
I have two Windows boxes (Windows 10 and Windows 7). The first one named SERVER runs OpenVPN as server, the remote one named REMOTE runs the OpenVPN client and connects to the SERVER fine. Both have IP routing enabled through HKLM\System\CurrentControlSet\services\Tcpip\Parameters\IPEnableRouter=1 and both are running the Routing and RAS Service. Both have their Windows firewalls disabled entirely.

Here are the IP configuration details:

SERVER:

local IP 10.150.1.1/24
default gateway is 10.150.1.254
VPN Transfer IP 10.150.2.1/24

REMOTE

local IP 192.168.1.251/24
default gateway is 192.168.1.254
VPN Transfer IP 10.150.2.6/24 (assigned by the OpenVPN Server when the connection is established)

The problem is that from the SERVER I cannot ping REMOTE's local IP address 192.168.1.251, while all other pings work.

In detail:

From SERVER:

ping 10.150.2.6 is ok

ping 192.168.1.251 fails!

tracert -d 192.168.1.251 yields
  1    <1 ms    <1 ms    <1 ms  10.150.1.254   (<<< the default gateway of SERVER)
and from there out to the public Internet...

From REMOTE

ping 10.150.1.1 is ok
ping 10.150.2.1 is ok, too

I would like to be able to ping 192.168.1.251 from the SERVER (and, as the next step, have PCs on REMOTE's local LAN be able to ping the SERVER through the OpenVPN link, but that is another issue). I can't find the cause of the SERVER forwarding the packets aimed at REMOTE's local LAN interface to the public Internet, rather than forwarding them via OpenVPN to the REMOTE PC.

Here are the two routing tables:

SERVER

===========================================================================
Interface List
 15...d0 17 c2 ac a2 1a ......Realtek PCIe GBE Family Controller #2
  5...00 ff 1b 1f c1 7f ......TeamViewer VPN Adapter
  4...00 ff 18 da d2 10 ......TAP-Windows Adapter V9
  1...........................Software Loopback Interface 1
  2...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.150.1.254       10.150.1.1    266
       10.150.1.0    255.255.255.0         On-link        10.150.1.1    266
       10.150.1.1  255.255.255.255         On-link        10.150.1.1    266
     10.150.1.255  255.255.255.255         On-link        10.150.1.1    266
       10.150.2.0    255.255.255.0       10.150.2.2       10.150.2.1     20
       10.150.2.0  255.255.255.252         On-link        10.150.2.1    276
       10.150.2.1  255.255.255.255         On-link        10.150.2.1    276
       10.150.2.3  255.255.255.255         On-link        10.150.2.1    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0       10.150.2.6       10.150.2.1     21
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.150.1.1    266
        224.0.0.0        240.0.0.0         On-link        10.150.2.1    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.150.1.1    266
  255.255.255.255  255.255.255.255         On-link        10.150.2.1    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     10.150.1.254  Default
      192.168.1.0    255.255.255.0       10.150.2.6       1
===========================================================================

REMOTE

===========================================================================
Interface List
 20...00 ff ce e4 56 f0 ......TAP-Windows Adapter V9 #2
 19...00 ff 0e 36 39 0b ......TAP-Windows Adapter V9
 18...00 0c 29 74 75 c7 ......Intel(R) PRO/1000 MT Network Connection #2
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.251    266
       10.150.1.0    255.255.255.0       10.150.2.5       10.150.2.6     21
       10.150.2.1  255.255.255.255       10.150.2.5       10.150.2.6     21
       10.150.2.4  255.255.255.252         On-link        10.150.2.6    276
       10.150.2.6  255.255.255.255         On-link        10.150.2.6    276
       10.150.2.7  255.255.255.255         On-link        10.150.2.6    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.251    266
    192.168.1.251  255.255.255.255         On-link     192.168.1.251    266
    192.168.1.255  255.255.255.255         On-link     192.168.1.251    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.251    266
        224.0.0.0        240.0.0.0         On-link        10.150.2.6    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.251    266
  255.255.255.255  255.255.255.255         On-link        10.150.2.6    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.1.254  Default
===========================================================================
  • 1
    Your Server and Client are on entirely separate subnets. Why?
    – Ramhound
    Commented Jul 22, 2016 at 20:24
  • That's a prerequisite of routing - if the remote and local networks had the same address, the systems wouldn't know whether to send the data packets to the local or to the remote network. If you were bridging via the VPN, then having the same IP networks on both ends would be fine, but when routing, they must be different.
    – Thomas
    Commented Jul 23, 2016 at 13:01
    If you say so. I see no evidence that you have something that provides a route between the subnets.
    – Ramhound
    Commented Jul 23, 2016 at 14:04

2 Answers


What you would need to do is set up Site to Site VPN tunnel. Right now, SERVER only has access to two networks; its local network, and the VPN network. This would make it so that devices on both networks could see each other.

To setup a Site to Site VPN tunnel, you will need to do the following:

Generate the certificates.

Configure the routers. In order for both networks to be able to talk to each other, each router will need to be configured for this Site to Site tunnel. Without knowing the exact routers you are using on each end, I can only make general statements, and can't verify if your routers are actually capable of doing this.

Assuming your routers have a GUI, and a menu in that interface for VPNs, you'll need to set up network details for the VPN:

  • Private network to be used for the VPN tunnel.
  • Global/Public IP address of the router on the other end. If you have a dynamic assignment on either end, you'll end up changing this setting whenever your address changes.
  • Allow VPN traffic in each router firewall.
  • Copy the certificates to the routers.

If your router does not have a GUI but uses a CLI, and does support Site to Site VPN, then you will need to configure a server config file for the VPN tunnel. You'll also need to upload the certificates and config file via SSH/FTP/TFTP. You will probably also have to install OpenVPN (or an equivalent), assuming it isn't installed on the router already.

Here is an example configuration file for you to start with:


float
dev tun
proto udp
remote [public address of other end here]
resolv-retry infinite
nobind
auth-user-pass /path/to/user/credentials/here/cred.conf
#user nobody
#group nobody
persist-key
persist-tun
ca /path/to/server/cert/here/ca.crt
cert /path/to/user/cert/here/user.crt
key /path/to/user/key/here/user.key
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Data-channel cipher as posted; OpenVPN 2.4+ peers negotiate
# AES-GCM instead when the server allows it.
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
# (Compression over a VPN is deprecated: it enables
# VORACLE-style plaintext recovery against HTTP traffic.)
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# Inline equivalents of the ca/cert/key file directives above;
# use either the file paths or the inline blocks, not both.
<ca>
-----BEGIN CERTIFICATE-----
[Long certificate hash here.  Will look like gibberish.]
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
[Long certificate hash here.  Will look like gibberish.]
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
[Long key hash here.  Will look like gibberish.]
-----END PRIVATE KEY-----
</key>

After that, you should have a VPN tunnel connecting the two networks, allowing the two ends to communicate freely.

If you find that one, or both, of your routers do not allow for VPN configuration, then you will need to replace them as needed. I personally like the Ubiquiti Edge Lite Router 3, but you may find another router that you are more comfortable with.

I hope this helps. If you are able to provide more information on your routers, I can go more in-depth on configuration.

  • I don't see why I was downvoted. Thomas wants devices on both ends to freely share resources between the two networks, not just between SERVER and REMOTE. Rather than configure the VPN on each device that wants access to SERVER, or share the VPN connection with extra software, this solves the problem much more elegantly. Commented Jul 25, 2016 at 14:33
  • While I haven't been the one who voted your answer down, I think I know why that happened. See, I explained in great detail what configuration I have installed, and you just replied "set up a site-to-site tunnel". Had you given a precise example, configuration files, anything, your reply would have been helpful. But so... I already knew I wanted site-to-site... and thought I had set this up.
    – Thomas
    Commented Jul 29, 2016 at 15:57
  • @Thomas You are correct. I will try and give as detailed information as I can for setting it up. Without the information on the routers, I won't be able to go into detail on how to configure them for a Site-to-Site VPN (if the routers are capable of such), but I can at least give some basic information. Commented Aug 1, 2016 at 14:09

I have now solved the issue; however, I installed a router with DD-WRT on it as the Server, rather than using a Windows PC for that. This way I have removed possible problems with RRAS on the Windows PC.

There were issues with that router-based setup, too, but these were solved. Still, for reference, here are the configurations I ended up with:

The significant part of the OpenVPN Server's config file:

push "route 10.150.1.0 255.255.255.0" 
server 10.150.2.0 255.255.255.0 
route 192.168.1.0 255.255.255.0 
client-config-dir ccd 
client-to-client

The ccd file (ccd/callcenter, as "callcenter" is the name of the client's key):

iroute 192.168.1.0 255.255.255.0
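To make the division of labour between `route` and `iroute` in the configuration above concrete, here is a small Python model added for this page; it is not OpenVPN's code and not Thomas's actual setup. Stage one is the server OS's longest-prefix-match routing decision, which the `route 192.168.1.0 255.255.255.0` directive feeds; stage two is OpenVPN's internal client table, which only the ccd `iroute` line populates. The addresses, the net30 tunnel layout and the client name callcenter come from the thread; the interface names lan0/tun0 and the verdict strings are assumptions. The script walks a packet for 192.168.1.251 through three server configurations: neither directive, `route` only, and `route` plus `iroute`.

```python
"""Two-stage forwarding model for an OpenVPN site-to-site link.

Added example for this thread, not OpenVPN's own code.  Stage 1 is the
server OS's longest-prefix-match routing decision (what 'route' installs);
stage 2 is OpenVPN's internal client table (what 'iroute' populates).
Addresses follow the thread: SERVER LAN 10.150.1.0/24, tunnel pool
10.150.2.0/24 in net30 topology, REMOTE LAN 192.168.1.0/24, client
common name 'callcenter'.  Interface names 'lan0'/'tun0' are assumed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    gateway: str        # next hop, or "on-link"
    interface: str
    metric: int


def R(prefix, gateway, interface, metric):
    return Route(IPv4Network(prefix), gateway, interface, metric)


def os_lookup(table, dst):
    """Kernel-style selection: longest prefix wins, then lowest metric."""
    dst = IPv4Address(dst)
    hits = [r for r in table if dst in r.prefix]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric))


def server_os_table(with_route_directive):
    """SERVER's table: LAN + default route, plus what 'server' and 'route' add."""
    table = [
        R("0.0.0.0/0", "10.150.1.254", "lan0", 266),
        R("10.150.1.0/24", "on-link", "lan0", 266),
        # 'server 10.150.2.0 255.255.255.0' (net30): the server is 10.150.2.1/30
        # and the whole tunnel pool is routed to its tun peer 10.150.2.2
        R("10.150.2.0/30", "on-link", "tun0", 276),
        R("10.150.2.0/24", "10.150.2.2", "tun0", 20),
    ]
    if with_route_directive:
        # 'route 192.168.1.0 255.255.255.0' in server.conf: an OS route only
        table.append(R("192.168.1.0/24", "10.150.2.2", "tun0", 20))
    return table


@dataclass
class OpenVPNServer:
    """Minimal model of the server's internal per-client routing."""
    clients: dict = field(default_factory=dict)   # common name -> tunnel IP
    iroutes: dict = field(default_factory=dict)   # network -> common name

    def connect(self, common_name, tunnel_ip, ccd_text=""):
        """Register a connected client and parse its ccd/<common_name> file."""
        self.clients[common_name] = IPv4Address(tunnel_ip)
        for line in ccd_text.splitlines():
            fields = line.split()
            if len(fields) == 3 and fields[0] == "iroute":
                self.iroutes[IPv4Network(f"{fields[1]}/{fields[2]}")] = common_name

    def client_for(self, dst):
        """Which client instance receives a packet that arrived on tun0."""
        dst = IPv4Address(dst)
        for cn, ip in self.clients.items():
            if dst == ip:
                return cn              # the client's own tunnel address
        best = None
        for net, cn in self.iroutes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, cn)
        return best[1] if best else None


def deliver(os_table, ovpn, dst):
    """Follow one packet leaving SERVER; returns a short verdict string."""
    route = os_lookup(os_table, dst)
    if route is None:
        return "unroutable"
    if route.interface != "tun0":
        return f"sent via {route.interface} to {route.gateway}"
    cn = ovpn.client_for(dst)
    if cn is None:
        return "dropped by OpenVPN: no client owns this destination"
    return f"forwarded to client {cn}"


CCD_CALLCENTER = "iroute 192.168.1.0 255.255.255.0\n"   # the ccd file from the answer


def scenario(with_route_directive, with_iroute):
    """Verdicts for REMOTE's tunnel IP and its LAN IP under one server config."""
    ovpn = OpenVPNServer()
    ovpn.connect("callcenter", "10.150.2.6", CCD_CALLCENTER if with_iroute else "")
    table = server_os_table(with_route_directive)
    return {dst: deliver(table, ovpn, dst) for dst in ("10.150.2.6", "192.168.1.251")}


if __name__ == "__main__":
    for flags in ((False, False), (True, False), (True, True)):
        print(f"route={flags[0]} iroute={flags[1]} -> {scenario(*flags)}")
```

Run it as a script to see the three verdicts. The `route`-only case is the one OpenVPN administrators hit most often: the kernel hands the packet to tun0, but the OpenVPN process has no client instance registered for 192.168.1.0/24 and drops it, while the client's own tunnel address 10.150.2.6 is reachable in every case because it is registered when the client connects. The model covers the SERVER-to-REMOTE direction only; `push "route 10.150.1.0 255.255.255.0"` gives REMOTE the return route, and the other hosts on 192.168.1.0/24 still need a route to 10.150.1.0/24 that points at REMOTE.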
