OpenVPN up and running, now try to get Windows7 to actually use it
-
G'morning ;D
Could I perhaps waste some of your time by asking yet another noob question?
My wife will be travelling abroad. To assure some privacy when she uses the hotel WIFI, I thought I'd set up OpenVPN. I used this youtube tutorial and went exactly the same way (including the problem at the end in that tutorial ;D): https://www.youtube.com/watch?v=VdAHVSTl1ys.
This all worked. In status OpenVPN is running, and my Windows 7/64 wired client appears connected to it using the OpenVPN/windows client software (I told OpenVPN to use 192.168.19.0/24, apparently the Windows 7 client was assigned 192.168.19.6).
However: my W7 computer is not using that connection; it is using my normal wired 192.168.1.x address. I concluded this from a speedtest.net test: I still get the same up/down speeds, which I think should not be the case, as the OpenVPN connection will use my uplink speed (meaning the '2' of my VDSL 30/2), yet when connected with OpenVPN my speedtest.net result is still 25, which is the 'normal' speed of my VDSL without OpenVPN.
Status/OpenVPN however does show a connection and bytes transferred, per the attached screenshot.
I've been googling for hours, and I even added:
push "dhcp-option DNS 192.168.19.6"
to the server settings (screenshot). In the config file here in W7 I added:
redirect-gateway def1
I restarted the W7 OpenVPN client, it connects again, yet my W7 connection does not go through OpenVPN. Now I am lost, and Google does not appear to be my friend in this matter :-[ Would anybody perhaps know how I can fix this? Because if I can get it to work, and it is fast enough for my wife, I can save myself the trouble of going through an external VPN-provider for now. Thank you very much in advance for any help :P Bye,    
-
EDIT: One step further in trying to find out what is doing what: ipconfig and then W7-network connections. It has no internet connection ??? I added an extra screenshot.
-
A couple of things here. I am no expert, but I do successfully run open vpn on my phones, laptops and to connect different isolated networks.
In my experiences the IP address on the local card will still remain as the IP address of the network it's connected to. That's basically how it's routing/connected. If it changed that, you would be kicked off of the local network/wouldn't be able to route out.
The VPN will assign its IP that's inside that secure connection. So for example, my cell phone right now connected to hotspot has a 192.168.1.15 address, but my assigned IP from the VPN is 192.168.22.6. All of my traffic is being routed through my VPN and I can confirm that client side and server side in the logs.
I too have redirect-gateway def1 added in the push section of my VPN so all clients get it, as I want all traffic when connected to the VPN to route through it and not do a split tunnel scenario. One problem that I see is that you are pushing push "dhcp-option DNS 192.168.19.6", and that should be an address to your internal DNS server within the VPN. If not, you may not be able to resolve any URLs as that is not a valid DNS server. This will make your connection show as no internet connection since it can't resolve. I have my VPN push my internal DNS server address and as a fallback my ISP's in case there is something wrong.
I am not sure what client you are using and if you really want to make sure all is routed through vpn, enable route all traffic through vpn which would disable any split tunneling that you may be experiencing.
I am using the open-source Securepoint OpenVPN client for my laptops and FeatVPN for my Android phones as well as OpenVPN on my iPad via Cydia. They all route through the VPN solely with no issues.
Now I have done speed tests and it's limited to my maximum home upload speed (50/10 home connection). When I connect from my wifi at home, which I have to VPN to get to my isolated server network, it will go my full speed at home since it's truly not using my upload but using the internal network. So I am not sure how you have run the speed test. VPN via local network, or one not connected to your home setup?
-
Maybe I misunderstand. For the test, you seem to have the wife's laptop actually on your own internal network. In that case, the OpenVPN client connection is going direct to your pfSense WAN port and doesn't need to go out to the internet and back. Assuming your pfSense has CPU to spare, it will happily process the OpenVPN encryption etc. at speeds faster than your WAN link, and then route out your WAN link. So the performance will look very much the same as if the data went straight out from your LAN to WAN and internet. A traceroute should be able to confirm if the data takes the path via the OpenVPN.
It really needs the laptop to be on another network (data dongle, friend's home network,…) to see the effects for real.
Or did I miss something? -
I would like to thank the both of you very much for your insightful, helpful, reply: thank you ;D
Before reading it, I was at my friend's house to test it from there (so, Phil, no, you were not missing something, but I was - as happens a lot in my life ;D). It appears for some reason it now does work, although the Windows firewall, 'though in 'learning mode' (I use Tinywall for it, a utility that wraps around the native W7 firewall with some additional comfortable features that MS once again decided to leave out), appears to be blocking some connections from the VPN-ip to the VPN-ip. I made screenshots of that, but, stupid as I am, I left my friend's house forgetting the laptop (I often wonder: was I born retarded ??? ;D :P :D). So I will pick it up tomorrow, and then I have the screenshots here. I will also install Comodo firewall on the laptop, to see if that also blocks this kind of traffic. If so, I will humbly come back here if Google again decided it will not be my friend, to ask if you would know what the problem is.
For the record: I tried to convince my wife to let me install PC-BSD 9.1 on it, but she refuses, since she can't play her game on the computer then. I told her I could do that in Virtualbox with W7 in it, but she only looked at me with a 'ah, so you can cook meals yourself, right?'. As I can not cook I just crawled back to my place and decided there will not be another way out of this for me than to give her majesty the W7-laptop :-X
( ;D No, only kidding, we are together for decades and she is still as sweet as she was when I met her. Although, of course, it goes without saying, she is 'da boss' in 'da house' (I get to choose the cars, 'though. Which she then decides are better for her to drive than for me, so I get her old car and she drives my new car) ;D.
Kilthro, could I ask: my 'push dhcp', in your opinion, what should I add in there then? I have 4 DNS-servers setup in System/General setup, is there a way to tell the server to 'push' these to the OpenVPN-server (as they are already defined in PFsense)?
-
Yes. If you have these DNS lists already identified in pfSense (setup area) then just check-mark the box on OpenVPN to provide the list of DNS servers. It's in your screenshot.
That's what I did. pfSense has the DNS servers in the order I want them, so I just have the VPN server provide them by enabling that option.
-
The biggest problems I've ever had with Win7 and Vista were this:
At install of openvpn, you really MUST right click the file and install as admin.
Then after that, I locate the openvpn connect icon on desktop and right click and change its compatibility to run as admin.
Then I am usually all good. If you didn't install as admin on Windows, uninstall and reinstall as admin. Then be sure the VPN is run as admin each time you run it. I suspect your issue will go away.
-
The pfSense DNS forwarder will listen on the OpenVPN adapter address so you can just push that, 192.168.19.5 in your case. That's what I'm doing and it works fine.
I see that your Win7 box lists the VPN adapter as TAP. Shouldn't that be TUN? :-\
Steve
Edit: Now I come to verify my settings I'm less sure. I'm pushing 192.168.20.1 for DNS on a 192.168.20.0/24 tunnel.
-
At install of openvpn, you really MUST right click the file and install as admin.
Then after that, I locate the openvpn connect icon on desktop and right click and change its compatibility to run as admin.
I use the Windows install bundle that has OpenVPN Manager included in it. It makes an install package directly from pfSense. A non-admin (or admin) user can start OpenVPN Manager and the OpenVPN connection without needing admin privs.
Of course, the initial software install needs to be run with admin privs. -
This is EXACTLY the behavior you get when using OpenVPN on a Windows machine that wasn't installed as admin and isn't running as admin. That's why I mentioned it. Try using the older version of the OpenVPN client for Windows and doing all the admin privs as I described. Other than wasting some of your time, it can't hurt anything. Also, if you have been using any other sort of VPN tech like Hotspot Shield or anything else like that, uninstall those first, then uninstall anything remotely associated with any sort of tunneling or VPN and only then reinstall the OpenVPN client.
If that doesn't work, then we have absolutely for sure found out what your problem isn't…
-
Thank you all for your reply ;D
(I am working my **tt off to get the laptop ready for her majesty my wife, I had to cleanly reinstall everything, which is quite a time sucking nightmare under W7 & Lenovo: the Lenovo update directory alone is 6GB …:-X).
As to using OpenVPN as administrator, I did that from the start, and I also used the pfSense-created installer (in the end), as it turned out the official OpenVPN installer kept on hanging during install (and I even used the 'hidden administrator' account in W7 (so the 'real-real' administrator)). To no avail. Of course, the pfSense-created OpenVPN installer worked marvelously, which is no surprise, as it is the FreeBSD + pfSense teams that do this :-*
Stephen, if I may:
The pfSense DNS forwarder will listen on the OpenVPN adapter address so you can just push that, 192.168.19.5 in your case. That's what I'm doing and it works fine.
I see that your Win7 box lists the VPN adapter as TAP. Shouldn't that be TUN? :-\
Steve
Edit: Now I come to verify my settings I'm less sure. I'm pushing 192.168.20.1 for DNS on a 192.168.20.0/24 tunnel.
You struck through the 192.168.19.5, so does that mean that if I provide the DNS servers per Kilthro's post I can remove that complete 'push' line?
The TAP versus TUN: you ask me ??? You are the guru ;D
This is the config file the pfSense installer created:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote somebodiesgottodoit.hopto.org 45117 udp
tls-remote goaway
auth-user-pass
pkcs12 pfsense-udp-45117-goaway.p12
tls-auth pfsense-udp-45117-goaway-tls.key 1
comp-lzo
redirect-gateway def1
It says 'tun' there, but you are right: Windows 7 says 'TAP' (there is also a shortcut in the start menu: TAP-Windows, in which you can create a new 'TAP' or delete all 'TAPs'). Not that I even know what TAP and TUN are; I am only trying to give my wife a relatively safe way to work when she is on the other side of the world (yesterday, I spent 2 hours in the supermarket finding 17 microwave meals for me to cook while she is away :-X - ;D).
Could I perhaps please ask one final, but for me very important, question?
Given that the OpenVPN-connection will be on a different subnet than our own LAN, does this mean she can not connect to the normal LAN? So no connections possible from 192.168.19.x to 192.168.1.x? Because I don't want that to be possible. The reason is that I don't trust the hotels she will be staying in, and even 'though she will be using OpenVPN, if they manage to, some way or the other, sniff her uid and password (to the OpenVPN-connection), they could be able to access my private LAN, in which my NAS-ses reside, on which extremely valuable information resides (the videos and pictures of all our current and already gone dogs, to name just one). I don't want to risk any chance of a 'hacker' to get in there, and delete it, 'just for the fun of it'.
So she will be using OpenVPN only to browse the internet via a connection (our own) I trust more than the average 'free Wifi' in a hotel, and she should be blocked out of our own trusted LAN.
Given the standard OpenVPN I set up (the youtube clip), given that I have (thus) different subnets, does that mean she can not go into 192.168.1.x from her OpenVPN-192.168.19.x, or do I explicitly need to create a firewall rule for this? And if so, could I very noobish (I apologize :-[) ask for what rule I need to create then?
I once again would like to thank you all very, very, much for your help ;D
Bye,
(PS I dived into the deepness of Snort: this is an amazing tooling, I managed to block everything, everywhere, except for google.com. No idea how I did that :P).
-
If you firewall the subnet you are using in openvpn for here away from your LAN then openvpn will not allow access to your LAN. This would mean going into your LAN Firewall rules and adding one line to block anything from 192.168.19.0/24 going to LAN Subnet. Otherwise, someone would be able to ping your LAN from the VPN tunnel or even to manually enter the IP addresses of computers on your LAN to see any files, printers or other resources you may be sharing on the LAN. Make sure that block rule is above the allow rules.
It's an easy fix.
-
If you firewall the subnet you are using in openvpn for here away from your LAN then openvpn will not allow access to your LAN. This would mean going into your LAN Firewall rules and adding one line to block anything from 192.168.19.0/24 going to LAN Subnet. Otherwise, someone would be able to ping your LAN from the VPN tunnel or even to manually enter the IP addresses of computers on your LAN to see any files, printers or other resources you may be sharing on the LAN. Make sure that block rule is above the allow rules.
It's an easy fix.
Thank you very much Kejianshi ;D
Could I ask if the following I just did then is what I am supposed to do? (Screenshots attached).
And, could I perhaps also ask some more noob questions:
- Why is it that, when I select 'Source: Type = LAN subnet', I am not allowed to enter a CIDR notation ??? Because the 'Address' field then is greyed out ??? So I now selected 'Network' as a Type, so I am at least allowed to enter something, but I don't feel I understand it. I thought 'LAN subnet' would be the place to enter a CIDR notation.
- I now added the rule to the 'LAN' tab, but shouldn't I also (or just?) be adding it to the OpenVPN tab?
- I have been struggling to move that rule to the top; it appears I first had to select all the rules and then say 'move these down'. Wouldn't it be easier to only select my new rule and tell PFS to 'move it to the top'? (Per your message that it should be the first rule in the list)?
Once again, thank you for helping me out - very, very much ;D
PS I admit, and keep apologizing in writing, that I am a complete noob on these matters, but I could help people with economics, my line of education. And contrary to popular - and understandable - belief, not all economists are crooks, even 'though we have a hard time convincing people of that, given the last 5 years :-\
-
Hmm, the forum is telling me I can only post 1 attachment, since otherwise the attachments would be too big. This one was meant to be next.
-
Honestly, if you have set up your OpenVPN to require username/password as well as a client certificate, you should be good. I wouldn't worry about someone trying to hijack access… Without the certificate, they still will not be able to connect if they somehow got the username/password, which would be difficult if it's encrypted. (This is how I have mine set up.) Also, credentials must match the certificate account or no access will be given if someone tries a different username and password with the wrong certificate installed.
If you enable the option to provide the dns list to clients it will do so and you can remove that line in the additional settings.
I see that you have "route all traffic through VPN" enabled. I know in the past I have seen people having trouble accessing other networks/subnets behind the firewall with that on, as it blocks them from accessing them. I know I don't have that enabled, but I have this added in advanced settings:
push "redirect-gateway def1"
This way I know all traffic is routed through the VPN and I still have access to the computers behind the firewall for remote desktop etc. I also enabled the option to make my other networks available to VPN clients. I didn't have to push them in the advanced settings. If none of that is enabled (advanced settings or the make-networks-available option) then they should be locked into the virtual network of the VPN. I am not 100% on that, haven't tested, but that's how it should work.
I also did not mess with any firewall rules. You could set up rules to block the vpn subnet access to certain ips if you wanted to so you don't have to worry about gaining access to certain systems if you are worried.
Again, I am no expert, just speaking from my experiences with it.
-
Ah, and this I also had to add: while testing OpenVPN at my friend's house, the Windows 7 firewall reported these blockings from the OpenVPN-IP (192.168.19.x), which I really don't understand why (as it was in 'learning mode') ???
-
When you select LAN subnet, the 192.168.1.0/24 is implied since that is the subnet for the LAN. Basically, it's automatically doing what you did manually. Either way should work fine, but selecting LAN subnet seems less fuss and sure-fire to me. VERY important here (I think): I would go back into that rule and select "interface - openvpn", not LAN, since this rule needs to match for traffic on the OpenVPN interface. That should move the rule over to the OpenVPN tab.
Another user noted that you can enable or disable access to network from inside openvpn server config.
I always enable it and then set up firewall rules to allow and disallow what I want, but to disallow everything to local network his suggestion should also work although I've not tested it. -
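The rule-placement advice in the two posts above (block tunnel-to-LAN above the allow rule, and put it on the OpenVPN tab, not the LAN tab) can be checked with a small first-match model. This is an added example, not code from the thread or from pfSense; it assumes simplified rule semantics (source/destination networks only, no ports or protocols) and uses the thread's own networks, 192.168.19.0/24 for the tunnel and 192.168.1.0/24 for the home LAN.

```python
"""Added example: a first-match model of pfSense interface rules, used to test
the advice in this thread (block tunnel -> LAN above the allow rule, placed on
the OpenVPN tab). Semantics are simplified: only source/destination networks
are matched, no protocol or port, and the default policy is deny."""
import ipaddress
from dataclasses import dataclass

# Networks named in the thread: tunnel 192.168.19.0/24, home LAN 192.168.1.0/24.
VPN_TUNNEL = ipaddress.ip_network("192.168.19.0/24")
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "block" or "pass"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def evaluate(rulesets, iface, src, dst):
    """Rules are walked top to bottom on the interface the packet ENTERS; the
    first match wins, and anything unmatched hits the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rulesets.get(iface, []):
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


BLOCK_LAN = Rule("block", VPN_TUNNEL, LAN_SUBNET)
ALLOW_ALL = Rule("pass", VPN_TUNNEL, ANY)

# Three layouts discussed in the thread (constructed rule sets). Traffic from a
# VPN client enters pfSense on the OpenVPN interface, so only that tab is consulted.
ADVISED = {"openvpn": [BLOCK_LAN, ALLOW_ALL]}                   # block above allow
BLOCK_BELOW_ALLOW = {"openvpn": [ALLOW_ALL, BLOCK_LAN]}         # order reversed
BLOCK_ON_LAN_TAB = {"lan": [BLOCK_LAN], "openvpn": [ALLOW_ALL]}  # rule on wrong tab


def vpn_client_reach(rulesets, client="192.168.19.6", nas="192.168.1.10",
                     site="203.0.113.10"):
    """Return (internet_ok, lan_reachable) for a VPN client behind `rulesets`.
    192.168.19.6 is the client address from the thread; the NAS address and the
    public site (a documentation range address) are constructed."""
    internet_ok = evaluate(rulesets, "openvpn", client, site) == "pass"
    lan_reachable = evaluate(rulesets, "openvpn", client, nas) == "pass"
    return internet_ok, lan_reachable


if __name__ == "__main__":
    for name, rs in (("advised", ADVISED), ("block below allow", BLOCK_BELOW_ALLOW),
                     ("block on LAN tab", BLOCK_ON_LAN_TAB)):
        internet, lan = vpn_client_reach(rs)
        state = ("ok" if internet else "blocked", "REACHABLE" if lan else "blocked")
        print(f"{name:18} internet={state[0]:8} LAN={state[1]}")
```

Only the advised layout leaves the NAS unreachable while internet traffic still passes; the reversed order and the LAN-tab placement both let the tunnel reach the LAN.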
Windows firewalls… Yuck.
Looks like its blocking DNS - fabulous.
I would allow openvpn in windows firewall or allow 192.168.119.0/24.
Windows firewall is a blunt instrument. -
Thank you again for your help :P
I've made the changes recommended here, and it appears to be working correctly now (although PFS didn't remember the block rule for my local LAN, which I added to the OpenVPN-rules in the firewall; very strange, I had to enter the rule 4 times ???).
Well, it has to be working anyway, since her majesty has left the house and is on her way to the airport, so I can't do anything about it anymore right now. And I am on my way to the kitchen, to learn how to prepare food for myself :D
Thank you again for your help ;D
(And yes, Windows firewall = yuck. As is Windows. But she wouldn't allow me to put PC-BSD on the laptop :-).