OpenVPN server (windows 10) Wel connectie geen LAN toegang

Pagina: 1
Acties:

Acties:
  • 0 Henk 'm!

  • Cpri
  • Registratie: Juni 2001
  • Laatst online: 20-03-2023
Met een hoop gepuzzel heb ik eindelijk OpenVPN weten te installeren op mijn Windows 10 servertje
Heb hierbij voornamelijk gebruik gemaakt van het volgende artikel
OPenVPN howto

Inmiddels draait alles en kan ik via de OpenVPN client ook verbinding maken met de VPN server.

Via ipconfig zie ik dat ik keurig een ipadres krijg van de VPN server

Ik kan echter niet op het LAN komen waarop de OpenVPN server draait.
En dit is nou net wel de bedoeling

Ik heb hiervoor al de push route optie in de server.ovpn file aangezet
Echter zonder succes
Ook de register sleutel IPEnableRouter is toegevoegd. (Daarna opnieuw opgestart)

kortom wat gaat er mis, hieronder de logs en de ipconfig.
Heb wel wat zaken geblurred voor de veiligheid


code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
AGENT LOG

IPHelper: delete route 10.8.0.0/24 13 10.8.0.5 metric=-1
IPHelper: delete route 192.168.3.0/24 13 10.8.0.5 metric=-1
IPHelper: delete route 10.8.0.1/32 13 10.8.0.5 metric=-1
netsh interface ip delete route xxx.xxx.xxx.xxx/32 7 192.168.199.37 store=active
Element not found.


netsh interface ip delete route 0.0.0.0/1 13 10.8.0.5 store=active
Ok.

netsh interface ip delete route 128.0.0.0/1 13 10.8.0.5 store=active
Ok.

ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
Tue Mar 14 15:28:04 2023 connection from C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe
Tue Mar 14 15:28:04 2023 HTTP request received from NAMED_PIPE
HTTP Request
method=POST
uri=/add-bypass-route
version=1/1
[0] Host=\\.\pipe\agent_ovpnconnect
[1] Content-Type=application/json
[2] Content-Length=49
[3] Accept=*/*

Tue Mar 14 15:28:04 2023 GetBestGateway: selected gateway 192.168.199.37 on adapter 7 for destination xxx.xxx.xxx.xxx
Tue Mar 14 15:28:04 2023 netsh interface ip add route xxx.xxx.xxx.xxx/32 7 192.168.199.37 store=active
Ok.


Tue Mar 14 15:28:04 2023 connection from C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe
Tue Mar 14 15:28:04 2023 HTTP request received from NAMED_PIPE
HTTP Request
method=POST
uri=/tun-setup
version=1/1
[0] Host=\\.\pipe\agent_ovpnconnect
[1] Content-Type=application/json
[2] Content-Length=1186
[3] Accept=*/*

Tue Mar 14 15:28:04 2023 GetBestGateway: selected gateway 192.168.199.37 on adapter 7 for destination 141.224.227.138
Tue Mar 14 15:28:04 2023 proxy_auto_config_url 
Tue Mar 14 15:28:05 2023 TUN SETUP
TAP ADAPTERS:
guid='{894F67E6-C520-4423-8B3A-7E799A5276D5}' index=13 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\\.\Global\{894F67E6-C520-4423-8B3A-7E799A5276D5}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=13
netsh interface ip set interface 13 metric=1
Ok.
netsh interface ip set address 13 static 10.8.0.6 255.255.255.252 gateway=10.8.0.5 store=active
IPHelper: add route 10.8.0.0/24 13 10.8.0.5 metric=-1
IPHelper: add route 192.168.3.0/24 13 10.8.0.5 metric=-1
IPHelper: add route 10.8.0.1/32 13 10.8.0.5 metric=-1
netsh interface ip add route xxx.xxx.xxx.xxx/32 7 192.168.199.37 store=active
The object already exists.
netsh interface ip add route 0.0.0.0/1 13 10.8.0.5 store=active
Ok.
netsh interface ip add route 128.0.0.0/1 13 10.8.0.5 store=active
Ok.
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP: ARP flush succeeded
Tue Mar 14 15:28:05 2023 TUN CONFIRM


code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
SERVER LOG
2023-03-14 15:26:53 WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
2023-03-14 15:26:53 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations. 
2023-03-14 15:26:53 NOTE: --remote is not defined, disabling data channel offload.
2023-03-14 15:26:53 OpenVPN 2.6.1 [git:v2.6.1/2c2a98a0e559928c] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar  8 2023
2023-03-14 15:26:53 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-03-14 15:26:53 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-03-14 15:26:53 Diffie-Hellman initialized with 2048 bit key
2023-03-14 15:26:53 interactive service msg_channel=0
2023-03-14 15:26:53 open_tun
2023-03-14 15:26:53 tap-windows6 device [OpenVPN TAP-Windows6] opened
2023-03-14 15:26:53 TAP-Windows Driver Version 9.24 
2023-03-14 15:26:53 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {1A056EA0-C29B-4AD2-A871-5BAAAA489AC4} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
2023-03-14 15:26:53 Sleeping for 10 seconds...
2023-03-14 15:27:03 Successful ARP Flush on interface [6] {1A056EA0-C29B-4AD2-A871-5BAAAA489AC4}
2023-03-14 15:27:03 IPv4 MTU set to 1500 on interface 6 using SetIpInterfaceEntry()
2023-03-14 15:27:03 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
2023-03-14 15:27:03 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
2023-03-14 15:27:03 Route addition via ipapi [adaptive] succeeded
2023-03-14 15:27:03 Could not determine IPv4/IPv6 protocol. Using AF_INET6
2023-03-14 15:27:03 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-03-14 15:27:03 setsockopt(IPV6_V6ONLY=0)
2023-03-14 15:27:03 UDPv6 link local (bound): [AF_INET6][undef]:1194
2023-03-14 15:27:03 UDPv6 link remote: [AF_UNSPEC]
2023-03-14 15:27:03 MULTI: multi_init called, r=256 v=256
2023-03-14 15:27:03 IFCONFIG POOL IPv4: base=10.8.0.4 size=62
2023-03-14 15:27:03 ifconfig_pool_read(), in='MyName,10.8.0.4,'
2023-03-14 15:27:03 succeeded -> ifconfig_pool_set(hand=0)
2023-03-14 15:27:03 IFCONFIG POOL LIST
2023-03-14 15:27:03 MyName,10.8.0.4,
2023-03-14 15:27:03 Initialization Sequence Completed
2023-03-14 15:28:01 84.241.202.195:28025 VERIFY OK: depth=1, CN=MyName
2023-03-14 15:28:01 84.241.202.195:28025 VERIFY OK: depth=0, CN=MyName
2023-03-14 15:28:01 84.241.202.195:28025 peer info: IV_VER=3.git::d3f8b18b
2023-03-14 15:28:01 84.241.202.195:28025 peer info: IV_PLAT=win
2023-03-14 15:28:01 84.241.202.195:28025 peer info: IV_NCP=2
2023-03-14 15:28:01 84.241.202.195:28025 peer info: IV_TCPNL=1
2023-03-14 15:28:01 84.241.202.195:28025 peer info: IV_PROTO=30
2023-03-14 15:28:01 84.241.202.195:28025 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
2023-03-14 15:28:01 84.241.202.195:28025 peer info: IV_AUTO_SESS=1
2023-03-14 15:28:01 84.241.202.195:28025 peer info: IV_GUI_VER=OCWindows_3.3.7-2979
2023-03-14 15:28:01 84.241.202.195:28025 peer info: IV_SSO=webauth,openurl,crtext
2023-03-14 15:28:01 84.241.202.195:28025 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-14 15:28:01 84.241.202.195:28025 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-14 15:28:01 84.241.202.195:28025 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-03-14 15:28:01 84.241.202.195:28025 [MyName] Peer Connection Initiated with [AF_INET6]::ffff:84.241.202.195:28025
2023-03-14 15:28:01 MyName/84.241.202.195:28025 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
2023-03-14 15:28:01 MyName/84.241.202.195:28025 MULTI: Learn: 10.8.0.6 -> MyName/84.241.202.195:28025
2023-03-14 15:28:01 MyName/84.241.202.195:28025 MULTI: primary virtual IP for MyName/84.241.202.195:28025: 10.8.0.6
2023-03-14 15:28:01 MyName/84.241.202.195:28025 SENT CONTROL [MyName]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,route 192.168.3.0 255.255.255.0,redirect-gateway def1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM,key-derivation tls-ekm' (status=1)
2023-03-14 15:28:01 MyName/84.241.202.195:28025 PUSH: Received control message: 'PUSH_REQUEST'
2023-03-14 15:28:02 MyName/84.241.202.195:28025 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2023-03-14 15:28:02 MyName/84.241.202.195:28025 Timers: ping 10, ping-restart 240
2023-03-14 15:28:02 MyName/84.241.202.195:28025 Protocol options: explicit-exit-notify 1, protocol-flags tls-ekm


code:
1
2
3
4
5
6
7
8
9
10
11
STATUS LOG
OpenVPN CLIENT LIST
Updated,2023-03-14 15:37:04
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
myName,84.241.202.195:28025,377859,7785,2023-03-14 15:28:01
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,MyName,84.241.202.195:28025,2023-03-14 15:35:31
GLOBAL STATS
Max bcast/mcast queue length,0
END

Acties:
  • 0 Henk 'm!

  • Cpri
  • Registratie: Juni 2001
  • Laatst online: 20-03-2023
Voor zover ik kan zien moet ik dus nog ergens een static route toevoegen zodat het VPN netwerk 10.8.0.0 verbinding kan maken met de server.

Welke IP adressen moet ik hiervoor gebruiken?
Gateway van het LAN of het LAN IP Adress van mijn server
IP adres van de VPN (10.8.0.1) of toch een ander adres in die reeks of juist het IP adres van de client??

Acties:
  • 0 Henk 'm!

  • Goldenpants0291
  • Registratie: Maart 2020
  • Laatst online: 10-07 09:52
Je VPN en je LAN zijn 2 verschillende subnets. Normaal gesproken knoop je 2 subnets aan elkaar met een Router of een ander L3 device. In het geval van een VPN verbinding moet ik zeggen dat ik daar wat minder kaas van heb gegeten eerlijk gezegd. Maar misschien helpt dat je al iets verder op weg?

Edit:
Heb je hier wat aan?

https://community.cisco.c...o-lan-subnet/td-p/3781902

[ Voor 18% gewijzigd door Goldenpants0291 op 14-03-2023 17:16 ]


Acties:
  • 0 Henk 'm!

  • Faifz
  • Registratie: November 2010
  • Laatst online: 23-06 14:35
Let wel op dat je devices op je LAN netwerk waarschijnlijk een firewall hebben die ping blokkeert. Verifieer dit vooraleer je doorgaat. Post ook je server config file.

Acties:
  • 0 Henk 'm!

  • Cpri
  • Registratie: Juni 2001
  • Laatst online: 20-03-2023
Ping wordt idd geblokkeerd maar er zijn wel andere devices in mijn LAN die ik zou moeten kunnen benaderen

hierbij mijn server config file
code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
#################################################

# Sample OpenVPN 2.0 config file for            #

# multi-client server.                          #

#                                               #

# This file is for the server side              #

# of a many-clients <-> one-server              #

# OpenVPN configuration.                        #

#                                               #

# OpenVPN also supports                         #

# single-machine <-> single-machine             #

# configurations (See the Examples page         #

# on the web site for more info).               #

#                                               #

# This config should work on Windows            #

# or Linux/BSD systems.  Remember on            #

# Windows to quote pathnames and use            #

# double backslashes, e.g.:                     #

# "C:\\Program Files\\OpenVPN\\config\\foo.key" #

#                                               #

# Comments are preceded with '#' or ';'         #

#################################################



# Which local IP address should OpenVPN

# listen on? (optional)

;local a.b.c.d



# Which TCP/UDP port should OpenVPN listen on?

# If you want to run multiple OpenVPN instances

# on the same machine, use a different port

# number for each one.  You will need to

# open up this port on your firewall.

port 1194



# TCP or UDP server?

;proto tcp

proto udp



# "dev tun" will create a routed IP tunnel,

# "dev tap" will create an ethernet tunnel.

# Use "dev tap0" if you are ethernet bridging

# and have precreated a tap0 virtual interface

# and bridged it with your ethernet interface.

# If you want to control access policies

# over the VPN, you must create firewall

# rules for the the TUN/TAP interface.

# On non-Windows systems, you can give

# an explicit unit number, such as tun0.

# On Windows, use "dev-node" for this.

# On most systems, the VPN will not function

# unless you partially or fully disable

# the firewall for the TUN/TAP interface.

;dev tap

dev tun



# Windows needs the TAP-Win32 adapter name

# from the Network Connections panel if you

# have more than one.  On XP SP2 or higher,

# you may need to selectively disable the

# Windows firewall for the TAP adapter.

# Non-Windows systems usually don't need this.

;dev-node MyTap



# SSL/TLS root certificate (ca), certificate

# (cert), and private key (key).  Each client

# and the server must have their own cert and

# key file.  The server and all clients will

# use the same ca file.

#

# See the "easy-rsa" directory for a series

# of scripts for generating RSA certificates

# and private keys.  Remember to use

# a unique Common Name for the server

# and each of the client certificates.

#

# Any X509 key management system can be used.

# OpenVPN can also use a PKCS #12 formatted key file

# (see "pkcs12" directive in man page).

ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"

cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\server.crt"

key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\server.key"  # This file should be kept secret



# Diffie hellman parameters.

# Generate your own with:

#   openssl dhparam -out dh2048.pem 2048

dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"



# Network topology

# Should be subnet (addressing via IP)

# unless Windows clients v2.0.9 and lower have to

# be supported (then net30, i.e. a /30 per client)

# Defaults to net30 (not recommended)

;topology subnet



# Configure server mode and supply a VPN subnet

# for OpenVPN to draw client addresses from.

# The server will take 10.8.0.1 for itself,

# the rest will be made available to clients.

# Each client will be able to reach the server

# on 10.8.0.1. Comment this line out if you are

# ethernet bridging. See the man page for more info.

server 10.8.0.0 255.255.255.0



# Maintain a record of client <-> virtual IP address

# associations in this file.  If OpenVPN goes down or

# is restarted, reconnecting clients can be assigned

# the same virtual IP address from the pool that was

# previously assigned.

ifconfig-pool-persist ipp.txt



# Configure server mode for ethernet bridging.

# You must first use your OS's bridging capability

# to bridge the TAP interface with the ethernet

# NIC interface.  Then you must manually set the

# IP/netmask on the bridge interface, here we

# assume 10.8.0.4/255.255.255.0.  Finally we

# must set aside an IP range in this subnet

# (start=10.8.0.50 end=10.8.0.100) to allocate

# to connecting clients.  Leave this line commented

# out unless you are ethernet bridging.

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100



# Configure server mode for ethernet bridging

# using a DHCP-proxy, where clients talk

# to the OpenVPN server-side DHCP server

# to receive their IP address allocation

# and DNS server addresses.  You must first use

# your OS's bridging capability to bridge the TAP

# interface with the ethernet NIC interface.

# Note: this mode only works on clients (such as

# Windows), where the client-side TAP adapter is

# bound to a DHCP client.

;server-bridge



# Push routes to the client to allow it

# to reach other private subnets behind

# the server.  Remember that these

# private subnets will also need

# to know to route the OpenVPN client

# address pool (10.8.0.0/255.255.255.0)

# back to the OpenVPN server.
push "route 10.8.0.0 255.255.255.0"

push "route 192.168.3.0 255.255.255.0"

;push "route 192.168.20.0 255.255.255.0"



# To assign specific IP addresses to specific

# clients or if a connecting client has a private

# subnet behind it that should also have VPN access,

# use the subdirectory "ccd" for client-specific

# configuration files (see man page for more info).



# EXAMPLE: Suppose the client

# having the certificate common name "Thelonious"

# also has a small subnet behind his connecting

# machine, such as 192.168.40.128/255.255.255.248.

# First, uncomment out these lines:

;client-config-dir ccd

;route 192.168.40.128 255.255.255.248

# Then create a file ccd/Thelonious with this line:

#   iroute 192.168.40.128 255.255.255.248

# This will allow Thelonious' private subnet to

# access the VPN.  This example will only work

# if you are routing, not bridging, i.e. you are

# using "dev tun" and "server" directives.



# EXAMPLE: Suppose you want to give

# Thelonious a fixed VPN IP address of 10.9.0.1.

# First uncomment out these lines:

;client-config-dir ccd

;route 10.9.0.0 255.255.255.252

# Then add this line to ccd/Thelonious:

#   ifconfig-push 10.9.0.1 10.9.0.2



# Suppose that you want to enable different

# firewall access policies for different groups

# of clients.  There are two methods:

# (1) Run multiple OpenVPN daemons, one for each

#     group, and firewall the TUN/TAP interface

#     for each group/daemon appropriately.

# (2) (Advanced) Create a script to dynamically

#     modify the firewall in response to access

#     from different clients.  See man

#     page for more info on learn-address script.

;learn-address ./script



# If enabled, this directive will configure

# all clients to redirect their default

# network gateway through the VPN, causing

# all IP traffic such as web browsing and

# and DNS lookups to go through the VPN

# (The OpenVPN server machine may need to NAT

# or bridge the TUN/TAP interface to the internet

# in order for this to work properly).

# push "redirect-gateway def1"

push "redirect-gateway autolocal def1"


# Certain Windows-specific network settings

# can be pushed to clients, such as DNS

# or WINS server addresses.  CAVEAT:

# http://openvpn.net/faq.html#dhcpcaveats

# The addresses below refer to the public

# DNS servers provided by opendns.com.

;push "dhcp-option DNS 208.67.222.222"

;push "dhcp-option DNS 208.67.220.220"



# Uncomment this directive to allow different

# clients to be able to "see" each other.

# By default, clients will only see the server.

# To force clients to only see the server, you

# will also need to appropriately firewall the

# server's TUN/TAP interface.

;client-to-client



# Uncomment this directive if multiple clients

# might connect with the same certificate/key

# files or common names.  This is recommended

# only for testing purposes.  For production use,

# each client should have its own certificate/key

# pair.

#

# IF YOU HAVE NOT GENERATED INDIVIDUAL

# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

# EACH HAVING ITS OWN UNIQUE "COMMON NAME",

# UNCOMMENT THIS LINE OUT.

;duplicate-cn



# The keepalive directive causes ping-like

# messages to be sent back and forth over

# the link so that each side knows when

# the other side has gone down.

# Ping every 10 seconds, assume that remote

# peer is down if no ping received during

# a 120 second time period.

keepalive 10 120



# For extra security beyond that provided

# by SSL/TLS, create an "HMAC firewall"

# to help block DoS attacks and UDP port flooding.

#

# Generate with:

#   openvpn --genkey tls-auth ta.key

#

# The server and each client must have

# a copy of this key.

# The second parameter should be '0'

# on the server and '1' on the clients.

tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ta.key" 0 # This file is secret



# Select a cryptographic cipher.

# This config item must be copied to

# the client config file as well.

# Note that v2.4 client/server will automatically

# negotiate AES-256-GCM in TLS mode.

# See also the ncp-cipher option in the manpage

cipher AES-256-CBC



# Enable compression on the VPN link and push the

# option to the client (v2.4+ only, for earlier

# versions see below)

;compress lz4-v2

;push "compress lz4-v2"



# For compression compatible with older clients use comp-lzo

# If you enable it here, you must also

# enable it in the client config file.

;comp-lzo



# The maximum number of concurrently connected

# clients we want to allow.

;max-clients 100



# It's a good idea to reduce the OpenVPN

# daemon's privileges after initialization.

#

# You can uncomment this on non-Windows

# systems after creating a dedicated user.

;user openvpn

;group openvpn



# The persist options will try to avoid

# accessing certain resources on restart

# that may no longer be accessible because

# of the privilege downgrade.

persist-key

persist-tun



# Output a short status file showing

# current connections, truncated

# and rewritten every minute.

status "C:\\Program Files\\OpenVPN\\log\\status.log"



# By default, log messages will go to the syslog (or

# on Windows, if running as a service, they will go to

# the "\Program Files\OpenVPN\log" directory).

# Use log or log-append to override this default.

# "log" will truncate the log file on OpenVPN startup,

# while "log-append" will append to it.  Use one

# or the other (but not both).

log  "C:\\Program Files\\OpenVPN\\log\\openvpn.log"

#log-append  "C:\\Program Files\\OpenVPN\\log\\openvpn.log"



# Set the appropriate level of log

# file verbosity.

#

# 0 is silent, except for fatal errors

# 4 is reasonable for general usage

# 5 and 6 can help to debug connection problems

# 9 is extremely verbose

verb 3



# Silence repeating messages.  At most 20

# sequential messages of the same message

# category will be output to the log.

mute 20



# Notify the client that when the server restarts so it

# can automatically reconnect.

explicit-exit-notify 1

Acties:
  • 0 Henk 'm!

  • Frogmen
  • Registratie: Januari 2004
  • Niet online
Heb je in de client aangegeven dat alle connecties via de VPN moeten? Bedenk wel dat alleen IP verkeer werkt.

Voor een Tweaker is de weg naar het resultaat net zo belangrijk als het resultaat.


Acties:
  • 0 Henk 'm!

  • Cpri
  • Registratie: Juni 2001
  • Laatst online: 20-03-2023
Blijkbaar wel want zodra ik verbonden ben met de VPN heb ik geen toegang meer tot internet

Acties:
  • 0 Henk 'm!

  • jadjong
  • Registratie: Juli 2001
  • Laatst online: 17:20
Dat is veel tekst.
Wat zijn de IP-adressen van alle betrokken apparaten?

Acties:
  • 0 Henk 'm!

  • Cpri
  • Registratie: Juni 2001
  • Laatst online: 20-03-2023
De server waarop de OpenVPN server draait heeft als IP 192.168.3.2
Op dit zelfde LAN zitten de apparaten die ik wil benaderen (NAS en Printer)

De VPNserver heeft als IP adres 10.8.0.1

Volgens mij moet ik nu alleen nog een static route toevoegen op de server die al het verkeer van de 10.8.0.1 doorsluist naar het 192.168.3.0 netwerk

Acties:
  • 0 Henk 'm!

  • Faifz
  • Registratie: November 2010
  • Laatst online: 23-06 14:35
Je hebt twee opties:

1) NAT je 10.8.0.0/24 netwerk naar het IP adres 192.168.3.2
2) Voeg static routes toe op alle hosts (onmogelijk op een printer). Dit kan heel lastig zijn, daarom is het beter dat je het op de router doet. Destination 10.8.0.0/24 next-hop 192.168.3.2 en uitgaande interface is de LAN interface.

Jij hebt sowieso geen router die je toelaat om static routes te maken, dus ga je het op de hosts moeten doen maar dit is waanzinnig. Dan blijft NAT de beste oplossing, maar dit ga je niet kunnen bereiken met een ovpn server file. Op linux gingen ze met IPtables werken, maar je hebt zoiets niet gelijkwaardig in Windows.

Ik stel voor dat je een hypervisor installeert zoals VirtualBox/Workstation Pro. Haal de OpenVPN Access Server appliance af. Die is gebruiksklaar, alleen maar importeren en het is gratis voor 2 gebruikers. Het komt met een web-interface en het doet NAT standaard. Je gaat het gewoon veel gebruiksvriendelijker vinden hoor.

https://openvpn.net/access-server/

Acties:
  • 0 Henk 'm!

  • jadjong
  • Registratie: Juli 2001
  • Laatst online: 17:20
Cpri schreef op donderdag 16 maart 2023 @ 11:28:
De server waarop de OpenVPN server draait heeft als IP 192.168.3.2
Op dit zelfde LAN zitten de apparaten die ik wil benaderen (NAS en Printer)

De VPNserver heeft als IP adres 10.8.0.1

Volgens mij moet ik nu alleen nog een static route toevoegen op de server die al het verkeer van de 10.8.0.1 doorsluist naar het 192.168.3.0 netwerk
Hoe weten de clients uit 192.168.3.0/24 waar de pakketjes van 10.8.0.0/24 weer terug moeten? Die zullen ze afleveren bij hun default gateway. (192.168.3.1?) Daar moet wel duidelijk zijn dat 10.8.0.0 bereikbaar is via 192.168.3.2

Acties:
  • 0 Henk 'm!

  • Cpri
  • Registratie: Juni 2001
  • Laatst online: 20-03-2023
De OpenVPN access server ziet heel interessant uit.
Helaas dit weekend geen tijd om het te proberen zeker met twee gratis users zou dit ideaal zijn

Bednakt voor de tip
Pagina: 1