[Openvpn-users] Problems setting up dual-stack OpenVPN server on a Windows 10 host
Daryl Morse
2016-11-14 18:05:12 UTC
I'm trying to set up a dual-stack OpenVPN server on a windows 10 host. I'm
also using a windows 10 host as the client. I have two dual-stack networks,
both using pfsense. One is pfsense 2.3.2_1 with a hurricane electric tunnel.
The other is pfsense 2.4 (beta) with native ipv6. Both of these networks use
the same modem, which is 50 mbps down / 10 mbps up, but are otherwise
completely separate. Both networks are working properly according to
ipv6-test.com and test-ipv6.com. The speed and latency are the same on the
native network and the ipv6 stack is around 10% slower than the ipv4 stack
on the network using the tunnel. Both networks have a /64 prefix for ipv6.
On the router for the native ipv6 network, I have two separate /64 prefixes
from a /56 prefix on two separate interfaces.



I was initially using the openvpn-install-2.3.12-I601-x86_64 release. I have
also tried the openvpn-install-2.3.13-I601-x86_64 release and the
openvpn-install-2.4_alpha2-I601-x86_64 release. There was no noticeable
difference between the different versions.



I used the how-to and the example client and server configurations to set up
the pki and the client and server. The pki works properly. I can get the
client and server connected and I can ping the client from the server and
the server from the client using both ipv4 and ipv6. The majority of the
difficulty I've encountered has been getting traffic from the vpn to the
gateway on the server. I've found that the how-to covers pki and client /
server settings very thoroughly, but it leaves a lot of unanswered questions
about setting up the server, aside from OpenVPN itself. It would be very
helpful if someone from the development community who is working on the
windows version would confirm what the intended configuration is for the
server and document it in the how-to.



I wasn't making any progress getting dual-stack working so I decided to try
to get ipv4 working first. Since my networks and hosts are set up to use
dual-stack, I disabled ipv6 on the client and server ethernet interfaces and
tap adapters. I got the server to work using internet connection sharing
(ICS), with no other windows configuration changes. (Over on the forum,
there are a variety of other recommended settings that I found either didn't
make any difference or didn't work at all.) I also found what appears to be
a problem with the tap adapter. After enabling ICS, the settings on the tap
adapter get changed from "Obtain an ip address automatically" to use
192.168.137.1 address and 255.255.255.0 subnet with blank gateway and from
"Obtain dns server address automatically" to use blank dns addresses. Here
<https://dl.dropboxusercontent.com/u/61356231/tap%20settings.PNG> is a link
to a screen capture. With these settings, the server will not route vpn
traffic to the gateway. I've found that by resetting the tap adapter to
obtain ip address and dns server addresses automatically it works properly -
for a while. The vpn connects and stays connected, but after a while, if the
server is disconnected or if the host is rebooted, the tap adapter settings
get switched back to the settings above and the server won't route vpn
traffic again unless the settings are returned to automatic. I've tried this
using only one network interface as well as using two network interfaces but
the behaviour is the same.



I would appreciate if someone would confirm if ICS is the intended way to
configure the server and if there is an alternate configuration that does
not have the problem that I've described above. If someone would like to see
log files or any other information, I would be happy to provide it.



I will provide a follow-up on the ipv6 configuration.



Here is the client configuration:



client
dev tun
proto udp
remote 50.98.86.223 1194
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
block-outside-dns



Here is the server configuration:



port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "block-outside-dns"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
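
The following is an added example, not part of the original post or of OpenVPN itself: a Python check that reads a server configuration like the one posted above and reports which dual-stack directives are absent. The `2001:db8:0:123::/64` pool and the function names are assumptions made for illustration; `server-ipv6`, `route-ipv6` and the `ipv6` flag of `redirect-gateway` are existing OpenVPN options.

```python
import ipaddress
import shlex

# Constructed input: the server configuration as posted in the message above.
POSTED_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "block-outside-dns"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

# Constructed variant (assumption): adds an IPv6 pool and an IPv6 route push.
# 2001:db8::/32 is the documentation prefix, not a real deployment value.
DUAL_STACK_CONF = POSTED_SERVER_CONF + (
    "server-ipv6 2001:db8:0:123::/64\n"
    'push "route-ipv6 2000::/3"\n'
)

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def parse_directives(text):
    """Split a config into token lists, skipping blank lines and comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            tokens[0] = tokens[0].lstrip("-")  # accept the "--option" spelling
            directives.append(tokens)
    return directives


def covers_global_ipv6(prefix):
    """True if an IPv6 prefix contains all of 2000::/3 (global unicast)."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    return net.version == 6 and GLOBAL_UNICAST.subnet_of(net)


def audit_dual_stack(text):
    """Report which address families get a pool and a pushed default route."""
    directives = parse_directives(text)
    # Each push carries one quoted option string; split it into its own tokens.
    pushed = [shlex.split(d[1]) for d in directives
              if d[0] == "push" and len(d) > 1]
    pushed = [p for p in pushed if p]
    redirects = [p[1:] for p in pushed if p[0] == "redirect-gateway"]

    result = {
        "ipv4_pool": any(d[0] == "server" for d in directives),
        "ipv6_pool": any(d[0] == "server-ipv6" for d in directives),
        "ipv4_default_pushed": any("!ipv4" not in f for f in redirects),
        "ipv6_default_pushed": (
            any("ipv6" in f for f in redirects)
            or any(p[0] == "route-ipv6" and len(p) > 1
                   and covers_global_ipv6(p[1]) for p in pushed)
        ),
        "findings": [],
    }
    if result["ipv4_pool"] and not result["ipv6_pool"]:
        result["findings"].append(
            "no server-ipv6: clients receive no tunnel IPv6 address")
    if result["ipv4_default_pushed"] and not result["ipv6_default_pushed"]:
        result["findings"].append(
            "only the IPv4 default route is redirected: "
            "client IPv6 traffic stays outside the tunnel")
    if result["ipv6_default_pushed"] and not result["ipv6_pool"]:
        result["findings"].append(
            "IPv6 routes are pushed but there is no server-ipv6 pool")
    return result


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_SERVER_CONF),
                       ("dual-stack", DUAL_STACK_CONF)):
        report = audit_dual_stack(conf)
        print(name, report["findings"] or "no findings")
```

The check covers OpenVPN directives only; forwarding and NAT on the Windows host, which the rest of the thread discusses, are outside what a config file can show.
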
Daryl Morse
2016-11-18 04:34:58 UTC
Further to the previous email linked below. I upgraded to the 2.4_beta1
software in case it might have made a difference. It did not. I'm wondering
if any other users or developers encounter the same problem as I described.
It's repeatable that when enabling internet connection sharing, the tap
adapter gets non-automatic settings, which causes traffic from the vpn to
not be routed to the gateway. This seems to be a bug.



Also, I tried enabling ipv6 and it also does not route traffic from the vpn
to the gateway, even though ipv4 is working and also the client and server
can ping each other in both directions. I would really appreciate hearing
from a user or developer who has an openvpn server running on a windows 10
(or any windows) host.



If someone would like me to post logs or any other information, let me know.



Thanks.



From: Daryl Morse [mailto:***@telus.net]
Sent: Monday, November 14, 2016 10:05 AM
To: 'openvpn-***@lists.sourceforge.net'
<openvpn-***@lists.sourceforge.net>
Subject: Problems setting up dual-stack OpenVPN server on a Windows 10 host



https://sourceforge.net/p/openvpn/mailman/message/35490866/
Gert Doering
2016-11-18 07:30:08 UTC
Hi,

On Thu, Nov 17, 2016 at 08:34:58PM -0800, Daryl Morse wrote:
> Further to the previous email linked below. I upgraded to the 2.4_beta1
> software in case it might have made a difference. It did not. I'm wondering
> if any other users or developers encounter the same problem as I described.
> It's repeatable that when enabling internet connection sharing, the tap
> adapter gets non-automatic settings, which causes traffic from the vpn to
> not be routed to the gateway. This seems to be a bug.

None of the developers would use Windows to run a VPN *Server* - so
we're not likely to bump into that.

You might get it to work by setting "--ip-win32 netsh" (or "ipapi") in your
openvpn config - telling it, basically, to no longer try running DHCP on
the tap adapter but just calling netsh.exe or using the IP-API functions
to set addresses and routing.

> Also, I tried enabling ipv6 and it also does not route traffic from the vpn
> to the gateway, even though ipv4 is working and also the client and server
> can ping each other in both directions. I would really appreciate hearing
> from a user or developer who has an openvpn server running on a windows 10
> (or any windows) host.

IPv6 should just work, independent of "automatic settings" - if not, check
log files and routing. Not sure what internet connection sharing will do
for IPv6, though - for v4, it does "NAT to my public address", which is
generally not done for v6.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
Daryl Morse
2016-11-25 05:49:39 UTC
Hi Gert,

Thanks for your reply. I didn't see anything in the how-to or documentation
that an openvpn server wasn't supported on windows and I have windows
available so that's what I tried. I couldn't get it working, so I posted on
the forum. There were no replies from anyone so I posted here, hoping I
would find someone who knows how to get it working.

I was using ICS because of the various configurations I read about on the
forum, it was the only configuration that would work (i.e., connect and pass
traffic). However, I can get the client and server connected and passing
traffic with ICS and ipv4, but if I enable ipv6, it connects, but no traffic
is passed.

I will give your suggestion a try and report back.

Thanks again.

Gert Doering
2016-11-25 08:57:04 UTC
Hi,

On Thu, Nov 24, 2016 at 09:49:39PM -0800, Daryl Morse wrote:
> Thanks for your reply. I didn't see anything in the how-to or documentation
> that an openvpn server wasn't supported on windows and I have windows
> available so that's what I tried.

Well, it's not strictly "not supported"...

> I couldn't get it working,

... but because everything on windows related to IP, routing, networking
is painful, and diagnosing "why things are not working as expected" is
doubly painful, *I* would never dream of doing anything requiring
packet intelligence on a windows server.

I know that Debbie10t is doing this, so it can be done...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
Jan Just Keijser
2016-11-18 11:16:25 UTC
Hi,


as Gert already pointed out, running OpenVPN as a server on Windows is
not often done, so you will be hard-pressed to find lots of support for it.
I'd not use ICS, however, as ICS turns your (tap) adapter into a
statically configured device, and sets up a DHCP server on this device.
It *is* possible to run OpenVPN in such a configuration but it is very
non-standard.

If you want to use NATting/masquerading for your clients then I'd
suggest to use the Windows RRAS service, which will do NATting in a much
nicer manner.

Having said that, you'll probably be better off to run a
pre-configuration Linux VM inside your Windows box; this VM can then
run the openvpn server and do all the networking and NATting for you,
including IPv4 and IPv6.

HTH,

JJK

Selva Nair
2016-11-18 18:46:56 UTC
Hi,

On Thu, Nov 17, 2016 at 11:34 PM, Daryl Morse <***@telus.net> wrote:
> Further to the previous email linked below. I upgraded to the 2.4_beta1
> software in case it might have made a difference. It did not. I’m wondering
> if any other users or developers encounter the same problem as I described.


We have an openvpn server running on Windows (Server 2008R2), but we don't
let clients do redirect-gateway, so it's a simple setup. A server config
similar to what you posted and no ICS or NAT.

On Fri, Nov 18, 2016 at 6:16 AM, Jan Just Keijser <***@nikhef.nl> wrote:

> I'd not use ICS, however, as ICS turns your (tap) adapter into a
> statically configured device, and sets up a DHCP server on this device. It
> *is* possible to run OpenVPN in such a configuration but it is very
> non-standard.


I too would suggest not to use ICS -- it could be probably made to work
with some registry hacks, but it's going to be a pain. Try if you could do the
NAT for the private ipv4 vpn addresses on the pfsense router of the
server-side network.

Selva
Daryl Morse
2016-11-25 06:20:20 UTC
Hi Selva,



Thank you for the reply. If you aren’t using redirect gateway, I guess it’s a different situation.



WRT ICS, I’ll use anything that works. As I said, I couldn’t even get the client and server to connect using RRAS.



WRT NAT, server was NATting the 10.x.x.x VPN address to the LAN address and router was NATting to the WAN address. It was working exactly as you would expect, just not for ipv6.



Thanks.



debbie10t
2016-11-18 19:55:00 UTC
On 14/11/16 18:05, Daryl Morse wrote:
> I'm trying to set up a dual-stack OpenVPN server on a windows 10 host. I'm
> also using a windows 10 host as the client. I have two dual-stack networks,
> both using pfsense. One is pfsense 2.3.2_1 with a hurricane electric tunnel.
> The other is pfsense 2.4 (beta) with native ipv6.

I noticed this on the Forum:
https://forums.openvpn.net/viewtopic.php?f=6&t=22477

Looks very familiar ..



I don't get what exactly you are trying to do but
I do use W10 as OpenVPN server with dual stack and that works.

As for "browser failover" from IPv6 to IPv4 ?
Firefox does not appear to be able to use IPv6 addresses directly.
(Unless there is a hidden setting I don't know about)

But W10 + OpenVPN Dual stack server works as expected.

Regards

Daryl Morse
2016-11-25 07:03:30 UTC
Hello,



That post looks familiar because it's my post. I didn't find any solution to
my problem so I'm trying here.



Since it's not clear to you what I'm trying to do, it's probably not clear
to others so I'll try to explain again.



I have two dual stack networks. One uses a hurricane electric tunnel for
ipv6. The other uses native ipv6. When I run ipv6-test.com or test-ipv6.com
on either network, they both verify that ipv6 is working properly using
chrome, edge and ie11. (I don't use firefox, but it should not be different
than the other browsers.) When dual-stack is available, all browsers are
supposed to default to ipv6 and only fallback to ipv4 if ipv6 has excessive
latency. Both of these tests verify that all three browsers are defaulting
to ipv6 and falling back reliably.



Here is what the ipv6-test.com browser test looks like when it passes:







When I use openvpn (not my server, but a service), it fails the above test
and reports it as an error. The reason I'm setting up my own server is to
conclusively determine if this is an openvpn issue. If it is, I'll report it as
a bug. I'm not familiar with the code, but based on the symptom, I would not
be surprised if ipv6 packets are inadvertently getting buffered.



You are the only person I've heard from who has a working windows 10 dual
stack server! I'm glad to hear it's possible. I would really appreciate if
you would explain how you have the server configured (not only the
server.conf, but also the networking and routing), because as I explained, I
haven't been able to get my server working. Alternatively, please try going
to ipv6-test.com and test-ipv6.com and reporting your results.



I hope that clarifies sufficiently.



Thanks again.



debbie10t
2017-01-17 11:49:11 UTC
Hi,

On 17/01/17 04:54, Daryl Morse wrote:
> Hi Debbie,
>
>
>
> I hope you don't mind me replying to you directly. If you would prefer, I
> will email openvpn-users.
>
>
>
> I was away on an extended business trip and vacation so have not been able
> to look at this further.
>
>
>
> Since you have a dual-stack openvpn server running on Windows 10, I would
> really like to know how you got it working. Is it possible for you to tell
> me about your configuration (both of openvpn and windows 10)?
>

See:
https://forums.openvpn.net/viewtopic.php?f=7&t=22811


>
>
> Regards,
>
> Daryl
>
>
>
> From: Daryl Morse [mailto:***@telus.net]
> Sent: Thursday, November 24, 2016 11:04 PM
> To: openvpn-***@lists.sourceforge.net
> Cc: 'debbie10t' <***@gmail.com>
> Subject: RE: [Openvpn-users] Problems setting up dual-stack OpenVPN server
> on a Windows 10 host
>
>
>
> Hello,
>
>
>
> That post looks familiar because it's my post. I didn't find any solution to
> my problem so I'm trying here.
>
>
>
> Since it's not clear to you what I'm trying to do, it's probably not clear
> to others so I'll try to explain again.
>
>
>
> I have two dual stack networks. One uses a hurricane electric tunnel for
> ipv6. The other uses native ipv6. When I run ipv6-test.com or test-ipv6.com
> on either network, they both verify that ipv6 is working properly using
> chrome, edge and ie11. (I don't use firefox, but it should not be different
> than the other browsers.) When dual-stack is available, all browsers are
> supposed to default to ipv6 and only fallback to ipv4 if ipv6 has excessive
> latency. Both of these tests verify that all three browsers are defaulting
> to ipv6 and falling back reliably.
>
>
>
> Here is what the ipv6-test.com browser test looks like when it passes:
>
>
>
>
>
>
>
> When I use openvpn (not my server, but a service), it fails the above test


These are the people you need to contact.

Failing that, please post your client log file at --verb 4 when using
that service.



> and reports it as an error. The reason I'm setting up my own server is to
> conclusively determine if this an openvpn issue. If it is, I'll report it as
> a bug. I'm not familiar with the code, but based on the symptom, I would not
> be surprised if ipv6 packets are inadvertently getting buffered.
>
>
>
> You are the only person I've heard from who has a working windows 10 dual
> stack server! I'm glad to hear it's possible. I would really appreciate if
> you would explain how you have the server configured (not only the
> server.conf, but also the networking and routing), because as I explained, I
> haven't been able to get my server working. Alternatively, please try going
> to ipv6-test.com and test-ipv6.com and reporting your results.
>
>
>
> I hope that clarifies sufficiently.
>
>
>
> Thanks again.
debbie10t
2017-01-17 11:58:20 UTC
I also meant to include this:

https://community.openvpn.net/openvpn/wiki/IPv6

Other than that, there is nothing special about my configuration.


I believe your problem is related to the "VPN Service" you are using.

We can only provide limited help with that and will require your client
config file and client log file at --verb 4
Daryl Morse
2016-11-25 06:15:22 UTC
Hi JJK,



Thanks for your reply.



Based on your suggestion, I disabled ICS and went back to RRAS. With RRAS
enabled, the client and server will not even connect with ipv4 only, let
alone pass any traffic. (I enabled "allow callers to access my local
network" for ipv4 and ipv6 and I entered the /64 prefix.) If you (or anyone
else) know of specific RRAS settings that work, please post them.



WRT NATting /masquerading, I have no specific requirement for how it works,
only that it passes traffic. The way it worked for ipv4 (using the ISP
assigned WAN address) is fine.



Thanks.



From: Jan Just Keijser [mailto:***@nikhef.nl]
Sent: Friday, November 18, 2016 3:16 AM
To: Daryl Morse <***@telus.net>; openvpn-***@lists.sourceforge.net
Subject: Re: [Openvpn-users] Problems setting up dual-stack OpenVPN server
on a Windows 10 host



Hi,


as Gert already pointed out, running OpenVPN as a server on Windows is not
often done, so you will be hard-pressed to find lots of support for it.
I'd not use ICS , however, as ICS turns your (tap) adapter into a statically
configured device , and sets up a DHCP server on this device. It *is*
possible to run OpenVPN in such a configuration but it is very non-standard.

If you want to use NATting/masquerading for your clients then I'd suggest to
use the Windows RRAS service, which will do NATting in a much nicer manner.

Having said that, you'll probably be better off to run a pre-configuration
Linux VM inside your Windows box ; this VM can then run the openvpn server
and do all the networking and NATting for you, including IPv4 and IPv6.

HTH,

JJK

On 14/11/16 19:05, Daryl Morse wrote:

I'm trying to set up a dual-stack OpenVPN server on a windows 10 host. I'm
also using a windows 10 host as the client. I have two dual-stack networks,
both using pfsense. One is pfsense 2.3.2_1 with a hurricane electric tunnel.
The other is pfsense 2.4 (beta) with native ipv6. Both of these networks use
the same modem, which is 50 mbps down / 10 mbps up, but are otherwise
completely separate. Both networks are working properly according to
ipv6-test.com and test-ipv6.com. The speed and latency are the same on the
native network and the ipv6 stack is around 10% slower than the ipv4 stack
on the network using the tunnel. Both networks have a /64 prefix for ipv6.
On the router for the native ipv6 network, I have two separate /64 prefixes
from a /56 prefix on two separate interfaces.



I was initially using the openvpn-install-2.3.12-I601-x86_64 release. I have
also tried the openvpn-install-2.3.13-I601-x86_64 release and the
openvpn-install-2.4_alpha2-I601-x86_64 release. There was no noticeable
difference between the different versions.



I used the how-to and the example client and server configurations to set up
the pki and the client and server. The pki works properly. I can get the
client and server connected and I can ping the client from the server and
the server from the client using both ipv4 and ipv6. The majority of the
difficulty I've encountered has been getting traffic from the vpn to the
gateway on the server. I've found that the how-to covers pki and client /
server settings very thoroughly, but it leaves a lot of unanswered questions
about setting up the server, aside from OpenVPN itself. It would be very
helpful if someone from the development community who is working on the
windows version would confirm what the intended configuration is for the
server and document it in the how-to.



I wasn't making any progress getting dual-stack working so I decided to try
to get ipv4 working first. Since my networks and hosts are set up to use
dual-stack, I disabled ipv6 on the client and server ethernet interfaces and
tap adapters. I got the server to work using internet connection sharing
(ICS), with no other windows configuration changes. (Over on the forum,
there are a variety of other recommended settings that I found either didn't
make any difference or didn't work at all.) I also found what appears to be
a problem with the tap adapter. After enabling ICS, the settings on the tap
adapter get changed from "Obtain an ip address automatically" to use
192.168.137.1 address and 255.255.255.0 subnet with blank gateway and from
"Obtain dns server address automatically" to use blank dns addresses. Here
<https://dl.dropboxusercontent.com/u/61356231/tap%20settings.PNG> is a link
to a screen capture. With these settings, the server will not route vpn
traffic to the gateway. I've found that by resetting the tap adapter to
obtain ip address and dns server addresses automatically it works properly -
for a while. The vpn connects and stays connected, but after a while, if the
server is disconnected or if the host is rebooted, the tap adapter settings
get switched back to the settings above and the server won't route vpn
traffic again unless the settings are returned to automatic. I've tried this
using only one network interface as well as using two network interfaces but
the behaviour is the same.



I would appreciate if someone would confirm if ICS is the intended way to
configure the server and if there is an alternate configuration that does
not have the problem that I've described above. If someone would like to see
log files or any other information, I would be happy to provide it.



I will provide a follow-up on the ipv6 configuration.



Here is the client configuration:



client
dev tun
proto udp
remote 50.98.86.223 1194
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
block-outside-dns



Here is the server configuration:



port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "block-outside-dns"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Jan Just Keijser
2016-11-25 17:29:03 UTC
Permalink
Hi Daryl,

On 25/11/16 07:15, Daryl Morse wrote:
>
> Hi JJK,
>
> Thanks for your reply.
>
> Based on your suggestion, I disabled ICS and went back to RRAS. With
> RRAS enabled, the client and server will not even connect with ipv4
> only, let alone pass any traffic. (I enabled “allow callers to access
> my local network” for ipv4 and ipv6 and I entered the /64 prefix.) If
> you (or anyone else) know of specific RRAS settings that work, please
> post them.
>
> WRT NATting/masquerading, I have no specific requirement for how it
> works, only that it passes traffic. The way it worked for ipv4 (using
> the ISP assigned WAN address) is fine.
>

I've just recreated your setup on Windows 7 Pro and also found that RRAS
is not working. That shows that my networking knowledge of Windows
stopped with XP, as this solution did work in windows XP (as you can
find on the internet as well). It turns out that Microsoft
disabled/removed NATting support in RRAS for Windows 7+: for that, they
explicitly want you to run Windows Server 20xx.

The next step was to use ICS:
- I enabled ICS on my local ethernet adapter
- as the "home network" adapter I chose the TAP adapter
- next, start OpenVPN as a server and connect a client; note that the IP
address of the VPN server was simply what I had configured in the config
file (192.168.200.1)


I also enabled ip routing on my Win 7 box (using regedit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter := 1).

This setup worked for me, including restarts of the OpenVPN server
process. I did not try to automate the process - so I don't know if this
works after reboots, or while running OpenVPN as a service.

HTH,

JJK




> *From:*Jan Just Keijser [mailto:***@nikhef.nl]
> *Sent:* Friday, November 18, 2016 3:16 AM
> *To:* Daryl Morse <***@telus.net>;
> openvpn-***@lists.sourceforge.net
> *Subject:* Re: [Openvpn-users] Problems setting up dual-stack OpenVPN
> server on a Windows 10 host
>
> Hi,
>
>
> as Gert already pointed out, running OpenVPN as a server on Windows
> is not often done, so you will be hard-pressed to find lots of support
> for it.
> I'd not use ICS, however, as ICS turns your (tap) adapter into a
> statically configured device, and sets up a DHCP server on this
> device. It *is* possible to run OpenVPN in such a configuration but it
> is very non-standard.
>
> If you want to use NATting/masquerading for your clients then I'd
> suggest to use the Windows RRAS service, which will do NATting in a
> much nicer manner.
>
> Having said that, you'll probably be better off to run a
> pre-configuration Linux VM inside your Windows box; this VM can then
> run the openvpn server and do all the networking and NATting for you,
> including IPv4 and IPv6.
>
> HTH,
>
> JJK
>
> On 14/11/16 19:05, Daryl Morse wrote:
>
> I’m trying to set up a dual-stack OpenVPN server on a windows 10
> host. I’m also using a windows 10 host as the client. I have two
> dual-stack networks, both using pfsense. One is pfsense 2.3.2_1
> with a hurricane electric tunnel. The other is pfsense 2.4 (beta)
> with native ipv6. Both of these networks use the same modem, which
> is 50 mbps down / 10 mbps up, but are otherwise completely
> separate. Both networks are working properly according to
> ipv6-test.com and test-ipv6.com. The speed and latency are the
> same on the native network and the ipv6 stack is around 10% slower
> than the ipv4 stack on the network using the tunnel. Both networks
> have a /64 prefix for ipv6. On the router for the native ipv6
> network, I have two separate /64 prefixes from a /56 prefix on two
> separate interfaces.
>
> I was initially using the openvpn-install-2.3.12-I601-x86_64
> release. I have also tried the openvpn-install-2.3.13-I601-x86_64
> release and the openvpn-install-2.4_alpha2-I601-x86_64 release.
> There was no noticeable difference between the different versions.
>
> I used the how-to and the example client and server configurations
> to set up the pki and the client and server. The pki works
> properly. I can get the client and server connected and I can ping
> the client from the server and the server from the client using
> both ipv4 and ipv6. The majority of the difficulty I’ve
> encountered has been getting traffic from the vpn to the gateway
> on the server. I’ve found that the how-to covers pki and client /
> server settings very thoroughly, but it leaves a lot of unanswered
> questions about setting up the server, aside from OpenVPN itself.
> It would be very helpful if someone from the development community
> who is working on the windows version would confirm what the
> intended configuration is for the server and document it in the
> how-to.
>
> I wasn’t making any progress getting dual-stack working so I
> decided to try to get ipv4 working first. Since my networks and
> hosts are set up to use dual-stack, I disabled ipv6 on the client
> and server ethernet interfaces and tap adapters. I got the server
> to work using internet connection sharing (ICS), with no other
> windows configuration changes. (Over on the forum, there are a
> variety of other recommended settings that I found either didn’t
> make any difference or didn’t work at all.) I also found what
> appears to be a problem with the tap adapter. After enabling ICS,
> the settings on the tap adapter get changed from “Obtain an ip
> address automatically” to use 192.168.137.1 address and
> 255.255.255.0 subnet with blank gateway and from “Obtain dns
> server address automatically” to use blank dns addresses. Here
> <https://dl.dropboxusercontent.com/u/61356231/tap%20settings.PNG>
> is a link to a screen capture. With these settings, the server
> will not route vpn traffic to the gateway. I’ve found that by
> resetting the tap adapter to obtain ip address and dns server
> addresses automatically it works properly – for a while. The vpn
> connects and stays connected, but after a while, if the server is
> disconnected or if the host is rebooted, the tap adapter settings
> get switched back to the settings above and the server won’t route
> vpn traffic again unless the settings are returned to automatic.
> I’ve tried this using only one network interface as well as using
> two network interfaces but the behaviour is the same.
>
> I would appreciate if someone would confirm if ICS is the intended
> way to configure the server and if there is an alternate
> configuration that does not have the problem that I’ve described
> above. If someone would like to see log files or any other
> information, I would be happy to provide it.
>
> I will provide a follow-up on the ipv6 configuration.
>
> Here is the client configuration:
>
> client
>
> dev tun
>
> proto udp
>
> remote 50.98.86.223 1194
>
> resolv-retry infinite
>
> persist-key
>
> persist-tun
>
> ca ca.crt
>
> cert client.crt
>
> key client.key
>
> remote-cert-tls server
>
> cipher AES-256-CBC
>
> comp-lzo
>
> verb 3
>
> block-outside-dns
>
> Here is the server configuration:
>
> port 1194
>
> proto udp
>
> dev tun
>
> ca ca.crt
>
> cert server.crt
>
> key server.key
>
> dh dh2048.pem
>
> server 10.8.0.0 255.255.255.0
>
> push "block-outside-dns"
>
> push "redirect-gateway def1 bypass-dhcp"
>
> push "dhcp-option DNS 10.8.0.1"
>
> keepalive 10 120
>
> cipher AES-256-CBC
>
> comp-lzo
>
> persist-key
>
> persist-tun
>
> status openvpn-status.log
>
> verb 3
>
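The Windows-side state discussed in this thread (the IPEnableRouter registry value, and the TAP adapter being switched from automatic addressing to a static 192.168.137.1 once ICS is enabled) can be inspected read-only with PowerShell. This is an added example, not code from any poster in the thread; the adapter description pattern `TAP-Windows Adapter*` is an assumption about how the TAP driver names itself on the host.

```powershell
# Added example: read-only check of the forwarding and TAP adapter state
# described in this thread. It changes nothing on the host.
# Assumption: the TAP adapter's InterfaceDescription starts with "TAP-Windows Adapter".
$tapPattern = 'TAP-Windows Adapter*'
$icsAddress = '192.168.137.1'   # address the thread reports on the TAP adapter after ICS is enabled

# 1. IP routing flag that was set with regedit in the reply above
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$routing = (Get-ItemProperty -Path $key -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($null -eq $routing) { $routing = 'not set' }
"IPEnableRouter = $routing (1 = IP routing enabled)"

# 2. Addressing of every TAP adapter: DHCP vs. static, current IPv4 address, DNS servers
$taps = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like $tapPattern }
if (-not $taps) {
    Write-Warning "No adapter matching '$tapPattern' found"
    return
}

foreach ($tap in $taps) {
    $ipif  = Get-NetIPInterface -InterfaceIndex $tap.ifIndex -AddressFamily IPv4
    $addrs = Get-NetIPAddress -InterfaceIndex $tap.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $dns   = (Get-DnsClientServerAddress -InterfaceIndex $tap.ifIndex -AddressFamily IPv4).ServerAddresses

    [pscustomobject]@{
        Adapter    = $tap.Name
        Status     = $tap.Status
        Dhcp       = $ipif.Dhcp          # Enabled = "Obtain an IP address automatically"
        Forwarding = $ipif.Forwarding    # per-interface IPv4 forwarding state
        IPv4       = ($addrs.IPAddress -join ', ')
        Dns        = ($dns -join ', ')
        # True when the adapter is static on the address the thread attributes to ICS
        IcsStatic  = ($ipif.Dhcp -eq 'Disabled' -and $addrs.IPAddress -contains $icsAddress)
    }
}
```

Running it before and after a reboot or an OpenVPN restart shows whether the adapter has drifted back to the static ICS settings, and makes it visible that the host is forwarding IP traffic between interfaces.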