I recently installed OpenVPN on a remote CentOS 7 web server. I am able to connect to it from a local CentOS 7 devbox by typing `openvpn --config /path/to/client.ovpn`. Once the connection is made, I am then able to ssh to the server through the VPN by typing `ssh username@10.8.0.1`, and I am able to view web apps hosted by Apache on the remote server through the VPN by typing `https://10.8.0.1` into a web browser. So how can my non-technical end-users make the same https connections from Windows?
I downloaded and installed the SecurePoint OpenVPN client for Windows. I was then able to create a config for the server, including links to the .crt and .key files and definitions of other parameters that were defined in the `client.ovpn` file in Linux. The SecurePoint client then forced me to use a username and password for an OS account on the remote server (perhaps for the better), but does not allow me to connect to web apps running on the server. Specifically, typing `https://10.8.0.1` into a web browser results in "This page can't be displayed", even though my Linux devbox allows content to be served from the server through the VPN to the client as described in the preceding paragraph. What am I doing wrong? And how can I get this to work?
EDIT
As per @garethTheRed's advice, I typed `sudo firewall-cmd --list-all --zone=internal` and got the following results:

```
internal (active)
  interfaces: tun0
  sources:
  services: dhcpv6-client https ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source NOT address="10.8.1.1" service name="ssh" reject
```

I then clicked "connect" in the SecurePoint GUI and, after it said the connection to the server was established, I opened up cmd.exe and typed `ping 10.8.0.1` and got the following results:

```
Pinging 10.8.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.8.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```
Unchecking the user/auth option removed the username/password login requirement.
Note that, when SecurePoint is connected, all other internet access through the browser seems blocked because all requests for pages are rejected. Also, the VPN shows up in the Windows list of Wi-Fi networks as "Unidentified Network" with "no internet access". When I disconnect from the VPN using SecurePoint, the "Unidentified Network" goes away. You can see what it looks like when the VPN connection is active by clicking on this link.
What else can I try?
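A check on the zone listing quoted above, added here as an example (not part of the question or of the answer that follows): it parses the text printed by `firewall-cmd --list-all` and reports whether the zone holding `tun0` actually allows the https service. `parse_zone` and `check_https_access` are hypothetical helpers, and the sample listing is constructed from the output shown in the question.

```python
"""Check a firewalld zone listing for VPN-side HTTPS access.

Added example. It parses the text printed by `firewall-cmd --list-all
--zone=<zone>` (the format shown in the question) and reports anything that
would keep VPN clients from reaching the https service. SAMPLE_LISTING is
constructed from the question's output."""
import re

SAMPLE_LISTING = """internal (active)
  interfaces: tun0
  sources:
  services: dhcpv6-client https ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source NOT address="10.8.1.1" service name="ssh" reject
"""

KEY_LINE = re.compile(r"^\s*([a-z-]+(?: [a-z-]+)?):\s*(.*)$")

def parse_zone(listing):
    """Return the zone's fields as token lists; rich rules are kept as whole strings."""
    lines = listing.strip().splitlines()
    zone = {"name": lines[0].split()[0], "active": "(active)" in lines[0], "rich rules": []}
    key = None
    for line in lines[1:]:
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            if key != "rich rules":
                zone[key] = m.group(2).split()
        elif key == "rich rules" and line.strip():
            zone["rich rules"].append(line.strip())  # indented lines after 'rich rules:'
    return zone

def check_https_access(zone, iface="tun0"):
    """List problems found; empty means the VPN interface is bound and https is allowed."""
    findings = []
    if not zone["active"]:
        findings.append("zone %s is not active" % zone["name"])
    if iface not in zone.get("interfaces", []):
        findings.append("%s is not bound to zone %s" % (iface, zone["name"]))
    if "https" not in zone.get("services", []):
        findings.append("https service is not allowed in the zone")
    for rule in zone["rich rules"]:
        if rule.endswith(("reject", "drop")):  # flag restrictive rules for review
            findings.append("rich rule to review: " + rule)
    return findings
```

Run it against real output with `firewall-cmd --list-all --zone=internal` piped into `parse_zone`; for the listing in the question it reports only the reject rich rule, since `tun0` is bound and `https` is already listed.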
Best Answer
Confirm that your firewall on the CentOS server (`internal` zone, if that is where the `tun0` device is located) has `https` available as a service.

You should be able to ping the server on `10.8.0.1` from the Windows machine. If this works, then your VPN is up and working and it's probably the CentOS server's firewall blocking you. If the ping doesn't work, then you have deeper underlying problems to solve before you look into your `https` pages.

In the case of the latter, post the output of running `ipconfig /all` and `route print` on the Windows machine.

Official OpenVPN Client
As an experiment, you could also install `openvpn` on the Windows machine and run it in a similar way to the way you did on the CentOS client using similar configuration files. It may give a clue to what's happening:

1. Download the OpenVPN client for Windows from here, then install it. Towards the end of the installation you should see a tick-box that offers to start the client. Make sure that the client is NOT started.
2. Copy your `*.ovpn` file from the CentOS machine (the one that worked previously) to the Windows machine. If you are transferring the file, you may come across the issue of Unix/DOS line terminators. The `dos2unix` package has a converter called `unix2dos` that converts the files to DOS format for you.
3. Open `notepad` as Administrator (right click and choose "Run as administrator") and edit the `*.ovpn` file, changing the paths to the key and two certificates and remembering to use two back-slashes in the paths (e.g. `C:\\Users\\Bloggs\\key.pem`). Save this file to `C:\Program Files\OpenVPN\config`.
4. Start the OpenVPN client from the Start Menu by right clicking on it and choosing "Run as administrator" (this is only needed the first time you run it). If the above has worked you should be able to right click on the icon in the task-bar and connect. If there is no connect option, then check the above.
5. After a second or three, you'll get a pop-up telling you that you've connected. Try your `https` webpage.

Basic Windows Compatible Configuration
As a test, backup your current server configuration and try the following:

It works on my server with both Linux and Windows clients (both the OpenVPN and the SecurePoint one). It won't provide the functionality you need for your server, but it may help you find where the problem is. You may need to adjust the paths to the files, of course.

For reference, here is the `*.ovpn` file I used:

For the SecurePoint client, I left everything as default other than the `Auth user/pass` tick-box, which I un-ticked, and (of course) the key and certificates.
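The two edits the answer describes for moving a Linux `client.ovpn` to the official Windows client (rewriting the key and certificate paths with doubled back-slashes, and converting the line endings to DOS format as `unix2dos` would), as an added example that is not the answer author's code. `convert_ovpn` and `windows_path` are hypothetical helpers; the sample config, its hostname and the target directory are constructed.

```python
"""Prepare a Linux client.ovpn for the official Windows OpenVPN client.

Added example, not part of the original answer. It rewrites the ca/cert/key
directives to Windows paths with doubled back-slashes and emits CRLF line
endings. SAMPLE_OVPN and the target directory are constructed."""
import ntpath
import posixpath

# Directives whose first argument is a file path that has to be rewritten.
PATH_DIRECTIVES = {"ca", "cert", "key", "tls-auth", "tls-crypt"}

SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.com 1194
ca /home/bloggs/openvpn/ca.crt
cert /home/bloggs/openvpn/client.crt
key /home/bloggs/openvpn/client.key
tls-auth /home/bloggs/openvpn/ta.key 1
remote-cert-tls server
"""

def windows_path(unix_path, win_dir):
    """Keep only the file name, place it under win_dir, and double every
    back-slash so the OpenVPN config parser does not read it as an escape."""
    name = posixpath.basename(unix_path)
    return ntpath.join(win_dir, name).replace("\\", "\\\\")

def convert_ovpn(text, win_dir):
    """Return the config with paths rewritten and CRLF (DOS) line endings."""
    out = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in PATH_DIRECTIVES:
            args = parts[1].split()
            # Only the first argument is a path; tls-auth may carry a key direction.
            args[0] = windows_path(args[0], win_dir)
            line = parts[0] + " " + " ".join(args)
        out.append(line)
    return "\r\n".join(out) + "\r\n"

if __name__ == "__main__":
    # Write the result where the answer says the Windows client looks for it.
    converted = convert_ovpn(SAMPLE_OVPN, r"C:\Users\Bloggs")
    with open("client.ovpn", "w", newline="") as f:  # newline="" keeps the CRLFs
        f.write(converted)
```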