From: Jan J. K. <ja...@ni...> - 2016-11-18 11:16:39
Hi,

as Gert already pointed out, running OpenVPN as a server on Windows is not often done, so you will be hard-pressed to find lots of support for it.

I'd not use ICS, however, as ICS turns your (tap) adapter into a statically configured device, and sets up a DHCP server on this device. It *is* possible to run OpenVPN in such a configuration but it is very non-standard.

If you want to use NATting/masquerading for your clients then I'd suggest to use the Windows RRAS service, which will do NATting in a much nicer manner.

Having said that, you'll probably be better off to run a pre-configured Linux VM inside your Windows box; this VM can then run the openvpn server and do all the networking and NATting for you, including IPv4 and IPv6.

HTH,

JJK

On 14/11/16 19:05, Daryl Morse wrote:
>
> I'm trying to set up a dual-stack OpenVPN server on a Windows 10 host. I'm also using a Windows 10 host as the client. I have two dual-stack networks, both using pfSense. One is pfSense 2.3.2_1 with a Hurricane Electric tunnel. The other is pfSense 2.4 (beta) with native IPv6. Both of these networks use the same modem, which is 50 Mbps down / 10 Mbps up, but are otherwise completely separate. Both networks are working properly according to ipv6-test.com and test-ipv6.com. The speed and latency are the same on the native network, and the IPv6 stack is around 10% slower than the IPv4 stack on the network using the tunnel. Both networks have a /64 prefix for IPv6. On the router for the native IPv6 network, I have two separate /64 prefixes from a /56 prefix on two separate interfaces.
>
> I was initially using the openvpn-install-2.3.12-I601-x86_64 release. I have also tried the openvpn-install-2.3.13-I601-x86_64 release and the openvpn-install-2.4_alpha2-I601-x86_64 release. There was no noticeable difference between the different versions.
>
> I used the how-to and the example client and server configurations to set up the PKI and the client and server. The PKI works properly. I can get the client and server connected and I can ping the client from the server and the server from the client using both IPv4 and IPv6. The majority of the difficulty I've encountered has been getting traffic from the VPN to the gateway on the server. I've found that the how-to covers PKI and client/server settings very thoroughly, but it leaves a lot of unanswered questions about setting up the server, aside from OpenVPN itself. It would be very helpful if someone from the development community who is working on the Windows version would confirm what the intended configuration is for the server and document it in the how-to.
>
> I wasn't making any progress getting dual-stack working so I decided to try to get IPv4 working first. Since my networks and hosts are set up to use dual-stack, I disabled IPv6 on the client and server Ethernet interfaces and TAP adapters. I got the server to work using Internet Connection Sharing (ICS), with no other Windows configuration changes. (Over on the forum, there are a variety of other recommended settings that I found either didn't make any difference or didn't work at all.) I also found what appears to be a problem with the TAP adapter. After enabling ICS, the settings on the TAP adapter get changed from "Obtain an IP address automatically" to use the 192.168.137.1 address and 255.255.255.0 subnet with a blank gateway, and from "Obtain DNS server address automatically" to use blank DNS addresses. Here <https://dl.dropboxusercontent.com/u/61356231/tap%20settings.PNG> is a link to a screen capture. With these settings, the server will not route VPN traffic to the gateway. I've found that by resetting the TAP adapter to obtain IP address and DNS server addresses automatically it works properly, for a while. The VPN connects and stays connected, but after a while, if the server is disconnected or if the host is rebooted, the TAP adapter settings get switched back to the settings above and the server won't route VPN traffic again unless the settings are returned to automatic. I've tried this using only one network interface as well as using two network interfaces, but the behaviour is the same.
>
> I would appreciate it if someone would confirm whether ICS is the intended way to configure the server and whether there is an alternate configuration that does not have the problem I've described above. If someone would like to see log files or any other information, I would be happy to provide it.
>
> I will provide a follow-up on the IPv6 configuration.
>
> Here is the client configuration:
>
> client
> dev tun
> proto udp
> remote 50.98.86.223 1194
> resolv-retry infinite
> persist-key
> persist-tun
> ca ca.crt
> cert client.crt
> key client.key
> remote-cert-tls server
> cipher AES-256-CBC
> comp-lzo
> verb 3
> block-outside-dns
>
> Here is the server configuration:
>
> port 1194
> proto udp
> dev tun
> ca ca.crt
> cert server.crt
> key server.key
> dh dh2048.pem
> server 10.8.0.0 255.255.255.0
> push "block-outside-dns"
> push "redirect-gateway def1 bypass-dhcp"
> push "dhcp-option DNS 10.8.0.1"
> keepalive 10 120
> cipher AES-256-CBC
> comp-lzo
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
>
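The following is an added example, not code from Daryl, JJK or the OpenVPN project. It shows one way to NAT the tun subnet from the posted server config (`server 10.8.0.0 255.255.255.0`) on the Windows 10 host without ICS, using the built-in NetNat cmdlets; this is an alternative to the RRAS route JJK suggests and is not something the thread itself mentions. The background for why ICS breaks things: with `dev tun` on Windows, OpenVPN's default `--ip-win32 dynamic` mode hands the TAP adapter its 10.8.0.1 address through a DHCP-style exchange, so the adapter has to stay on "Obtain an IP address automatically"; ICS overwriting it with a static 192.168.137.1/24 and its own DHCP server is exactly the symptom described above. WinNAT does not touch the adapter's addressing. The adapter aliases and the NAT name below are assumptions; check `Get-NetAdapter` for the real ones, and run this from an elevated PowerShell.

```powershell
# Added example (not from the thread): NAT the OpenVPN tun subnet on Windows 10
# with the NetNat cmdlets instead of Internet Connection Sharing.
# Assumptions: adapter aliases, NAT name. Subnet matches the posted server config.
$TunSubnet = '10.8.0.0/24'
$TapAlias  = 'OpenVPN TAP-Windows6'   # assumption: the TAP adapter's alias on this host
$WanAlias  = 'Ethernet'                # assumption: the NIC facing the pfSense gateway
$NatName   = 'OpenVPNNat'

# 1. The host must forward IPv4 between the TAP adapter and the LAN/WAN NIC.
#    Without this, replies from the gateway never reach 10.8.0.0/24.
Set-NetIPInterface -InterfaceAlias $TapAlias -AddressFamily IPv4 -Forwarding Enabled
Set-NetIPInterface -InterfaceAlias $WanAlias -AddressFamily IPv4 -Forwarding Enabled

# 2. Create the NAT instance for the tun subnet. WinNAT only allows a single
#    NAT instance per host, so drop a stale one with the same name first.
$existing = Get-NetNat -Name $NatName -ErrorAction SilentlyContinue
if ($existing) {
    Remove-NetNat -Name $NatName -Confirm:$false
}
New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $TunSubnet

# 3. Verify. The TAP adapter should still carry the address OpenVPN assigned
#    (10.8.0.1 with the posted config, PrefixOrigin = Dhcp), not ICS's
#    192.168.137.1 with a Manual origin.
Get-NetIPAddress -InterfaceAlias $TapAlias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin
Get-NetNat -Name $NatName | Format-List Name, InternalIPInterfaceAddressPrefix

# 4. Confirm that ICS is not also active on the WAN adapter, since the two
#    mechanisms fight over the TAP adapter's configuration.
Get-Service SharedAccess | Select-Object Name, Status, StartType
```

Two caveats a practitioner would want: WinNAT is IPv4 only, so the IPv6 half of a dual-stack setup still needs plain routing of a /64 (or a routed prefix from the /56) rather than NAT, which is one reason JJK's Linux VM suggestion is attractive; and if the `SharedAccess` (ICS) service is running, stop and disable it before trusting the TAP adapter's settings, otherwise they can be rewritten again on the next reboot, as described in the thread.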