Discussion:
[Openvpn-users] Win10 default gateway not being redirected
David Mehler
2017-04-24 14:07:48 UTC
Permalink
Hello,

I'm running 2.4 versions of Openvpn on both the server and a windows client.

I'm wanting to route all traffic through the vpn. I've got this on the server:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"

The DNS server push is working on the client. Here's the client's ipconfig /all

Is there something special I have to do to get this going on win10?

Thanks.
Dave.

ipconfig:

Windows IP Configuration

Host Name . . . . . . . . . . . . : kraken
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . :

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-5D-7E-85-66
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, April 24, 2017 9:51:29 AM
Lease Expires . . . . . . . . . . : Tuesday, April 24, 2018 9:51:29 AM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.0.254
DNS Servers . . . . . . . . . . . : 208.67.222.222
208.67.220.220
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NETGEAR WNA1000M N150 Wireless USB Micro Adapter #2
Physical Address. . . . . . . . . : 84-1B-5E-97-85-4E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7425:96fc:f2eb:1dcb%24(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.97(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, April 21, 2017 9:31:55 PM
Lease Expires . . . . . . . . . . : Tuesday, April 25, 2017 5:40:48 AM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 478419806
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-A9-12-FF-90-2B-34-98-ED-D7
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
Primary WINS Server . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled


on the client here's the log:
Mon Apr 24 09:51:27 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL
(OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Mon Apr 24 09:51:27 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Apr 24 09:51:27 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Enter Management Password:
Mon Apr 24 09:51:27 2017 MANAGEMENT: TCP Socket listening on
[AF_INET]127.0.0.1:25340
Mon Apr 24 09:51:27 2017 Need hold release from management interface, waiting...
Mon Apr 24 09:51:27 2017 MANAGEMENT: Client connected from
[AF_INET]127.0.0.1:25340
Mon Apr 24 09:51:27 2017 MANAGEMENT: CMD 'state on'
Mon Apr 24 09:51:27 2017 MANAGEMENT: CMD 'log all on'
Mon Apr 24 09:51:27 2017 MANAGEMENT: CMD 'echo all on'
Mon Apr 24 09:51:27 2017 MANAGEMENT: CMD 'hold off'
Mon Apr 24 09:51:27 2017 MANAGEMENT: CMD 'hold release'
Mon Apr 24 09:51:27 2017 MANAGEMENT: CMD 'password [...]'
Mon Apr 24 09:51:27 2017 WARNING: this configuration may cache
passwords in memory -- use the auth-nocache option to prevent this
Mon Apr 24 09:51:27 2017 Outgoing Control Channel Encryption: Cipher
'AES-256-CTR' initialized with 256 bit key
Mon Apr 24 09:51:27 2017 Outgoing Control Channel Encryption: Using
256 bit message hash 'SHA256' for HMAC authentication
Mon Apr 24 09:51:27 2017 Incoming Control Channel Encryption: Cipher
'AES-256-CTR' initialized with 256 bit key
Mon Apr 24 09:51:27 2017 Incoming Control Channel Encryption: Using
256 bit message hash 'SHA256' for HMAC authentication
Mon Apr 24 09:51:27 2017 TCP/UDP: Preserving recently used remote
address: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 24 09:51:27 2017 Socket Buffers: R=[65536->262144] S=[65536->262144]
Mon Apr 24 09:51:27 2017 UDPv4 link local: (not bound)
Mon Apr 24 09:51:27 2017 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 24 09:51:27 2017 MANAGEMENT: >STATE:1493041887,WAIT,,,,,,
Mon Apr 24 09:51:27 2017 MANAGEMENT: >STATE:1493041887,AUTH,,,,,,
Mon Apr 24 09:51:27 2017 TLS: Initial packet from
[AF_INET]xxx.xxx.xxx.xxx:1194, sid=0fc86e45 2516db19
Mon Apr 24 09:51:28 2017 VERIFY OK: depth=1, CN=Easy-RSA CA
Mon Apr 24 09:51:28 2017 VERIFY KU OK
Mon Apr 24 09:51:28 2017 Validating certificate extended key usage
Mon Apr 24 09:51:28 2017 ++ Certificate has EKU (str) TLS Web Server
Authentication, expects TLS Web Server Authentication
Mon Apr 24 09:51:28 2017 VERIFY EKU OK
Mon Apr 24 09:51:28 2017 VERIFY OK: depth=0, CN=openvpn-server
Mon Apr 24 09:51:28 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3
ECDHE-RSA-AES128-GCM-SHA256, 4096 bit RSA
Mon Apr 24 09:51:28 2017 [openvpn-server] Peer Connection Initiated
with [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Apr 24 09:51:29 2017 MANAGEMENT: >STATE:1493041889,GET_CONFIG,,,,,,
Mon Apr 24 09:51:29 2017 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST'
(status=1)
Mon Apr 24 09:51:29 2017 PUSH: Received control message:
'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS
208.67.222.222,dhcp-option DNS 208.67.220.220,comp-lzo
no,route-gateway 192.168.0.1,topology subnet,ping 10,ping-restart
120,ifconfig 192.168.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Apr 24 09:51:29 2017 OPTIONS IMPORT: timers and/or timeouts modified
Mon Apr 24 09:51:29 2017 OPTIONS IMPORT: compression parms modified
Mon Apr 24 09:51:29 2017 OPTIONS IMPORT: --ifconfig/up options modified
Mon Apr 24 09:51:29 2017 OPTIONS IMPORT: route options modified
Mon Apr 24 09:51:29 2017 OPTIONS IMPORT: route-related options modified
Mon Apr 24 09:51:29 2017 OPTIONS IMPORT: --ip-win32 and/or
--dhcp-option options modified
Mon Apr 24 09:51:29 2017 OPTIONS IMPORT: peer-id set
Mon Apr 24 09:51:29 2017 OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Apr 24 09:51:29 2017 OPTIONS IMPORT: data channel crypto options modified
Mon Apr 24 09:51:29 2017 Data Channel Encrypt: Cipher 'AES-256-GCM'
initialized with 256 bit key
Mon Apr 24 09:51:29 2017 Data Channel Decrypt: Cipher 'AES-256-GCM'
initialized with 256 bit key
Mon Apr 24 09:51:29 2017 interactive service msg_channel=0
Mon Apr 24 09:51:29 2017 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 I=24
HWADDR=84:1b:5e:97:85:4e
Mon Apr 24 09:51:29 2017 open_tun
Mon Apr 24 09:51:29 2017 TAP-WIN32 device [Ethernet] opened:
\\.\Global\{5D7E8566-0F0D-4622-839F-E28A4D26E86E}.tap
Mon Apr 24 09:51:29 2017 TAP-Windows Driver Version 9.21
Mon Apr 24 09:51:29 2017 Set TAP-Windows TUN subnet mode
network/local/netmask = 192.168.0.0/192.168.0.2/255.255.255.0
[SUCCEEDED]
Mon Apr 24 09:51:29 2017 Notified TAP-Windows driver to set a DHCP
IP/netmask of 192.168.0.2/255.255.255.0 on interface
{5D7E8566-0F0D-4622-839F-E28A4D26E86E} [DHCP-serv: 192.168.0.254,
lease-time: 31536000]
Mon Apr 24 09:51:29 2017 Successful ARP Flush on interface [11]
{5D7E8566-0F0D-4622-839F-E28A4D26E86E}
Mon Apr 24 09:51:29 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
STATE:1493041889,ASSIGN_IP,,192.168.0.2,,,,
Mon Apr 24 09:51:34 2017 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Mon Apr 24 09:51:34 2017 C:\WINDOWS\system32\route.exe ADD
xxx.xxx.xxx.xxx MASK 255.255.255.255 192.168.2.1
Mon Apr 24 09:51:34 2017 env_block: add
PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Apr 24 09:51:34 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0
MASK 128.0.0.0 192.168.0.1
Mon Apr 24 09:51:34 2017 env_block: add
PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Apr 24 09:51:34 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0
MASK 128.0.0.0 192.168.0.1
Mon Apr 24 09:51:34 2017 env_block: add
PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Apr 24 09:51:34 2017 Initialization Sequence Completed
STATE:1493041894,CONNECTED,SUCCESS,192.168.0.2,xxx.xxx.xxx.xxx,1194,,
Thanks.
Dave.
Selva Nair
2017-04-24 15:33:52 UTC
Permalink
Hi,
Post by David Mehler
Mon Apr 24 09:51:34 2017 C:\WINDOWS\system32\route.exe ADD
xxx.xxx.xxx.xxx MASK 255.255.255.255 192.168.2.1
Mon Apr 24 09:51:34 2017 env_block: add
PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Apr 24 09:51:34 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0
MASK 128.0.0.0 192.168.0.1
Mon Apr 24 09:51:34 2017 env_block: add
PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Apr 24 09:51:34 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0
MASK 128.0.0.0 192.168.0.1
The required routes for redirect-gateway are being added, so it should
work. Check the routing table ("route print" will show it) to see why the
traffic is not going via the tunnel.

The logs show you are not using the interactive service --- is openvpn
started directly (not using the GUI)? If so you have to run it with admin
privileges. If you are using the GUI, do not run as admin and let the
interactive service set the routes.

By the way, though not related, setting the tunnel network to 192.168.0.0/24
is asking for trouble -- use a less common subnet.

Selva
debbie10t
2017-04-24 16:16:28 UTC
Permalink
Post by David Mehler
Hello,
I'm running 2.4 versions of Openvpn on both the server and a windows client.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
The DNS server push is working on the client. Here's the client's ipconfig /all
Is there something special I have to do to get this going on win10?
Your client log shows that the client has set the routes required to
redirect its gateway over the VPN.

(As Selva stated) Using --server 192.168.0.0 255.255.255.0 is a disaster
waiting to happen. I recommend you use the standard 10.8.0.0/24 subnet.

As you are running your server on Windows you either have to set up
your server side routing correctly or use the Windows RAS service to NAT
your client packets.

See here:
https://forums.openvpn.net/viewtopic.php?f=7&t=7806

There are some more related posts in the examples board on the Forum:
https://forums.openvpn.net/viewforum.php?f=7

If you prefer to post to the forum for help, please see:
https://forums.openvpn.net/viewtopic.php?f=30&t=22603
Gert Doering
2017-04-24 17:12:19 UTC
Permalink
Hi,
Post by David Mehler
I'm running 2.4 versions of Openvpn on both the server and a windows client.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
The DNS server push is working on the client. Here's the client's ipconfig /all
Is there something special I have to do to get this going on win10?
Is there anything not working?
Post by David Mehler
PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Apr 24 09:51:34 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0
MASK 128.0.0.0 192.168.0.1
... except that it really shouldn't do this, if you're running the GUI without
Admin privileges... which you *are* doing, aren't you?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
Selva Nair
2017-04-24 17:36:02 UTC
Permalink
Post by Gert Doering
... except that it really shouldn't do this, if you're running the GUI without
Admin privileges... which you *are* doing, aren't you?
As I wrote before he is either not using the GUI or is running it as admin.
Note the message channel = 0 line in the logs.

Selva
Gert Doering
2017-04-24 17:39:52 UTC
Permalink
Hi,
Post by Selva Nair
Post by Gert Doering
... except that it really shouldn't do this, if you're running the GUI without
Admin privileges... which you *are* doing, aren't you?
As I wrote before he is either not using the GUI or is running it as admin.
Note the message channel = 0 line in the logs.
That was a rhetorical question :-) - since route.exe isn't failing, he's
running as Admin, which is not recommended.

(I think the actual *question* in this thread might be one of perception,
that "route print" still shows the default gateway as "not changed" - but
I was waiting for a question to be asked...)

gert
Selva Nair
2017-04-24 17:50:36 UTC
Permalink
Post by Gert Doering
Hi,
Post by Selva Nair
Post by Gert Doering
... except that it really shouldn't do this, if you're running the GUI without
Post by Selva Nair
Post by Gert Doering
Admin privileges... which you *are* doing, aren't you?
As I wrote before he is either not using the GUI or is running it as
admin.
Post by Selva Nair
Note the message channel = 0 line in the logs.
That was a rhetorical question :-) - since route.exe isn't failing, he's
running as Admin, which is not recommended.
Sorry, I messed up the "Socratic Dialog" approach :) Will shut up now.

Selva
Илья Шипицин
2017-04-24 17:44:31 UTC
Permalink
Post by David Mehler
Hi,
Post by David Mehler
I'm running 2.4 versions of Openvpn on both the server and a windows
client.
Post by David Mehler
I'm wanting to route all traffic through the vpn. I've got this on the
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
The DNS server push is working on the client. Here's the client's
ipconfig /all
Post by David Mehler
Is there something special I have to do to get this going on win10?
Is there anything not working?
Post by David Mehler
PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Apr 24 09:51:34 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0
MASK 128.0.0.0 192.168.0.1
... except that it really shouldn't do this, if you're running the GUI without
Admin privileges... which you *are* doing, aren't you?
I've seen similar recently: the interactive service was not started (due to
missing registry entries) ... and openvpn-gui decided to run openvpn.exe
directly (in a very silent way).

I think we should improve logging here:

https://github.com/OpenVPN/openvpn-gui/blob/master/openvpn.c#L1609-L1611

something like "oops, we tried to connect to interactive service, but it
failed..."
Selva Nair
2017-04-24 17:54:44 UTC
Permalink
Post by Илья Шипицин
I've seen similar recently: the interactive service was not started (due to
missing registry entries) ... and openvpn-gui decided to run openvpn.exe
directly (in a very silent way).
https://github.com/OpenVPN/openvpn-gui/blob/master/openvpn.c#L1609-L1611
We already warn at GUI start up if the interactive service is not running. Some
users were complaining about that as noise (I don't recall the Trac ticket #)
so I'd be wary of increasing the chatter further.

Selva
Илья Шипицин
2017-04-24 18:06:24 UTC
Permalink
Post by Selva Nair
Post by Илья Шипицин
I've seen similar recently: the interactive service was not started (due to
missing registry entries) ... and openvpn-gui decided to run openvpn.exe
directly (in a very silent way).
https://github.com/OpenVPN/openvpn-gui/blob/master/openvpn.c#L1609-L1611
We already warn at GUI start up if the interactive service is not running.
Some users were complaining about that as noise (I don't recall the Trac
ticket #) so I'd be wary of increasing the chatter further.
I'm going to reproduce it (by removing registry entries) a bit later.

From my point of view it looked like this:

1) user complained "nothing works"
2) ok, show me logs
3) "route cannot be added"

No evidence why, no idea whether the interactive service was used or a direct
start.
I asked that user to check the interactive service status and the Windows event log.

However, I think it would be better to have something in the log about that
situation. It would have saved time for people.
Gert Doering
2017-04-24 18:18:50 UTC
Permalink
Hi,
Post by Илья Шипицин
from my point of view it looked like that
1) user complained "nothing works"
2) ok, show me logs
3) "route cannot be added"
Neither "1)" nor "3)" is what happened here.

gert
David Mehler
2017-04-24 18:08:55 UTC
Permalink
Hello,

Thanks for everyone's reply so far.

Below is a copy of route print.

I'm not sure what you mean by interactive service. What I do is start the
openvpn gui, then an openvpn gui icon shows up in my system area. I
right click that and select connect and it works.

With regard to the subnet, which one would you say would work?

I believe there is a miscommunication: the Openvpn 2.4 server is not
running on Windows, it's running on FreeBSD. The client that I'm
connecting to the server with is running on Windows 10 and using the
openvpn gui package; both client and server are at v2.4.

As for the 10.8.0.0/24 suggestion, it's not practical for me; it conflicts with
my other jailed systems, which are on 10.0.0.0/8, and I've not
figured out the CIDR to make that all work.

I missed something. When I start the openvpn gui from its icon on the
desktop I am not an admin, but I get the win10 UAC screen popping up
asking me if I want to make changes to the device. To that question I
answer yes; is this now running as admin? My next step, still as the
non-admin user, is to right click the openvpn gui icon in the task area
and choose connect, which openvpn then does.

Here's my route print:

route print
===========================================================================
Interface List
15...90 2b 34 98 ed d7 ......Realtek PCIe GBE Family Controller
9...84 1b 5e 97 85 4e ......Microsoft Hosted Network Virtual Adapter #2
22...84 1b 5e 97 85 4e ......Microsoft Wi-Fi Direct Virtual Adapter #2
2...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
6...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
11...00 ff 5d 7e 85 66 ......TAP-Windows Adapter V9
24...84 1b 5e 97 85 4e ......NETGEAR WNA1000M N150 Wireless USB Micro Adapter #2
1...........................Software Loopback Interface 1
26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
3...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
10...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.97 55
0.0.0.0 128.0.0.0 192.168.0.1 192.168.0.2 36
xxx.xxx.xxx.xxx 255.255.255.255 192.168.2.1 192.168.2.97 56
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 192.168.0.1 192.168.0.2 36
192.168.0.0 255.255.255.0 On-link 192.168.0.2 291
192.168.0.2 255.255.255.255 On-link 192.168.0.2 291
192.168.0.255 255.255.255.255 On-link 192.168.0.2 291
192.168.2.0 255.255.255.0 On-link 192.168.2.97 311
192.168.2.97 255.255.255.255 On-link 192.168.2.97 311
192.168.2.255 255.255.255.255 On-link 192.168.2.97 311
192.168.153.0 255.255.255.0 On-link 192.168.153.1 291
192.168.153.1 255.255.255.255 On-link 192.168.153.1 291
192.168.153.255 255.255.255.255 On-link 192.168.153.1 291
192.168.237.0 255.255.255.0 On-link 192.168.237.1 291
192.168.237.1 255.255.255.255 On-link 192.168.237.1 291
192.168.237.255 255.255.255.255 On-link 192.168.237.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.237.1 291
224.0.0.0 240.0.0.0 On-link 192.168.153.1 291
224.0.0.0 240.0.0.0 On-link 192.168.0.2 291
224.0.0.0 240.0.0.0 On-link 192.168.2.97 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.237.1 291
255.255.255.255 255.255.255.255 On-link 192.168.153.1 291
255.255.255.255 255.255.255.255 On-link 192.168.0.2 291
255.255.255.255 255.255.255.255 On-link 192.168.2.97 311
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
24 311 fe80::/64 On-link
24 311 fe80::7425:96fc:f2eb:1dcb/128 On-link
1 331 ff00::/8 On-link
24 311 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

To the question of my services I just checked them. The Interactive
Services Detection is set to manual. The Openvpn Interactive Service
is running and set to automatic. The Openvpn Legacy Service is set to
manual. Both the Openvpn Legacy Service and the Interactive Services
Detection though on manual are not running.

Hope this helps.

Thanks.
Dave.
Post by Илья Шипицин
Post by David Mehler
Hi,
Post by David Mehler
I'm running 2.4 versions of Openvpn on both the server and a windows
client.
Post by David Mehler
I'm wanting to route all traffic through the vpn. I've got this on the
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
The Dns server push is working on the client. Here's the client's
ipconfig /all
Post by David Mehler
Is there something special I have to do to get this going on win10?
Is there anything not working?
Post by David Mehler
PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Apr 24 09:51:34 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0
MASK 128.0.0.0 192.168.0.1
... except that it really shouldn't do this, if you're running the GUI without
Admin privileges... which you *are* doing, aren't you?
I've seen similar recently: the interactive service was not started (due to
missing registry entries) ... and openvpn-gui decided to run openvpn.exe
directly (in a very silent way).
https://github.com/OpenVPN/openvpn-gui/blob/master/openvpn.c#L1609-L1611
something like "oops, we tried to connect to interactive service, but it
failed..."
Gert Doering
2017-04-24 18:17:58 UTC
Permalink
Hi,
Post by David Mehler
Below is a copy of route print.
IPv4 Route Table
===========================================================================
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.97 55
0.0.0.0 128.0.0.0 192.168.0.1 192.168.0.2 36
128.0.0.0 128.0.0.0 192.168.0.1 192.168.0.2 36
Things are working perfectly fine (and this is what I expected to see).

With "def1", you get two half-default-routes (0.0.0.0/128.0.0.0 and
128.0.0.0/128.0.0.0), which can be put into the table without having to
muck around with the 0.0.0.0/0.0.0.0 entry.

Due to the nature of routing, the most specific match for a destination
address will "win", as in "route the packet" - so a /24 will match
first, then a /8, then a /0 (for example) - "/0" being "the default route,
which matches everything".

With two /1 routes installed that cover the full IPv4 space, these serve
as "the least specific route that the packet will encounter", since
*together*, they match all destinations (/1+/1 = /0).


As for the UAC dialog popping up: this looks like you had 2.3 installed
previously, which needed the [x] "run as admin" setting to give you
the needed privs - depending on how this was configured, it is *so*
sticky that even removing older openvpn completely and then installing
2.4 might not get rid of it. With 2.4, you should never see a UAC
dialogue when starting the GUI.

gert
David Mehler
2017-04-24 18:31:16 UTC
Permalink
Hello,

Thanks for the information on routing. So it is working? How then, when
I did ipconfig /all, didn't it show up as the default gateway on the
openvpn adapter?

The issue when I tried to start the Interactive Services Detection
service was that it kept giving me an error 1. Here's the fix for that:

https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2012/10/09/windows-8-interactive-services-detection-error-1-incorrect-function/

Once the Interactive Services Detection service was going I restarted
Openvpn gui (it is v2.4 and I never had 2.3 on this box), I did not
get the UAC dialog box and the connection was successful. My current
route print looks like this:

===========================================================================
Interface List
15...90 2b 34 98 ed d7 ......Realtek PCIe GBE Family Controller
9...84 1b 5e 97 85 4e ......Microsoft Hosted Network Virtual Adapter #2
22...84 1b 5e 97 85 4e ......Microsoft Wi-Fi Direct Virtual Adapter #2
2...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
6...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
11...00 ff 5d 7e 85 66 ......TAP-Windows Adapter V9
24...84 1b 5e 97 85 4e ......NETGEAR WNA1000M N150 Wireless USB Micro Adapter #2
1...........................Software Loopback Interface 1
26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
3...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
10...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.97 55
0.0.0.0 128.0.0.0 192.168.0.1 192.168.0.2 291
xxx.xxx.xxx.xxx 255.255.255.255 192.168.2.1 192.168.2.97 311
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 192.168.0.1 192.168.0.2 291
192.168.0.0 255.255.255.0 On-link 192.168.0.2 291
192.168.0.2 255.255.255.255 On-link 192.168.0.2 291
192.168.0.255 255.255.255.255 On-link 192.168.0.2 291
192.168.2.0 255.255.255.0 On-link 192.168.2.97 311
192.168.2.97 255.255.255.255 On-link 192.168.2.97 311
192.168.2.255 255.255.255.255 On-link 192.168.2.97 311
192.168.153.0 255.255.255.0 On-link 192.168.153.1 291
192.168.153.1 255.255.255.255 On-link 192.168.153.1 291
192.168.153.255 255.255.255.255 On-link 192.168.153.1 291
192.168.237.0 255.255.255.0 On-link 192.168.237.1 291
192.168.237.1 255.255.255.255 On-link 192.168.237.1 291
192.168.237.255 255.255.255.255 On-link 192.168.237.1 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.237.1 291
224.0.0.0 240.0.0.0 On-link 192.168.153.1 291
224.0.0.0 240.0.0.0 On-link 192.168.0.2 291
224.0.0.0 240.0.0.0 On-link 192.168.2.97 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.237.1 291
255.255.255.255 255.255.255.255 On-link 192.168.153.1 291
255.255.255.255 255.255.255.255 On-link 192.168.0.2 291
255.255.255.255 255.255.255.255 On-link 192.168.2.97 311
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
24 311 fe80::/64 On-link
24 311 fe80::7425:96fc:f2eb:1dcb/128 On-link
1 331 ff00::/8 On-link
24 311 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Is this setup now fully working? If so, can I tighten it up in any way?

Thanks.
Dave.
Post by Gert Doering
Hi,
Post by David Mehler
Below is a copy of route print.
IPv4 Route Table
===========================================================================
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.97 55
0.0.0.0 128.0.0.0 192.168.0.1 192.168.0.2 36
128.0.0.0 128.0.0.0 192.168.0.1 192.168.0.2 36
Things are working perfectly fine (and this is what I expected to see).
With "def1", you get two half-default-routes (0.0.0.0/128.0.0.0 and
128.0.0.0/128.0.0.0), which can be put into the table without having to
muck around with the 0.0.0.0/0.0.0.0 entry.
Due to the nature of routing, the most specific match for a destination
address will "win", as in "route the packet" - so a /24 will match
first, then a /8, then a /0 (for example) - "/0" being "the default route,
which matches everything".
With two /1 routes installed that cover the full IPv4 space, these serve
as "the least specific route that the packet will encounter", since
*together*, they match all destinations (/1+/1 = /0).
As for the UAC dialog popping up: this looks like you had 2.3 installed
previously, which needed the [x] "run as admin" setting to give you
the needed privs - depending on how this was configured, it is *so*
sticky that even removing older openvpn completely and then installing
2.4 might not get rid of it. With 2.4, you should never see a UAC
dialogue when starting the GUI.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
fax: +49-89-35655025
Gert Doering
2017-04-24 18:37:48 UTC
Permalink
Hi,
Post by David Mehler
Thanks for the information on routing. So it is working? How then, when
I did the ipconfig /all, didn't it show up as the default gateway on the
openvpn adapter?
Right. It's not "the default gateway" (because that would be "the /0"),
but we "mask" the default route by having two catch-all /1 routes.

It needs some thinking through if you encounter it for the first
time, but then it feels like "oh, it is so obvious" :-)
Post by David Mehler
The issue when I tried to start the Interactive Services detection
https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2012/10/09/windows-8-interactive-services-detection-error-1-incorrect-function/
Once Interactive Services detection service was going I restarted
Openvpn gui (it is v2.4 and I never had 2.3 on this box), I did not
get the UAC dialog box and the connection was successful.
Mmmh. This isn't "our" interactive service, but something in windows,
which we *should* not need - but I leave that part to Selva, because
I'm not so good at esoteric windows internals.
Post by David Mehler
My current
[..]
Post by David Mehler
===========================================================================
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.97 55
Default (/0).
Post by David Mehler
0.0.0.0 128.0.0.0 192.168.0.1 192.168.0.2 291
128.0.0.0 128.0.0.0 192.168.0.1 192.168.0.2 291
Half-defaults (2x /1), covering all the space, pointing to the tap
interface. Check, this is how it should be :-)

(Omitted the rest)

[..]
Post by David Mehler
Is this setup now fully working? If so, can I tighten it up in any way?
It should be fine.

If you run a network sniffer like wireshark on your LAN interface now,
you should only see encrypted packets going to your VPN server (and traffic
local to the LAN network).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
fax: +49-89-35655025
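The two /1 routes Gert describes, and Dave's question of whether the setup is now fully working, as an added example that is not part of the thread or of OpenVPN itself: a small Python script that parses the IPv4 section of `route print`, checks for the def1 half-defaults on the TAP interface and for the /32 host route that keeps the VPN server reachable via the LAN gateway, and does a longest-prefix lookup to show which route each destination takes. The embedded table is constructed from the thread's route print; 203.0.113.10 is a placeholder for the masked server address, and the function and constant names are my own.

```python
"""
Checks for the route table that ``redirect-gateway def1`` should leave on a
Windows client, plus a longest-prefix-match lookup showing why the two /1
routes override the LAN's /0 default route.

Added example for this thread: not OpenVPN code and not any poster's own.
ROUTE_PRINT is constructed from the ``route print`` output in the thread;
203.0.113.10 is a documentation-range placeholder for the VPN server whose
address the thread shows as xxx.xxx.xxx.xxx.
"""
import ipaddress

ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.97     55
          0.0.0.0        128.0.0.0      192.168.0.1      192.168.0.2    291
     203.0.113.10  255.255.255.255      192.168.2.1     192.168.2.97    311
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
        128.0.0.0        128.0.0.0      192.168.0.1      192.168.0.2    291
      192.168.0.0    255.255.255.0         On-link      192.168.0.2    291
      192.168.2.0    255.255.255.0         On-link     192.168.2.97    311
"""

TAP_ADDR = "192.168.0.2"     # "Interface" column of the TAP adapter (from the thread)
VPN_SERVER = "203.0.113.10"  # placeholder, see module docstring


def parse_route_print(text):
    """Parse the IPv4 table body into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Header, separator and blank lines never have five fields starting with a digit.
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def check_def1(routes, tap_addr):
    """True when 0.0.0.0/1 and 128.0.0.0/1 both exit via the TAP interface."""
    halves = {str(r[0]) for r in routes if r[0].prefixlen == 1 and r[2] == tap_addr}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


def check_server_host_route(routes, server, tap_addr):
    """True when the VPN server itself is reached outside the tunnel.

    redirect-gateway installs a /32 for the server via the original gateway;
    without it the encrypted packets would be routed back into the tunnel.
    """
    net, _gw, iface, _metric = lookup(routes, server)
    return net.prefixlen == 32 and iface != tap_addr


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT)
    print("def1 half-defaults via TAP:", check_def1(routes, TAP_ADDR))
    print("server host route off-tunnel:",
          check_server_host_route(routes, VPN_SERVER, TAP_ADDR))
    for dst in ("8.8.8.8", "150.1.1.1", "192.168.2.50", VPN_SERVER):
        net, gw, iface, metric = lookup(routes, dst)
        print(f"{dst:>14} -> {str(net):<16} gw={gw:<12} if={iface:<13} metric={metric}")
```

Feed it the real output of `route print -4` instead of the constructed table and the two check functions give a yes/no answer to "is all traffic going through the tunnel": both halves must point at the TAP interface, and the server's /32 must not.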
Selva Nair
2017-04-24 19:07:06 UTC
Permalink
Hi,
Post by David Mehler
Post by David Mehler
The issue when I tried to start the Interactive Services detection
https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2012/10/09/windows-8-interactive-services-detection-error-1-incorrect-function/
Post by David Mehler
Once Interactive Services detection service was going I restarted
Openvpn gui (it is v2.4 and I never had 2.3 on this box), I did not
get the UAC dialog box and the connection was successful.
Mmmh. This isn't "our" interactive service, but something in windows,
which we *should* not need - but I leave that part to Selva, because
I'm not so good at esoteric windows internals.
Yes this has nothing to do with openvpnserviceinteractive. Just make sure

sc query openvpnserviceinteractive

shows the service is running.

Even if the service is running it will not get used if you start the GUI
as admin which appears to be forced in your case. The reason for UAC prompt
is most likely what Gert mentioned in a previous email: the GUI executable
or shortcut is set to run as admin. Probably customized by the user when
2.3 was in use. To fix this look at the properties of both openvpn-gui.exe
and its shortcut for any "run as admin" flags and uncheck if enabled. This
can occur at a couple of places: see Trac #811 for more details
(https://community.openvpn.net/openvpn/ticket/811)

Selva
David Mehler
2017-04-24 22:49:55 UTC
Permalink
Hello,

My thanks for everyone's help.
Thanks.
Dave.
pull
This is implied by --client, so not needed
comp-lzo no
This is deprecated; use "compress" if the server is using compression. What I
do is push "compress method" in server config where method = lzo or
whatever you like and "compress" with no options in client config. That
adds compression support in client but leaves it off until the pushed
message is received. This allows for switching compression on/off from the
server side.
rcvbuf 262144
sndbuf 262144
route-method exe
route-delay 5
route-metric 550
Leave all that out. Especially "route method ..." -- let openvpn use the
best method for setting routes which will be using the service if run as
limited user or IPAPI if run as admin.
Selva
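As an added example (not Selva's configuration and not the project's own), here is the client profile from the thread with the lines Selva flags, beside the trimmed client file and the server-side push that turns compression on only after the client connects. The server line assumes lzo as the algorithm, to match the old comp-lzo setting; the "client" directive is the one Selva notes already implies pull.

```conf
# server.conf, relevant line only (lzo is assumed here to match the old comp-lzo line)
push "compress lzo"        # each client enables lzo only after it receives this push

# client.ovpn, before: lines from the thread that Selva flags
client
pull                       # redundant: --client already implies it
comp-lzo no                # deprecated form, replaced by "compress"
rcvbuf 262144
sndbuf 262144
route-method exe           # forces one route-setting method instead of letting OpenVPN choose
route-delay 5
route-metric 550

# client.ovpn, after: compression framing present, compression off until the server pushes it
client
compress                   # no argument: stays off, accepts whatever the server pushes
```

With the route-* lines gone, OpenVPN picks the route-setting method itself: the interactive service when the GUI runs as a limited user, IPAPI when it runs as admin, exactly as Selva describes.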