Windows – How access remote network with OpenVPN

Tags: openvpn, route, routing, windows

I am currently trying to configure OpenVPN to access our company network remotely.

I was able to establish a connection and ping the server at the configured address (10.8.0.1), but I was not able to access the network at the server side from clients.

The server is configured to push routes to the server with:

push "route 155.0.0.0 255.255.0.0 10.8.0.1 1"

where 155.0.0.0/16 is the server side network.

That did not work so I added

push "route 155.0.0.68 255.255.255.255 net_gateway 1"

because I read somewhere that it can be problematic if all packets including the ones to the server (155.0.0.68) are routed through the tunnel, but that still doesn't work. I am not able to ping any address on the server's network. Not even the server itself on 155.0.0.68.

What am I doing wrong?

Additional info:
Client and server run Windows, and OpenVPN runs in tun mode with the UDP protocol. Firewalls are turned off on the client and the server.

I already asked this question on Network Engineering, but I was told ServerFault would be a better place for a problem like that.

Best Answer

Routes on both sides of the VPN tunnel are required.

Also IP Routing must be enabled on the server. For example on Windows 7:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"IPEnableRouter"=dword:00000001

Let's assume the following IPs and subnets:

  • Client side subnet 192.168.0.0/24
  • Client IP 192.168.0.2
  • Client VPN IP 10.8.0.2
  • Server side subnet 155.0.0.0/16
  • Server IP 155.0.0.68
  • Server VPN IP 10.8.0.1

Keys

Create a set of keys for the server and clients. Check the README in the OpenVPN installation dir ..\OpenVPN\easy-rsa\README.txt for instructions on how to generate them.

Server side configuration

Add the following lines to the server config file:

port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir C:\\OpenVPN\\config\\ccd
route 192.168.0.0 255.255.255.0 10.8.0.2
ca C:\\OpenVPN\\config\\ca.crt
cert C:\\OpenVPN\\config\\server.crt
key C:\\OpenVPN\\config\\server.key
dh C:\\OpenVPN\\config\\dh1024.pem
keepalive 10 60
comp-lzo
persist-key
persist-tun
status C:\\OpenVPN\\config\\openvpn-status-tun.log 20
log C:\\OpenVPN\\config\\openvpn-tun.log
verb 3

Replace the paths with the respective installation directory.

Add a custom client config file on the server:

Create a directory ccd in the same directory as the server config file and in there a config file named after the CN (Common Name) of the client's certificate.

Check the client certificate and look for this line (CN=<client_name>):

Subject: C=CH, ST=State, L=City, O=org, OU=unit, CN=client1/name=EasyRSA/emailAddress=root@localhost

In this example the file will be named client1 (without an extension). Add the following lines to the file:

ifconfig-push 10.8.0.2 255.255.255.0
push "route 155.0.0.0 255.255.0.0 10.8.0.1"
iroute 192.168.0.0 255.255.255.0

  • ifconfig-push will give a static IP to this client
  • push "route ..." pushes the route to reach the server side subnet to the client
  • iroute generates an internal route in OpenVPN to the client's subnet

Client side configuration

Add the following lines to the client config file:

client
dev tun
proto udp
remote 155.0.0.68 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
ca C:\\OpenVPN\\config\\ca.crt
cert C:\\OpenVPN\\config\\client1.crt
key C:\\OpenVPN\\config\\client1.key
remote-cert-tls server

Replace the paths with your installation directory.

Additional Routes

This setup works if the server running OpenVPN is also a router and set as the default gateway on all the clients on the server-side subnet.

In the case a dedicated router exists, add the following static routes to it (or add them on all of the clients) to reach the VPN subnet and the subnet of client1.

Static server-side subnet routes:

Destination        Gateway             Genmask
192.168.0.0        155.0.0.68          255.255.255.0
10.8.0.0           155.0.0.68          255.255.255.0

For additional hints on this topic, see this answer.
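The answer's setup hinges on three things lining up: the server's `route` line for the client LAN must have a matching `iroute` in a ccd file, the `ifconfig-push` address must lie inside the `server` subnet, and the ccd file must be named exactly after the certificate CN or OpenVPN silently ignores it. The following consistency checker is an added example and not part of the original answer or of OpenVPN itself; it parses the config text directly, the sample server config, ccd entry and certificate Subject line are constructed to match the answer's values, and `check_routing`, `parse_directives` and `common_name` are hypothetical helper names. It generalises the answer's single-client case to any number of ccd files.

```python
"""Consistency check for an OpenVPN site-to-site routing setup (added example).

Parses the server config and the per-client ccd entries and reports the
route/iroute/ifconfig-push/CN mismatches that typically leave a client able
to ping the VPN endpoint but unable to reach the server-side LAN.
"""
import ipaddress
import re

# Constructed sample input mirroring the answer's server config.
SERVER_CONF = r"""
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir C:\\OpenVPN\\config\\ccd
route 192.168.0.0 255.255.255.0 10.8.0.2
"""

# Constructed ccd directory: file name -> file contents.
CCD = {
    "client1": r"""
ifconfig-push 10.8.0.2 255.255.255.0
push "route 155.0.0.0 255.255.0.0 10.8.0.1"
iroute 192.168.0.0 255.255.255.0
""",
}

# Constructed certificate Subject line, as printed by openssl for client1.
CLIENT_SUBJECT = ("Subject: C=CH, ST=State, L=City, O=org, OU=unit, "
                  "CN=client1/name=EasyRSA/emailAddress=root@localhost")


def parse_directives(text):
    """Return (directive, [args]) tuples, skipping blank lines and # comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def common_name(subject_line):
    """Extract the CN from an openssl 'Subject:' line (the ccd file name)."""
    m = re.search(r"CN=([^/,]+)", subject_line)
    return m.group(1) if m else None


def check_routing(server_conf, ccd, subjects):
    """Cross-check server 'route' lines, ccd 'iroute'/'ifconfig-push' and CNs.

    Returns a list of findings; an empty list means the setup is consistent.
    """
    findings = []
    server = parse_directives(server_conf)

    # The 'server' directive defines the VPN subnet every ifconfig-push must fall in.
    vpn_net = None
    for d, a in server:
        if d == "server" and len(a) >= 2:
            vpn_net = ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
    if vpn_net is None:
        return ["server config has no 'server' directive"]

    # OS-level routes into the tun device: route <net> <mask> [gateway]
    os_routes = {
        ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
        for d, a in server if d == "route" and len(a) >= 2
    }

    # iroute tells OpenVPN which connected client owns each remote LAN.
    iroutes = {}
    for name, text in ccd.items():
        for d, a in parse_directives(text):
            if d == "iroute" and len(a) >= 2:
                iroutes[ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)] = name
            elif d == "ifconfig-push" and a:
                ip = ipaddress.ip_address(a[0])
                if ip not in vpn_net:
                    findings.append(f"ccd/{name}: ifconfig-push {ip} is outside {vpn_net}")

    for net in sorted(os_routes - set(iroutes), key=str):
        findings.append(f"server 'route {net}' has no matching iroute in any ccd file")
    for net, name in iroutes.items():
        if net not in os_routes:
            findings.append(f"ccd/{name}: iroute {net} has no matching 'route' in server config")

    # A ccd file whose name is not a client CN is never applied by OpenVPN.
    cns = {common_name(s) for s in subjects}
    for name in ccd:
        if name not in cns:
            findings.append(f"ccd/{name}: no client certificate with CN={name}")
    return findings


if __name__ == "__main__":
    for finding in check_routing(SERVER_CONF, CCD, [CLIENT_SUBJECT]) or ["OK"]:
        print(finding)
```

Run it against the real files by reading the server config, each file in the ccd directory and the output of `openssl x509 -in client1.crt -noout -subject` into the three arguments; the first finding printed is usually the reason the LAN behind the tunnel is unreachable.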