OpenVpn clients access to local resources only, specific setup.
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
OpenVpn clients access to local resources only, specific setup.
Good morning.
I have a setup of two SE servers; server 1 is behind a firewall. Server 2 is acting as a "gateway" for server 1; they are connected to each other with an SE VPN cascade connection. I am planning to use OpenVPN connections to the server, but I need them to have access only to a specific network, not the internet through it. So I have to set up static routing. If I turn on SecureNAT on server 1, enable DHCP and set static routing to push, and leave server 2 without SecureNAT, it works if you connect with the SoftEther client, but it does not work with the OpenVPN client (Win); I get an error. Then if I turn off SecureNAT on server 1 and set it on server 2, with the same static route, I can't access that network even when connecting with the SoftEther VPN client. Technically there should not be any difference since the cascade connection is layer 2... but there is...
What would be the correct configuration in this case?
-
- Posts: 1519
- Joined: Sun Feb 14, 2021 10:31 am
Re: OpenVpn clients access to local resources only, specific setup.
Switch OpenVPN to TAP mode and forget scenario #2.
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
-
- Posts: 1519
- Joined: Sun Feb 14, 2021 10:31 am
Re: OpenVpn clients access to local resources only, specific setup.
TAP works for me...
Code:
Tue Apr 26 15:49:51 2022 MANAGEMENT: >STATE:1650952191,GET_CONFIG,,,
Tue Apr 26 15:49:52 2022 SENT CONTROL [vpn16647666.softether.net]: 'PUSH_REQUEST' (status=1)
Tue Apr 26 15:49:52 2022 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10'
Tue Apr 26 15:49:52 2022 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 26 15:49:52 2022 open_tun, tt->ipv6=0
Tue Apr 26 15:49:52 2022 TAP-WIN32 device [Local Area Connection 6] opened: \\.\Global\{8B4A5AC1...}.tap
Tue Apr 26 15:49:52 2022 TAP-Windows Driver Version 9.9
Tue Apr 26 15:49:52 2022 Successful ARP Flush on interface [65544] {8B4A5AC1-E4DF-4837-93E8-FA6949A564C4}
Tue Apr 26 15:49:57 2022 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Tue Apr 26 15:49:57 2022 Initialization Sequence Completed
Tue Apr 26 15:49:57 2022 MANAGEMENT: >STATE:1650952197,CONNECTED,SUCCESS,,127.0.0.1
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
Is that the OpenVPN Windows client?
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
Is that log from 2022? I think there have been a lot of updates to OpenVPN since then...
Code:
Tue Apr 26 15:49:51 2022
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
Ok, that's why:
-
- Posts: 1519
- Joined: Sun Feb 14, 2021 10:31 am
Re: OpenVpn clients access to local resources only, specific setup.
Yeah yours is v3. A fresh log from the latest v2...
Code:
2024-11-04 16:51:06 OpenVPN 2.6.10 [git:v2.6.10/ba0f62fb950c56a0] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 20 2024
2024-11-04 16:51:06 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-11-04 16:51:06 library versions: OpenSSL 3.2.1 30 Jan 2024, LZO 2.10
2024-11-04 16:51:06 DCO version: N/A
2024-11-04 16:51:06 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2024-11-04 16:51:06 Need hold release from management interface, waiting...
2024-11-04 16:51:07 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49693
2024-11-04 16:51:07 MANAGEMENT: CMD 'state on'
2024-11-04 16:51:07 MANAGEMENT: CMD 'log on all'
2024-11-04 16:51:07 MANAGEMENT: CMD 'echo on all'
2024-11-04 16:51:07 MANAGEMENT: CMD 'bytecount 5'
2024-11-04 16:51:07 MANAGEMENT: CMD 'state'
2024-11-04 16:51:07 MANAGEMENT: CMD 'hold off'
2024-11-04 16:51:07 MANAGEMENT: CMD 'hold release'
2024-11-04 16:51:07 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-11-04 16:51:07 MANAGEMENT: >STATE:1730699467,RESOLVE,,,,,,
2024-11-04 16:51:07 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxxx
2024-11-04 16:51:07 Socket Buffers: R=[65536->65536] S=[65536->65536]
2024-11-04 16:51:07 UDPv4 link local: (not bound)
2024-11-04 16:51:07 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
2024-11-04 16:51:07 MANAGEMENT: >STATE:1730699467,WAIT,,,,,,
2024-11-04 16:51:07 MANAGEMENT: >STATE:1730699467,AUTH,,,,,,
2024-11-04 16:51:07 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:xxxx, sid=06c1e778 ec03fafc
2024-11-04 16:51:07 VERIFY OK: depth=1
2024-11-04 16:51:07 VERIFY OK: depth=0
2024-11-04 16:51:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2024-11-04 16:51:07 [xxx] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:xxxx
2024-11-04 16:51:07 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-11-04 16:51:07 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-11-04 16:51:08 MANAGEMENT: >STATE:1730699468,GET_CONFIG,,,,,,
2024-11-04 16:51:08 SENT CONTROL [xxx]: 'PUSH_REQUEST' (status=1)
2024-11-04 16:51:08 PUSH: Received control message: 'PUSH_REPLY,route-gateway dhcp,ping 10,ping-restart 120,peer-id 1'
2024-11-04 16:51:08 OPTIONS IMPORT: route-related options modified
2024-11-04 16:51:08 Using peer cipher 'AES-256-CBC'
2024-11-04 16:51:08 interactive service msg_channel=652
2024-11-04 16:51:08 open_tun
2024-11-04 16:51:08 tap-windows6 device [Local Area Connection] opened
2024-11-04 16:51:08 TAP-Windows Driver Version 9.27
2024-11-04 16:51:08 Successful ARP Flush on interface [3] {0CDCCA71-6399-4E26-9C4B-8916335A43C8}
2024-11-04 16:51:08 MANAGEMENT: >STATE:1730699468,ASSIGN_IP,,,,,,
2024-11-04 16:51:08 Data Channel: cipher 'AES-256-CBC', auth 'SHA1', peer-id: 1, compression: 'lzo'
2024-11-04 16:51:08 Timers: ping 10, ping-restart 120
2024-11-04 16:51:13 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
2024-11-04 16:51:13 Initialization Sequence Completed
2024-11-04 16:51:13 MANAGEMENT: >STATE:1730699473,CONNECTED,SUCCESS,,xxx.xxx.xxx.xxx:xxxx,,
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
Ok, used OpenVPN 2.6.12 (latest), managed to connect... sort of...
The client says "Connected", but I can't reach the LAN that I'm supposed to reach, and there is also no internet.
Also, where did I get this one from?:
Code:
192.0.0.8/255.255.255.240
Code:
2024-11-04 21:47:52 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
2024-11-04 21:47:52 OPTIONS IMPORT: --ifconfig/up options modified
2024-11-04 21:47:52 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-11-04 21:47:52 Using peer cipher 'AES-128-CBC'
2024-11-04 21:47:52 interactive service msg_channel=448
2024-11-04 21:47:52 open_tun
2024-11-04 21:47:52 tap-windows6 device [OpenVPN TAP-Windows6] opened
2024-11-04 21:47:52 TAP-Windows Driver Version 9.27
2024-11-04 21:47:52 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.0.0.8/255.255.255.240 on interface {3C629F95-23F0-423D-BAA0-4880B0D7CF24} [DHCP-serv: 192.0.0.0, lease-time: 31536000]
2024-11-04 21:47:52 Successful ARP Flush on interface [83] {3C629F95-23F0-423D-BAA0-4880B0D7CF24}
2024-11-04 21:47:52 MANAGEMENT: >STATE:1730753272,ASSIGN_IP,,192.0.0.8,,,,
2024-11-04 21:47:52 IPv4 MTU set to 1500 on interface 83 using service
2024-11-04 21:47:52 Blocking outside dns using service succeeded.
2024-11-04 21:47:52 Data Channel: cipher 'AES-128-CBC', auth 'SHA1'
2024-11-04 21:47:52 Timers: ping 3, ping-restart 10
2024-11-04 21:47:57 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
2024-11-04 21:47:57 Initialization Sequence Completed
2024-11-04 21:47:57 MANAGEMENT: >STATE:1730753277,CONNECTED,SUCCESS,192.0.0.8,xxx.xxx.xxx.xxx,xxx,,
-
- Posts: 1519
- Joined: Sun Feb 14, 2021 10:31 am
Re: OpenVpn clients access to local resources only, specific setup.
mendoza_lt wrote: Mon Nov 04, 2024 9:00 pm
Code:
...PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
You have not switched to TAP mode yet. Correct it and while at it, add to .ovpn config "route-nopull" and "route xxx..." for the remote LAN.
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
"You have not switched to TAP mode yet"
I'm a little bit confused here... isn't it that if I use "blabla_openvpn_site_to_site_bridge_l2.ovpn" generated by the SE VPN Server Manager, and there is a "dev tap" entry in the file, it should automatically switch to TAP?
How else can I switch to TAP?
-
- Posts: 1519
- Joined: Sun Feb 14, 2021 10:31 am
Re: OpenVpn clients access to local resources only, specific setup.
mendoza_lt wrote: Sun Nov 03, 2024 5:32 pm
If i turn on secure nat on server 1, enable dhcp and set static routing to push, and server 2 without secure nat, it works if you connect with Softether client, but it does not work with OpenVpn client (win)
Start the VPN and post AS CODE the output of:
Code:
VPN server #1:
-----------------
netstat -r
ipconfig /all
vpncmd localhost:port /server /password:*** /cmd ServerInfoGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd StatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd NatGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatStatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatHostGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd DhcpGet
//replace: port with number; *** with SE admin password; @@@ with hub name
SoftEther VPN client:
------------------------
netstat -r
ipconfig /all
ping xxx.xxx.xxx.xxx //address from the remote LAN
Code:
netstat -r
ipconfig /all
ping xxx.xxx.xxx.xxx //address from the remote LAN
+ the contents of your .ovpn file
+ a fresh OpenVPN log of only the "...PUSH_REPLY..." line
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
I have added this:
route-nopull
route 192.168.12.0 255.255.255.0
route-gateway 192.168.120.1
which should be the same as this:
but I have this:
2024-11-05 09:26:24 Route: Waiting for TUN/TAP interface to come up...
2024-11-05 09:26:25 TEST ROUTES: 0/1 succeeded len=1 ret=0 a=0 u/d=up
2024-11-05 09:26:25 Route: Waiting for TUN/TAP interface to come up...
2024-11-05 09:26:26 TEST ROUTES: 0/1 succeeded len=1 ret=0 a=0 u/d=up
2024-11-05 09:26:26 Route: Waiting for TUN/TAP interface to come up...
2024-11-05 09:26:27 TEST ROUTES: 0/1 succeeded len=1 ret=0 a=0 u/d=up
2024-11-05 09:26:27 MANAGEMENT: >STATE:1730795187,ADD_ROUTES,,,,,,
2024-11-05 09:26:27 C:\WINDOWS\system32\route.exe ADD 192.168.12.0 MASK 255.255.255.0 192.168.120.1
2024-11-05 09:26:27 Warning: route gateway is not reachable on any active network adapters: 192.168.120.1
SYSTEM ROUTING TABLE
Yes, 192.168.12.0 and 192.168.120.1 are correct, that is not a typo.
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
Server #1:
Code:
Edit: At the request of the original poster, this post has been modified to remove sensitive information.
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
Client PC with SE VPN Connected:
Code:
rs\mailt\kaka> netstat -r
Edit: At the request of the original poster, this post has been modified to remove sensitive information.
-
- Posts: 1519
- Joined: Sun Feb 14, 2021 10:31 am
Re: OpenVpn clients access to local resources only, specific setup.
mendoza_lt wrote: Tue Nov 05, 2024 8:51 am
I have added this:
route-nopull
route 192.168.12.0 255.255.255.0
route-gateway 192.168.120.1
Please remove those, start OpenVPN and post AS CODE the output of:
Code:
netstat -r
ipconfig /all
ping xxx.xxx.xxx.xxx //address from the remote LAN
+ the contents of your .ovpn file
+ a fresh OpenVPN log of only the "...PUSH_REPLY..." line
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
Ok, I will, but I will have to do that later; I am away from that PC and have only remote access... and if I connect with OpenVPN, I will lose the connection...
-
- Posts: 1519
- Joined: Sun Feb 14, 2021 10:31 am
Re: OpenVpn clients access to local resources only, specific setup.
"I'm a little bit confused here... isn't it if i use "blabla_openvpn_site_to_site_bridge_l2.ovpn" generated by SE vpn server manager, and there is "dev tap" entry in the file it should automatically switch to TAP? How else can i switch to TAP?"
While waiting for your log, note that if you see "PUSH_REPLY ... ifconfig" in it, then it is not TAP mode. Your SE server is properly set up and all you have to do is use the default L2/TAP ovpn config - no need to change anything else (apart from data-ciphers, tcp/udp, etc).
You're making a basic mistake somewhere. You had imported configs first in v3 then in v2 and something got mixed up. OpenVPN keeps configs in a few places - fix it.
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
if you see "PUSH_REPLY ... ifconfig" in it
Code:
2024-11-05 15:54:46 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
-
- Posts: 1519
- Joined: Sun Feb 14, 2021 10:31 am
Re: OpenVpn clients access to local resources only, specific setup.
mendoza_lt wrote: Tue Nov 05, 2024 3:12 pm
Code:
...'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
I've checked SE v4.42 source code and see no "block-outside-dns" statement in it. It is deployed by the original OpenVPN server and you are not connecting to SoftEther.
This forum topic is such a waste of time, lol.
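As an added diagnostic (not code from this thread, from SoftEther or from OpenVPN), the Python script below applies the two rules stated in the replies above to the PUSH_REPLY lines of an OpenVPN client log: an "ifconfig" push means the session is not the L2/TAP bridge, and a "block-outside-dns" push is not something the SoftEther server was found to send. The sample log lines are constructed after the ones quoted in this thread.

```python
import re

# Constructed sample lines, modelled on the PUSH_REPLY lines quoted in this thread.
SAMPLE_LOG = """\
2024-11-04 16:51:07 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:xxxx, sid=06c1e778 ec03fafc
2024-11-04 16:51:08 PUSH: Received control message: 'PUSH_REPLY,route-gateway dhcp,ping 10,ping-restart 120,peer-id 1'
2024-11-05 15:54:46 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY(?:,[^']*)?)'")


def parse_push_reply(line):
    """Return pushed options as {name: [args...]}, or None if the line is not a PUSH_REPLY.

    Options are comma separated and a name may repeat (e.g. several 'route' pushes),
    so every name maps to a list of its argument strings.
    """
    m = PUSH_RE.search(line)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(",")[1:]:  # skip the PUSH_REPLY keyword itself
        name, _, arg = item.strip().partition(" ")
        opts.setdefault(name, []).append(arg)
    return opts


def classify(opts):
    """Apply the thread's reasoning to one parsed PUSH_REPLY."""
    result = {"mode": "unknown", "warnings": []}
    if "ifconfig" in opts:
        # The server assigned a layer-3 address itself: a TUN/L3 session, not the TAP/L2 bridge.
        result["mode"] = "l3"
    elif opts.get("route-gateway") == ["dhcp"]:
        # No address pushed; the client takes one from DHCP on the hub: the TAP/L2 case.
        result["mode"] = "tap"
    if "block-outside-dns" in opts:
        # The helper in this thread found no such push in SoftEther 4.42, so the reply
        # most likely came from a different (native) OpenVPN server.
        result["warnings"].append("block-outside-dns pushed: reply does not look like SoftEther")
    return result


def analyze_log(text):
    """Return (timestamp, classification) for every PUSH_REPLY line in an OpenVPN log."""
    out = []
    for line in text.splitlines():
        opts = parse_push_reply(line)
        if opts is not None:
            out.append((line[:19], classify(opts)))
    return out


if __name__ == "__main__":
    for ts, verdict in analyze_log(SAMPLE_LOG):
        print(ts, verdict)
```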
-
- Posts: 29
- Joined: Fri Jul 05, 2024 8:37 pm
Re: OpenVpn clients access to local resources only, specific setup.
Oh... ok, I am very sorry about that...
OpenVPN is not even installed or running on that server. I installed it (Debian) about a week or two ago... but I will check.
But anyway, thanks for your help :)
-
- Posts: 1519
- Joined: Sun Feb 14, 2021 10:31 am
Re: OpenVpn clients access to local resources only, specific setup.
mendoza_lt wrote: Wed Nov 06, 2024 6:07 am
Openvpn is not even installed or running in that server. I have installed it (debian) about a week or two ago... but i will check.
Do double-check because according to your log that server is not on Debian but Windows.
Code:
Product Name |SoftEther VPN Server (64 bit)
Version |Version 4.42 Build 9798 (English)
Type of Operating System |Windows NT
Product Name of Operating System|Windows 10