OpenVpn clients access to local resources only, specific setup.

Posted: Sun Nov 03, 2024 5:32 pm
by mendoza_lt
Good morning.

I have a setup of two SE servers; server 1 is behind a firewall. Server 2 is acting as a "gateway" for server 1; they are connected with an SE VPN cascade connection. I am planning to use OpenVPN connections to the server, but I need them to have access only to a specific network, not the internet through it. So I have to set up static routing. If I turn on SecureNAT on server 1, enable DHCP and set static routing to push, and leave server 2 without SecureNAT, it works if you connect with the SoftEther client, but it does not work with the OpenVPN client (Windows); I get an error. Then if I turn off SecureNAT on server 1 and set it on server 2 with the same static route, I can't access that network even when connecting with the SoftEther VPN client. Technically there should not be any difference since the cascade connection is layer 2... but there is...

What would be the correct configuration in this case?
[Attachment: Screenshot 2024-11-03 183055.png]

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Sun Nov 03, 2024 10:51 pm
by solo
Switch OpenVPN to TAP mode and forget scenario #2.

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Mon Nov 04, 2024 4:59 am
by mendoza_lt
[Attachment: Screenshot 2024-11-04 055837.png]

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Mon Nov 04, 2024 5:22 am
by solo
TAP works for me...

Tue Apr 26 15:49:51 2022 MANAGEMENT: >STATE:1650952191,GET_CONFIG,,,
Tue Apr 26 15:49:52 2022 SENT CONTROL [vpn16647666.softether.net]: 'PUSH_REQUEST' (status=1)
Tue Apr 26 15:49:52 2022 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10'
Tue Apr 26 15:49:52 2022 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 26 15:49:52 2022 open_tun, tt->ipv6=0
Tue Apr 26 15:49:52 2022 TAP-WIN32 device [Local Area Connection 6] opened: \\.\Global\{8B4A5AC1...}.tap
Tue Apr 26 15:49:52 2022 TAP-Windows Driver Version 9.9 
Tue Apr 26 15:49:52 2022 Successful ARP Flush on interface [65544] {8B4A5AC1-E4DF-4837-93E8-FA6949A564C4}
Tue Apr 26 15:49:57 2022 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Tue Apr 26 15:49:57 2022 Initialization Sequence Completed
Tue Apr 26 15:49:57 2022 MANAGEMENT: >STATE:1650952197,CONNECTED,SUCCESS,,127.0.0.1

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Mon Nov 04, 2024 5:27 am
by mendoza_lt
Is that the OpenVPN Windows client?

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Mon Nov 04, 2024 5:34 am
by mendoza_lt
Is that log from 2022? I think there have been a lot of updates for OpenVPN since then...

Tue Apr 26 15:49:51 2022

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Mon Nov 04, 2024 5:36 am
by mendoza_lt
Ok, that's why:
[Attachment: Screenshot 2024-11-04 063557.png]

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Mon Nov 04, 2024 6:01 am
by solo
Yeah, yours is v3. A fresh log from the latest v2...

2024-11-04 16:51:06 OpenVPN 2.6.10 [git:v2.6.10/ba0f62fb950c56a0] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 20 2024
2024-11-04 16:51:06 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-11-04 16:51:06 library versions: OpenSSL 3.2.1 30 Jan 2024, LZO 2.10
2024-11-04 16:51:06 DCO version: N/A
2024-11-04 16:51:06 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2024-11-04 16:51:06 Need hold release from management interface, waiting...
2024-11-04 16:51:07 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49693
2024-11-04 16:51:07 MANAGEMENT: CMD 'state on'
2024-11-04 16:51:07 MANAGEMENT: CMD 'log on all'
2024-11-04 16:51:07 MANAGEMENT: CMD 'echo on all'
2024-11-04 16:51:07 MANAGEMENT: CMD 'bytecount 5'
2024-11-04 16:51:07 MANAGEMENT: CMD 'state'
2024-11-04 16:51:07 MANAGEMENT: CMD 'hold off'
2024-11-04 16:51:07 MANAGEMENT: CMD 'hold release'
2024-11-04 16:51:07 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-11-04 16:51:07 MANAGEMENT: >STATE:1730699467,RESOLVE,,,,,,
2024-11-04 16:51:07 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxxx
2024-11-04 16:51:07 Socket Buffers: R=[65536->65536] S=[65536->65536]
2024-11-04 16:51:07 UDPv4 link local: (not bound)
2024-11-04 16:51:07 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
2024-11-04 16:51:07 MANAGEMENT: >STATE:1730699467,WAIT,,,,,,
2024-11-04 16:51:07 MANAGEMENT: >STATE:1730699467,AUTH,,,,,,
2024-11-04 16:51:07 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:xxxx, sid=06c1e778 ec03fafc
2024-11-04 16:51:07 VERIFY OK: depth=1
2024-11-04 16:51:07 VERIFY OK: depth=0
2024-11-04 16:51:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2024-11-04 16:51:07 [xxx] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:xxxx
2024-11-04 16:51:07 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-11-04 16:51:07 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-11-04 16:51:08 MANAGEMENT: >STATE:1730699468,GET_CONFIG,,,,,,
2024-11-04 16:51:08 SENT CONTROL [xxx]: 'PUSH_REQUEST' (status=1)
2024-11-04 16:51:08 PUSH: Received control message: 'PUSH_REPLY,route-gateway dhcp,ping 10,ping-restart 120,peer-id 1'
2024-11-04 16:51:08 OPTIONS IMPORT: route-related options modified
2024-11-04 16:51:08 Using peer cipher 'AES-256-CBC'
2024-11-04 16:51:08 interactive service msg_channel=652
2024-11-04 16:51:08 open_tun
2024-11-04 16:51:08 tap-windows6 device [Local Area Connection] opened
2024-11-04 16:51:08 TAP-Windows Driver Version 9.27 
2024-11-04 16:51:08 Successful ARP Flush on interface [3] {0CDCCA71-6399-4E26-9C4B-8916335A43C8}
2024-11-04 16:51:08 MANAGEMENT: >STATE:1730699468,ASSIGN_IP,,,,,,
2024-11-04 16:51:08 Data Channel: cipher 'AES-256-CBC', auth 'SHA1', peer-id: 1, compression: 'lzo'
2024-11-04 16:51:08 Timers: ping 10, ping-restart 120
2024-11-04 16:51:13 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
2024-11-04 16:51:13 Initialization Sequence Completed
2024-11-04 16:51:13 MANAGEMENT: >STATE:1730699473,CONNECTED,SUCCESS,,xxx.xxx.xxx.xxx:xxxx,,

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Mon Nov 04, 2024 9:00 pm
by mendoza_lt
OK, I used OpenVPN 2.6.12 (latest) and managed to connect... Sort of...

The client says "Connected", but I can't reach the LAN that I'm supposed to reach, and there is also no internet.

Also, where did I get this one from?

192.0.0.8/255.255.255.240

2024-11-04 21:47:52 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
2024-11-04 21:47:52 OPTIONS IMPORT: --ifconfig/up options modified
2024-11-04 21:47:52 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-11-04 21:47:52 Using peer cipher 'AES-128-CBC'
2024-11-04 21:47:52 interactive service msg_channel=448
2024-11-04 21:47:52 open_tun
2024-11-04 21:47:52 tap-windows6 device [OpenVPN TAP-Windows6] opened
2024-11-04 21:47:52 TAP-Windows Driver Version 9.27 
2024-11-04 21:47:52 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.0.0.8/255.255.255.240 on interface {3C629F95-23F0-423D-BAA0-4880B0D7CF24} [DHCP-serv: 192.0.0.0, lease-time: 31536000]
2024-11-04 21:47:52 Successful ARP Flush on interface [83] {3C629F95-23F0-423D-BAA0-4880B0D7CF24}
2024-11-04 21:47:52 MANAGEMENT: >STATE:1730753272,ASSIGN_IP,,192.0.0.8,,,,
2024-11-04 21:47:52 IPv4 MTU set to 1500 on interface 83 using service
2024-11-04 21:47:52 Blocking outside dns using service succeeded.
2024-11-04 21:47:52 Data Channel: cipher 'AES-128-CBC', auth 'SHA1'
2024-11-04 21:47:52 Timers: ping 3, ping-restart 10
2024-11-04 21:47:57 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
2024-11-04 21:47:57 Initialization Sequence Completed
2024-11-04 21:47:57 MANAGEMENT: >STATE:1730753277,CONNECTED,SUCCESS,192.0.0.8,xxx.xxx.xxx.xxx,xxx,,

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Tue Nov 05, 2024 12:47 am
by solo
mendoza_lt wrote:
Mon Nov 04, 2024 9:00 pm

...PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
You have not switched to TAP mode yet. Correct it and, while you're at it, add "route-nopull" and "route xxx..." for the remote LAN to the .ovpn config.

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Tue Nov 05, 2024 6:50 am
by mendoza_lt
You have not switched to TAP mode yet
I'm a little bit confused here... isn't it that if I use "blabla_openvpn_site_to_site_bridge_l2.ovpn" generated by the SE VPN Server Manager, and there is a "dev tap" entry in the file, it should automatically switch to TAP?

How else can I switch to TAP?

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Tue Nov 05, 2024 8:35 am
by solo
mendoza_lt wrote:
Sun Nov 03, 2024 5:32 pm
If i turn on secure nat on server 1, enable dhcp and set static routing to push, and server 2 without secure nat, it works if you connect with Softether client, but it does not work with OpenVpn client (win)
Start the VPN and post AS CODE the output of:

VPN server #1:
-----------------
netstat -r
ipconfig /all
vpncmd localhost:port /server /password:*** /cmd ServerInfoGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd StatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd NatGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatStatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatHostGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd DhcpGet
//replace: port with number; *** with SE admin password; @@@ with hub name

SoftEther VPN client:
------------------------
netstat -r
ipconfig /all
ping xxx.xxx.xxx.xxx  //address from the remote LAN
Next, disconnect the SoftEther VPN client and from the same PC start OpenVPN and post AS CODE the output of:

netstat -r
ipconfig /all
ping xxx.xxx.xxx.xxx  //address from the remote LAN
+ the contents of your .ovpn file
+ a fresh OpenVPN log of only the "...PUSH_REPLY..." line

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Tue Nov 05, 2024 8:51 am
by mendoza_lt
I have added this:

route-nopull
route 192.168.12.0 255.255.255.0
route-gateway 192.168.120.1

which should be the same as this:
[Attachment: Capture.PNG]
but I have this:

2024-11-05 09:26:24 Route: Waiting for TUN/TAP interface to come up...
2024-11-05 09:26:25 TEST ROUTES: 0/1 succeeded len=1 ret=0 a=0 u/d=up
2024-11-05 09:26:25 Route: Waiting for TUN/TAP interface to come up...
2024-11-05 09:26:26 TEST ROUTES: 0/1 succeeded len=1 ret=0 a=0 u/d=up
2024-11-05 09:26:26 Route: Waiting for TUN/TAP interface to come up...
2024-11-05 09:26:27 TEST ROUTES: 0/1 succeeded len=1 ret=0 a=0 u/d=up
2024-11-05 09:26:27 MANAGEMENT: >STATE:1730795187,ADD_ROUTES,,,,,,
2024-11-05 09:26:27 C:\WINDOWS\system32\route.exe ADD 192.168.12.0 MASK 255.255.255.0 192.168.120.1
2024-11-05 09:26:27 Warning: route gateway is not reachable on any active network adapters: 192.168.120.1
SYSTEM ROUTING TABLE

Yes, 192.168.12.0 and 192.168.120.1 are correct; that is not a typo.

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Tue Nov 05, 2024 9:09 am
by mendoza_lt
Server #1:

Edit: At the request of the original poster, this post has been modified to remove sensitive information.


Re: OpenVpn clients access to local resources only, specific setup.

Posted: Tue Nov 05, 2024 9:25 am
by mendoza_lt
Client PC with SE VPN Connected:

rs\mailt\kaka> netstat -r
Edit: At the request of the original poster, this post has been modified to remove sensitive information.

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Tue Nov 05, 2024 10:32 am
by solo
mendoza_lt wrote:
Tue Nov 05, 2024 8:51 am
I have added this:
route-nopull
route 192.168.12.0 255.255.255.0
route-gateway 192.168.120.1
Please remove those, start OpenVPN and post AS CODE the output of:

netstat -r
ipconfig /all
ping xxx.xxx.xxx.xxx  //address from the remote LAN
+ the contents of your .ovpn file
+ a fresh OpenVPN log of only the "...PUSH_REPLY..." line

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Tue Nov 05, 2024 10:49 am
by mendoza_lt
OK, I will, but I will have to do that later; I am away from that PC and have only remote access... and if I connect with OpenVPN, I will lose the connection...

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Tue Nov 05, 2024 1:06 pm
by solo
While waiting for your log, note that if you see "PUSH_REPLY ... ifconfig" in it, then it is not TAP mode. Your SE server is properly set up and all you have to do is use the default L2/TAP ovpn config; no need to change anything else (apart from data-ciphers, tcp/udp, etc.).
"I'm a little bit confused here... isn't it if i use "blabla_openvpn_site_to_site_bridge_l2.ovpn" generated by SE vpn server manager, and there is "dev tap" entry in the file it should automatically switch to TAP? How else can i switch to TAP?"
You're making a basic mistake somewhere. You had imported configs first in v3 then in v2 and something got mixed up. OpenVPN keeps configs in a few places - fix it.

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Tue Nov 05, 2024 3:12 pm
by mendoza_lt
if you see "PUSH_REPLY ... ifconfig" in it

2024-11-05 15:54:46 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
Exactly what it is... I'm trying to see where the issue might be...

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Wed Nov 06, 2024 2:15 am
by solo
mendoza_lt wrote:
Tue Nov 05, 2024 3:12 pm

...'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
I've checked SE v4.42 source code and see no "block-outside-dns" statement in it. It is deployed by the original OpenVPN server and you are not connecting to SoftEther.

This forum topic is such a waste of time, lol.
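As an added illustration of the two diagnostic rules solo applies above (a pushed "ifconfig" means the client came up in TUN rather than TAP mode, and a pushed "block-outside-dns" cannot have come from SoftEther 4.42), this constructed Python checker classifies the PUSH_REPLY lines of an OpenVPN client log. It is not code from the thread or from SoftEther; the sample lines are modelled on the ones quoted in this topic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the two PUSH_REPLY lines quoted in this thread:
# the first from a TAP (L2) session, the second from the L3 session with the stray option.
SAMPLE_LOG = """\
2024-11-04 16:51:08 PUSH: Received control message: 'PUSH_REPLY,route-gateway dhcp,ping 10,ping-restart 120,peer-id 1'
2024-11-04 21:47:52 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.0.0.8 255.255.255.240,block-outside-dns'
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY(?:,[^']*)?)'")

@dataclass
class PushVerdict:
    mode: str                       # "tap", "tun" or "unknown"
    options: dict                   # pushed option name -> its arguments ("" if none)
    warnings: list = field(default_factory=list)

def parse_push_reply(line: str):
    """Return {option: args} for a 'PUSH: Received control message' line, else None."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(",")[1:]:      # [1:] drops the PUSH_REPLY token itself
        name, _, args = item.strip().partition(" ")
        opts[name] = args
    return opts

def classify(opts: dict) -> PushVerdict:
    warnings = []
    if "ifconfig" in opts:
        # The server assigned an L3 address to the adapter: the client is in TUN
        # mode, so the profile that actually loaded does not contain "dev tap".
        mode = "tun"
    elif opts.get("route-gateway") == "dhcp":
        # Nothing assigned by OpenVPN; the TAP adapter gets its IP from the hub's DHCP.
        mode = "tap"
    else:
        mode = "unknown"
    if "block-outside-dns" in opts:
        warnings.append("block-outside-dns pushed: SoftEther 4.42 does not emit this option, "
                        "so the client most likely reached a different OpenVPN server")
    return PushVerdict(mode, opts, warnings)

def analyse_log(text: str) -> list:
    """Classify every PUSH_REPLY line found in an OpenVPN client log."""
    return [classify(o) for o in map(parse_push_reply, text.splitlines()) if o is not None]
```

Run `analyse_log(open("client.log").read())` against a real client log; any verdict with mode "tun" or a non-empty warnings list points at the wrong profile or the wrong server, not at the SoftEther hub configuration.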

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Wed Nov 06, 2024 6:07 am
by mendoza_lt
Oh... OK, I am very sorry about that...

OpenVPN is not even installed or running on that server. I installed it (Debian) about a week or two ago... but I will check.

But anyway, thanks for your help :)

Re: OpenVpn clients access to local resources only, specific setup.

Posted: Wed Nov 06, 2024 11:25 am
by solo
mendoza_lt wrote:
Wed Nov 06, 2024 6:07 am
OpenVPN is not even installed or running on that server. I installed it (Debian) about a week or two ago... but I will check.
Do double-check, because according to your log that server is not on Debian but Windows.

Product Name                    |SoftEther VPN Server (64 bit)
Version                         |Version 4.42 Build 9798   (English)
Type of Operating System        |Windows NT
Product Name of Operating System|Windows 10