OpenVPN connected, but not routing (ping test fails)

3

2

I am setting up a VPN connection for the first time. I am working on a project in which I would like to access my LAN at my home from the outside world. So, I installed OpenVPN 2.2.2 on my 32-bit Windows 7 laptop (acting as the server). My end goal is to load a page which is accessible only on my local network.

I created a client certificate for a 64-bit Windows 8 laptop (with OpenVPN 2.2.2 installed on it). I am able to connect to the server through VPN using my client. I can see the green GUI icon in the system tray on both laptops. I also see "Initialization Sequence Completed" in the logs with no major errors. However, when I try to ping any of my devices within the LAN, I am not able to do it using my remote client running OpenVPN. Also, when I look up my IP using http://www.whatismyip.com/, I still get the client's original IP address and not my LAN's IP.

These are the major warnings/notes that I have received.

Server:

NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.

Warning: route gateway is not reachable on any active network adapters: 10.8.0.2

MULTI: bad source address from client [192.168.2.30], packet dropped

Client:

WARNING: potential route subnet conflict between local LAN [172.20.10.0/255.255.255.240] and remote VPN [0.0.0.0/0.0.0.0]

I have been doing a lot of research on this for the past week. I looked into the OpenVPN documentation and forums. People are able to connect to the servers, but are not able to ping. These are the additional steps I have taken:

  • disabled my Windows firewall completely (both on client and server) to address the TUN/TAP interface issue
  • set up port forwarding, so whatever connections are made to my router on port 1194 are forwarded to my server (with a static IP of 192.168.1.168)
  • running everything with admin rights
  • configured Routing and Remote Access on the Windows machine (server)
  • IPEnableRouter is 1
  • checked the box for "Allow other network users to connect through this computer's Internet connection" for the TAP adapter

Some more steps that I undertook after obtaining them from the OpenVPN forums:

Server.ovpn

port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "route 0.0.0.0 0.0.0.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 5

Client.ovpn

client
dev tun
proto udp
remote xx.xx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\client1.crt"
key "C:\\Program Files (x86)\\OpenVPN\\config\\client1.key"
ns-cert-type server
comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60
route-method exe
route-delay 2

If you could help me troubleshoot this problem, it would be really great. Any hints/suggestions are extremely welcome. Thanks.

EDIT:1

Thanks a lot for your suggestions.

1) Could you please explain a little bit what exactly you mean by "getting a firewall or if you have one using your firewall to VPN"? I already have the built-in firewalls on both my client and server, and I disabled them both, just so they don't interfere with my setup for the time being.

2) I did change my IP address subnet. So the default gateway on my server side is now 192.168.157.1 instead of 192.168.1.1. I will hide my IP address. :D

3) 10.8.0.2 is the default gateway for the TAP-Win32 adapter. So, after looking in the OpenVPN forums, I added 10.8.0.2 as the default gateway on my server side by going into the advanced settings of the IPv4 properties of the TAP-Win32 adapter. To be honest, I don't know why I did it. I was just desperate to get it working.

Now, since I changed the IP subnet of my router to 192.168.157.1, I am only seeing two warnings in the log files, which is really good news IMO. But I still can't ping (need to look into ping policies too, but I doubt that could be the problem). Also the client side has zero access to the internet when connected to my server. No ping, no web pages, no internet.

Server Side warning says:

Warning: route gateway is not reachable on any active network adapters: 10.8.0.2

Client side warning:

WARNING: potential route subnet conflict between local LAN [192.168.2.0/255.255.255.0] and remote VPN [0.0.0.0/0.0.0.0]

Thanks a lot again.

user4252523

Posted 2014-05-19T20:23:02.723

Reputation: 51

You would be far better off using a tap interface if you want bidirectional access between your local machines and your VPN client with the least effort. – qasdfdsaq – 2015-07-07T14:51:46.747

Answers

-1

I would suggest getting a firewall or, if you have one, using your firewall for VPN. I have a WatchGuard and it is very simple to make or edit policies, such as ping. I had an issue where I did not want users on subnet "B" to even be able to ping subnet "A" and easily changed that in the policy.

Anyway, you could try changing the subnet of your network (if possible), as having a "normal" IP range like 192.168.1.1 is not the best-practice method. I also would not put your external IP address out for the world to see :)

To me it sounds like something in your firewall is not routing traffic to your 192.x.x.x subnet and, from the looks of it, it's because your LANs have the same IP range. Also, what device do you have on 10.8.0.2? It looks like your gateway, but your LANs are different. Please explain a little more...

P.S. Sorry, I tried to comment instead of answer but I don't have enough rep.

Vdub

Posted 2014-05-19T20:23:02.723

Reputation: 554

I edited my post to communicate with you. I am unable to say everything here. It will be really nice of you, if you could make some more suggestions. Thanks!! – user4252523 – 2014-05-20T16:41:09.287

What I meant by firewall is having a Firebox or SonicWall as a gateway to your network; easy-to-use VPN access. Anyway, how is your network set up? Such as router, switches? What exactly is your gateway at 192.168.157.1? Without running VPN, can you ping, access the internet, etc. on both systems? Just trying to make sure your LAN networks are correctly set up on both ends before connecting them together. – Vdub – 2014-05-20T18:02:10.677

The server is set up on my home network. I live in a house and have the IP assigned by the ISP. I believe I have a cable modem which is then connected to my router (port forwarding enabled). The router is just a Linksys WRT160N. The IP address of that router is 192.168.157.1 (before: 192.168.1.1). I don't have any switches involved. The server (Windows 7) is connected to the router wirelessly. The client is at my friend's house; he lives in a different house and has a different ISP. So, he connects to my laptop using OpenVPN. Both of us disabled our firewalls. OpenVPN assigned it the IP 10.8.0.6. – user4252523 – 2014-05-20T19:00:57.913

I have internet enabled on both networks without the VPN. But my friend's laptop ceases to connect once the VPN client is connected to my server. My server works perfectly fine without any trouble. Would you want me to post some more logs from iptables or tracert? – user4252523 – 2014-05-20T19:04:50.820

OK, from the looks of it you are using 192.168.157.x and he is on 10.8.0.x. I'm not an expert on OpenVPN, but I'm wondering if you need to point it to his gateway at 10.8.0.1? From the error you received, "WARNING: potential route subnet conflict between local LAN [192.168.2.0/255.255.255.0] and remote VPN [0.0.0.0/0.0.0.0]", there isn't anything at 192.168.2.0, right? So what is pointing to that? – Vdub – 2014-05-21T15:35:08.920

Sorry, I was confused. OK, so the client is on 10.8.0.x and you're trying to VPN to 192.168.157.x, so on the client side you should have everything pointing to the server at 10.8.0.x. On our VPN software I just set up a username and password for VPN access and the rest is done from the client. As I said though, I do not work on OpenVPN. Does it give you the option of configuring the server information on the client side, or is there a lot of configuring on both sides? – Vdub – 2014-05-21T15:49:13.370

To keep things simple, I am not using any username and password. I'll continue working on it starting Friday evening. Thanks again for your response. I'll let you know on Friday. Really busy with school until then. Thanks again :) – user4252523 – 2014-05-22T01:29:04.077

1

This statement

 push "route 0.0.0.0 0.0.0.0"

in the server.conf file is the origin of your problems. The

push "route ..." 

statement, not to be confused with the

push route ... 

statement which performs a different function, is used to inform OpenVPN clients of the existence of a LAN behind the OpenVPN server. Since you changed this subnet to 192.168.157.0/24, the above statement should be changed to:

  push "route 192.168.157.0 255.255.255.0"

You can find the description of this statement in the OpenVPN HOWTO. Besides detailing what I already told you, you will also find the following statement:

Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).

Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.

Both of these operations are crucial to the working of OpenVPN. Unfortunately, they are also OS-dependent, so you will have to figure out how to do them yourself.

Users on Linux machines would need the following two commands:

   ip route add 10.8.0.0/24 via IP.of.TheOpenVPN.Server
   echo 1 > /proc/sys/net/ipv4/ip_forward

MariusMatutiae

Posted 2014-05-19T20:23:02.723

Reputation: 41 321
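The following is an added example, not code from the original post nor from OpenVPN itself: a small Python checker that parses the routing-relevant lines of an OpenVPN server config and reports the problems raised in this thread, namely the pushed default route that this answer identifies, the absence of a pushed route for the server-side LAN, the "extremely common subnet" overlap between the two LANs noted in the question's server log, and the consequence of redirect-gateway for the client's internet access seen in EDIT 1. The two sample configs are constructed for the example (the first copies the question's routing lines; the second applies this answer's fix), and the LAN addresses 192.168.157.0/24 (server) and 192.168.2.0/24 (client) are taken from EDIT 1 as assumptions.

```python
"""Check an OpenVPN server config for the routing mistakes discussed above.

Constructed example; not part of the original post and not an OpenVPN tool.
"""
import ipaddress
import re

# Constructed sample 1: the routing lines of the question's server.ovpn.
ORIGINAL_SERVER_CONF = """
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "route 0.0.0.0 0.0.0.0"
"""

# Constructed sample 2: the same lines with the answer's fix applied; the
# server-side LAN (assumed 192.168.157.0/24, per EDIT 1) is pushed instead
# of a default route, and full tunnelling is not requested.
FIXED_SERVER_CONF = """
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "route 192.168.157.0 255.255.255.0"
"""

PUSH_RE = re.compile(r'^push\s+"([^"]*)"\s*$')


def parse_conf(text):
    """Return (directive, args) pairs; push "a b c" becomes ("push", ["a", "b", "c"])."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip # and ; comments
        if not line:
            continue
        m = PUSH_RE.match(line)
        if m:
            directives.append(("push", m.group(1).split()))
        else:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def _net(addr, mask):
    """Build a network from OpenVPN's 'address netmask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint_routing(conf_text, server_lan, client_lan):
    """Return a list of findings; an empty list means no routing problem was detected."""
    server_lan = ipaddress.ip_network(server_lan)
    client_lan = ipaddress.ip_network(client_lan)
    findings = []
    pool, pushed, redirect = None, [], False

    for name, args in parse_conf(conf_text):
        if name == "server" and len(args) >= 2:
            pool = _net(args[0], args[1])
        elif name == "push" and args:
            if args[0] == "route" and len(args) >= 3:
                pushed.append(_net(args[1], args[2]))
            elif args[0] == "redirect-gateway":
                redirect = True

    if pool is None:
        findings.append("no 'server' directive, so clients get no tunnel address pool")

    # The line the answer identifies: a second default route through the tunnel,
    # which the client reports as remote VPN [0.0.0.0/0.0.0.0] in its warning.
    if any(r.prefixlen == 0 for r in pushed):
        findings.append('push "route 0.0.0.0 0.0.0.0" pushes a default route through the '
                        'tunnel; drop it and push the server LAN instead')

    # Clients only learn the route to the server-side LAN if it is pushed explicitly.
    if not any(r.prefixlen > 0 and server_lan.subnet_of(r) for r in pushed):
        findings.append(f'no specific route pushed for the server LAN; add push "route '
                        f'{server_lan.network_address} {server_lan.netmask}"')

    # The "extremely common subnet" note: identical LANs on both ends leave the
    # client's own LAN route winning, so VPN traffic never enters the tunnel.
    if server_lan.overlaps(client_lan):
        findings.append(f"server LAN {server_lan} overlaps client LAN {client_lan}; renumber one side")

    if pool is not None and (pool.overlaps(server_lan) or pool.overlaps(client_lan)):
        findings.append(f"tunnel pool {pool} overlaps a LAN; choose a disjoint pool")

    # redirect-gateway only works if the server forwards the traffic and either
    # NATs it (ICS on Windows) or the LAN gateway routes the pool back to it.
    if redirect:
        findings.append("redirect-gateway sends all client traffic via the server; it must forward "
                        "and NAT that traffic (or the LAN gateway must route the pool back), "
                        "otherwise the client loses internet access")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_SERVER_CONF), ("fixed", FIXED_SERVER_CONF)):
        print(f"== {label} ==")
        for finding in lint_routing(conf, "192.168.157.0/24", "192.168.2.0/24") or ["no findings"]:
            print(" -", finding)
```

Run it as a script to see the question's config produce three findings and the fixed config none; pass the same subnet for both LANs (for example 192.168.1.0/24 on each side, as the question's server log warned about) to see the overlap finding.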