Connecting a LAN to an OpenVPN server via a windows 7 client gateway
Posted
by
user705142
on Server Fault
See other posts from Server Fault
or by user705142
Published on 2012-03-15T09:44:06Z
Indexed on
2012/03/19
23:31 UTC
Read the original article
Hit count: 359
I've got OpenVPN set up between my windows 7 client and linux server. The goal is that I'll get secure access to a webapp running on the server from any computer on the client LAN.
I'm using ccd to assign static ip addresses to each client connection, with key authentication. It's working on my client machine (10.83.41.9), and when you go to the gateway IP address (10.83.41.1), it loads up the webapp.
Now I really need the other computers on the client LAN to be able to connect to the webapp as well, via the windows machine.
The client has a static IP address of 192.168.2.100 on the LAN, and I've enabled IP forwarding in windows (confirmed by ipconfig /all). In my router I've forwarded 10.83.41.1 / 255.255.255.255 to 192.168.2.100.
In server.conf I have..
route 192.168.2.0 255.255.255.0
And in the office ccd..
ifconfig-push 10.83.41.9 10.83.41.10 iroute 192.168.2.0 255.255.255.0
The client log is as follows:
Thu Mar 15 20:19:56 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Thu Mar 15 20:19:56 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Mar 15 20:19:56 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Mar 15 20:19:56 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 15 20:19:56 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 15 20:19:56 2012 LZO compression initialized
Thu Mar 15 20:19:56 2012 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Mar 15 20:19:56 2012 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Mar 15 20:19:56 2012 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 15 20:19:56 2012 Local Options hash (VER=V4): '9e7066d2'
Thu Mar 15 20:19:56 2012 Expected Remote Options hash (VER=V4): '162b04de'
Thu Mar 15 20:19:56 2012 UDPv4 link local: [undef]
Thu Mar 15 20:19:56 2012 UDPv4 link remote: 111.65.224.202:1194
Thu Mar 15 20:19:56 2012 TLS: Initial packet from 111.65.224.202:1194, sid=ceb04c22 8cc6d151
Thu Mar 15 20:19:56 2012 VERIFY OK: depth=1, /C=NZ/O=XXX./CN=XXX
Thu Mar 15 20:19:56 2012 VERIFY OK: nsCertType=SERVER
Thu Mar 15 20:19:56 2012 VERIFY OK: depth=0, /C=NZ/O=XXX./CN=XXX
Thu Mar 15 20:19:56 2012 Replay-window backtrack occurred [1]
Thu Mar 15 20:19:56 2012 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 15 20:19:56 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 15 20:19:56 2012 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 15 20:19:56 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 15 20:19:56 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Mar 15 20:19:56 2012 [server] Peer Connection Initiated with 111.65.224.202:1194
Thu Mar 15 20:19:58 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Mar 15 20:19:59 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.83.41.1,topology net30,ping 10,ping-restart 120,ifconfig 10.83.41.9 10.83.41.10'
Thu Mar 15 20:19:59 2012 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 15 20:19:59 2012 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 15 20:19:59 2012 OPTIONS IMPORT: route options modified
Thu Mar 15 20:19:59 2012 ROUTE default_gateway=192.168.2.1
Thu Mar 15 20:19:59 2012 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{B32D85C9-1942-42E2-80BA-7E0B5BB5185F}.tap
Thu Mar 15 20:19:59 2012 TAP-Win32 Driver Version 9.9
Thu Mar 15 20:19:59 2012 TAP-Win32 MTU=1500
Thu Mar 15 20:19:59 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.83.41.9/255.255.255.252 on interface {B32D85C9-1942-42E2-80BA-7E0B5BB5185F} [DHCP-serv: 10.83.41.10, lease-time: 31536000]
Thu Mar 15 20:19:59 2012 Successful ARP Flush on interface [45] {B32D85C9-1942-42E2-80BA-7E0B5BB5185F}
Thu Mar 15 20:20:04 2012 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Mar 15 20:20:04 2012 C:\WINDOWS\system32\route.exe ADD 10.83.41.1 MASK 255.255.255.255 10.83.41.10
Thu Mar 15 20:20:04 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 15 20:20:04 2012 Route addition via IPAPI succeeded [adaptive]
Thu Mar 15 20:20:04 2012 Initialization Sequence Completed
From the other machines I can ping 192.169.2.100, but not 10.83.41.1.
In the how-to, it mentions "Make sure your network interface is in promiscuous mode." as well. I can't find in the windows network config, so this may or may not be part of it.
Ideally this would be achieved without any special configuration the other LAN computers. Not sure how far I'm going to get on my own at this point, any ideas? Is there something I'm missing, or anything I should need to know?
© Server Fault or respective owner