Openvpn connected, but not routing. (ping test fails)

openvpn

I am setting up a VPN connection for the first time. I am working on a project in which i would like to access my LAN at my home from the outside world. So, I installed OpenVPN2.2.2 on my 32-bit Windows 7 laptop (acting as the server). My end goal is to load a page which is accessible only on my local network.

I created a client certificate for a 64-bit Windows 8 laptop (with OpenVPN2.2.2 installed on it). I am able to connect to the server through VPN using my client. I can see the green GUI icon in the system tray on both laptops. I also see "Initialization Sequence Completed" in the logs with no major errors. However, when I try to ping any of my devices within the LAN, I am not able to do it using my remote client running openVPN. Also, when I look up my IP using http://www.whatismyip.com/, I still get the client's original IP address and not my LAN's IP.

These are the major warnings/notes that I have received.

Server:

NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.

Warning: route gateway is not reachable on any active network adapters: 10.8.0.2

MULTI: bad source address from client [192.168.2.30], packet dropped

Client:

WARNING: potential route subnet conflict between local LAN [172.20.10.0/255.255.255.240] and remote VPN [0.0.0.0/0.0.0.0]

I have been doing a lot of research on this for the past week. I looked into openVPN documentation and forums. People are able to connect to the servers, but are not able to ping. These are the additional steps I have taken:

  • disabled my Windows firewall completely (both on client and server) to address that TUN/TAP interface issue
  • set up port forwarding, so whatever connections are made to my router on port 1194 are forwarded to my server (with a static IP of 192.168.1.168).
  • running everything with admin rights
  • configured Routing and Remote Access on the Windows machine (server)
  • IPEnableRouter is 1.
  • Checked the box for "Allow other network users to connect through this computer's Internet connection" for the TAP adapter.

Some more steps that I undertook after obtaining them from openVPN forums:

Server.ovpn

port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "route 0.0.0.0 0.0.0.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 5

Client.ovpn

client
dev tun
proto udp
remote xx.xx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\client1.crt"
key "C:\\Program Files (x86)\\OpenVPN\\config\\client1.key"
ns-cert-type server
comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60
route-method exe
route-delay 2

If you could help me troubleshoot this problem, it would be really great. Any hints/suggestions are extremely welcome.
Thanks.

EDIT:1

Thanks a lot for your suggestions.

1) Could you please explain a little bit what exactly you mean by "getting a firewall or if you have one using your firewall to VPN"? I already have the built-in firewalls on both my client and server, and I disabled them both, just so they don't interfere with my setup for the time being.

2) I did change my IP address subnet. So the default gateway on my server side is now 192.168.157.1 instead of 192.168.1.1. I will hide my IP address. 😀

3) 10.8.0.2 is the default gateway for the TAP-Win32 adapter. So, after looking in openvpn forums, I added 10.8.0.2 as the default gateway on my server side by going into the advanced settings of the IPv4 Properties of the TAP-Win32 adapter. To be honest, I don't know why I did it. I was just desperate to get it working.

Now, since I changed the IP subnet of my router to 192.168.157.1, I am only seeing two warnings in the log files, which is really good news IMO. But I still can't ping (I need to look into ping policies too, but I doubt that could be the problem). Also, the client side has zero access to the internet when connected to my server. No ping, no web pages, no internet.

Server Side warning says:

Warning: route gateway is not reachable on any active network adapters: 10.8.0.2

Client side warning:

WARNING: potential route subnet conflict between local LAN [192.168.2.0/255.255.255.0] and remote VPN [0.0.0.0/0.0.0.0]

Thanks a lot again.

Best Answer

I would suggest getting a firewall or if you have one using your firewall to VPN. I have watchguard and it is very simple to make or edit policies, such as ping. I had an issue where I did not want users on sub-net "B" to even be able to ping sub-net "A" and easily changed that in that policy.

Anyway, you could try changing the sub-net of your network (if possible); having a "normal" IP range such as 192.168.1.1 is not the best-practice method. I also would not put your external IP address out for the world to see :)

To me it sounds like something in your firewall is not routing traffic to your 192.x.x.x sub-net and, from the looks of it, it's because your LANs have the same IP range. Also, what device do you have on 10.8.0.2? It looks like your gateway, but your LANs are different. Please explain a little more...

P.S. Sorry, I tried to comment instead of answer but I don't have enough rep.
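An added diagnostic, not part of the original question or answer, that reads the three warnings quoted above with Python's ipaddress module and reports which networks overlap and why the packet from 192.168.2.30 was dropped. The log lines are constructed from the post; the VPN pool 10.8.0.0/24 comes from the server config; the iroutes parameter is an assumption about how a client-side LAN would be declared to the server.

```python
import re
import ipaddress

# Constructed sample log lines, copied from the warnings quoted in the question.
SAMPLE_LOG = """\
Warning: route gateway is not reachable on any active network adapters: 10.8.0.2
MULTI: bad source address from client [192.168.2.30], packet dropped
WARNING: potential route subnet conflict between local LAN [192.168.2.0/255.255.255.0] and remote VPN [0.0.0.0/0.0.0.0]
"""

GATEWAY = re.compile(r"route gateway is not reachable .*: ([\d.]+)")
BAD_SRC = re.compile(r"bad source address from client \[([\d.]+)\]")
CONFLICT = re.compile(r"local LAN \[([\d.]+)/([\d.]+)\] and remote VPN \[([\d.]+)/([\d.]+)\]")


def overlapping_subnets(server_lan: str, client_lan: str, vpn_pool: str) -> list:
    """Return the pairs of networks that overlap; an overlapping route is ambiguous."""
    nets = {
        "server LAN": ipaddress.ip_network(server_lan, strict=False),
        "client LAN": ipaddress.ip_network(client_lan, strict=False),
        "VPN pool": ipaddress.ip_network(vpn_pool, strict=False),
    }
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def diagnose(log_text: str, vpn_pool: str, iroutes=()) -> list:
    """Explain each warning using the networks the server is told about."""
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    known = [pool] + [ipaddress.ip_network(r, strict=False) for r in iroutes]  # iroutes: assumed client LANs
    findings = []
    for line in log_text.splitlines():
        if m := GATEWAY.search(line):
            gw = ipaddress.ip_address(m.group(1))
            if gw in pool:
                findings.append(f"gateway {gw} lies inside VPN pool {pool}, not on a LAN adapter")
        elif m := BAD_SRC.search(line):
            src = ipaddress.ip_address(m.group(1))
            if not any(src in n for n in known):
                findings.append(f"dropped: {src} is neither a pool address nor covered by an iroute")
        elif m := CONFLICT.search(line):
            lan = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            vpn = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            if vpn.overlaps(lan):
                findings.append(f"conflict: pushed route {vpn} covers the client's own LAN {lan}")
    return findings
```

Run with the original subnets (server and client LAN both 192.168.1.0/24) and overlapping_subnets reports the clash the answer points at; with the changed 192.168.157.0/24 server LAN it reports none.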
