[SOLVED] OpenVPN connection / no Internet access

Hi all,

The OpenVPN client 10.10.10.163 connects to the server 10.10.10.101 but has no access to the Internet.

What is wrong?


OPENVPN LOG

Fri Oct 11 12:38:36 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Fri Oct 11 12:38:36 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Oct 11 12:38:36 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Enter Management Password:
Fri Oct 11 12:38:36 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Fri Oct 11 12:38:36 2019 Need hold release from management interface, waiting...
Fri Oct 11 12:38:36 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Fri Oct 11 12:38:36 2019 MANAGEMENT: CMD 'state on'
Fri Oct 11 12:38:36 2019 MANAGEMENT: CMD 'log all on'
Fri Oct 11 12:38:36 2019 MANAGEMENT: CMD 'echo all on'
Fri Oct 11 12:38:36 2019 MANAGEMENT: CMD 'bytecount 5'
Fri Oct 11 12:38:36 2019 MANAGEMENT: CMD 'hold off'
Fri Oct 11 12:38:36 2019 MANAGEMENT: CMD 'hold release'
Fri Oct 11 12:38:36 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 11 12:38:36 2019 MANAGEMENT: >STATE:1570811916,RESOLVE,,,,,,
Fri Oct 11 12:38:36 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.10.101:1194
Fri Oct 11 12:38:36 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Oct 11 12:38:36 2019 UDP link local: (not bound)
Fri Oct 11 12:38:36 2019 UDP link remote: [AF_INET]10.10.10.101:1194
Fri Oct 11 12:38:36 2019 MANAGEMENT: >STATE:1570811916,WAIT,,,,,,
Fri Oct 11 12:38:44 2019 MANAGEMENT: CMD 'signal SIGHUP'
Fri Oct 11 12:38:44 2019 SIGHUP[hard,] received, process restarting
Fri Oct 11 12:38:44 2019 MANAGEMENT: >STATE:1570811924,RECONNECTING,SIGHUP,,,,,
Fri Oct 11 12:38:44 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Fri Oct 11 12:38:44 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Oct 11 12:38:44 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Fri Oct 11 12:38:44 2019 Restart pause, 5 second(s)
Fri Oct 11 12:38:49 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 11 12:38:49 2019 MANAGEMENT: >STATE:1570811929,RESOLVE,,,,,,
Fri Oct 11 12:38:49 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.10.101:1194
Fri Oct 11 12:38:49 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Oct 11 12:38:49 2019 UDP link local: (not bound)
Fri Oct 11 12:38:49 2019 UDP link remote: [AF_INET]10.10.10.101:1194
Fri Oct 11 12:38:49 2019 MANAGEMENT: >STATE:1570811929,WAIT,,,,,,
Fri Oct 11 12:38:49 2019 MANAGEMENT: >STATE:1570811929,AUTH,,,,,,
Fri Oct 11 12:38:49 2019 TLS: Initial packet from [AF_INET]10.10.10.101:1194, sid=07261308 f4f09ebb
Fri Oct 11 12:38:49 2019 VERIFY OK: depth=0, CN=VotreFiscaliste, O=Votre fiscaliste, ST=Qc, emailAddress=root@ns1.toto.com, subjectAltName=*.toto.com, OU=Fiscalité, C=CA, L=La Prairie
Fri Oct 11 12:38:49 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Oct 11 12:38:49 2019 [VotreFiscaliste] Peer Connection Initiated with [AF_INET]10.10.10.101:1194
Fri Oct 11 12:38:50 2019 MANAGEMENT: >STATE:1570811930,GET_CONFIG,,,,,,
Fri Oct 11 12:38:50 2019 SENT CONTROL [VotreFiscaliste]: 'PUSH_REQUEST' (status=1)
Fri Oct 11 12:38:50 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DOMAIN toto.com,dhcp-option DNS 10.10.100.1,dhcp-option WINS 10.10.100.1,dhcp-option NBDD 10.10.100.1,dhcp-option NBT 2,route 10.10.10.0 255.255.255.0,route 10.10.100.0 255.255.255.0,topology net30,ping 20,ping-restart 120,ifconfig 10.10.100.6 10.10.100.5,peer-id 1,cipher AES-256-GCM'
Fri Oct 11 12:38:50 2019 OPTIONS IMPORT: timers and/or timeouts modified
Fri Oct 11 12:38:50 2019 OPTIONS IMPORT: --ifconfig/up options modified
Fri Oct 11 12:38:50 2019 OPTIONS IMPORT: route options modified
Fri Oct 11 12:38:50 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Oct 11 12:38:50 2019 OPTIONS IMPORT: peer-id set
Fri Oct 11 12:38:50 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Fri Oct 11 12:38:50 2019 OPTIONS IMPORT: data channel crypto options modified
Fri Oct 11 12:38:50 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Oct 11 12:38:50 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Oct 11 12:38:50 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Oct 11 12:38:50 2019 interactive service msg_channel=512
Fri Oct 11 12:38:50 2019 ROUTE_GATEWAY 10.10.10.75/255.255.255.0 I=4 HWADDR=a0:b3:cc:cc:43:6e
Fri Oct 11 12:38:50 2019 open_tun
Fri Oct 11 12:38:50 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{74C141FE-9C3C-400F-8C07-E95DCF001298}.tap
Fri Oct 11 12:38:50 2019 TAP-Windows Driver Version 9.23
Fri Oct 11 12:38:50 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.100.6/255.255.255.252 on interface {74C141FE-9C3C-400F-8C07-E95DCF001298} [DHCP-serv: 10.10.100.5, lease-time: 31536000]
Fri Oct 11 12:38:50 2019 Successful ARP Flush on interface [19] {74C141FE-9C3C-400F-8C07-E95DCF001298}
Fri Oct 11 12:38:50 2019 MANAGEMENT: >STATE:1570811930,ASSIGN_IP,,10.10.100.6,,,,
Fri Oct 11 12:38:55 2019 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Fri Oct 11 12:38:55 2019 C:\Windows\system32\route.exe ADD 10.10.10.101 MASK 255.255.255.255 10.10.10.75 IF 4
Fri Oct 11 12:38:55 2019 Route addition via service succeeded
Fri Oct 11 12:38:55 2019 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.10.100.5
Fri Oct 11 12:38:55 2019 Route addition via service succeeded
Fri Oct 11 12:38:55 2019 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.10.100.5
Fri Oct 11 12:38:55 2019 Route addition via service succeeded
Fri Oct 11 12:38:55 2019 MANAGEMENT: >STATE:1570811935,ADD_ROUTES,,,,,,
Fri Oct 11 12:38:55 2019 C:\Windows\system32\route.exe ADD 10.10.10.0 MASK 255.255.255.0 10.10.100.5
Fri Oct 11 12:38:55 2019 Route addition via service succeeded
Fri Oct 11 12:38:55 2019 C:\Windows\system32\route.exe ADD 10.10.100.0 MASK 255.255.255.0 10.10.100.5
Fri Oct 11 12:38:55 2019 Route addition via service succeeded
Fri Oct 11 12:38:55 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Oct 11 12:38:55 2019 Initialization Sequence Completed
Fri Oct 11 12:38:55 2019 MANAGEMENT: >STATE:1570811935,CONNECTED,SUCCESS,10.10.100.6,10.10.10.101,1194,,

OPENVPN CLIENT

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\michelandre>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : toto.com
   Link-local IPv6 Address . . . . . : fe80::c886:6e01:e67d:8d0e%19
   IPv4 Address. . . . . . . . . . . : 10.10.100.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . :

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::7110:3047:b6d3:5e61%4
   IPv4 Address. . . . . . . . . . . : 10.10.10.163
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.1.163
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.101
                                       192.168.1.1

Ethernet adapter VirtualBox Host-Only Network:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::1005:e11b:122:540%7
   IPv4 Address. . . . . . . . . . . : 192.168.56.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{30CC2326-1728-4D03-A9A1-86DE063B99D2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{D3824951-B5EF-40AA-A5C3-D555CD81DC2C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.toto.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : toto.com

C:\Users\michelandre>



C:\Users\michelandre>ping google.com

Pinging google.com [172.217.164.238] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.217.164.238:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\michelandre>

All comments/suggestions are appreciated,

Michel-André

Hi all,

I noticed the mask: 128.0.0.0.

I reconfigured OpenVPN roadwarrior:


I edited the user, without changing anything, and clicked Save.

All the documents I read always say - configure the user … configure the server.

So, I went back to Server. I unchecked one parameter, clicked Save, rechecked the parameter and finally clicked Save again.

I downloaded the user's OpenVPN configuration and copied it to the config directory of OpenVPN on the client machine.

I started OpenVPN on the client → Connect the user.

Surprisingly all was working and the client had access to the Internet.

I did a tracert google.com and the first IP to appear was NS1 [192.168.2.1]. So all the traffic goes through the tunnel.

I didn't believe it, so I disconnected the client, rebooted the server, reconnected the client, and it was still working.

Amazing!

Someone has an explanation?

Michel-André

P.S. I noticed that the Trusted Networks also changed automatically:
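Added example, not part of this thread and not NethServer or OpenVPN code: a small Python script that reads an OpenVPN 2.4 Windows client log of the shape shown in the first post, rebuilds the route table the client installed, and answers what the first post's "connected but no Internet" and the `128.0.0.0` mask noticed in the post above come down to. With `redirect-gateway def1` the client adds two /1 routes (`0.0.0.0 MASK 128.0.0.0` and `128.0.0.0 MASK 128.0.0.0`) pointing at the tunnel peer 10.10.100.5; they beat the LAN's /0 default route on longest-prefix match without deleting it, while a /32 host route keeps the VPN server itself reachable through the LAN gateway. The script also flags the two `WARNING:` lines of that log. The sample log is constructed (an abridged copy of the one above), the longest-prefix match ignores Windows route metrics, and the finding texts and the `remote-cert-tls server` / `auth-nocache` advice are the example's own.

```python
"""Audit an OpenVPN 2.4 Windows client log: pushed options, resulting
route table, next hop per destination, and security warnings."""
import ipaddress
import re

# Constructed sample: an abridged copy of the client log in the thread.
SAMPLE_LOG = """\
Fri Oct 11 12:38:49 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 11 12:38:50 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.10.100.1,route 10.10.10.0 255.255.255.0,route 10.10.100.0 255.255.255.0,topology net30,ifconfig 10.10.100.6 10.10.100.5,cipher AES-256-GCM'
Fri Oct 11 12:38:50 2019 ROUTE_GATEWAY 10.10.10.75/255.255.255.0 I=4 HWADDR=a0:b3:cc:cc:43:6e
Fri Oct 11 12:38:55 2019 C:\\Windows\\system32\\route.exe ADD 10.10.10.101 MASK 255.255.255.255 10.10.10.75 IF 4
Fri Oct 11 12:38:55 2019 C:\\Windows\\system32\\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.10.100.5
Fri Oct 11 12:38:55 2019 C:\\Windows\\system32\\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.10.100.5
Fri Oct 11 12:38:55 2019 C:\\Windows\\system32\\route.exe ADD 10.10.10.0 MASK 255.255.255.0 10.10.100.5
Fri Oct 11 12:38:55 2019 C:\\Windows\\system32\\route.exe ADD 10.10.100.0 MASK 255.255.255.0 10.10.100.5
Fri Oct 11 12:38:55 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
"""

PUSH_RE = re.compile(r"PUSH_REPLY,([^']*)'")
GATEWAY_RE = re.compile(r"ROUTE_GATEWAY (\S+)/(\S+)")          # pre-VPN default gateway
ROUTE_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")  # dest, mask, gateway
WARN_RE = re.compile(r"WARNING: (.*)$", re.M)


def parse_pushed_options(log):
    """Return the comma-separated options of the PUSH_REPLY, if any."""
    m = PUSH_RE.search(log)
    return m.group(1).split(",") if m else []


def build_route_table(log):
    """Return [(network, gateway)]: the pre-existing default route taken from
    the ROUTE_GATEWAY line, followed by every route the client added."""
    table = []
    m = GATEWAY_RE.search(log)
    if m:
        table.append((ipaddress.ip_network("0.0.0.0/0"), m.group(1)))
    for dest, mask, gateway in ROUTE_RE.findall(log):
        # ip_network accepts a dotted netmask, so 0.0.0.0/128.0.0.0 becomes 0.0.0.0/1
        table.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway))
    return table


def next_hop(table, destination):
    """Longest-prefix match (metrics ignored, an assumption of this example)."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in table if addr in net]
    if not matches:
        return None
    _, gateway = max(matches, key=lambda entry: entry[0].prefixlen)
    return gateway


def audit(log):
    """Collect pushed options, the route table and a list of findings."""
    options = parse_pushed_options(log)
    table = build_route_table(log)
    findings = []
    installed = {str(net) for net, _ in table}
    if "redirect-gateway def1" in options and not {"0.0.0.0/1", "128.0.0.0/1"} <= installed:
        findings.append("redirect-gateway def1 was pushed but the two /1 routes are missing")
    if not any(opt.startswith("dhcp-option DNS") for opt in options):
        findings.append("no DNS pushed: names will be resolved through the pre-VPN resolver")
    for warning in WARN_RE.findall(log):
        if "No server certificate verification" in warning:
            findings.append("server certificate is not verified: add 'remote-cert-tls server' to the client config")
        elif "auth-nocache" in warning:
            findings.append("credentials may stay cached in memory: add 'auth-nocache' to the client config")
    return {"options": options, "routes": table, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for net, gw in result["routes"]:
        print(f"{str(net):18} via {gw}")
    for dest in ("172.217.164.238", "10.10.10.101", "10.10.10.50"):
        print(f"{dest:16} -> {next_hop(result['routes'], dest)}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against a real log, the route table printout shows the /1 pair and the /32 host route; if they are absent while `redirect-gateway def1` was pushed, the route additions failed and Internet traffic keeps using the LAN gateway, which is one way to get "connected but no Internet".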

Hi all,

Since I do some documentation, I always choose 10.10.10.75 for the servers.

I always configure my main working station as below and enter the IP/Name of the server in the C:\Windows\System32\drivers\etc\hosts file of the station.

If the document server is down, the Gateway/DNS will be the secondary 192.168.1.1, which is my main NethServer connected directly to the Internet.

The new document server for OpenVPN is physical, and I chose 10.10.10.101 to be able to also run a virtual 10.10.10.75 server at the same time.

Since both servers are on the 10.10.10.0/24 IP network, I never had a problem accessing both of them from my main working station.

The original configuration in OpenVPN roadwarrior was using 10.10.100.0/24.

First newbie mistake (shame on me):

I changed the test workstation IP Gateway to 10.10.10.101 but I didn’t change the DNS IP.

The OpenVPN client was able to connect but could not resolve google.com when the virtual server was down.

It seems like the OpenVPN client always takes the main DNS IP only and never looks at the secondary one??? (My poor excuse…)

Second newbie mistake (more than shame on me):

When I wanted to test a new config for the OpenVPN user, I quit OpenVPN from the task bar. I should have first clicked Disconnect (the Disconnect button is only shown on the Status screen, which is closed after connecting). The result is that when I restart the OpenVPN client, it cannot connect because the server considers the user still connected???

Now I have configured the OpenVPN server Routed LAN with 10.10.100.0/24 and both the test station Gateway/DNS to 10.10.10.101, and all is working correctly.

I’m really embarrassed to have made those unforgivable mistakes,

Michel-André