
VPN something XP can do that 7 can't.


42 replies to this topic

#31 OP +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 26-March 07

Posted 26 April 2014 - 16:33


So how are you setting the default gateway on the VPN client to the VPN server's ICS interface's IP?

Well, this is the thing: it just works in XP with no need to play with the route table.




#32 OP +PeterUK

Posted 26 April 2014 - 17:20

Here is a route print for the XP VPN server setup, in which the ICS LAN IP is 192.168.137.9 and the client (LAN @192.168.137.1) connects to this and gets internet over the VPN.

 

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      82.36.206.1   82.36.206.233       20
      82.36.206.0    255.255.254.0    82.36.206.233   82.36.206.233       20
    82.36.206.233  255.255.255.255        127.0.0.1       127.0.0.1       20
   82.255.255.255  255.255.255.255    82.36.206.233   82.36.206.233       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.137.0    255.255.255.0    192.168.137.9   192.168.137.9       20
    192.168.137.1  255.255.255.255    192.168.137.9   192.168.137.9       20
    192.168.137.3  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.137.4  255.255.255.255    192.168.137.3   192.168.137.3       1
    192.168.137.9  255.255.255.255        127.0.0.1       127.0.0.1       20
  192.168.137.255  255.255.255.255    192.168.137.9   192.168.137.9       20
        224.0.0.0        240.0.0.0    82.36.206.233   82.36.206.233       20
        224.0.0.0        240.0.0.0    192.168.137.9   192.168.137.9       20
  255.255.255.255  255.255.255.255    82.36.206.233   82.36.206.233       1
  255.255.255.255  255.255.255.255    192.168.137.9   192.168.137.9       1
Default Gateway:       82.36.206.1
===========================================================================
Persistent Routes:
  None



#33 +ChuckFinley

ChuckFinley


  • Joined: 14-May 03

Posted 27 April 2014 - 18:02

If it's OpenVPN: on some Windows 7/8 systems, internet traffic is not properly routed through the VPN. In such a case the client.ovpn file must be edited, adding these lines at the end:
 
route-method exe
route-delay
route-metric 512
route 0.0.0.0 0.0.0.0


#34 OP +PeterUK

Posted 27 April 2014 - 19:20

 

If it's OpenVPN...

 

It's not, but thanks. This is all about Windows doing the VPN server, which is something XP can do that 7 can't.



#35 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 100
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 28 April 2014 - 11:42

It's not that Windows 7 can't -- it is more that XP routes traffic that it shouldn't, actually. That traffic is not sent to the gateway IP of XP, is it? So it seems XP sends the traffic through its NAT to the gateway, while I'm not sure what the Windows 7 routing table does with it - I would guess it sends it out your WAN interface without NATting it first.

 

Get a router and you're done.



#36 OP +PeterUK

Posted 28 April 2014 - 13:54

It's not that Windows 7 can't -- it is more that XP routes traffic that it shouldn't, actually.

That's just overseeing what was possible to not be possible, which we know it is, and not agreeing with me that this is something XP can do that 7 can't, and why has M$ now messed this up? That may be due to the TCP stack, or they removed support for it to only be in server OSs.



#37 +BudMan

Posted 28 April 2014 - 15:48

Not sure what you think they removed?

Packet goes down the VPN tunnel - it has a destination IP on it, let's say 8.8.8.8. In the routing table of the VPN server, what interface does the VPN server throw the packet out of? Does it send it through the NAT or not?

If W7 looks at its routing table and sends it out the interface as its default route

in what you posted in your XP box
Default Gateway: 82.36.xx.xx

why would it be sourced after the NAT.. I would fire up a sniffer on both the XP box and the W7 box and try and see what is going on. My "guess" is that XP sends the traffic through the ICS NAT, so it works. While W7 just sends the traffic out your WAN (82.36.x.x) interface without NATting it.

Either way, you're wanting a desktop OS to provide the feature set of a VPN router/firewall - while it does have the ability to allow inbound VPN, it's more designed to access the VPN box itself, or connectivity to devices on that VPN's local network.. Not route that traffic out some WAN/internet connection.

Again - what exactly are you trying to accomplish here? I would not suggest XP or W7 or any sort of desktop OS for what it seems like you're wanting to do. If you want to leverage them - putting a $20 router between your network and internet would allow for this. Or better yet have the edge router/firewall handle these sorts of connections. I route this traffic through my OpenVPN connection all the time.

Tracing route to 209.141.xx.xx over a maximum of 30 hops

1 123 ms 118 ms 124 ms 10.0.200.1
2 147 ms 135 ms 154 ms 24.13.xx.xx
3 155 ms 142 ms 144 ms 68.85.131.153
4 136 ms 143 ms 140 ms 68.87.230.53

So you see in the above trace - this is through my VPN connection to my home box from work.. It goes down the tunnel.. Then, per my routing and NAT rules on my firewalls, it is sent out the appropriate connection to get to the destination.

[image: nattable.png]

So my VPN client gets an IP on the 10.0.200 network:

Ethernet adapter vpn:

Connection-specific DNS Suffix . : local.lan
IPv4 Address. . . . . . . . . . . : 10.0.200.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :

Now I have not pushed a default route down this tunnel, but I have pushed a route from the VPN connection for this specific address, which I can see in the VPN client's routing table.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.56.41.1 10.56.41.225 10
10.0.200.1 255.255.255.255 10.0.200.5 10.0.200.6 30
10.0.200.4 255.255.255.252 On-link 10.0.200.6 286
10.0.200.6 255.255.255.255 On-link 10.0.200.6 286
10.0.200.7 255.255.255.255 On-link 10.0.200.6 286
<snipped>
209.141.xx.xx 255.255.255.255 10.0.200.5 10.0.200.6 30
<snipped>

This is an extension of my router's networks.. So the VPN client gets an IP on a segment connected to the firewall/router - the router then routes/NATs the traffic as told to do.

I can find no way to work with the setup in a desktop OS for these sorts of features - maybe there is something you can do in the registry. But this OS is not really designed for this sort of thing, while the server versions of Windows have the ability to do more advanced routing/NATting/etc.

So while XP might have routed the traffic to your benefit, I'm not sure I would say it was correct or that W7 removed something - you could look at it that W7 is doing it correctly ;) But that's without some deeper insight into the details of the ICS setup, which I have never bothered to investigate, to be honest, because it's a pretty much useless feature set if you ask me, left over from the days before cheap SOHO NAT routers ;) when you might have used dial-up to access the internet and needed a way to have other home machines leverage this connection, etc.

If you explain exactly what you're wanting to do - happy to work out the best practice/cheapest way to accomplish it.
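To make BudMan's question concrete (which interface the server's routing table picks for a packet arriving down the tunnel), here is an added example that is not from any poster in this thread: it applies Windows-style longest-prefix / lowest-metric selection to the XP route print from post #32. The table entries are copied from that post; the labelling of 192.168.137.3/.4 as the VPN (PPP) side is an assumption, and whether the chosen interface then NATs the packet is a separate layer that the route table does not record.

```python
import ipaddress

# Copied from the XP VPN server "route print" in post #32:
# (destination, netmask, gateway, interface, metric). Broadcast and
# multicast rows are omitted because they never match a unicast lookup.
XP_ROUTES = [
    ("0.0.0.0",       "0.0.0.0",         "82.36.206.1",   "82.36.206.233", 20),
    ("82.36.206.0",   "255.255.254.0",   "82.36.206.233", "82.36.206.233", 20),
    ("82.36.206.233", "255.255.255.255", "127.0.0.1",     "127.0.0.1",     20),
    ("127.0.0.0",     "255.0.0.0",       "127.0.0.1",     "127.0.0.1",     1),
    ("192.168.137.0", "255.255.255.0",   "192.168.137.9", "192.168.137.9", 20),
    ("192.168.137.1", "255.255.255.255", "192.168.137.9", "192.168.137.9", 20),
    ("192.168.137.3", "255.255.255.255", "127.0.0.1",     "127.0.0.1",     50),
    ("192.168.137.4", "255.255.255.255", "192.168.137.3", "192.168.137.3", 1),
    ("192.168.137.9", "255.255.255.255", "127.0.0.1",     "127.0.0.1",     20),
]

# Assumed roles of the interface addresses seen in the table.
IFACE_ROLE = {
    "82.36.206.233": "WAN",
    "192.168.137.9": "ICS LAN",
    "192.168.137.3": "VPN (PPP side, assumed)",
    "127.0.0.1":     "local host",
}


def lookup(dest, routes=XP_ROUTES):
    """Return (gateway, interface) for dest: longest prefix wins,
    ties broken by lowest metric; None if nothing matches."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for net, mask, gw, iface, metric in routes:
        network = ipaddress.IPv4Network((net, mask), strict=False)
        if addr not in network:
            continue
        key = (network.prefixlen, -metric)      # bigger tuple = preferred
        if best is None or key > best[0]:
            best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def egress_role(dest):
    """Which interface a packet from the VPN client would leave on.
    The table only answers *where*; it says nothing about NAT."""
    hit = lookup(dest)
    return None if hit is None else IFACE_ROLE.get(hit[1], "other")
```

For 8.8.8.8 the only match is the default route, so the packet leaves on the WAN interface; whether its source is still 192.168.137.x or rewritten to 82.36.206.233 is decided by ICS, not by this table.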

#38 OP +PeterUK

Posted 28 April 2014 - 16:28

Not sure what you think they removed?
 

I think you do; if you had set it up your end you would understand instead of guessing.

 

While W7 just sends the traffic out your WAN (82.36.x.x) interface without NATting it.

Ran Wireshark; it's not doing that when ICS is enabled.



#39 +BudMan

Posted 28 April 2014 - 16:37

I have set it up on my end.. And it works as you described in XP, but does not in W7.. From what I can tell XP should never have done what it does in the first place. There is NO setting that I can find that says in the VPN to allow traffic out my WAN interface from the VPN client. What there is, is a setting that says allow traffic to my local network.

[image: incomingvpn.png]

It works just fine in W7 if Windows 7 is behind a NAT router and does not have to NAT the traffic. I will fire up a sniffer on both my XP VM and my W7 VM and watch what the source IP is..

What you're wanting it to do is allow it access to your internet connection, not the "local", and you want the desktop to NAT this for you as well. Why should it do that - XP shouldn't really do it either; it's a security issue if you ask me!

#40 OP +PeterUK

Posted 28 April 2014 - 16:56

I have set it up on my end.. And it works as you described in XP, but does not in W7.. From what I can tell XP should never have done what it does in the first place.

Why, because 7 is newer than XP? XP does what it does because it's meant to. Would you disagree if Windows Server 2008 R2 is able to do the same setup and work just like XP?



#41 +BudMan

Posted 28 April 2014 - 17:02

2008 is the server version and has full routing support, etc.

http://technet.micro...8(v=ws.10).aspx
Install and Enable the Routing and Remote Access Service

The Routing and Remote Access service in the Windows Server® 2008 family provides:

Virtual private network (VPN) remote access and dial-up services.

Multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and network address translation (NAT) routing services.

---
I can do some sniffing when I get home - doing so remotely would require me to use 2 different VMs, etc. And a bit of a pain to set up.. Curious, do you have the IP Helper service running on W7? I have it off -- will turn it back on when I get a chance to test this.

Still don't really understand the point of this conversation.. If XP does what you want - then continue to use it. Or do it correctly with a simple router ;)

#42 OP +PeterUK

Posted 28 April 2014 - 17:12

2008 is server version and has full routing support, etc.
 

So does XP, it seems, being that it's able to do what you think it shouldn't. That's my take on this whole thing.

 

I will fire up a sniffer on both my XP VM and my W7 VM and watch what the source IP is..

If ICS is enabled it does not do this and I need ICS enabled.

 

What you're wanting it to do is allow it access to your internet connection, not the "local", and you want the desktop to NAT this for you as well. Why should it do that - XP shouldn't really do it either; it's a security issue if you ask me!

I do find it odd why you would jump to that conclusion in any case.



#43 OP +PeterUK

Posted 07 May 2014 - 15:11

Found one workaround for 7, but only tested working in L2TP/IPSec over NAT-T (UDP) and ESP (protocol 50) (ESP not tested); it does not work for PPTP.

 

In the VPN server setup, for the From and To IPs, put one IP down from your WAN IP in the From box, and in the To box put the WAN IP.

 

This only works without ICS; the connecting client then gets the VPN IP of your WAN IP, which goes over the VPN and sources out of the WAN interface and MAC as if you were at the server end making the connections with that WAN IP.