
I've set up OpenVPN server on my Windows 10 machine. When I connect my phone to the VPN using OpenVPN Connect, I can't access SMB or even ping any machine on my network, but I can ping my phone over the VPN from Windows.

 

My LAN is 192.168.11.0

VPN subnet is 192.168.12.0

 

I've configured the Windows Firewall rule "File and Printer sharing (SMB in)" scope to include my VPN subnet.

 

Server config:

port 1194
proto tcp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 192.168.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.11.0 255.255.255.0"
keepalive 10 120
key-direction 0
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key"
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3

 

Client config:

dev tun
proto tcp
remote mydyndnsdomainhere.net 99999
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
verb 3

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>


key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

 


So your windows machine is

  On 13/08/2019 at 03:32, unknownsoldierX said:

server 192.168.12.0 255.255.255.0


that is not even a valid address.. that is a network.

 

And then you tell the client to get to 192.168.11/24 to come down the tunnel.. What IP are you trying to ping exactly to get to your machine sharing the files?

 

Why would you not just run openvpn on your edge, ie your router? Did you install the openvpn mls software, MS version?

 

You forwarded to your machine from outside? On your router, and you're connecting via that IP from your phone, while it's not on your wireless network.. Or are you connecting while the phone is on the wireless network?

 

The server address would be your machine's actual address.. Say 192.168.11.X, your tunnel network could be 192.168.12/24... Client would get say 192.168.12.2, while server is 192.168.12.1 - it would go down the tunnel to get to your machine's IP 192.168.11.X

You'll also have an issue accessing other machines, say you had another computer at 192.168.11.50, the packets from your phone would reach that computer, but that computer doesn't have a route to reach 192.168.12.X, so will use the default route, and send the reply to the router. The router also doesn't have a route to that network, so will either drop it, (it's an internal network, and shouldn't be routed over the WAN interface), or forward it to your ISP gateway, where it will be dropped.

 

If you're not going to run OpenVPN on your router, you should at least set up a static route on your router to point the 192.168.12.X subnet at the host on your network where the OpenVPN software is running, so that reply packets from other devices can find their way back to the VPN clients - otherwise the only machine you'll be able to access will be the one running the OpenVPN software.

  On 13/08/2019 at 09:37, BudMan said:

So your windows machine is

that is not even a valid address.. that is a network.

 

And then you tell the client to get to 192.168.11/24 to come down the tunnel.. What IP are you trying to ping exactly to get to your machine sharing the files?

 

Why would you not just run openvpn on your edge, ie your router? Did you install the openvpn mls software, MS version?

 

You forwarded to your machine from outside? On your router, and you're connecting via that IP from your phone, while it's not on your wireless network.. Or are you connecting while the phone is on the wireless network?

 

The server address would be your machine's actual address.. Say 192.168.11.X, your tunnel network could be 192.168.12/24... Client would get say 192.168.12.2, while server is 192.168.12.1 - it would go down the tunnel to get to your machine's IP 192.168.11.X


I am connecting from my phone over LTE. My router is forwarding TCP 1194. It connects successfully.

 

I don't want to use my router as an OVPN server.

 

Windows 10 machine IP on my LAN is 192.168.11.100

 

To test, I try to ping 192.168.11.100 from my phone through the VPN.

 

The example given in the config for the server, and every other explanation I've found, says to configure a network for the VPN, not an address. Hence:

 

server 192.168.12.0 255.255.255.0

 

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

 

You are right, but where is your local statement for the IP the server is listening on?

 

That should be the 11.100 address... Let me duplicate your setup.. Did you edit the reg key for "IPEnabledRouter"?

  On 13/08/2019 at 10:23, BudMan said:

You are right, but where is your local statement for the IP the server is listening on?

 

That should be the 11.100 address... Let me duplicate your setup.. Did you edit the reg key for "IPEnabledRouter"?

Hmm. I didn't know I had to do that. Would it even work if it wasn't already listening on that IP?

 

I have not edited IPEnabledRouter.

  On 13/08/2019 at 10:09, DaveLegg said:

You'll also have an issue accessing other machines, say you had another computer at 192.168.11.50, the packets from your phone would reach that computer, but that computer doesn't have a route to reach 192.168.12.X, so will use the default route, and send the reply to the router. The router also doesn't have a route to that network, so will either drop it, (it's an internal network, and shouldn't be routed over the WAN interface), or forward it to your ISP gateway, where it will be dropped.

 

If you're not going to run OpenVPN on your router, you should at least set up a static route on your router to point the 192.168.12.X subnet at the host on your network where the OpenVPN software is running, so that reply packets from other devices can find their way back to the VPN clients - otherwise the only machine you'll be able to access will be the one running the OpenVPN software.


That makes sense. How would I configure that here?

 

 

[attached image: ovpnstaticroute.png]

OK. Some progress.

 

Added IPEnabledRouter to the registry and enabled the routing and remote access service.

 

I've set a static route in my router.

 

Destination IP: 192.168.12.0

Subnet Mask: 255.255.255.0

Gateway IP: 192.168.11.100

Metric: 2

 

I can put my phone on LTE, connect to the VPN, and access SMB shares on one of my machines 192.168.11.103. I can even do it using its netbios name!

 

Now the only problem, and the most important one, is that I don't know how to access the files or RDP to my Windows 10 machine that is running the VPN server (192.168.11.100).

Edited by unknownsoldierX

You go to 192.168.11.100..

 

Not sure where you got the idea you needed a static route in your router. That is going to be asymmetrical for sure anyway.. Since you don't want to run openvpn on your router.. You would need to create host routes on other devices on your 11 you wanted to get to, pointing to .100 for the 12 network. Or you would have to source nat.

 

There is a reason VPNs into a network are done on the edge, and not on some client inside the network.

It works because his router is not actually doing any stateful firewalling, or it would not work, or only work until the state expired.

 

It's a BORKED sort of MacGyver setup with chewing gum and twigs.. There is another term from back in the day _____ Rig.. And it's not by any means efficient, you have for sure one side of the conversation that is hairpinned.. And you could also run into the problem, depending on their security software, of boxes saying hey, I sent this traffic to mac (gateway mac).. why is my answer coming back from this different mac - depending on the direction of the start of the conversation.

 

If he wants to vpn into some downstream box from his edge, then he should source nat the traffic so that to devices on this network it looks like all the traffic is coming from the vpn box IP in that network; this removes the asymmetrical issue. Or you could host route, yes on each box in the network that will need to talk with vpn clients or be talked to from vpn clients. Or he should hang his vpn box off a transit network off his router. That will still have hairpinning. The optimal solution for vpn into network(s) from outside is the edge device.

 

Another solution would be to bridge (tap vs tun) in openvpn so vpn clients get an IP on the network they are wanting to talk to from the vpn. This has its own drawbacks as well, and should really be avoided unless you have a specific need for L2 traffic over the vpn connection.
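DaveLegg's point about reply packets and BudMan's asymmetric-routing objection, traced through a small longest-prefix-match model of the thread's topology. This is an added example, not anything posted in the thread; the node names and the router's address 192.168.11.1 are assumptions, the other addresses are the ones the thread gives.

```python
"""Path tracing for the thread's topology: the OpenVPN server sits on a LAN host
(192.168.11.100) instead of on the edge router. Constructed model, not tool output."""
from ipaddress import ip_address, ip_network

ROUTER, VPN_HOST, LAN_PC, PHONE, ISP = "router", "vpn-host", "lan-pc", "phone", "isp"

# Which simulated node owns which address. Addresses are the thread's except the
# router's 192.168.11.1, which the thread never states (assumption).
OWNERS = {
    "192.168.11.1": ROUTER,
    "192.168.11.100": VPN_HOST, "192.168.12.1": VPN_HOST,   # LAN NIC + tun side
    "192.168.11.50": LAN_PC,                                # DaveLegg's example PC
    "192.168.12.2": PHONE,                                  # the VPN client
}

def tables(router_static_route=False, lan_pc_host_route=False):
    """Per-node routing tables as (prefix, next_hop); next_hop None = directly attached."""
    lan = [("192.168.11.0/24", None), ("0.0.0.0/0", "192.168.11.1")]
    return {
        PHONE: [("192.168.12.0/24", None), ("192.168.11.0/24", "192.168.12.1")],  # pushed route
        VPN_HOST: lan + [("192.168.12.0/24", None)],
        LAN_PC: lan + ([("192.168.12.0/24", "192.168.11.100")] if lan_pc_host_route else []),
        ROUTER: [("192.168.11.0/24", None), ("0.0.0.0/0", ISP)]
        + ([("192.168.12.0/24", "192.168.11.100")] if router_static_route else []),
    }

def lookup(table, dst):
    """Longest-prefix match; returns the next hop (None = on-link) or raises KeyError."""
    dst = ip_address(dst)
    matches = [(ip_network(p), nh) for p, nh in table if dst in ip_network(p)]
    if not matches:
        raise KeyError(dst)
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(rt, src, dst, max_hops=8):
    """Forward one packet node by node; returns (list of nodes visited, outcome)."""
    hops, node = [src], src
    for _ in range(max_hops):
        if OWNERS.get(dst) == node:
            return hops, "delivered"
        try:
            nh = lookup(rt[node], dst)
        except KeyError:
            return hops, "no route"
        if nh == ISP:                       # default route: leaves the site and dies
            return hops + [ISP], "dropped at ISP (private destination)"
        node = OWNERS[nh] if nh else OWNERS.get(dst)
        if node is None:
            return hops, "no such host on attached network"
        hops.append(node)
    return hops, "loop"

def compare(**opts):
    """Forward path phone -> lan-pc and the reply; last item says whether they mirror."""
    rt = tables(**opts)
    fwd, _ = trace(rt, PHONE, "192.168.11.50")
    rev, outcome = trace(rt, LAN_PC, "192.168.12.2")
    return fwd, rev, outcome, fwd[::-1] == rev

if __name__ == "__main__":
    for label, opts in [("no extra routes", {}), ("static route on router", {"router_static_route": True}),
                        ("host route on lan-pc", {"lan_pc_host_route": True})]:
        fwd, rev, outcome, sym = compare(**opts)
        print(f"{label}: fwd={fwd} reply={rev} ({outcome}) symmetric={sym}")
    # Source NAT on the VPN host: the reply is addressed to 192.168.11.100, so no other
    # LAN device needs a route for 192.168.12.0/24 and the path is symmetric again.
    print("with SNAT:", trace(tables(), LAN_PC, "192.168.11.100"))
```

With the router static route the reply enters the VPN host from the router on the same segment the request left on, which is the hairpin BudMan describes and the half of the conversation a stateful router firewall would never have seen the start of.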

Well, with how I have it now, I am able to use RDP on the VPN host machine (192.168.11.100), and I can access shared folders on other machines on my LAN.

 

The only thing I am unable to do is access shares on 192.168.11.100, which I would really like to do so I can use a file manager rather than RDP.

 

Any ideas for how I can do that?

It inexplicably stopped working for a while. I couldn't even ping anything over the VPN. Everything was working fine the first day, then the next few days I couldn't get anything to work. I didn't touch the configuration of anything.

 

Today everything is working again.

 

The other weird thing, when I was trying to figure out why I could connect but nothing was working, I would reconnect to the VPN a lot and would sometimes get what looks like an IPv6 address for my home IP. AFAIK I don't have any way of obtaining an IPv6 address. I plugged it into a few IP trace sites and they told me it was not a valid address.

[attached image: ovpnipv6.png]

You understand many phones only get an IPv6 address via cell, right.. t-mobile is like this for example.. With so many phones, it's not possible to give every phone a public IPv4 address.

 

So you are T-mobile ;)

NetRange:       2607:7700:: - 2607:7700:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           2607:7700::/32
NetName:        TMO2
Organization:   T-Mobile USA, Inc. (TMOBI)

 

 

  On 19/08/2019 at 11:01, BudMan said:

You understand many phones only get an IPv6 address via cell, right.. t-mobile is like this for example.. With so many phones, it's not possible to give every phone a public IPv4 address.

 

So you are T-mobile ;)

NetRange:       2607:7700:: - 2607:7700:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           2607:7700::/32
NetName:        TMO2
Organization:   T-Mobile USA, Inc. (TMOBI)

 

 


Server Public IP is supposed to display the WAN facing IP address of my home router. Most of the time it does. My router has never received an IPv6 address from my ISP, so the OVPN app should never display an IPv6 address. But, for some reason it does. Maybe one out of every four times I connect.

 

I appreciate your help, but you are confusing some things.

What am I confusing - you posted a screenshot showing your server IP as an IPv6 address.. And asking a question on why you were seeing that?? It's because your phone does not have an actual IPv4 address, so t-mobile translates any IPv4 to an IPv6 address.

 

[attached image: ipv6.jpg]

 

I know exactly how this stuff works, and use it pretty much every day, support it and design for it to be used.. And have been for, like, going on 30 years.. Well before any of this tech was even created.. So when I tell you how you're trying to do it with asymmetrical routing and chewing gum and sticks you found on the ground is borked.. That is what you are doing ;)

 

No ###### your home server doesn't have an IPv6 address.. What does that have to do with the price of tea in China?

 

If you connect to your server from some network where you have an actual IPv4 address and your LTE carrier doesn't have to translate your IPv4 address to IPv6 then that is what you will see.

 

Here I connected over wifi this time, where it only has an IPv4 address

 

[attached image: wifionly.jpg]

Well where are you connecting from - if some hotspot via IPv4 then yeah... But many mobile phones these days only get IPv6.. Any IPv4 they want to go to has to get translated to an IPv6 address. Think of nat in reverse ;) That is a real layman's term to look at it; if you want more details of how it's done, look up 464XLAT..


T-mobile doesn't give IPv4 - maybe you're roaming on another carrier?

 

Are you not in the US?  Maybe international they use both... But here in the US, your t-mobile phone connecting to t-mobile will only ever get IPv6

https://www.internetsociety.org/resources/deploy360/2014/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/

 

Looks like they might have some sort of fallback options, is your handset really OLD?

https://pc.nanog.org/static/published/meetings/NANOG73/1645/20180625_Lagerholm_T-Mobile_S_Journey_To_v1.pdf

 

But doesn't matter as you can connect over IPv6 to your IPv4 server. When they 1st rolled that out, that was not the case.. But it has worked for years..
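The IPv4-to-IPv6 translation BudMan points at (464XLAT, built on NAT64/DNS64) carries the IPv4 address inside an IPv6 translation prefix in the layout defined by RFC 6052. This added example, not from the thread or from OpenVPN, implements that embedding and its inverse for the well-known 64:ff9b::/96 prefix and the other RFC 6052 prefix lengths; the sample addresses are documentation ranges chosen for the example, and the carrier's actual prefix is not visible on the page.

```python
"""IPv4-embedded IPv6 addresses per RFC 6052, the address format NAT64/DNS64 use
when an IPv6-only handset (464XLAT) talks to an IPv4 server. Added example."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

WELL_KNOWN = IPv6Network("64:ff9b::/96")   # RFC 6052 well-known prefix; carriers
VALID_PLEN = (32, 40, 48, 56, 64, 96)      # often use their own network-specific one

def embed(ipv4, prefix=WELL_KNOWN):
    """Place an IPv4 address inside an IPv6 translation prefix.

    For prefixes shorter than /96, bits 64-71 (byte 8, the 'u' octet) must stay
    zero, so the IPv4 octets skip over that position when they would land there.
    """
    if prefix.prefixlen not in VALID_PLEN:
        raise ValueError(f"unsupported translation prefix length /{prefix.prefixlen}")
    out = bytearray(prefix.network_address.packed[: prefix.prefixlen // 8])
    for octet in IPv4Address(ipv4).packed:
        if len(out) == 8:
            out.append(0)                  # reserved u octet
        out.append(octet)
    out.extend(b"\x00" * (16 - len(out)))  # suffix bits are zero
    return IPv6Address(bytes(out))

def extract(ipv6, prefix=WELL_KNOWN):
    """Inverse of embed(); rejects addresses that are not inside the prefix."""
    ipv6 = IPv6Address(ipv6)
    if ipv6 not in prefix:
        raise ValueError(f"{ipv6} is not inside translation prefix {prefix}")
    b = bytearray(ipv6.packed)
    if prefix.prefixlen < 96:
        del b[8]                           # drop the u octet so the IPv4 bytes are contiguous
    start = prefix.prefixlen // 8
    return IPv4Address(bytes(b[start:start + 4]))

if __name__ == "__main__":
    # 203.0.113.10 is a constructed stand-in for the home router's public IPv4.
    v6 = embed("203.0.113.10")
    print(v6, "->", extract(v6))           # 64:ff9b::cb00:710a -> 203.0.113.10
    site = IPv6Network("2001:db8:1234:5678::/64")   # constructed network-specific prefix
    print(embed("203.0.113.10", site), "->", extract(embed("203.0.113.10", site), site))
```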
