Home / server / Questions / 339191
In Process
AndiDog
Asked: 2011-12-09 14:40:21 +0800 CST

OpenVPN client connected, but cannot ping inside VPN address range

  • 772

I set up OpenVPN 2.1.3 on Windows 7 following the OpenVPN Easy Windows Guide. The client (another computer) can connect without problems and gets the desired IP x.x.x.6/255.255.255.252 in the VPN IP range. The server itself is x.x.x.1/255.255.255.252.

In my scenario, I only have clients which need to connect securely to that one server (which also runs the OpenVPN server).

But the client and server cannot ping each other (on their VPN IP addresses). What's wrong here?

On the server, I set "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter=1" to enable IP forwarding (and restarted of course).

(EDIT: I must add that ping works when I use TAP device, but how about TUN?)

Server config:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 192.169.0.0 255.255.255.0 # OpenVPN seems to change this to x.x.x.252
ifconfig-pool-persist ipp.txt
client-to-client # not sure if I need this, just tried
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

Client config:

client
dev tun
proto udp
remote 192.168.1.197 1194 # That's the server's physical address on my wifi
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3

EDIT 2

Here are the routes created by both modes:

route print on client with TUN

192.169.0.0     255.255.255.0      192.169.0.9     192.169.0.10     30
192.169.0.8   255.255.255.252         On-link      192.169.0.10    286
192.169.0.10  255.255.255.255         On-link      192.169.0.10    286
192.169.0.11  255.255.255.255         On-link      192.169.0.10    286

route print on server with TUN

192.169.0.0     255.255.255.0      192.169.0.2     192.169.0.1     30
192.169.0.0   255.255.255.252         On-link      192.169.0.1    286
192.169.0.1   255.255.255.255         On-link      192.169.0.1    286
192.169.0.3   255.255.255.255         On-link      192.169.0.1    286

route print on client with working TAP

192.169.0.0    255.255.255.0         On-link       192.169.0.8    286
192.169.0.8  255.255.255.255         On-link       192.169.0.8    286

route print on server with working TAP

192.169.0.0    255.255.255.0         On-link       192.169.0.1    286
192.169.0.1  255.255.255.255         On-link       192.169.0.1    286
openvpn windows-7

2 Answers

  1. Try running openvpn-gui with Administrator privileges. Without them it couldn't write proper routes. Also try playing with --ip-win32 config option. And please show output of route print in cases of working TAP connection and non-working TUN connection.

    • 7

  2. Your server config file says server 192.169.0.0 255.255.255.0, which means your server will be assigned 192.169.0.1.

    I do this for server config:

    port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.0.0 255.255.255.0"

client-config-dir ccd
route 10.8.0.0 255.255.255.0
route 10.8.1.0 255.255.255.0

client-to-client
comp-lzo

    And this for the clients:

    client
dev tun
proto udp
remote YOURHOST 1194
resolv-retry infinite
nobind
comp-lzo

;routing tweak for winblowz client
;route-method exe
;route-delay 10
;ping-restart 60

;logging settings
mute-replay-warnings
mute 10
verb 4
log-append /var/log/vpnclient.log

;certificates / keypairs
ca ca.crt
cert cert.crt
key key.key

    I have push "route 192.168.0.0 255.255.255.0" because my severs LAN is that subnet.

    Good luck!

    • 2