I have recently installed OpenVPN on my windows 2003 server.
Once someone is connected to the server, they do not have internet access.
- My network is on 192.168.1.1
- my server is on 192.168.1.110
- I am using the dd-wrt firmware
- I have enabled port 1194 for 192.168.1.110 on the router
- Routing and Remote Access is disabled
- I have 2 Tap-Win32 Adapter V8(s) on my windows 2003 server
- I have tried setting this line to 192.168.1.1 and also my isp's dns servers
push "dhcp-option DNS 192.168.1.1" # Replace the Xs with the IP address of the DNS for your
home network (usually your ISP's DNS) -
I have created an advanced routing Gateway in dd-wrt
Destination LAN NET: 192.168.10.0 Subnet Mask: 255.255.255.252 Gateway: 192.168.1.110 Interface: Lan & WLAN
I have followed this website exactly: http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/
EDIT: I just tried to connect through the cmd prompt and get the following subnet error – potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
My server file looks as follows:
local 192.168.1.110 # This is the IP address of the real network interface on the server connected to the router
port 1194 # This is the port OpenVPN is running on - make sure the router is port forwarding this port to the above IP
proto udp # UDP tends to perform better than TCP for VPN
mssfix 1400 # This setting fixed problems I was having with apps like Remote Desktop
push "dhcp-option DNS 192.168.1.1" # Replace the Xs with the IP address of the DNS for your home network (usually your ISP's DNS)
#push "dhcp-option DNS X.X.X.X" # A second DNS server if you have one
dev tap
#dev-node MyTAP #If you renamed your TAP interface or have more than one TAP interface then remove the # at the beginning and change "MyTAP" to its name
ca "ca.crt"
cert "server.crt"
key "server.key" # This file should be kept secret
dh "dh1024.pem"
server 192.168.10.0 255.255.255.128 # This assigns the virtual IP address and subent to the server's OpenVPN connection. Make sure the Routing Table entry matches this.
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1" # This will force the clients to use the home network's internet connection
keepalive 10 120
cipher BF-CBC # Blowfish (default) encryption
comp-lzo
max-clients 100 # Assign the maximum number of clients here
persist-key
persist-tun
status openvpn-status.log
verb 1 # This sets how detailed the log file will be. 0 causes problems and higher numbers can give you more detail for troubleshooting
My client1 file is as follows:
client
dev tap
#dev-node MyTAP #If you renamed your TAP interface or have more than one TAP interface then remove the # at the beginning and change "MyTAP" to its name
proto udp
remote my-dyna-dns.com 1194 #You will need to enter you dyndns account or static IP address here. The number following it is the port you set in the server's config
route 192.168.1.0 255.255.255.0 vpn_gateway 3 #This it the IP address scheme and subnet of your normal network your server is on. Your router would usually be 192.168.1.1
resolv-retry infinite
nobind
persist-key
persist-tun
ca "ca.crt"
cert "client1.crt" # Change the next two lines to match the files in the keys directory. This should be be different for each client.
key "client1.key" # This file should be kept secret
ns-cert-type server
cipher BF-CBC # Blowfish (default) encrytion
comp-lzo
verb 1
Thanks in advance!
Best Answer
It looks to me like the server is pushing the "redirect-gateway" option down to the client. This causes the client to use the VPN as its default gateway. Comment out the line in the server config 'push "redirect-gateway def1"'.
Woah there-- just saw your edit. You client can't be using the same IP addresses as the LAN it's connecting to. That's not going to work. One end or the other needs to use different IP addresses.
Edit:
Assuming routing is configured properly on your Windows Server 2003 machine (per the www.itsatechworld.com page you referenced), you should be able to PING the Windows Server 2003 machine and Windows Vista machine by their LAN IPs via the VPN. If you can, then you've got routing right on the Windows Server 2003 and DD-WRT machines and you can proceed. If not, then you need to start tracking down why either (1) PING traffic coming off the OpenVPN tunnel isn't getting to the destination, or (b) why PING replies from the destination host aren't coming back. You may end up putting something like Wireshark on your Windows Vista machine to see if the PING requests are even getting there (since PING can't tell you if your request is being received and the reply is just being lost).
Once you've got IP connectivity across the VPN working fine. I'd recommend installing the DNS and WINS services on your Windows Server 2003 VPN server computer and configuring the server computer and the Windows Vista home computer to use that machine for WINS and DNS. You can either add your ISP's DNS as a "forwarded" on the Windows Server 2003 machine, or leave the stock "root hints" configured to allow it to resolve Internet names. In your OpenVPN server configuration, add the following line right after the 'push "dhcp-option DNS 192.168.1.1" line:
This is going to get the remote clients taking to the WINS and DNS servers on your Windows Server 2003 machine, and should get you both DNS and NetBIOS name resolution.
If you're not using an Active Directory domain at home, you'll probably want to setup a standard forward lookup zone on the Windows Server 2003 DNS server for your Windows Server 2003 and Windows Vista machines to register into. You'll want to grant clients permission to dynamically update records (albeit insecurely) when you create this zone. You should add the option "DNS domain name" (option 15) to your DHCP scope at home so that your client computers there pick up the right DNS domain name suffix. (If you're using DD-WRT for DNS then I can't tell you how to do that. I'm an OpenWRT guy, and I manage my WRT54G from the command line. I'd recommend running DHCP from the Windows Server 2003 machine anyway, but I just like that DHCP server more.)
If you are using an Active Directory domain you'll already have a forward lookup zone created in DNS. Since your remote VPN clients aren't members of your domain, though, they won't be able to register in DNS under the stock security settings that Windows Server sets on the DNS zone (at least, if you let it create the zone during DCPROMO). It's insecure, but if you want to allow them to register you could either (a - less secure) chang the permission on the zone to allow insecure registrations, or (b - more secure but still insecure) create A and PTR records for them and modify the permission on each of those records to allow anyone to update them.
It sounds like this is a home networking thing, and it's really a good learning opportunity for a lot of things-- IP routing, VPNs, name resolution. Perhaps you're looking for it to "just work" and not as a learning opportunity, in which case I can only offer my apologies and say that these things just aren't "turnkey" yet.