OpenVPN server for access to the local network

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Post by hack3rcon » 2023/07/30 12:51:41

Hello,
My OpenVPN server NICs are:

enp0s3 (NAT)
enp0s8 (LAN)
And their IP addresses are:

# ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feed:b47c  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
        RX packets 21328  bytes 5784129 (5.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14787  bytes 2805600 (2.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe74:6397  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:74:63:97  txqueuelen 1000  (Ethernet)
        RX packets 9853  bytes 1811888 (1.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3657  bytes 1472226 (1.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
My OpenVPN server can ping my internal network:

# ping 172.20.1.18
PING 172.20.1.18 (172.20.1.18) 56(84) bytes of data.
64 bytes from 172.20.1.18: icmp_seq=1 ttl=63 time=1.10 ms
64 bytes from 172.20.1.18: icmp_seq=2 ttl=63 time=0.954 ms
64 bytes from 172.20.1.18: icmp_seq=3 ttl=63 time=1.21 ms
^C
--- 172.20.1.18 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2054ms
rtt min/avg/max/mdev = 0.954/1.089/1.214/0.106 ms
I want to connect a Windows client to this server so that it can see my internal network. My OpenVPN server configuration file is:

port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
route 172.20.1.0  255.255.0.0
push "route 172.20.1.0  255.255.0.0"
push "dhcp-option DNS 172.20.1.2"
keepalive 10 120
tls-auth ta.key 0
data-ciphers AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
On the OpenVPN server I added the following iptables rules:

# IF_MAIN=enp0s3
# IF_TUNNEL=tun0
# YOUR_OPENVPN_SUBNET=10.8.0.0/16
# iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
Then I disabled IP forwarding:

# sysctl -p
net.ipv4.ip_forward = 0
And the client.ovpn file is:

dev tun
proto udp
remote 192.168.1.20 1194
route add 172.20.1.0 255.255.0.0
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
data-ciphers AES-256-CBC
verb 3
When I connected to the OpenVPN server, I got the following messages:

Sun Jul 30 16:25:01 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sun Jul 30 16:25:01 2023 Note: cipher 'AES-256-CBC' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.
Sun Jul 30 16:25:01 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Sun Jul 30 16:25:01 2023 Windows version 6.1 (Windows 7), amd64 executable
Sun Jul 30 16:25:01 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Sun Jul 30 16:25:01 2023 DCO version: v0
Sun Jul 30 16:25:01 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sun Jul 30 16:25:01 2023 Need hold release from management interface, waiting...
Sun Jul 30 16:25:01 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1095
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'state on'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'log on all'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'echo on all'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'bytecount 5'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'state'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'hold off'
Sun Jul 30 16:25:01 2023 MANAGEMENT: CMD 'hold release'
Sun Jul 30 16:25:02 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:1194
Sun Jul 30 16:25:02 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jul 30 16:25:02 2023 UDPv4 link local: (not bound)
Sun Jul 30 16:25:02 2023 UDPv4 link remote: [AF_INET]192.168.1.20:1194
Sun Jul 30 16:25:02 2023 MANAGEMENT: >STATE:1690718102,WAIT,,,,,,
Sun Jul 30 16:25:02 2023 MANAGEMENT: >STATE:1690718102,AUTH,,,,,,
Sun Jul 30 16:25:02 2023 TLS: Initial packet from [AF_INET]192.168.1.20:1194, sid=859b58ea 7fe7a961
Sun Jul 30 16:25:02 2023 VERIFY OK: depth=1, CN=Server
Sun Jul 30 16:25:02 2023 VERIFY KU OK
Sun Jul 30 16:25:02 2023 Validating certificate extended key usage
Sun Jul 30 16:25:02 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jul 30 16:25:02 2023 VERIFY EKU OK
Sun Jul 30 16:25:02 2023 VERIFY OK: depth=0, CN=server
Sun Jul 30 16:25:02 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sun Jul 30 16:25:02 2023 [server] Peer Connection Initiated with [AF_INET]192.168.1.20:1194
Sun Jul 30 16:25:02 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sun Jul 30 16:25:02 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
Sun Jul 30 16:25:02 2023 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 172.20.1.0  255.255.0.0,dhcp-option DNS 172.20.1.2,dhcp-option DNS 172.20.1.7,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-CBC,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: route options modified
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 30 16:25:02 2023 OPTIONS IMPORT: tun-mtu set to 1500
Sun Jul 30 16:25:02 2023 interactive service msg_channel=312
Sun Jul 30 16:25:02 2023 open_tun
Sun Jul 30 16:25:02 2023 tap-windows6 device [OpenVPN TAP-Windows6] opened
Sun Jul 30 16:25:02 2023 TAP-Windows Driver Version 9.24 
Sun Jul 30 16:25:02 2023 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {6A2BF0FA-B68E-4062-9447-B078773E36FD} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sun Jul 30 16:25:02 2023 Successful ARP Flush on interface [15] {6A2BF0FA-B68E-4062-9447-B078773E36FD}
Sun Jul 30 16:25:02 2023 MANAGEMENT: >STATE:1690718102,ASSIGN_IP,,10.8.0.6,,,,
Sun Jul 30 16:25:02 2023 IPv4 MTU set to 1500 on interface 15 using service
Sun Jul 30 16:25:02 2023 Data Channel: cipher 'AES-256-CBC', auth 'SHA1', peer-id: 1
Sun Jul 30 16:25:02 2023 Timers: ping 10, ping-restart 120
Sun Jul 30 16:25:02 2023 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
Sun Jul 30 16:25:07 2023 TEST ROUTES: 4/4 succeeded len=3 ret=1 a=0 u/d=up
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 192.168.1.20 MASK 255.255.255.255 192.168.1.20 IF 11
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 MANAGEMENT: >STATE:1690718107,ADD_ROUTES,,,,,,
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 172.20.1.0 MASK 255.255.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 ERROR: route addition failed using service: The parameter is incorrect.   [status=87 if_index=15]
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 172.20.1.0 MASK 255.255.0.0 10.8.0.5
Sun Jul 30 16:25:07 2023 ERROR: route addition failed using service: The parameter is incorrect.   [status=87 if_index=15]
Sun Jul 30 16:25:07 2023 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sun Jul 30 16:25:07 2023 Route addition via service succeeded
Sun Jul 30 16:25:07 2023 Initialization Sequence Completed
Sun Jul 30 16:25:07 2023 MANAGEMENT: >STATE:1690718107,CONNECTED,ROUTE_ERROR,10.8.0.6,192.168.1.20,1194,,
Sun Jul 30 16:25:07 2023 ERROR: Some routes were not successfully added. The connection may not function correctly
The client connected to the server:

Unknown adapter OpenVPN TAP-Windows6:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-6A-2B-F0-FA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b404:5a8b:df0e:52c3%15(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Sunday, July 30, 2023 4:25:02 PM
   Lease Expires . . . . . . . . . . : Monday, July 29, 2024 4:25:02 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.5
   DHCPv6 IAID . . . . . . . . . . . : 335609706
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-E4-62-78-08-00-27-43-77-E3

   DNS Servers . . . . . . . . . . . : 172.20.1.2
                                       172.20.1.7
   NetBIOS over Tcpip. . . . . . . . : Enabled

Unknown adapter OpenVPN Wintun:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Wintun Userspace Tunnel
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   Physical Address. . . . . . . . . : 08-00-27-43-77-E3
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6ca6:a423:e55d:a449%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.20
   DHCPv6 IAID . . . . . . . . . . . : 235405351
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-E4-62-78-08-00-27-43-77-E3

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
...
But I can't ping the internal network:

C:\>ping 172.20.1.18

Pinging 172.20.1.18 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.20.1.18:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>
What is the problem?


Thank you.
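A check for the route failure visible in the client log, added here as an example; it is not code from the post or from the OpenVPN project. Windows rejects `route ADD 172.20.1.0 MASK 255.255.0.0` with status 87 (ERROR_INVALID_PARAMETER, "The parameter is incorrect") because 172.20.1.0 has host bits set under a 255.255.0.0 mask; the network address consistent with that mask is 172.20.0.0. The script below parses the two configs from the post (embedded verbatim as constructed sample input), flags every `route` and `server` directive whose network is not aligned to its netmask, and flags the `route add ...` line in client.ovpn, which is route.exe syntax rather than OpenVPN's `route network netmask [gateway]`. All function and variable names are this example's own.

```python
"""Check OpenVPN route/server directives for network-vs-netmask alignment.

Added example, not code from the forum post or from OpenVPN.  The two
config texts below are copied from the post as constructed sample input;
the checks and messages are this script's own.
"""
import ipaddress
import shlex

# Constructed sample input: the server.conf from the post (routing-relevant lines).
SERVER_CONF = """\
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
route 172.20.1.0  255.255.0.0
push "route 172.20.1.0  255.255.0.0"
push "dhcp-option DNS 172.20.1.2"
"""

# Constructed sample input: the client.ovpn from the post (routing-relevant lines).
CLIENT_OVPN = """\
dev tun
proto udp
remote 192.168.1.20 1194
route add 172.20.1.0 255.255.0.0
nobind
"""


def parse_directives(text):
    """Return [(directive, args, pushed)] for every non-comment line.

    OpenVPN comments start with '#' or ';'.  A push "..." line is unwrapped
    so the pushed directive is checked exactly like a local one.
    """
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        pushed = False
        if parts[0] == "push" and len(parts) >= 2:
            parts = shlex.split(parts[1])
            pushed = True
        if parts:
            out.append((parts[0], parts[1:], pushed))
    return out


def check_network(args, default_mask="255.255.255.255"):
    """Validate 'network [netmask ...]' as used by 'route' and 'server'.

    Returns (ok, message).  A network with host bits set under its netmask
    (172.20.1.0 with 255.255.0.0) is what the Windows route API rejects with
    ERROR_INVALID_PARAMETER (status 87) in the client log; the message names
    the aligned network to use instead.  Hostnames are not resolved here.
    """
    if not args:
        return False, "missing network address"
    if args[0].lower() == "add":
        return False, ("'add' is route.exe syntax, not OpenVPN's; "
                       "the directive is 'route network netmask [gateway]'")
    net = args[0]
    mask = args[1] if len(args) > 1 else default_mask
    try:
        iface = ipaddress.IPv4Interface(f"{net}/{mask}")
    except ValueError as exc:
        return False, f"cannot parse {net} {mask} (hostnames not resolved): {exc}"
    aligned = iface.network.network_address
    if iface.ip != aligned:
        return False, (f"{net} is not aligned to {mask}: host bits are set; "
                       f"use {aligned} {mask} (i.e. {iface.network})")
    return True, f"{iface.network} ok"


def audit(text):
    """Run check_network over every route/server directive in a config.

    Returns a list of (directive, args, pushed, ok, message) in file order.
    """
    findings = []
    for directive, args, pushed in parse_directives(text):
        if directive in ("route", "server"):
            ok, msg = check_network(args)
            findings.append((directive, args, pushed, ok, msg))
    return findings


def problems(text):
    """Only the failing findings, for a quick pass/fail."""
    return [f for f in audit(text) if not f[3]]


if __name__ == "__main__":
    for name, conf in (("server.conf", SERVER_CONF), ("client.ovpn", CLIENT_OVPN)):
        print(f"== {name}")
        for directive, args, pushed, ok, msg in audit(conf):
            where = "push " if pushed else ""
            print(f"  [{'OK ' if ok else 'BAD'}] {where}{directive} {' '.join(args)}: {msg}")
```

Run it as `python3 check_routes.py` (the file name is an assumption); it reports the local and pushed `route 172.20.1.0 255.255.0.0` lines in server.conf and the `route add` line in client.ovpn as bad, and the `server 10.8.0.0 255.255.255.0` line as aligned. Fixing the mask is necessary but not sufficient for the ping to succeed: with `net.ipv4.ip_forward = 0`, the Linux server will not forward packets between tun0 and its LAN side at all, so forwarding also has to be enabled (`sysctl -w net.ipv4.ip_forward=1`) before a correctly pushed route can do anything.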
