Recommended Posts

I've set up OpenVPN server on my Windows 10 machine. When I connect my phone to the VPN using OpenVPN Connect, I can't access SMB or even ping any machine on my network, but I can ping my phone over the VPN from Windows.

 

My LAN is 192.168.11.0

VPN subnet is 192.168.12.0

 

I've configured the Windows Firewall rule "File and Printer sharing (SMB in)" scope to include my VPN subnet.

 

Server config:

port 1194
proto tcp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 192.168.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.11.0 255.255.255.0"
keepalive 10 120
key-direction 0
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key"
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3

 

Client config:

dev tun
proto tcp
remote mydyndnsdomainhere.net 99999
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
verb 3

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>


key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

 

  • Like 1

So your windows machine is

  On 13/08/2019 at 03:32, unknownsoldierX said:

server 192.168.12.0 255.255.255.0

Expand  

that is not even a valid address.. that is a network.

 

And then you tell the client to get to 192.168.11/24 to come down the tunnel.. What IP are you trying to ping exactly to get to your machine sharing the files?

 

Why would you not just run openvpn on your edge, ie your router?  Did you install the openvpn mls softare, MS version?

 

You forwarded to your machine from outside?  On your router, and your connecting via that IP from your phone, while its not on your wireless network.. Or you connecting while the phone is on the wireless network?

 

The server address would be your machines actual address.. Say 192.168.11.X, your tunnel network could be 192.168.12/24... Client would get say 192.168.12.2, while server is 192.168.12.1 - it would go down the tunnel to get to your machines IP 192.168.11.X

You'll also have an issue accessing other machines, say you had another computer at 192.168.11.50, the packets from your phone would reach that computer, but that computer doesn't have a route to reach 192.168.12.X, so will use the default route, and send the reply to the router. The router also doesn't have a route to that network, so will either drop it, (it's an internal network, and shouldn't be routed over the WAN interface), or forward it to your ISP gateway, where it will be dropped.

 

If you're not going to run OpenVPN on your router, you should at least setup a static route on your router to point the 192.168.12.X subnet at the host on your network where the OpenVPN software is running, so that reply packets from other devices can find their way back to the VPN clients - otherwise the only machine you'll be able to access will be the one running the OpenVPN software.

  On 13/08/2019 at 09:37, BudMan said:

So your windows machine is

that is not even a valid address.. that is a network.

 

And then you tell the client to get to 192.168.11/24 to come down the tunnel.. What IP are you trying to ping exactly to get to your machine sharing the files?

 

Why would you not just run openvpn on your edge, ie your router?  Did you install the openvpn mls softare, MS version?

 

You forwarded to your machine from outside?  On your router, and your connecting via that IP from your phone, while its not on your wireless network.. Or you connecting while the phone is on the wireless network?

 

The server address would be your machines actual address.. Say 192.168.11.X, your tunnel network could be 192.168.12/24... Client would get say 192.168.12.2, while server is 192.168.12.1 - it would go down the tunnel to get to your machines IP 192.168.11.X

Expand  

I am connecting from my phone over LTE. My router is forwarding TCP 1194. It connects succesfully.

 

I don't want to use my router as a OVPN server.

 

Windows 10 machine IP on my LAN is 192.168.11.100

 

To test, I try to ping 192.168.11.100 from my phone thorugh the VPN.

 

The example given in the config for the server, and every other explanation I've found, says to config a network for the VPN. Not an address. Hence:

 

server 192.168.12.0 255.255.255.0

 

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

 

You are right, but where is your local statement for the IP the server is listening on?

 

That should be the 11.100 address... Let me duplicate your setup.. Did you edit the reg key for

"IPEnabledRouter

 

 

 

  On 13/08/2019 at 10:23, BudMan said:

You are right, but where is your local statement for the IP the server is listening on?

 

That should be the 11.100 address... Let me duplicate your setup.. Did you edit the reg key for

"IPEnabledRouter

 

 

 

Expand  

Hmm. I didn't know I had to do that. Would it even work if it wasn't already listening on that IP?

 

I have not edited IPEnabledRouter.

  On 13/08/2019 at 10:09, DaveLegg said:

You'll also have an issue accessing other machines, say you had another computer at 192.168.11.50, the packets from your phone would reach that computer, but that computer doesn't have a route to reach 192.168.12.X, so will use the default route, and send the reply to the router. The router also doesn't have a route to that network, so will either drop it, (it's an internal network, and shouldn't be routed over the WAN interface), or forward it to your ISP gateway, where it will be dropped.

 

If you're not going to run OpenVPN on your router, you should at least setup a static route on your router to point the 192.168.12.X subnet at the host on your network where the OpenVPN software is running, so that reply packets from other devices can find their way back to the VPN clients - otherwise the only machine you'll be able to access will be the one running the OpenVPN software.

Expand  

That makes sense. How would configure that here?

 

 

ovpnstaticroute.png

OK. Some progress.

 

Added IPEnabledRouter to the registry and enabled the routing and remote access service.

 

I've set a static route in my router.

 

Destinaion IP: 192.168.12.0

Subnet Mask: 255.255.255.0

Gateway IP: 192.168.11.100

Metric: 2

 

I can put my phone on LTE, connect to the VPN, and access SMB shares on one of my machines 192.168.11.103. I can even do it using its netbios name!

 

Now the only problem, and the most important, is now I don't know how to access the files or RDP to my Windows 10 machine that is running the VPN server (192.168.11.100).

Edited by unknownsoldierX

You go to 192.168.11.100..

 

Not sure where you got the idea you needed a static route in your router.  That is going to be asymmetrical for sure anyway..  Since you don't want to run openvpn on your router.. You would need to create host routes on other devices on your 11 you wanted to get to pointing to .100 for the 12 network.  Or you would have to source nat.

 

There is a reason vpn to a network are done on the edge, and not some client inside the network.

It works because his router is not actually doing any stateful firewalling, or it would not work or or only work until the state expired.

 

Its a BORKED soft of MacGyver setup with chewing gum and twigs.. There is another term from back in the day _____ Rig..  And its not by any means efficient, you have for sure one side of the conversation that is hairpinned.. And you could also run into the problem from boxes saying depending on their security software hey I sent this traffic to mac (gateway mac).. Why is my answer coming back from this different mac - depending on the direction of the start of the conversation.

 

If he wants to vpn into some downstream box from his edge, then he should source nat the traffic so devices on this network looks like all the traffic is coming from the vpn box IP in that network, this removes the asymmetrical issue.  Or you could host route, yes on each box in the network that will need to talk with vpn clients or be talked to from vpn clients.  Or he should hang his vpn box off a transit network off his router.  That will still have hairpinning.  The optimal solution for vpn into network(s) from outside is the edge device.

 

Another solution would be to bridge (tap vs tun) in openvpn so vpn clients get an IP on the network they are wanting to talk to from the vpn.  This has its own drawback as well, and should really be avoided as well unless you have specific need of L2 traffic over the vpn connection.

Well, with how I have it now, I am able to use RDP on the VPN host machine (192.168.11.100), and I can access shared folders on other machines on my LAN.

 

The only thing I am unable to do is access shares on 192.168.11.100, which would really like to do so I can use a file manager rather than RDP.

 

Any ideas for how I can do that?

It inexplicably stopped working for a while. I couldn't even ping anything over the VPN. Everything was working fine the first day, then the next few days I couldn't get anything to work. I didn't touch the configuration of anything.

 

Today everything is working again.

 

The other weird thing, when I was trying to figure out why I could connect but nothing was working, I would reconnect to the VPN a lot and would sometimes get what looks like a ipv6 address for my home IP. AFAIK I don't have any way of obtaining an ipv6 address. I plugged it into a few ip trace sites and they told me it was not a valid address.

ovpnipv6.png

You understand many phones only get IPv6 address via cell right.. t-mobile is like this for example.. With so many phones, it not possible to give every phone a public IPv4 address.

 

So you are T-mobile ;)

NetRange:       2607:7700:: - 2607:7700:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           2607:7700::/32
NetName:        TMO2
Organization:   T-Mobile USA, Inc. (TMOBI)

 

 

  • Like 1
  On 19/08/2019 at 11:01, BudMan said:

You understand many phones only get IPv6 address via cell right.. t-mobile is like this for example.. With so many phones, it not possible to give every phone a public IPv4 address.

 

So you are T-mobile ;)

NetRange:       2607:7700:: - 2607:7700:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           2607:7700::/32
NetName:        TMO2
Organization:   T-Mobile USA, Inc. (TMOBI)

 

 

Expand  

Server Public IP is supposed to display the WAN facing IP address of my home router. Most of the time it does. My router has never received a ipv6 address from my ISP, so the OVPN app should never display an ipv6 address. But, for some reason it does. Maybe one out of every four times I connect.

 

I appreciate your help, but you are confusing some things.

What am I confusing - you posted a screenshot showing your server IP as an IPv6 address.. And asking a question on why you were seeing that?? Its because your phone does not have an actual IPv4 address, so t-mobile translates any IPv4 to an IPv6 address.

 

ipv6.thumb.jpg.b647afedb49778c606a8ba7c19b34ead.jpg

 

I know exactly how this stuff works, and use it pretty much every day, support it and design for it to be used.. And have been for going like going on 30 years..  Well before any of this tech was even created.. So when I tell you how your trying to do it with asymmetrical routing and chewing gum and sticks you found on the ground is borked.. That is what you are doing ;) 

 

No ###### your home server doesn't haven IPv6 address.. What does that have to do with the price of tea in china?

 

If you connect to your server from some network where you have an actual IPv4 address and your LTE carrier doesn't have to translate your IPv4 address to IPv6 then that is what you will see.

 

Here I connected over wifi this time, where it only has ipv4 address

 

wifionly.thumb.jpg.857c2b2c473c6c6cc893967c4e61261d.jpg

Well where are you connecting from - if some hotspot via IPv4 then yeah... But many a mobile phone these days phones only get IPv6.. Any IPv4 they want to go to has to get translate to an IPv6 address. think of nat in reverse ;)  That is a real layman term to look at it, if you more details of how its done lookup 464XLAT..

  • 2 weeks later...

T-mobile doesn't give IPv4 - maybe your roaming on another carrier?

 

Are you not in the US?  Maybe international they use both... But here in the US, your t-mobile phone connecting to t-mobile will only ever get IPv6

https://www.internetsociety.org/resources/deploy360/2014/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/

 

Looks like they might have some sort of fallback options, is your handset really OLD?

https://pc.nanog.org/static/published/meetings/NANOG73/1645/20180625_Lagerholm_T-Mobile_S_Journey_To_v1.pdf

 

But doesn't matter as you can connect over ipv6 to your ipv4 server.  when they 1st rolled that out, that was not the case.. But it has worked for years..

This topic is now closed to further replies.
  • Posts

    • Was sort of sceptical about the unload page feature , just tried it and it does actually drop memory usage. 22 tabs open(1.65gb Ram) and after unloading Facebook as a test it dropped to 1.2gb
    • Elon Musk doesn't want you to know Tesla's response to the NHTSA's Robotaxi questions by David Uzondu Recently, Tesla's Robotaxi service began operating in Austin, and almost immediately, the company decided it would prefer you didn't see its homework. Before the launch, the National Highway Traffic Safety Administration (NHTSA) sent Tesla a letter with a deadline of June 19th to answer some questions. Now that Tesla has replied, it has requested that the NHTSA withhold the entire response from the public, classifying it as confidential business information. This isn't too surprising, as the company is notoriously secretive about its performance data, especially in areas like Autopilot and Full Self-Driving. Here are a few paraphrased versions of the questions Tesla faced: How will the system handle bad weather or poor visibility? What happens if the system detects that it cannot drive safely? Does it pull over? Will a human be monitoring the cars remotely or in person? Does the system follow any existing industry standards for autonomous driving? When does Tesla plan to let other people operate their own cars as robotaxis? The feds have good reason to ask. On its first day, Tesla's Robotaxi service was caught on video making some questionable moves, including driving in the wrong lane against traffic, as seen below (full video here). The clip was also shared in our community forums, though you'll need a free membership to access the off-topic section. Here's another showing a Robotaxi dropping passengers in the middle of an intersection. For now, the service runs with a human safety driver (likely a Tesla employee) in the passenger seat. Billionaire Dan O'Dowd, a persistent critic of Tesla's software, felt the company's launch was lackluster, and the videos circulating online demonstrate that the technology is years behind competitors like Waymo, which has operated without in-car supervisors since 2019. For its part, NHTSA acknowledged being aware of the widely reported incidents and is in contact with Tesla to get more information. The agency's statement reminded the public that manufacturers self-certify their vehicles' safety, and NHTSA's role is to investigate and act on safety problems after they are on the road: This situation gets even more interesting when you look at the bigger picture. Musk has already been criticized for his role in the Department of Government Efficiency (DOGE), which has led to job cuts at agencies that oversee his companies, including the Federal Aviation Administration (FAA) for SpaceX, the Food and Drug Administration (FDA) for Neuralink, and, of course, NHTSA. This has led some to worry about regulatory capture. As one cynical comment on Electrek's article notes, the official who signed the letter to Tesla, Tanya Topka, Director of NHTSA's Office of Defects Investigation, may have put a target on her back just for trying to hold the company accountable.
    • Have you ever developed a game for Xbox and Windows at the same time? To say that they are not the same operating system and the same DirecTx by chance?? It's obvious that it isn't, right? So what if Xbox uses HyperV? What difference does that make to a game developer? The PS4 is more different than the PS5, different operating systems and different APIs. The games are not backwards compatible However, a game made in Windows can be transferred to Xbox SX in a few weeks with little programming costs because they are the same API and the same Windows
    • Idiot, FH5 sold more on Xbox and Windows than on PS5. You tell lies like that and think no one will check, right? There are a lot of FIFA and CoD hacks on PS4 and PS5 being used every day and Sony doesn't do anything. You can also buy a game's Platinum achievement without having bought the game and Sony doesn't do anything.
  • Recent Achievements

    • First Post
      956400 earned a badge
      First Post
    • Week One Done
      davidfegan earned a badge
      Week One Done
    • First Post
      Ainajohn earned a badge
      First Post
    • Conversation Starter
      sophiaisabella32 earned a badge
      Conversation Starter
    • First Post
      Brett76 earned a badge
      First Post
  • Popular Contributors

    1. 1
      +primortal
      590
    2. 2
      ATLien_0
      225
    3. 3
      Michael Scrip
      172
    4. 4
      +FloatingFatMan
      148
    5. 5
      Xenon
      133
  • Tell a friend

    Love Neowin? Tell a friend!