OpenVPN Server on Windows Can connect, but can't access anything.

[unknownsoldierX]

I've set up OpenVPN server on my Windows 10 machine. When I connect my phone to the VPN using OpenVPN Connect, I can't access SMB or even ping any machine on my network, but I can ping my phone over the VPN from Windows.

 

My LAN is 192.168.11.0

VPN subnet is 192.168.12.0

 

I've configured the Windows Firewall rule "File and Printer sharing (SMB in)" scope to include my VPN subnet.

 

Server config:

port 1194
proto tcp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 192.168.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.11.0 255.255.255.0"
keepalive 10 120
key-direction 0
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key"
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3

 

Client config:

dev tun
proto tcp
remote mydyndnsdomainhere.net 99999
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
verb 3

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>


key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

 

[+BudMan MVC]

So your windows machine is

  On 13/08/2019 at 03:32, unknownsoldierX said:

server 192.168.12.0 255.255.255.0

Expand  

that is not even a valid address.. that is a network.

 

And then you tell the client to get to 192.168.11/24 to come down the tunnel.. What IP are you trying to ping exactly to get to your machine sharing the files?

 

Why would you not just run openvpn on your edge, ie your router?  Did you install the openvpn mls softare, MS version?

 

You forwarded to your machine from outside?  On your router, and your connecting via that IP from your phone, while its not on your wireless network.. Or you connecting while the phone is on the wireless network?

 

The server address would be your machines actual address.. Say 192.168.11.X, your tunnel network could be 192.168.12/24... Client would get say 192.168.12.2, while server is 192.168.12.1 - it would go down the tunnel to get to your machines IP 192.168.11.X

[DaveLegg Developer]

You'll also have an issue accessing other machines, say you had another computer at 192.168.11.50, the packets from your phone would reach that computer, but that computer doesn't have a route to reach 192.168.12.X, so will use the default route, and send the reply to the router. The router also doesn't have a route to that network, so will either drop it, (it's an internal network, and shouldn't be routed over the WAN interface), or forward it to your ISP gateway, where it will be dropped.

 

If you're not going to run OpenVPN on your router, you should at least setup a static route on your router to point the 192.168.12.X subnet at the host on your network where the OpenVPN software is running, so that reply packets from other devices can find their way back to the VPN clients - otherwise the only machine you'll be able to access will be the one running the OpenVPN software.

[unknownsoldierX]

  On 13/08/2019 at 09:37, BudMan said:

So your windows machine is

that is not even a valid address.. that is a network.

 

And then you tell the client to get to 192.168.11/24 to come down the tunnel.. What IP are you trying to ping exactly to get to your machine sharing the files?

 

Why would you not just run openvpn on your edge, ie your router?  Did you install the openvpn mls softare, MS version?

 

You forwarded to your machine from outside?  On your router, and your connecting via that IP from your phone, while its not on your wireless network.. Or you connecting while the phone is on the wireless network?

 

The server address would be your machines actual address.. Say 192.168.11.X, your tunnel network could be 192.168.12/24... Client would get say 192.168.12.2, while server is 192.168.12.1 - it would go down the tunnel to get to your machines IP 192.168.11.X

Expand  

I am connecting from my phone over LTE. My router is forwarding TCP 1194. It connects succesfully.

 

I don't want to use my router as a OVPN server.

 

Windows 10 machine IP on my LAN is 192.168.11.100

 

To test, I try to ping 192.168.11.100 from my phone thorugh the VPN.

 

The example given in the config for the server, and every other explanation I've found, says to config a network for the VPN. Not an address. Hence:

 

server 192.168.12.0 255.255.255.0

 

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

 

[+BudMan MVC]

You are right, but where is your local statement for the IP the server is listening on?

 

That should be the 11.100 address... Let me duplicate your setup.. Did you edit the reg key for

"IPEnabledRouter

 

 

 

[unknownsoldierX]

  On 13/08/2019 at 10:23, BudMan said:

You are right, but where is your local statement for the IP the server is listening on?

 

That should be the 11.100 address... Let me duplicate your setup.. Did you edit the reg key for

"IPEnabledRouter

 

 

 

Expand  

Hmm. I didn't know I had to do that. Would it even work if it wasn't already listening on that IP?

 

I have not edited IPEnabledRouter.

  On 13/08/2019 at 10:09, DaveLegg said:

You'll also have an issue accessing other machines, say you had another computer at 192.168.11.50, the packets from your phone would reach that computer, but that computer doesn't have a route to reach 192.168.12.X, so will use the default route, and send the reply to the router. The router also doesn't have a route to that network, so will either drop it, (it's an internal network, and shouldn't be routed over the WAN interface), or forward it to your ISP gateway, where it will be dropped.

 

If you're not going to run OpenVPN on your router, you should at least setup a static route on your router to point the 192.168.12.X subnet at the host on your network where the OpenVPN software is running, so that reply packets from other devices can find their way back to the VPN clients - otherwise the only machine you'll be able to access will be the one running the OpenVPN software.

Expand  

That makes sense. How would configure that here?

 

 

[unknownsoldierX]

OK. Some progress.

 

Added IPEnabledRouter to the registry and enabled the routing and remote access service.

 

I've set a static route in my router.

 

Destinaion IP: 192.168.12.0

Subnet Mask: 255.255.255.0

Gateway IP: 192.168.11.100

Metric: 2

 

I can put my phone on LTE, connect to the VPN, and access SMB shares on one of my machines 192.168.11.103. I can even do it using its netbios name!

 

Now the only problem, and the most important, is now I don't know how to access the files or RDP to my Windows 10 machine that is running the VPN server (192.168.11.100).

Edited August 14, 2019 by unknownsoldierX

[+BudMan MVC]

You go to 192.168.11.100..

 

Not sure where you got the idea you needed a static route in your router.  That is going to be asymmetrical for sure anyway..  Since you don't want to run openvpn on your router.. You would need to create host routes on other devices on your 11 you wanted to get to pointing to .100 for the 12 network.  Or you would have to source nat.

 

There is a reason vpn to a network are done on the edge, and not some client inside the network.

[DaveLegg Developer]

Asymmetrical routing works though, and saves the headache of having to manually add that route to each device that joins the 11.X network.

[+BudMan MVC]

It works because his router is not actually doing any stateful firewalling, or it would not work or or only work until the state expired.

 

Its a BORKED soft of MacGyver setup with chewing gum and twigs.. There is another term from back in the day _____ Rig..  And its not by any means efficient, you have for sure one side of the conversation that is hairpinned.. And you could also run into the problem from boxes saying depending on their security software hey I sent this traffic to mac (gateway mac).. Why is my answer coming back from this different mac - depending on the direction of the start of the conversation.

 

If he wants to vpn into some downstream box from his edge, then he should source nat the traffic so devices on this network looks like all the traffic is coming from the vpn box IP in that network, this removes the asymmetrical issue.  Or you could host route, yes on each box in the network that will need to talk with vpn clients or be talked to from vpn clients.  Or he should hang his vpn box off a transit network off his router.  That will still have hairpinning.  The optimal solution for vpn into network(s) from outside is the edge device.

 

Another solution would be to bridge (tap vs tun) in openvpn so vpn clients get an IP on the network they are wanting to talk to from the vpn.  This has its own drawback as well, and should really be avoided as well unless you have specific need of L2 traffic over the vpn connection.

[unknownsoldierX]

Well, with how I have it now, I am able to use RDP on the VPN host machine (192.168.11.100), and I can access shared folders on other machines on my LAN.

 

The only thing I am unable to do is access shares on 192.168.11.100, which would really like to do so I can use a file manager rather than RDP.

 

Any ideas for how I can do that?

[+BudMan MVC]

If you can rdp to it, then you can access its shares.. You will need to AUTH, and your firewall settings will have to allow it from the remote IP.

[unknownsoldierX]

It inexplicably stopped working for a while. I couldn't even ping anything over the VPN. Everything was working fine the first day, then the next few days I couldn't get anything to work. I didn't touch the configuration of anything.

 

Today everything is working again.

 

The other weird thing, when I was trying to figure out why I could connect but nothing was working, I would reconnect to the VPN a lot and would sometimes get what looks like a ipv6 address for my home IP. AFAIK I don't have any way of obtaining an ipv6 address. I plugged it into a few ip trace sites and they told me it was not a valid address.

[+BudMan MVC]

You understand many phones only get IPv6 address via cell right.. t-mobile is like this for example.. With so many phones, it not possible to give every phone a public IPv4 address.

 

So you are T-mobile

NetRange:       2607:7700:: - 2607:7700:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           2607:7700::/32
NetName:        TMO2
Organization:   T-Mobile USA, Inc. (TMOBI)

 

 

[unknownsoldierX]

  On 19/08/2019 at 11:01, BudMan said:

You understand many phones only get IPv6 address via cell right.. t-mobile is like this for example.. With so many phones, it not possible to give every phone a public IPv4 address.

 

So you are T-mobile

NetRange:       2607:7700:: - 2607:7700:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           2607:7700::/32
NetName:        TMO2
Organization:   T-Mobile USA, Inc. (TMOBI)

 

 

Expand  

Server Public IP is supposed to display the WAN facing IP address of my home router. Most of the time it does. My router has never received a ipv6 address from my ISP, so the OVPN app should never display an ipv6 address. But, for some reason it does. Maybe one out of every four times I connect.

 

I appreciate your help, but you are confusing some things.

[+BudMan MVC]

What am I confusing - you posted a screenshot showing your server IP as an IPv6 address.. And asking a question on why you were seeing that?? Its because your phone does not have an actual IPv4 address, so t-mobile translates any IPv4 to an IPv6 address.

 

 

I know exactly how this stuff works, and use it pretty much every day, support it and design for it to be used.. And have been for going like going on 30 years..  Well before any of this tech was even created.. So when I tell you how your trying to do it with asymmetrical routing and chewing gum and sticks you found on the ground is borked.. That is what you are doing  

 

No ###### your home server doesn't haven IPv6 address.. What does that have to do with the price of tea in china?

 

If you connect to your server from some network where you have an actual IPv4 address and your LTE carrier doesn't have to translate your IPv4 address to IPv6 then that is what you will see.

 

Here I connected over wifi this time, where it only has ipv4 address

 

[unknownsoldierX]

It does display my server ip4 address most of the time, though. Weird.

[+BudMan MVC]

Well where are you connecting from - if some hotspot via IPv4 then yeah... But many a mobile phone these days phones only get IPv6.. Any IPv4 they want to go to has to get translate to an IPv6 address. think of nat in reverse   That is a real layman term to look at it, if you more details of how its done lookup 464XLAT..

[unknownsoldierX]

This is all occurring over LTE on my phone. Mostly I get a ipv4 address, but sometimes it's ipv6. I can be connected to the VPN with one, disconnect and wait a few seconds, reconnect and get the other.

[+BudMan MVC]

T-mobile doesn't give IPv4 - maybe your roaming on another carrier?

 

Are you not in the US?  Maybe international they use both... But here in the US, your t-mobile phone connecting to t-mobile will only ever get IPv6

https://www.internetsociety.org/resources/deploy360/2014/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/

 

Looks like they might have some sort of fallback options, is your handset really OLD?

https://pc.nanog.org/static/published/meetings/NANOG73/1645/20180625_Lagerholm_T-Mobile_S_Journey_To_v1.pdf

 

But doesn't matter as you can connect over ipv6 to your ipv4 server.  when they 1st rolled that out, that was not the case.. But it has worked for years..

[Steven P. Administrators]

Maybe you want to give this a try, I haven't had time myself to look at  it https://yashints.dev/blog/2019/08/21/vpn-aws