From: Daryl M. <dar...@te...> - 2016-11-14 18:05:17
I'm trying to set up a dual-stack OpenVPN server on a Windows 10 host. I'm also using a Windows 10 host as the client. I have two dual-stack networks, both using pfSense. One is pfSense 2.3.2_1 with a Hurricane Electric tunnel. The other is pfSense 2.4 (beta) with native IPv6. Both of these networks use the same modem, which is 50 Mbps down / 10 Mbps up, but are otherwise completely separate. Both networks are working properly according to ipv6-test.com and test-ipv6.com. The speed and latency are the same on the native network, and the IPv6 stack is around 10% slower than the IPv4 stack on the network using the tunnel. Both networks have a /64 prefix for IPv6. On the router for the native IPv6 network, I have two separate /64 prefixes from a /56 prefix on two separate interfaces.

I was initially using the openvpn-install-2.3.12-I601-x86_64 release. I have also tried the openvpn-install-2.3.13-I601-x86_64 release and the openvpn-install-2.4_alpha2-I601-x86_64 release. There was no noticeable difference between the different versions. I used the how-to and the example client and server configurations to set up the PKI and the client and server. The PKI works properly. I can get the client and server connected, and I can ping the client from the server and the server from the client using both IPv4 and IPv6.

The majority of the difficulty I've encountered has been getting traffic from the VPN to the gateway on the server. I've found that the how-to covers PKI and client/server settings very thoroughly, but it leaves a lot of unanswered questions about setting up the server, aside from OpenVPN itself. It would be very helpful if someone from the development community who is working on the Windows version would confirm what the intended configuration is for the server and document it in the how-to. I wasn't making any progress getting dual-stack working, so I decided to try to get IPv4 working first.
Since my networks and hosts are set up to use dual-stack, I disabled IPv6 on the client and server Ethernet interfaces and TAP adapters. I got the server to work using Internet Connection Sharing (ICS), with no other Windows configuration changes. (Over on the forum, there are a variety of other recommended settings that I found either didn't make any difference or didn't work at all.)

I also found what appears to be a problem with the TAP adapter. After enabling ICS, the settings on the TAP adapter get changed from "Obtain an IP address automatically" to use the 192.168.137.1 address and 255.255.255.0 subnet with a blank gateway, and from "Obtain DNS server address automatically" to use blank DNS addresses. Here <https://dl.dropboxusercontent.com/u/61356231/tap%20settings.PNG> is a link to a screen capture. With these settings, the server will not route VPN traffic to the gateway. I've found that by resetting the TAP adapter to obtain IP address and DNS server addresses automatically it works properly - for a while. The VPN connects and stays connected, but after a while, if the server is disconnected or if the host is rebooted, the TAP adapter settings get switched back to the settings above, and the server won't route VPN traffic again unless the settings are returned to automatic. I've tried this using only one network interface as well as using two network interfaces, but the behaviour is the same.

I would appreciate it if someone would confirm whether ICS is the intended way to configure the server and whether there is an alternate configuration that does not have the problem that I've described above. If someone would like to see log files or any other information, I would be happy to provide it. I will provide a follow-up on the IPv6 configuration.
Here is the client configuration:

client
dev tun
proto udp
remote 50.98.86.223 1194
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
block-outside-dns

Here is the server configuration:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "block-outside-dns"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
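The workaround the post describes (checking whether ICS has flipped the TAP adapter from "obtain automatically" to the static 192.168.137.1/24 address with blank DNS, then putting it back to automatic) is tedious to repeat by hand after every disconnect or reboot. The PowerShell script below is an added example, not code from the original post or from the OpenVPN project. It detects that state on the server's TAP adapter and, with -Fix, resets the adapter to DHCP and automatic DNS. It assumes the adapter's interface description contains "TAP-Windows" (the usual name of the OpenVPN TAP driver; adjust $TapPattern if yours differs) and that it is run from an elevated prompt. It does not touch the ICS setting itself, so the adapter may be flipped again, exactly as the post reports; the script only makes the reset repeatable and visible.

```powershell
# Added example (not from the original post): detect a TAP adapter that ICS has
# switched to the static 192.168.137.1 address and, with -Fix, return it to
# "obtain automatically". $TapPattern and the ICS address are assumptions taken
# from the post and from the default TAP driver name. Run as Administrator.
param(
    [string]$TapPattern = 'TAP-Windows',   # substring of the adapter's InterfaceDescription
    [string]$IcsAddress = '192.168.137.1', # address ICS assigns to the shared-to adapter
    [switch]$Fix                           # without -Fix the script only reports
)

$tap = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like "*$TapPattern*" }
if (-not $tap) {
    Write-Error "No adapter matching '$TapPattern' was found."
    exit 1
}

foreach ($nic in $tap) {
    $ipif = Get-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4
    $addr = Get-NetIPAddress  -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $dns  = Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4

    Write-Host ("{0}: Dhcp={1} IPv4={2} DNS={3}" -f $nic.Name, $ipif.Dhcp,
        ($addr.IPAddress -join ','), ($dns.ServerAddresses -join ','))

    # This is the configuration the post identifies as breaking VPN-to-gateway routing:
    # DHCP disabled and the ICS static address present on the TAP adapter.
    $icsStatic = ($ipif.Dhcp -eq 'Disabled') -and ($addr.IPAddress -contains $IcsAddress)
    if (-not $icsStatic) {
        Write-Host "$($nic.Name): settings are automatic, nothing to do."
        continue
    }

    Write-Warning "$($nic.Name) carries the ICS static address $IcsAddress; VPN traffic will not be routed."
    if ($Fix) {
        # Remove the static address and any routes ICS left on the adapter, then
        # re-enable DHCP and clear the (blank) static DNS entries.
        Remove-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Confirm:$false
        Remove-NetRoute     -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
        Set-NetIPInterface  -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Enabled
        Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ResetServerAddresses
        Write-Host "$($nic.Name): reset to obtain IP address and DNS servers automatically."
    }
    else {
        Write-Host "Re-run with -Fix to reset $($nic.Name) to automatic settings."
    }
}
```

Run it once without -Fix to see the adapter's current state; the first line of output for each matching adapter shows whether Dhcp is Enabled or Disabled and which address is bound. Because the post observes the settings reverting after a disconnect or reboot, a practical use is to register the script with -Fix as a scheduled task triggered at startup, so the adapter is checked before the OpenVPN service starts accepting clients.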