I have an OpenVPN client on Windows 7 that connects to an OpenVPN server with tap.
The tunnel establishes correctly.
AFAIK, tap means that my virtual adapter is 'virtually' connected to the remote LAN, gets a remote LAN IP and participates in the LAN broadcast domain and so on.
When the tunnel is established, my virtual adapter gets the correct IP.
But I cannot ping the other hosts in the remote network.
It might be a problem on the server side, but before checking there I've noticed something strange on the client side, in the way Windows handles the virtual interface.
Let's begin.
When the tunnel is up, the virtual interface is up too. In my routing table I can see my physical network, in fact my local IP is
Then I can see the remote network, directly attached to my interface. So far so good. (I've removed loopback entries.)

     25         On-link    276         On-link    276         On-link    276         On-link    281         On-link    281         On-link    281         On-link    276         On-link    281         On-link    276         On-link    281

Thus, clients on the remote network shouldn't be reached via gateway, but through direct routing via the virtual interface provided by openvpn.
But when I trace the route to a host on the remote network (that my PC should see as local) my client routes it on the gateway, and obviously, gets lost.

  1     1 ms     1 ms     1 ms
  2    14 ms    96 ms   101 ms
  3     *        *        *     Richiesta scaduta.
  4    24 ms    12 ms    12 ms
  5     *        *        *     Richiesta scaduta.

And here it seems that the system routes packages straight to the gateway as if it didn't see the directly attached network adapter. Why does this happen?

Edit 1 - details on my OpenVPN client config

C:\Users\agostinox>openvpn --version
OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08

And my client config:

remote xxx.xxx.xxx.xxx
cipher AES-128-CBC
port 1194
proto tcp-client
dev tap
dev-node "Connessione alla rete locale (LAN) 3"
secret a_file_containing_my_preshared_key.key
ping 10
verb 4
mute 10

Edit 2, details on my server configuration

Here is the "backup" of my (pfsense) server configuration.
As you can see the configuration is at the minimum possible.

  <ipaddr /> 
  <description><![CDATA[ test tap OpenVPN server]]></description>
  <custom_options /> 
  <shared_key>... my shared key, omitted ...</shared_key> 
  <tunnel_network /> 
  <tunnel_networkv6 /> 
  <remote_network /> 
  <remote_networkv6 /> 
  <gwredir /> 
  <local_network /> 
  <local_networkv6 /> 
  <maxclients /> 
  <passtos /> 
  <client2client /> 
  <dynamic_ip /> 
  <topology_subnet /> 
  <serverbridge_dhcp /> 
  <serverbridge_interface /> 
  <serverbridge_dhcp_start /> 
  <serverbridge_dhcp_end /> 
  <netbios_enable /> 
  <netbios_scope /> 

Edit 3, output of ipconfig /all

When the tunnel is up, this is the output of

ipconfig /all
Scheda Ethernet TAP-Interface:

   Suffisso DNS specifico per connessione:
   Descrizione . . . . . . . . . . . . . : TAP-Windows Adapter V9
   Indirizzo fisico. . . . . . . . . . . : 00-FF-7B-FB-32-C0
   DHCP abilitato. . . . . . . . . . . . : Sì
   Configurazione automatica abilitata   : Sì
   Indirizzo IPv6 locale rispetto al collegamento . : fe80::3838:3c0c:c3c6:fcca%35(Preferenziale)
   Indirizzo IPv4. . . . . . . . . . . . :
   Subnet mask . . . . . . . . . . . . . :
   Lease ottenuto. . . . . . . . . . . . : giovedì 16 aprile 2015 09:57:32
   Scadenza lease . . . . . . . . . . .  : venerdì 15 aprile 2016 09:57:32
   Gateway predefinito . . . . . . . . . : fe80::20c:29ff:fe92:2272%35
   Server DHCP . . . . . . . . . . . . . :
   IAID DHCPv6 . . . . . . . . . . . : 1107361659
   DUID Client DHCPv6. . . . . . . . : 00-01-00-01-14-AE-89-EA-F0-4D-A2-63-11-97
   Server DNS . . . . . . . . . . . . .  : fec0:0:0:ffff::1%1
   NetBIOS su TCP/IP . . . . . . . . . . : Attivato
    Did you start OpenVPN with administrator privileges? – shodanshok Apr 12 '15 at 11:26
    Yes, I've used a user that has full privileges on the machine. – AgostinoX Apr 12 '15 at 15:10
    Could we see the server config? – Lenniey Apr 14 '15 at 12:58
    @Lenniey, I've updated the question adding the server configuration. It's the pfsense backup format and should be readable enough, hope it's fine. – AgostinoX Apr 14 '15 at 13:38
    I'd look at the metric being supplied by OpenVPN. If I start up my tunnels (using TUN, but nevertheless), my routes get added with a lower metric than the default route of my machine. – Lenniey Apr 14 '15 at 14:30
    "I've used a user that has full privileges on the machine." is not enough if UAC is active, you have to run the client with "Run as administrator" so it can add routes to the system routing table. – Brian Apr 15 '15 at 13:56
    UAC has been deactivated. And Run as administrator has been used. The problem is still there. It seems like the openvpn client binds itself with the "physical" network, it seems to be not a routing problem but a 'binding' one. – AgostinoX Apr 15 '15 at 14:17
  • Well, you can test that with ipconfig /all, are the OpenVPN IPs correctly bound to your TAP-device? – Lenniey Apr 16 '15 at 07:15
  • @Lenniey, I've added the ipconfig /all output; it's in Italian but it should be clear enough. Here I can check that the interface is connected, but what about the entire network? – AgostinoX Apr 16 '15 at 08:21
  • Hm, you can see that the TAP interface has the right IP, but is using an IPv6 gateway. I think that may be the problem. The interface tries to send the packets to the default gateway of your TAP-device, the IPv6 one, that won't work without a gateway using IPv6 itself. Do you have any static gateways or something used in the device configuration? – Lenniey Apr 16 '15 at 08:47
  • I tried again and the gateway disappeared, yet it doesn't work. Then, disconnected and reconnected, it has appeared again. I'm thinking of giving up. – AgostinoX Apr 16 '15 at 20:32
  • What OS are you using on the OpenVPN server? – Iulian Apr 17 '15 at 14:31
  • Can you post the output of ipconfig /all in its entirety? Also, when you say you can't ping the hosts in the 'other network' ... what IPs are those hosts? Your problem is you need OpenVPN to do a 'push route' - but I need more info to see what you have going on... – EdH Apr 21 '15 at 02:13
  • The most important thing to watch for on Windows 7 clients is of course running the client with admin privileges to get the routing information properly. You should also check for a corresponding firewall rule on your OpenVPN server, otherwise the packets will be silently discarded and you will get nothing on OpenVPN logs. BTW uploading your log files will certainly help in further diagnosing the problem. – Umair Naqvi Aug 01 '15 at 18:58
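
Added example, not part of the original question or its comments: a small Python model of the route lookup the question relies on, where the longest matching prefix wins and the metric only breaks ties between equal prefixes. The routing table and every address in it are constructed, since the addresses in the post are missing.

```python
import ipaddress

# Constructed routing table for illustration (the addresses in the post were
# stripped). Fields: destination prefix, gateway, interface label, metric.
ROUTES = [
    ("0.0.0.0/0",       "192.168.1.1", "physical", 25),
    ("192.168.1.0/24",  "On-link",     "physical", 276),
    ("192.168.1.50/32", "On-link",     "physical", 276),
    ("10.20.0.0/24",    "On-link",     "tap",      281),
    ("10.20.0.7/32",    "On-link",     "tap",      281),
]


def select_route(dest, routes=ROUTES):
    """Pick the route for dest: longest matching prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = []
    for prefix, gateway, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append({"prefix": prefix, "gateway": gateway,
                            "iface": iface, "metric": metric,
                            "prefixlen": net.prefixlen})
    if not matches:
        return None
    return max(matches, key=lambda r: (r["prefixlen"], -r["metric"]))


def diagnose(dest, routes=ROUTES):
    """Describe how dest would leave the host: on-link or via a gateway."""
    route = select_route(dest, routes)
    if route is None:
        return "no route"
    if route["gateway"] == "On-link":
        return "on-link via " + route["iface"]
    return "via gateway %s on %s (matched %s)" % (
        route["gateway"], route["iface"], route["prefix"])


if __name__ == "__main__":
    # 10.20.0.99 is inside the TAP prefix; 10.20.1.99 is outside it (for
    # example a too-narrow mask on the adapter) and falls to the default route.
    for host in ("10.20.0.99", "10.20.1.99", "192.168.1.20"):
        print(host, "->", diagnose(host))
```

A destination that traces through the physical gateway is one that matched no on-link prefix on the TAP adapter, so the address and subnet mask actually assigned to that adapter are the first things to compare against the target host.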

3 Answers


Not being too Windows savvy wrt. OpenVPN, FWIW, here is my bid on what the culprit might be here:

  • Looking at the output from your Windows route command, it seems you are missing a gateway entry for the OpenVPN network. True, you have an address on the VPN net (the address), but no gw is defined for that net. On my box, I have access to several networks, each with its own GW like so:     20     21

To fix this, open your openvpn server config and add a line like this:

 push "route"

to it. This ensures that a proper route is pushed to the client whenever the connection to the server is up.

  • You may also be missing the return route - sometimes (not always for reasons I don't quite get) you need to add an iroute to the config entry you have for a given client in the server ccd directory (/etc/openvpn/ccd/<vpn>/<client-id>). This brings up the reverse route when a client connects to the server. The contents of one of my ccd files look like this:


This ensures the OpenVPN server can correctly route stuff back to the client.

  • I think you can also just add iroutes to the main server config, but then they will be defined even if the client is not connected. That would look like this:

  • EDIT: Also note that running OpenVPN clients on Windows requires administrative privileges. Otherwise, OpenVPN will not be able to add routes and such (as noted in the comments to your question). Best thing is to run it as a service so connections come up automatically on boot. At least, that works out really well in my scenarios.

I think that might get you going again. OpenVPN is really great and I have used it successfully for both business and gaming purposes for some time now :-)

    But does all this reasoning on routes apply to tap, that is non-routed vpn too? – AgostinoX Apr 16 '15 at 20:26
    Hmm - I may have jumped the gun on this. I have only used tun for my stuff, but I would imagine the routing stuff is still needed. How else would the OpenVPN server know about how to direct traffic back to clients? Also, since you have two networks in play (not just a bridge between two halves of one network), it seems routing is a must in any case. Have a look at [this](https://community.openvpn.net/openvpn/wiki/BridgingAndRouting) page on OpenVPN routing. – MrMajestyk Apr 17 '15 at 06:19
    I have two networks but the situation is more like a multihomed host (and big chances are that THIS is where problems come from) than a routed network. From the routing point of view, I should have a directly connected network. The local and remote interfaces will be bridged. The remote network will see my client as reachable via level 2 frames in the local network. – AgostinoX Apr 17 '15 at 07:13
    I still think you will have to do some routing to get this running - think of it from the server (B) side. Let's say your client machine (A) sends a request to some machine (C) on the remote network beyond B - how will C be able to send responses back to A unless B has published a route to A? – MrMajestyk Apr 17 '15 at 07:18
    C would use 'direct routing'. My address is an address on the remote network ( The point is that machines on the remote network won't reach my pc passing through a gateway, but talking with the interface of the VPN server "as it was" my pc, because of the bridge. That's how tap should work, it's all about not setting routes on remote machines. – AgostinoX Apr 17 '15 at 07:48
    I think TAP would only work 'router-free' if all hosts share the same LAN - say (no involved at all), i.e. A, B and C are all on _only_. I would think (haven't checked) that packages from A might have the address. Without the GW definition, traffic to would go to the default GW Similarly, without a route, traffic from C to A would go through the default GW on that side, rather than the bridge at B without a suitable route. You can test this by assigning A a GW for the net I would think. – MrMajestyk Apr 17 '15 at 08:46

Locate the OpenVPNgui.exe, openvpn.exe and openvpnserver.exe files in the bin folder of your OpenVPN install. Right-click the executables, select properties and then the compatibility tab. Click the "Run this program as an administrator" check box, and close the properties panel. Completely close out of OpenVPN (use task manager to confirm none of the executables are still running). Launch OpenVPN again and give it another try.

I have a feeling you are not pushing your routes correctly from the server. I noticed that your gateway for the VPN is an IPv6 address.

Try using the push option in server.conf to push your routes. You might also want to add the server directive so you can reserve the client subnet.

If you're on Linux you will need to have net.ipv4.ip_forward = 1 on the VPN server set up with sysctl as well.



  • This in the case of TAP too? I'm not 'routing' to the remote network. I 'AM' in the remote network. My local virtual interface should be bridged to the remote vpn server interface, and all level 2 traffic would be forwarded with no routing activity, AFAIK. – AgostinoX Apr 17 '15 at 15:02