Openvpn – Simple OpenVPN setup on Windows Server 2003 SBS with RRAS


I am trying to set up the most basic VPN configuration with OpenVPN. The server is Windows Server 2003 SBS. A typical client system is Windows 7 Professional.

The server has two physical NICs (WAN & LAN). The WAN NIC is assigned a static WAN IP by the router. The server manages the NAT & Firewall with Windows' Routing and Remote Access service.

I have followed the setup HOWTO and attempted to keep things as simple as possible.

The OpenVPN client connects to the OpenVPN server and is assigned an IP address.

The problem is that I cannot ping the server from the client after the connection is established (or perform any other communication for that matter).

I suspect that there may be a conflict with RRAS.

I would like to provide more information, but I need guidance as to what information is needed to solve this problem. The following is a starting point:

OpenVPN server config:

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
max-clients 100
status openvpn-status.log
verb 3

Typical OpenVPN client config:

dev tun
proto tcp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 3

OpenVPN Client startup output:

OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Socket Buffers: R=[8192->8192] S=[8192->8192]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): '69109d17'
Expected Remote Options hash (VER=V4): 'c0103fa8'
Attempting to establish TCP connection with XXX.XXX.XXX.XXX:1194
TCP connection established with XXX.XXX.XXX.XXX:1194
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: XXX.XXX.XXX.XXX:1194
TLS: Initial packet from XXX.XXX.XXX.XXX:1194, sid=2c253639 f0d75bbe
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
[XXX] Peer Connection Initiated with XXX.XXX.XXX.XXX:1194
PUSH: Received control message: 'PUSH_REPLY,route,topology net30,ping 10,ping-restart 120,ifconfig'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
ROUTE default_gateway=
TAP-WIN32 device [OpenVPN] opened: \\.\Global\{F4CEEE7C-B82C-4EF3-8C1E-4EA31CCC237A}.tap
TAP-Win32 Driver Version 9.8 
TAP-Win32 MTU=1500
Notified TAP-Win32 driver to set a DHCP IP/netmask of on interface {F4CEEE7C-B82C-4EF3-8C1E-4EA31CCC237A} [DHCP-serv:, lease-time: 31536000]
Successful ARP Flush on interface [16] {F4CEEE7C-B82C-4EF3-8C1E-4EA31CCC237A}
TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
C:\WINDOWS\system32\route.exe ADD MASK
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
Initialization Sequence Completed

Best Answer

Why would RRAS be interfering? By the looks of it OpenVPN is listening on a completely different port than what RRAS uses. Furthermore, if the VPN client connects then that means it is working. Your problem is a routing problem. RRAS has an option to enable LAN routing and will function as a router between the VPN client and the internal network. Without that option set in RRAS a RRAS VPN client would only be able to access the VPN server. I'm assuming the problem is the same with OpenVPN. What mechanism does OpenVPN use to route traffic between the VPN client and the internal network?

In addition, as gravyface stated in his answer, why add the complexity of OpenVPN (on both the server and client side) when RRAS is a perfectly capable VPN solution, with the advantage of having a built-in VPN client on the client side. There's no software installation neccessary on either end, and there's minimal set up and configuration.