Unidentified Network Win10
-
Hi all, I'm having a bit of a problem.
I use Windows 10 and I'm getting "Unidentified network" on my OpenVPN connection. I'm under a school firewall; they block HTTPS sites like Facebook, and I have a home server with OpenVPN under a pfSense firewall. Sometimes I can connect to Facebook at the school, but sometimes it won't work because the traffic is being routed to the school firewall.
Here is what works:
- Can ping my local computers like my file server etc… at home.
- My IP is my home server IP at school under the OpenVPN tunnel.
What doesn't work:
Routing, probably? Here is my routing:
Interface List
  3...00 1d ba 83 5c 98 ......Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller
  6...00 ff 55 e8 ba ed ......TAP-Windows Adapter V9
  8...00 16 ea 43 1e 92 ......Intel(R) WiFi Link 5100 AGN
  1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.164     25
          0.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6     20
    84.91.204.249  255.255.255.255     192.168.43.1   192.168.43.164     25
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6     20
      192.168.1.0    255.255.255.0      192.168.2.5      192.168.2.6     20
      192.168.2.0    255.255.255.0      192.168.2.5      192.168.2.6     20
      192.168.2.4  255.255.255.252          On-link      192.168.2.6    276
      192.168.2.6  255.255.255.255          On-link      192.168.2.6    276
      192.168.2.7  255.255.255.255          On-link      192.168.2.6    276
     192.168.43.0    255.255.255.0          On-link   192.168.43.164    281
   192.168.43.164  255.255.255.255          On-link   192.168.43.164    281
   192.168.43.255  255.255.255.255          On-link   192.168.43.164    281
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link   192.168.43.164    281
        224.0.0.0        240.0.0.0          On-link      192.168.2.6    276
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link   192.168.43.164    281
  255.255.255.255  255.255.255.255          On-link      192.168.2.6    276
My pfSense config:
pfSense IP: 192.168.1.2
OpenVPN tunnel: 192.168.2.0/24
OpenVPN client example IP: 192.168.2.10
DNS that I pass to the tunnel: 192.168.1.2 / 209.244.0.3 / 209.244.0.4
Since I pass those DNS servers, it should work at school to access HTTPS sites, since it should be routing through my tunnel to the home server?
I am sure that I have a routing problem, but I'm not sure what to do.
Thanks in advance!
-
Do you send all traffic through your tunnel?
Try to only use your private IP DNS server as the others can be resolved locally (and could be blocked there).
-
If your Win10 machine is 192.168.2.6 and your pfsense is 192.168.2.5, then you should have the ipv4 routing setup because of these two routes:
          0.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6     20
        128.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6     20
I'm not sure what these are but they're probably ok
      192.168.2.4  255.255.255.252          On-link      192.168.2.6    276
      192.168.2.6  255.255.255.255          On-link      192.168.2.6    276
      192.168.2.7  255.255.255.255          On-link      192.168.2.6    276
Anyways, it could be that the school offers IPv6 and you have a split tunnel. Your IPv6 traffic doesn't go through your VPN unless you've done some extra work.
Try pinging 192.168.2.6. Make sure that works first. Next ping an external IPv4 address 8.8.8.8 for example. Make sure they're going through the VPN with tracert.
Now try pinging facebook.com. Try forcing IPv6 with the -6 option. See what happens. If those don't work, post the tracert.
Like johonix said, try not to use the school's DNS as they might be altering the responses to block things that way. G/L.
-
Almost forgot, make sure you have a firewall rule for the openvpn adapter to be lenient enough for your vpn client. Sounds like you have that if you can ping your server but you didn't mention it.
Also, if you're using manual outbound nat rules, then make sure you have a proper outbound nat rule for your openvpn subnet. If you're using automatic, then I'm not sure what you do.
-
Hi all, thanks for answering!
I have allowed in firewall the OpenVPN exe outbound and inbound!
IPv6 doesn't work, so it might be disabled or not in use:
C:\Windows\system32>tracert -6 8.8.8.8
Unable to resolve target system name 8.8.8.8.
IPv4 doesn't seem to be going through my VPN… I think that I need to change the route?
C:\Windows\system32>tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
  1    21 ms    25 ms    22 ms  192.168.2.1
  2    23 ms    25 ms    35 ms  ipfirewall.redespro [192.168.0.1]
  3    33 ms    40 ms    36 ms  10.2.0.1
  4    31 ms    28 ms    44 ms  pa1-84-91-0-105.netvisao.pt [84.91.0.105]
  5    57 ms    31 ms    30 ms  pa1-84-91-1-13.netvisao.pt [84.91.1.13]
  6    77 ms    75 ms     *     pa1-84-91-0-137.netvisao.pt [84.91.0.137]
  7    77 ms    85 ms    59 ms  209.85.242.173
  8    47 ms    33 ms    35 ms  google-public-dns-a.google.com [8.8.8.8]
The IPfire is the school firewall. It doesn't seem to go through my tunnel; I can still access my machines at home and have my home IP, as I see on the myip website!
I can access my pfSense, so here are my NAT outbound rules; they are set to auto:
And here are my OpenVPN server settings:
Thanks again for your time!
-
I have allowed in firewall the OpenVPN exe outbound and inbound!
I was referring to the pfsense firewall. If you go to firewall->rules, there's a tab for floating, wan, lan, and openvpn. Make sure the rules in the openvpn tab are lenient enough.
Make sure your openvpn log (both on Win10 and pfsense) say "Initialization Sequence Completed".
When you did tracert -6 8.8.8.8, you were trying to do an IPv6 traceroute to an IPv4 address. This cannot work. I just wanted to see if your school had IPv6 but this might be moot if you're not routing IPv4 properly. You could do tracert -6 www.google.com to see if your school has ipv6. Or if they let you go here: http://test-ipv6.com/
Based on your Win10 routing table, I'd expect this to work. Not sure what's missing at this point. Maybe posting the openvpn logs would help?
-
Hi again and thank you,
As I said before, it works sometimes. This time I used the school WiFi, and the traffic flows through the tunnel.
Here is the traceroute:
C:\Windows\system32>tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
  1    21 ms    27 ms    24 ms  192.168.2.1
  2    23 ms    23 ms    20 ms  192.168.0.1
  3    33 ms    54 ms    47 ms  10.2.0.1
  4    38 ms    26 ms    36 ms  pa1-84-91-0-105.netvisao.pt [84.91.0.105]
  5    28 ms    35 ms    30 ms  pa1-84-91-1-13.netvisao.pt [84.91.1.13]
  6    34 ms    35 ms    48 ms  pa1-84-91-0-137.netvisao.pt [84.91.0.137]
  7    46 ms    45 ms    33 ms  209.85.242.173
  8    34 ms    29 ms    35 ms  google-public-dns-a.google.com [8.8.8.8]
Trace complete.
As you can see here, 192.168.2.1 is the subnet created by OpenVPN.
192.168.0.1 is my ISP modem, at least at home, and netvisao is my ISP, and so on….
And here is the route print:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.24.1   192.168.29.198     25
          0.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6     20
    84.91.204.249  255.255.255.255     192.168.24.1   192.168.29.198     25
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6     20
      192.168.0.0      255.255.0.0          On-link   192.168.29.198    281
      192.168.1.0    255.255.255.0      192.168.2.5      192.168.2.6     20
      192.168.2.0    255.255.255.0      192.168.2.5      192.168.2.6     20
      192.168.2.4  255.255.255.252          On-link      192.168.2.6    276
      192.168.2.6  255.255.255.255          On-link      192.168.2.6    276
      192.168.2.7  255.255.255.255          On-link      192.168.2.6    276
   192.168.29.198  255.255.255.255          On-link   192.168.29.198    281
  192.168.255.255  255.255.255.255          On-link   192.168.29.198    281
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link      192.168.2.6    276
        224.0.0.0        240.0.0.0          On-link   192.168.29.198    281
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link      192.168.2.6    276
  255.255.255.255  255.255.255.255          On-link   192.168.29.198    281
===========================================================================
Here is the ipconfig:
Ethernet adapter Ethernet 2:
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::51de:4dfe:e6c3:9b64%6
   IPv4 Address. . . . . . . . . . . : 192.168.2.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . :
Wireless LAN adapter Wi-Fi:
   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::f84d:75f:9fe7:5d5e%8
   IPv4 Address. . . . . . . . . . . : 192.168.29.198
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 192.168.24.1
C:\Windows\system32>
It doesn't show a gateway on the TAP or OpenVPN adapter.
Here's the log of the OpenVPN:
And the rules of the OpenVPN in the firewall:
-
It could be that the VPN is unstable enough that windows falls back to the original route through the school. I think windows does this automatically.
In your config you should have a line "redirect-gateway def1". This is what adds these routes:
          0.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6     20
        128.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6     20
These are supposed to be preferred by Windows over this one:
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.164     25
Try removing the "def1" from "redirect-gateway def1" in your Windows config. See the following for details on redirect-gateway.
https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
Edit: If you don't have redirect-gateway in your config it's because it's being pushed by pfsense. Turn off the "Redirect Gateway" check box in pfsense and add "redirect-gateway" to your windows config.
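
Added example (not part of any post in this thread): a longest-prefix route lookup over a subset of the rows from the first route print above, showing why the two /1 routes that "redirect-gateway def1" installs win over the 0.0.0.0/0 default and which destinations still leave through the physical adapter. The function names `parse_routes`, `lookup` and `audit` are made up for this sketch; the tie-break used is longest prefix first, then lowest metric.

```python
import ipaddress

# Subset of the Active Routes rows from the first `route print` in the thread
# (destination, netmask, gateway, interface, metric).
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.164     25
0.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6     20
84.91.204.249  255.255.255.255 192.168.43.1  192.168.43.164     25
128.0.0.0      128.0.0.0      192.168.2.5      192.168.2.6     20
192.168.1.0    255.255.255.0  192.168.2.5      192.168.2.6     20
192.168.2.4    255.255.255.252    On-link      192.168.2.6    276
192.168.43.0   255.255.255.0      On-link   192.168.43.164    281
"""

def parse_routes(text):
    """Turn `route print` rows into dicts; skip headers and separator lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            metric = int(fields[4])
        except ValueError:
            continue
        routes.append({"net": net, "gateway": fields[2],
                       "iface": fields[3], "metric": metric})
    return routes

def lookup(routes, dest):
    """Pick the route for dest: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def audit(routes, tap_iface, probes):
    """Map each probe address to True if it egresses via the TAP interface."""
    return {d: (lookup(routes, d) or {}).get("iface") == tap_iface
            for d in probes}

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    # 84.91.204.249 has its own host route via the physical gateway in the table.
    for dest, via_vpn in audit(table, "192.168.2.6",
                               ["8.8.8.8", "192.168.1.2", "84.91.204.249"]).items():
        print(f"{dest:15} -> {'VPN' if via_vpn else 'physical adapter'}")
```

Run it against the full output of `route print -4` saved to a file to check a live machine; any public address that does not resolve to the TAP interface is leaving outside the tunnel.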