0-76681900-1373806933.png


Ok, how do I do that? I have 2 internet connections at home from separate ISPs. So just tried pinging the public IP of the connection which has the server, request timed out.

 

Edit: Yup, that's the test I've been trying.


Well ping is not the same as the port forwards you created -- did you enable ping?? Again many routers default to this being off.

See my edit - this is the test you're trying, and what does it show for your IP, your public or your internal?

What ports are you running on? You sure you're not behind a double NAT already, ports are not blocked by your ISP? See the above test - this is what you're running right? I edited my last post.

If you PM me your IP I would be happy to see if the ports are showing open or not, and ping, etc..


Ok, where do I check whether ping is enabled or not? I have a Linksys WRT54G router running a fork of DD-WRT called Tomato if that helps.

 

Yeah, That's the test I've been trying with.

 

Using default ports, TCP 443 and UDP 1194. How do I check whether I have a double NAT or not?

 

Sure, sent PM with IP.


So on your Tomato what does it show for your WAN/INTERNET IP - if it's private 10.x.x.x, 192.168.x.x or 172.16-31.x.x then you're behind a NAT.

Here is where you enable ping in Tomato

post-14624-0-77706800-1373807488.png


Just checked, showing public IP. Enabled ICMP ping option also, able to ping now from the other ISP.


ok I show this

Ok let me try again with your ping -- but I show this

Nmap scan report for 27.snipped

Host is up.

All 1000 scanned ports on 27.snipped are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.51 seconds

budman@ubuntu:~$

edit:

So I show you pinging now - but 443 is not open! Nor do I show any other ports open! Your forward is not right is what I would guess, or your ISP blocks the ports.

budman@ubuntu:~$ ping 27.snipped

PING 27.snipped (27.snipped) 56(84) bytes of data.

64 bytes from 27.snipped: icmp_req=1 ttl=43 time=284 ms

64 bytes from 27.snipped: icmp_req=2 ttl=43 time=285 ms


Ok, what does that mean, my ISP is blocking/filtering everything?


Ok, this is how I have opened the ports, is it correct? Have also opened in Windows Firewall on the server.

 

post-58111-0-42209800-1373808310.jpg


You cannot forward a port to more than 1 address - you have .100 and .110 there

So you're saying web GUI at 42893 should be open and RD is what? Let me scan for those ports.. They are WAY high up and would not have tested for those most likely in default scan.

I don't show them up either

Host is up.

PORT STATE SERVICE

42893/tcp filtered unknown

PORT STATE SERVICE

41962/tcp filtered unknown

edit:

Hey turn off ping -- I want to verify it was not working before, etc. My ping probe did not work, but when I just pinged your address I get a reply - but turn it off and my pings should stop.

Also - you don't have any other routers behind what you sent in your PM showing your WAN IP.. You don't have any other devices between your Tomato box and your devices running VMs.. Let's do a real simple test.. On your workstation do a netstat -an, so for example

See how I am listening on 3389, remote desktop

C:\Windows\System32>netstat -an

Active Connections

Proto Local Address Foreign Address State

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING

TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING

Forward that on your router - and make sure you turn off your Windows firewall and I will check for that.. If we cannot get that to show good, then we got something else blocking us or wrong.

Don't leave it on long - just for test, PM or post in thread when you have it forwarded and will do quick test.

edit: ok looks like your ping stopped.. You can turn it back on.
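The netstat -an step above is the local half of checking a port forward: before blaming the router or the ISP, confirm the service is actually bound on the host the forward points at, and not only on 127.0.0.1. The script below is an added example written for this thread, not code from either poster or from OpenVPN. It parses Windows netstat -an output (a constructed sample modelled on the lines quoted above, including a hypothetical admin service bound only to loopback) and reports, for each port you have forwarded, whether something is listening, listening on loopback only, or not listening at all.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the Windows "netstat -an" output quoted above
# (not a real capture from either poster's machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:943          0.0.0.0:0              LISTENING
  TCP    192.168.1.100:49731    192.168.1.110:443      ESTABLISHED
  UDP    0.0.0.0:1194           *:*
  UDP    [::]:1194              *:*
"""

# One socket line: protocol, local endpoint, foreign endpoint, optional state
# (UDP lines have no state column).
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'0.0.0.0:443' -> ('0.0.0.0', 443); '[::]:1194' -> ('::', 1194)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def listening_sockets(text):
    """Map (proto, port) -> set of local bind addresses that accept traffic.

    TCP sockets count only in LISTENING state; UDP sockets are connectionless,
    so every UDP line is a bound socket.
    """
    sockets = {}
    for line in text.splitlines():
        match = SOCKET_LINE.match(line)
        if not match:
            continue
        proto, local, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        host, port = split_endpoint(local)
        sockets.setdefault((proto, port), set()).add(host)
    return sockets


def reachable_from_lan(host):
    """True for wildcard binds and non-loopback addresses. A router forward
    aimed at a service bound only to 127.0.0.1 can never work."""
    if host in ("0.0.0.0", "::", "*"):
        return True
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        return False


def check_expected(text, expected):
    """For each (proto, port) a router forward points at, report 'ok',
    'loopback only' or 'not listening' based on the netstat text."""
    sockets = listening_sockets(text)
    report = {}
    for proto, port in expected:
        hosts = sockets.get((proto, port), set())
        if not hosts:
            report[(proto, port)] = "not listening"
        elif any(reachable_from_lan(h) for h in hosts):
            report[(proto, port)] = "ok"
        else:
            report[(proto, port)] = "loopback only"
    return report


if __name__ == "__main__":
    # Ports forwarded on the router in this thread, plus RD and the loopback-only example.
    wanted = [("TCP", 443), ("UDP", 1194), ("TCP", 3389), ("TCP", 943)]
    for (proto, port), status in check_expected(SAMPLE_NETSTAT, wanted).items():
        print(f"{proto}/{port}: {status}")
```

Run it against real output with `netstat -an > ports.txt` and feed the file contents to check_expected. A "not listening" result for TCP 443 on the host the forward targets is exactly the situation in this thread: the forward pointed at the Windows host (.100) while OpenVPN AS was listening on the VM (.110).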


Those are old ones, I don't even use it any more. WebUI was a config panel for something, uTorrent I think. RD is Remote Desktop. I opened those years ago and actually forgot about them.

 

Oh ok, didn't know it has to be for one address only. So which one do I choose here? 100 is Server 2012, and 110 is OpenVPN.


I deleted that WebUI port a few minutes back as I realised I wasn't using it any more. Added back again. If you don't mind, can you check that port once more?

 

Edit: Ok, ping is off now.


hey!!!

Host is up (0.29s latency).

PORT STATE SERVICE

443/tcp open https

Why would you forward 443 to your server? You need to forward it to the IP of your VM running OpenVPN

edit: Looks like you're up now

post-14624-0-03613900-1373809584.png


Little confused with your last set of instructions. Ran command on server 2012. Showed a big list. PM sent.


Well yeah it would show a LONG list, every port it's listening on - just wanted to verify it was listening on the standard remote desktop port... See my last post, I hit your OpenVPN interface

If you send me creds can test for you.


Oh ok.

 

Sure, sent via PM.

 

I also was able to connect and download the Connect client!! :D


CONNECTED SUCCESSFULLY!!!! :D

 

Thanks a LOT BudMan for all your help!!  :)  (Y)


NO dude it's not working yet! I was just on your admin page, and sure you can get to the admin page

But want to point out some things

post-14624-0-70998700-1373810525.png

Your UDP is different from default, which is fine - but per what you sent me you are not forwarding that port.

Also you don't want your admin running on the same port as your service. So for example my admin runs on 943 and clients connect to 443 and 1194

Also yours is running an old version, I am on 1.8.4, yours is 1.6.1??

edit: Hmm, shows you're connected, but your test failed

5.5.8.2 708.81KB 6.20MB Sun Jul 14 19:30:06 2013

And did you set that vpn address.. Why would you have used 5.x.x.x ??


Oh ok, but I am able to access the Admin panel just fine! Also connected successfully from the other internet plan.

 

Weird, the test feature STILL shows failures! :(

 

Ok, will change the Admin access details.

 

Yeah, it is 1.6.1. The download page for the appliance said there are some issues with providing the latest version out of the box. Any other way to update it?

 

5.5 range was the default, I didn't put that in.


So why are you running 1.6.1, I just looked and 1.8.5 is what I show for vmware player current version.

edit: That was easy

Active Configuration

Access Server version: 1.8.5

I don't like using old versions of things ;)


No idea. I just downloaded it and set it up, had 1.6.1 right from the start.

 

Edit: This is what is on their page....

 

Upgrading the Access Server Software on an AS to Version 1.8.5

The current virtual appliance is version 1.6.1

In order to upgrade from OpenVPN Access Server 1.6.1 to 1.8.5 you will need to do the following:

1. Download the Appliance at the top of this page and configure it. 

2. WARNING: DUE TO THE NEW RELEASE OF 1.8.5 IT IS NOT POSSIBLE TO UPGRADE TO 1.8.5 YET, WE ARE WORKING ON RELEASE A NEW VIRTUAL APPLIANCE.


So you are also using the VMWare appliance of OpenVPN? How come yours is 1.8.5 then? Any way I can update mine?

 

Haha, yeah, I also use the very latest in everything. Beta and even alpha versions where available! :)


Well I am running it on ubuntu, so simple wget to get the new package and then just dpkg -i to upgrade it..

5 was your default really?? That seems odd, that is a valid netblock on the internet and should not be used for a tunnel network, etc. Hamachi used to do the same thing - which was wrong from the get go!! You don't just grab valid netblocks and use them for your own ;) Technically you can, but it's bad practice and can lead to issues -- for example if there was something actually on the 5.x.x.x network you might want to actually access ;)

So your tests are still failing huh?? But you connected to it via your other ISP connection and it's working?
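Two checks in this thread come down to "is this address private or public": the earlier double-NAT question (is the router's WAN address a 10.x / 172.16-31.x / 192.168.x address?) and the point just made about 5.x.x.x being publicly routable space that should not be used as a tunnel network. The script below is an added example for both, written for this thread rather than taken from either poster or from OpenVPN AS. It classifies a WAN address (including CGNAT space, 100.64.0.0/10, which also means an upstream NAT you don't control), and checks a proposed tunnel subnet against RFC 1918 and against the LAN subnets the VPN clients need to reach. The sample addresses and the 192.168.1.0/24 LAN are constructed values.

```python
from ipaddress import ip_address, ip_network

# Address space that never appears on the public internet. A router showing one
# of these as its WAN address sits behind another NAT (double NAT). RFC 6598
# (100.64.0.0/10) is ISP carrier-grade NAT space and has the same consequence.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
CGNAT = ip_network("100.64.0.0/10")


def address_class(addr):
    """Classify a single IPv4 address as read off a router's WAN/status page."""
    a = ip_address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if any(a in net for net in RFC1918):
        return "private (RFC 1918)"
    if a in CGNAT:
        return "carrier-grade NAT (RFC 6598)"
    if a.is_global:
        return "public"
    return "reserved"


def behind_nat(wan_addr):
    """True when the WAN address cannot be the real public address, i.e. there
    is another NAT in front of this router and its port forwards alone
    cannot expose anything."""
    return address_class(wan_addr) in (
        "private (RFC 1918)",
        "carrier-grade NAT (RFC 6598)",
    )


def tunnel_subnet_problems(tunnel_cidr, lan_cidrs):
    """Return the reasons a proposed VPN tunnel subnet is a poor choice: it is
    not RFC 1918 space (so it shadows real internet hosts, the 5.x.x.x case),
    or it overlaps a LAN the clients must reach through the tunnel."""
    tunnel = ip_network(tunnel_cidr)
    problems = []
    if not any(tunnel.subnet_of(net) for net in RFC1918):
        problems.append(f"{tunnel} is not RFC 1918 space")
    for cidr in lan_cidrs:
        lan = ip_network(cidr)
        if tunnel.overlaps(lan):
            problems.append(f"{tunnel} overlaps LAN {lan}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not addresses from this thread.
    for wan in ("192.168.0.2", "100.64.3.7", "5.5.8.2"):
        print(f"WAN {wan}: {address_class(wan)}, double NAT = {behind_nat(wan)}")
    home_lan = ["192.168.1.0/24"]
    for tunnel in ("5.5.0.0/16", "192.168.1.0/24", "172.27.224.0/20"):
        print(f"tunnel {tunnel}: {tunnel_subnet_problems(tunnel, home_lan) or 'ok'}")
```

The subnet check is the part worth keeping around: the usual advice is to pick an RFC 1918 range that is unlikely to collide with whatever LAN a roaming client is sitting on (coffee shop, hotel), which is why 172.16/12 ranges are often a better default for a home VPN than 192.168.0.0/24 or 192.168.1.0/24.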

