OpenVPN site to site VPN tunnel with Windows Server 2012 R2

Tags: openvpn, routing, site-to-site-vpn, windows-server-2012-r2

This is my client's setup:

         Site A                                     Site B
     192.168.2.0/24                             192.168.0.0/24
Client A1 --|-- Server A                    Server B --|-- Client B1
            |   (192.168.2.2)           (192.168.0.2)  |
            |   (10.8.0.6)                 (10.8.0.1)  |
Client A2 --|-- Router A ---- Internet ---- Router B --|-- Client B2
            |   (192.168.2.1)         (192.168.0.254)  |
Client A3 --|                                          |-- Client B3

Server A connects to Server B via OpenVPN to connect both sites to each other. Server A and Server B were Windows Server 2003 and have now been reinstalled with Windows Server 2012 R2. Now the routing, which used to work with the 2003 configuration, doesn't work anymore.

I added the following routes on the Servers:

Server A: 192.168.0.0 mask 255.255.255.0 gw 10.8.0.1
Server B: 192.168.2.0 mask 255.255.255.0 gw 10.8.0.6

Routes pushed to the Clients via DHCP:

Clients A: 192.168.0.0 mask 255.255.255.0 gw 192.168.2.2
           default gw 192.168.2.1
Clients B: 192.168.2.0 mask 255.255.255.0 gw 192.168.0.2
           default gw 192.168.0.254

OpenVPN configuration on Server A (OpenVPN client)

client
dev tun
proto udp
remote dyndns.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert server-sb.crt
key server-sb.key
remote-cert-tls server  # require the server EKU in the peer cert, so a stolen client cert cannot impersonate the server
comp-lzo
verb 3

OpenVPN configuration on Server B (OpenVPN server)

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem  # 1024-bit DH is below current recommendations; 2048-bit is the usual minimum
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client  # lets VPN clients reach each other through the daemon
keepalive 10 120
comp-lzo  # compression; later OpenVPN releases deprecate it because compressed VPN traffic can leak plaintext (VORACLE)
persist-key
persist-tun
status openvpn-status.log
verb 3

Pings:

  • Server A -> 10.8.0.1 OK
  • Server B -> 10.8.0.6 OK
  • Server A -> 192.168.2.2 FAILS
  • Server B -> 192.168.0.2 FAILS
  • Any Device A -> Any Device B FAILS
  • Any Device B -> Any Device A FAILS

Firewalls on all Windows machines were disabled during the tests. My diagnosis is that the VPN tunnel works, but the problem is either a setting in OpenVPN that prevents the routing, or something in my routing tables is off.

I'm pretty sure that's the same configuration as it was with Windows 2003, where every device could reach every other device on both sites.

IPv4 forwarding and LAN routing is enabled in Routing and Remote Access.

Best Answer

After a lot of manpage reading I figured it out: I was missing the iroute directive in the OpenVPN server configuration.

After adding these entries to the config, it worked:

server.ovpn

client-config-dir ccd
# Kernel route for Site A's LAN through the tunnel; the gateway defaults to
# the tun peer, so it is omitted here
route 192.168.2.0 255.255.255.0

ccd\client

# File name must equal the CN of the client's certificate. iroute tells the
# OpenVPN daemon itself (not the kernel) that this client instance owns Site A's
# LAN, so packets sourced from or destined to 192.168.2.0/24 are matched to it
iroute 192.168.2.0 255.255.255.0
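Why the kernel routes from the question were not enough, and what iroute changes, as an added Python model (not code from the question or the answer). It walks a packet through the four hosts' routing tables and then through the OpenVPN server's own client table. Addresses are the ones in the diagram; the two end-client addresses (.10) and the flat 10.8.0.0/24 tun route are assumptions of the model. Without iroute the daemon only knows the client by its tun address, so LAN-sourced packets arriving from the client are dropped (OpenVPN logs this as "MULTI: bad source address from client"), and replies the kernel hands to tun find no client instance that owns 192.168.2.0/24, while packets sourced from 10.8.0.6 still go through, which matches the pings in the question.

```python
"""Site-to-site path model: kernel routing tables plus the OpenVPN server's
client/iroute table. Addresses from the diagram; .10 hosts are assumed."""
from ipaddress import ip_address, ip_network

# Hosts and the addresses they own (constructed from the diagram).
HOSTS = {
    "client_a1": ["192.168.2.10"],               # assumed
    "server_a":  ["192.168.2.2", "10.8.0.6"],
    "server_b":  ["192.168.0.2", "10.8.0.1"],
    "client_b1": ["192.168.0.10"],               # assumed
}

# Kernel routing tables: (prefix, next hop or None for on-link, interface).
# LAN routes are the ones the question lists; the tun /24 is a simplification
# of the route OpenVPN installs itself.
TABLES = {
    "client_a1": [("192.168.2.0/24", None, "lan"),
                  ("192.168.0.0/24", "192.168.2.2", "lan"),
                  ("0.0.0.0/0", "192.168.2.1", "lan")],
    "server_a":  [("192.168.2.0/24", None, "lan"),
                  ("10.8.0.0/24", None, "tun"),
                  ("192.168.0.0/24", "10.8.0.1", "tun"),
                  ("0.0.0.0/0", "192.168.2.1", "lan")],
    "server_b":  [("192.168.0.0/24", None, "lan"),
                  ("10.8.0.0/24", None, "tun"),
                  ("192.168.2.0/24", "10.8.0.6", "tun"),
                  ("0.0.0.0/0", "192.168.0.254", "lan")],
    "client_b1": [("192.168.0.0/24", None, "lan"),
                  ("192.168.2.0/24", "192.168.0.2", "lan"),
                  ("0.0.0.0/0", "192.168.0.254", "lan")],
}

OPENVPN_SERVER = "server_b"   # runs the "server 10.8.0.0 ..." config
OPENVPN_CLIENT = "server_a"   # the single client instance
CLIENT_TUN_IP = "10.8.0.6"    # all the daemon knows about it without iroute


def owner(addr):
    """Host owning an address, or None for routers/Internet outside the model."""
    for host, addrs in HOSTS.items():
        if addr in addrs:
            return host
    return None


def kernel_lookup(host, dst):
    """Longest-prefix match over the host's table -> (next_hop, interface)."""
    best = None
    for prefix, nh, iface in TABLES[host]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best[1], best[2]


def openvpn_knows(addr, iroutes):
    """Does the daemon's internal table map addr to the client instance?"""
    return addr == CLIENT_TUN_IP or any(
        ip_address(addr) in ip_network(n) for n in iroutes)


def trace(src, dst, iroutes=()):
    """Forward a packet hop by hop; return (delivered, list of hop notes)."""
    host, hops = owner(src), []
    for _ in range(10):
        if dst in HOSTS[host]:
            hops.append(f"{host}: delivered")
            return True, hops
        nh, iface = kernel_lookup(host, dst)
        if iface == "tun" and host == OPENVPN_CLIENT:
            # Tunnel ingress: the server checks the packet's source address.
            if not openvpn_knows(src, iroutes):
                hops.append(f"{OPENVPN_SERVER}: openvpn dropped, bad source {src}")
                return False, hops
            hops.append(f"{host}: tun -> {OPENVPN_SERVER}")
            host = OPENVPN_SERVER
        elif iface == "tun" and host == OPENVPN_SERVER:
            # Tunnel egress: the kernel route reached the daemon, but the
            # daemon still needs a client instance that owns dst.
            if not openvpn_knows(dst, iroutes):
                hops.append(f"{host}: openvpn dropped, no client owns {dst}")
                return False, hops
            hops.append(f"{host}: tun -> {OPENVPN_CLIENT}")
            host = OPENVPN_CLIENT
        else:
            nxt = owner(nh or dst)
            if nxt is None:
                hops.append(f"{host}: sent to {nh or dst}, outside the model")
                return False, hops
            hops.append(f"{host}: lan -> {nxt}")
            host = nxt
    return False, hops


if __name__ == "__main__":
    for iroutes in ((), ("192.168.2.0/24",)):
        print("iroute:", iroutes or "none")
        for s, d in (("192.168.2.10", "192.168.0.10"), ("192.168.0.10", "192.168.2.10")):
            ok, hops = trace(s, d, iroutes)
            print("  ", s, "->", d, "OK" if ok else "FAIL", "|", "; ".join(hops))
```

Running it prints both directions failing inside the daemon with no iroute and succeeding once `("192.168.2.0/24",)` is passed; `trace("10.8.0.6", "10.8.0.1")` succeeds either way, which is the "tunnel works but LANs cannot talk" symptom from the question.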