
I have a simple home network (10.1.1.0/24), where a few Windows 10 machines are connected to a wireless router and one of them is running an OpenVPN server (say PC1).

Remote clients can ping PC1 (10.1.1.8) but not any other device, even though the VPN server and the other devices are in the same subnet. Pretty much similar to this scenario. I have tried adding 10.1.1.0 mask 255.255.255.0 10.1.1.1 to the route table along with enabling IPEnableRouter in the registry, but no luck.

I am new to VPN tricks, so I feel like I'm missing something here. Any ideas, folks? (Except for bridging.)

  • server.ovpn
port 1194
proto udp
dev tun
****ca/cert/key/dh/tls-auth omitted****
server 10.8.0.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
  • client.ovpn
dev tun
proto udp
remote myddns.com 443
resolv-retry infinite
nobind
comp-lzo
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
****ca/cert/key/tls-auth omitted****
  • Route table of PC1
    Interface List
 21...00 ff a0 50 2d 1b ......TAP-Windows Adapter V9
  7...ea 4e 06 6b 4f 39 ......Microsoft Wi-Fi Direct Virtual Adapter #13
 58...e8 4e 06 6b 4f 39 ......Microsoft Wi-Fi Direct Virtual Adapter #14
 14...e8 4e 06 6b 4f 39 ......Realtek RTL8192EU Wireless LAN 802.11n USB 2.0 Network Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1         10.1.1.8     45
         10.1.1.0    255.255.255.0         On-link          10.1.1.8    301
         10.1.1.8  255.255.255.255         On-link          10.1.1.8    301
       10.1.1.255  255.255.255.255         On-link          10.1.1.8    301
         10.8.0.0    255.255.255.0         10.8.0.2         10.8.0.1     25
         10.8.0.0  255.255.255.252         On-link          10.8.0.1    281
         10.8.0.1  255.255.255.255         On-link          10.8.0.1    281
         10.8.0.3  255.255.255.255         On-link          10.8.0.1    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.1    281
        224.0.0.0        240.0.0.0         On-link          10.1.1.8    301
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.1    281
  255.255.255.255  255.255.255.255         On-link          10.1.1.8    301
===========================================================================
  • Route table of a Client
Interface List
  2...f8 a9 63 e0 26 bc ......Realtek PCIe GbE Family Controller
 20...00 ff d5 aa e2 9e ......TAP-Windows Adapter V9
 10...1e 0e c4 42 55 73 ......Microsoft Wi-Fi Direct Virtual Adapter
  4...2e 0e c4 42 55 73 ......Microsoft Wi-Fi Direct Virtual Adapter #2
  7...ec 0e c4 42 55 73 ......Qualcomm Atheros AR956x Wireless Network Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.43.129   192.168.43.150     55
         10.1.1.0    255.255.255.0         10.8.0.5         10.8.0.6     25
         10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     25
         10.8.0.4  255.255.255.252         On-link          10.8.0.6    281
         10.8.0.6  255.255.255.255         On-link          10.8.0.6    281
         10.8.0.7  255.255.255.255         On-link          10.8.0.6    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     192.168.43.0    255.255.255.0         On-link    192.168.43.150    311
   192.168.43.150  255.255.255.255         On-link    192.168.43.150    311
   192.168.43.255  255.255.255.255         On-link    192.168.43.150    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.43.150    311
        224.0.0.0        240.0.0.0         On-link          10.8.0.6    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.43.150    311
  255.255.255.255  255.255.255.255         On-link          10.8.0.6    281
===========================================================================

A little help, please!

  • 1) Is the Routing and Remote Access service running? 2) Is the firewall on PC2, PC3, etc. allowing traffic from the VPN subnet?
    – Danfossi
    Commented Oct 21, 2019 at 13:39
  • @Danfossi Yep, that service is running and set to automatic. I allowed the OpenVPN application in the firewall of PC1 and the other client PCs. I will add the PC1 route table; it looks a bit odd to me.
    – Pahan
    Commented Oct 21, 2019 at 14:27
  • The PC1 routing table looks OK :) Could you publish the routing table of one of the clients?
    – Danfossi
    Commented Oct 21, 2019 at 18:33
  • @Danfossi I have published the route table of a Windows 10 client :) Anything unusual?
    – Pahan
    Commented Oct 22, 2019 at 4:40
  • Have you added a return route (i.e. make 10.1.1.8 the gateway for 10.8.0.0/24) to the wireless router or any of the other devices? I wonder if Windows does NAT/masquerading.
    – Tom Yan
    Commented Oct 22, 2019 at 6:12
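The /30 entries in the two route tables above (10.8.0.0/30 on-link 10.8.0.1 on PC1, 10.8.0.4/30 on-link 10.8.0.6 on the client, and 10.8.0.1 reached via 10.8.0.5) are OpenVPN's default net30 topology at work: every endpoint gets its own /30 and Windows installs routes for it. The Python snippet below is an added example, not code from the question or from OpenVPN; it reproduces the allocation the server 10.8.0.0 255.255.255.0 directive performs under net30, the tunnel-related route lines each side's route print then shows, and, for contrast, the flat addressing of topology subnet, where a client has one address that both sides agree on.

```python
import ipaddress

SERVER_NET = ipaddress.ip_network("10.8.0.0/24")   # the 'server 10.8.0.0 255.255.255.0' line

def net30_allocation(n_clients, network=SERVER_NET):
    """Default (net30) topology: the first /30 is the server's, every further /30
    belongs to one client. In each /30, x.x.x.1 is the far ('peer') end and x.x.x.2
    the owner's own address, which is why the client shows 10.8.0.6 with next hop
    10.8.0.5 and the server shows 10.8.0.1 with next hop 10.8.0.2."""
    blocks = list(network.subnets(new_prefix=30))
    server = {"block": str(blocks[0]), "local": str(blocks[0][1]), "peer": str(blocks[0][2])}
    clients = [{"block": str(b), "peer": str(b[1]), "local": str(b[2]), "bcast": str(b[3])}
               for b in blocks[1:1 + n_clients]]
    return server, clients

def subnet_allocation(n_clients, network=SERVER_NET):
    """'topology subnet': one flat /24; the server takes the first host address and
    clients take the following ones, so a client's address is the same from both sides."""
    hosts = list(network.hosts())
    return str(hosts[0]), [str(h) for h in hosts[1:1 + n_clients]]

def windows_routes_net30(server, client, lan="10.1.1.0/24"):
    """Tunnel-related lines each side's 'route print' shows under net30, as
    (destination, next hop or 'On-link', interface); compare with the posted tables."""
    srv = [(server["block"], "On-link", server["local"]),              # 10.8.0.0/30 on-link 10.8.0.1
           (str(SERVER_NET), server["peer"], server["local"])]         # 10.8.0.0/24 via 10.8.0.2
    cli = [(client["block"], "On-link", client["local"]),              # 10.8.0.4/30 on-link 10.8.0.6
           (server["local"] + "/32", client["peer"], client["local"]), # 10.8.0.1 via 10.8.0.5
           (lan, client["peer"], client["local"])]                     # pushed 'route 10.1.1.0/24' via 10.8.0.5
    return srv, cli

if __name__ == "__main__":
    server, clients = net30_allocation(3)
    print("net30 server:", server)
    for c in clients:
        print("net30 client:", c)
    srv_routes, cli_routes = windows_routes_net30(server, clients[0])
    for r in srv_routes + cli_routes:
        print("  route:", r)
    print("subnet topology:", subnet_allocation(3))
```

Under net30 the second client gets 10.8.0.8/30 (address 10.8.0.10, peer 10.8.0.9), so the pool supports at most 63 clients on a /24, while topology subnet hands out 10.8.0.2, 10.8.0.3 and so on; in both cases the server's route for the whole 10.8.0.0/24 points into the tun interface, and OpenVPN's own client table, not the Windows route table, decides which connected client receives a given address.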

3 Answers


The How-To article on community.openvpn.net states:

Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).

I believe this is the solution, but unfortunately I can't test it, as my LAN gateway (wireless router) has no functionality to enable LAN-side static routes.

I guess I have to buy a better router, preferably one that comes with OpenVPN integrated. ;)

  • A better router isn't needed; simply add the correct dhcp-option to the server config: push 'dhcp-option DNS 10.1.1.1' and push 'dhcp-option WINS 10.1.1.1', where 10.1.1.1 is the LAN DNS server. However, if you're going to buy a new router, for OpenVPN or otherwise, buy one that's capable of running OpenWrt. Routers have a supported lifecycle of 1-2 yrs max (EOL is usually 1 yr for most manufacturers)... the ability to utilize OpenWrt ensures the router stays current with security patches, as well as greatly expanding the router's capabilities and features.
    – JW0914
    Commented Oct 22, 2019 at 17:28
  • @JW0914 I tested after adding the dhcp-options you mentioned, but unfortunately the client still can't ping other devices, including the gateway (10.1.1.1). I also noted that PC1 (server) is unable to ping the client (10.8.0.6) :(
    – Pahan
    Commented Oct 23, 2019 at 10:36

Your issue is that the server config is missing the correct options for LAN access routing, which is why I always recommend taking the time to read the

  • OpenVPN HowTo (~15min)
  • OpenVPN Man Page (~45min)

  • openvpn-server.conf

    # Pushed Routes #
    #---------------------------------------------------
      push                'dhcp-option    DNS 10.1.1.1'
      push                'dhcp-option    WINS 10.1.1.1'
    
      client-to-client    '1'
        # Each OS deals with parameters differently, so the 1 may need to be specified
    
    • Where 10.1.1.1/24 is the DNS & DHCP server behind the VPN you want to access

  • Also, AES-256-CBC is not required, as AES-128-CBC is currently uncrackable and will remain so for several years... all you're doing is massively slowing throughput with no security gains.
    • A better option, if concerned, would be changing the rekey time and size values


General FYI:

Many simply use the generic configs found online; however, the most benefit and best security come from tuning the configs.

  • Tuned Config Example

    #
    
            ##::[[---  OpenVPN Server Config  ---]]::##
    
    #===========================================================
                  ##----- VPN Admin Server -----##
    #===========================================================
    
      # Protocol #
    #-----------------------------------------------------------
      dev                     'tun0'
      topology                'subnet'
      proto                   'udp'
      port                    '61194'
    
      # Routes #
    #-----------------------------------------------------------
      server                  '10.32.2.0 255.255.255.248'
      ifconfig                '10.32.2.1 255.255.255.248'
    
      # Client Config #
    #-----------------------------------------------------------
      ccd-exclusive           '1'
      ifconfig-pool-persist   '/etc/openvpn/clients/vpn/ipp.txt'
      client-config-dir       '/etc/openvpn/clients/vpn'
    
      # Pushed Routes #
    #-----------------------------------------------------------
      push                    'route 192.168.2.0 255.255.255.240'
      push                    'dhcp-option  DNS 192.168.2.1'
      push                    'dhcp-option  WINS 192.168.2.1'
      push                    'dhcp-option  DNS 208.67.222.222'
      push                    'dhcp-option  DNS 208.67.220.220'
      push                    'dhcp-option  NTP 129.6.15.30'
    
      # Encryption #
    #-----------------------------------------------------------
      # Diffie-Hellman:
      dh                      '/etc/ssl/openvpn/dh2048.pem'
    
      # PKCS12:
      pkcs12                  '/etc/ssl/openvpn/vpn-server.p12'
    
      # SSL:
      cipher                  'AES-128-CBC'
      auth                    'SHA512'
      tls-crypt               '/etc/ssl/openvpn/tls-crypt.psk'
    
      # TLS:
      tls-version-min         '1.2'
      tls-cipher              'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
    
      # Logging #
    #-----------------------------------------------------------
      log                     '/tmp/vpn-server.log'
      status                  '/tmp/vpn-server-status.log'
      verb                    '4'
    
      # Connection Options #
    #-----------------------------------------------------------
      keepalive               '10 120'
      compress                'lz4'
    
      # Connection Reliability #
    #-----------------------------------------------------------
      client-to-client        '1'
      persist-key             '1'
      persist-tun             '1'
    
      # Connection Speed #
    #-----------------------------------------------------------
      sndbuf                  '393216'
      rcvbuf                  '393216'
      fragment                '0'
      mssfix                  '0'
      tun-mtu                 '48000'
    
      # Pushed Buffers #
    #-----------------------------------------------------------
      push                    'sndbuf 393216'
      push                    'rcvbuf 393216'
    
      # Permissions #
    #-----------------------------------------------------------
      user                    'nobody'
      group                   'nogroup'
    
  • I tried this, but it didn't resolve the ping issue. I verified the client's DNS and WINS IPs via ipconfig, and they are set to 10.1.1.1.
    – Pahan
    Commented Oct 23, 2019 at 10:44
  • Then there's an issue with the PC running the OpenVPN server routing traffic correctly to the router serving the LAN subnet behind the VPN, as those two dhcp-option parameters are all that's required for this to work correctly when the VPN server is run on a router. Generally speaking, it's highly unwise to run an OpenVPN server on a PC, as you must pass non-firewalled WAN traffic from the WAN-side router to the PC running the VPN server. Have you looked at OpenWrt's (preferably, as it's more mature than other open-source router firmware) or DD-WRT's sites to see if your router is supported?
    – JW0914
    Commented Oct 23, 2019 at 14:05
  • The Huawei HG8245H router is not supported by OpenWrt or DD-WRT. But good news: I managed to add the static route (10.8.0.0 255.255.255.0 10.1.1.8) to the router's configuration.xml manually. ;) Clients can now successfully ping all LAN devices. I would like to know whether having these dhcp-options is important when the server and gateway are two different machines. (Maybe these options can avoid a DNS leak in clients?)
    – Pahan
    Commented Oct 23, 2019 at 17:30
  • That's an excellent question and not one I have an answer to. I would recommend asking that on the OpenVPN forum or as a separate question on here. As to the HG8245H, since it's a modem+router combo, it's not supported by OpenWrt, DD-WRT, etc., because they don't support modems, only routers. Just an FYI: if this was provided by your ISP, it's recommended to firewall your LAN from the device (i.e. a personal router connected between the ISP equipment and LAN devices), as ISPs retain remote access to their equipment.
    – JW0914
    Commented Oct 24, 2019 at 11:48

Perhaps you can try the following PowerShell (don't mix it up with Command Prompt) cmdlet:

New-NetNat -Name "VpnMasq" -InternalIPInterfaceAddressPrefix "10.8.0.0/24"

which apparently would enable NAT (overload) for packets of the specified source prefix.

It might only be available on Windows 10 Pro/Enterprise, like Hyper-V, which it mainly serves.

If it doesn't help just:

Remove-NetNat -Name "VpnMasq"

But before that, you should make sure you can ping (or, rather, reach) the clients from the server via the tunnel. I'm not familiar with how net30 works (the default topology of OpenVPN), and the subnet topology might be simpler and suit your use case better anyway. So add the line:

topology subnet

before the server line. Then the client IP from both sides' POV should be the same.

Note that with the subnet topology being used, whether the clients can reach each other (not each other's LAN, though) depends on whether the server allows packets from the tunnel to be forwarded back into the tunnel when client-to-client is not used in the server conf.
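Why the How-To's return route on the LAN gateway works (the first answer; the asker's later comment confirms it did), why a return route on each LAN host would also work (the comment under the question), and why the NAT cmdlet in this answer sidesteps the whole problem, is easiest to see by replaying the forwarding decision hop by hop. The Python script below is an added example, not code from the thread or from OpenVPN. The 'client' and 'pc1' nodes carry the routes posted in the question; 'pc2' (a LAN host at 10.1.1.20) and 'router' (10.1.1.1, with an assumed WAN address 203.0.113.5) are constructed stand-ins with the tables an ordinary host and consumer router have, since the question does not show those. Delivery through the tunnel is modelled as OpenVPN handing the packet to the peer, and the metric of the route the asker tried on PC1 is assumed.

```python
import ipaddress

def R(net, gw, iface, metric):
    # (destination, next hop or None for on-link, egress interface IP, metric)
    return (ipaddress.ip_network(net), gw, iface, metric)

TUNNEL = {"client": "pc1", "pc1": "client"}   # who sits at the other end of each tun

def build_nodes(fix=None):
    nodes = {
        "client": {"ifaces": {"192.168.43.150", "10.8.0.6"}, "tun": "10.8.0.6",   # posted table
                   "routes": [R("0.0.0.0/0", "192.168.43.129", "192.168.43.150", 55),
                              R("10.1.1.0/24", "10.8.0.5", "10.8.0.6", 25),
                              R("10.8.0.1/32", "10.8.0.5", "10.8.0.6", 25),
                              R("10.8.0.4/30", None, "10.8.0.6", 281),
                              R("192.168.43.0/24", None, "192.168.43.150", 311)]},
        "pc1":    {"ifaces": {"10.1.1.8", "10.8.0.1"}, "tun": "10.8.0.1",          # posted table
                   "routes": [R("0.0.0.0/0", "10.1.1.1", "10.1.1.8", 45),
                              R("10.1.1.0/24", None, "10.1.1.8", 301),
                              R("10.8.0.0/24", "10.8.0.2", "10.8.0.1", 25),
                              R("10.8.0.0/30", None, "10.8.0.1", 281)]},
        "pc2":    {"ifaces": {"10.1.1.20"}, "tun": None,                           # constructed
                   "routes": [R("0.0.0.0/0", "10.1.1.1", "10.1.1.20", 25),
                              R("10.1.1.0/24", None, "10.1.1.20", 281)]},
        "router": {"ifaces": {"10.1.1.1", "203.0.113.5"}, "tun": None,             # constructed
                   "routes": [R("0.0.0.0/0", "203.0.113.1", "203.0.113.5", 1),
                              R("10.1.1.0/24", None, "10.1.1.1", 1)]},
    }
    if fix == "pc1_route":        # what the asker tried: 10.1.1.0/24 via 10.1.1.1 on PC1 (metric assumed)
        nodes["pc1"]["routes"].append(R("10.1.1.0/24", "10.1.1.1", "10.1.1.8", 46))
    elif fix == "gateway_route":  # How-To fix: 10.8.0.0/24 -> 10.1.1.8 on the LAN gateway
        nodes["router"]["routes"].append(R("10.8.0.0/24", "10.1.1.8", "10.1.1.1", 1))
    elif fix == "host_route":     # the same return route, but on every LAN host instead
        nodes["pc2"]["routes"].append(R("10.8.0.0/24", "10.1.1.8", "10.1.1.20", 25))
    return nodes

def best_route(routes, dst):
    """Forwarding decision: longest prefix match, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3])) if matches else None

def owner(nodes, ip):
    return next((n for n, d in nodes.items() if ip in d["ifaces"]), None)

def trace(nodes, src, dst, max_hops=8):
    """Follow one packet from node 'src' towards address 'dst'; returns (delivered, path)."""
    path, node = [src], src
    for _ in range(max_hops):
        if dst in nodes[node]["ifaces"]:
            return True, path
        r = best_route(nodes[node]["routes"], dst)
        if r is None:
            return False, path + ["no route"]
        _, gw, iface, _ = r
        if iface == nodes[node]["tun"]:
            nxt = TUNNEL[node]               # OpenVPN hands the packet to the peer
        else:
            nxt = owner(nodes, gw or dst)    # on-link: ARP for dst itself, else for the gateway
        if nxt is None:
            return False, path + ["off-net via " + (gw or dst)]
        path.append(nxt)
        node = nxt
    return False, path + ["loop"]

def round_trip(fix=None):
    """Echo request client -> pc2, then echo reply pc2 -> client.
    Returns (reply_delivered, request_path, reply_path)."""
    nodes = build_nodes(fix)
    ok, req = trace(nodes, "client", "10.1.1.20")
    if not ok:
        return False, req, []
    if fix == "nat":
        # New-NetNat on PC1: the request left PC1 with source 10.1.1.8, so pc2 answers PC1
        # itself; PC1 untranslates the destination back to 10.8.0.6 and forwards into the tunnel.
        ok1, rep1 = trace(nodes, "pc2", "10.1.1.8")
        ok2, rep2 = trace(nodes, "pc1", "10.8.0.6")
        return ok1 and ok2, req, rep1 + rep2[1:]
    ok, rep = trace(nodes, "pc2", "10.8.0.6")
    return ok, req, rep

if __name__ == "__main__":
    for fix in (None, "pc1_route", "gateway_route", "host_route", "nat"):
        ok, req, rep = round_trip(fix)
        print(f"{str(fix):14} request {' -> '.join(req)} | reply {' -> '.join(rep)} | "
              f"{'OK' if ok else 'LOST'}")
```

With no fix the request is delivered (client -> pc1 -> pc2), but pc2 has no route for 10.8.0.0/24, so the reply follows its default route to 10.1.1.1, and the router in turn pushes it out towards the ISP, where a 10.x destination is dead. The route the asker added on PC1 changes only the request path: PC1 already had 10.1.1.0/24 on-link, and the missing entry is for 10.8.0.0/24 on whichever LAN device has to send replies. The gateway route and the per-host route both turn the reply into pc2 -> (router ->) pc1 -> client; NAT does the same by making PC1's own address the one the LAN answers to, at the cost of hiding the client's real address from the LAN hosts. With more than one client connected, OpenVPN's internal table picks the client that owns the destination address; the single TUNNEL mapping stands in for that here.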
