From: Daryl M. <dar...@te...> - 2016-11-25 06:15:33

Hi JJK,

Thanks for your reply. Based on your suggestion, I disabled ICS and went back to RRAS. With RRAS enabled, the client and server will not even connect with IPv4 only, let alone pass any traffic. (I enabled "allow callers to access my local network" for IPv4 and IPv6 and I entered the /64 prefix.) If you (or anyone else) know of specific RRAS settings that work, please post them.

WRT NATting/masquerading, I have no specific requirement for how it works, only that it passes traffic. The way it worked for IPv4 (using the ISP-assigned WAN address) is fine.

Thanks.

From: Jan Just Keijser [mailto:ja...@ni...]
Sent: Friday, November 18, 2016 3:16 AM
To: Daryl Morse <dar...@te...>; ope...@li...
Subject: Re: [Openvpn-users] Problems setting up dual-stack OpenVPN server on a Windows 10 host

Hi,

as Gert already pointed out, running OpenVPN as a server on Windows is not often done, so you will be hard-pressed to find lots of support for it. I'd not use ICS, however, as ICS turns your (tap) adapter into a statically configured device, and sets up a DHCP server on this device. It *is* possible to run OpenVPN in such a configuration but it is very non-standard. If you want to use NATting/masquerading for your clients then I'd suggest using the Windows RRAS service, which will do NATting in a much nicer manner.

Having said that, you'll probably be better off running a pre-configured Linux VM inside your Windows box; this VM can then run the openvpn server and do all the networking and NATting for you, including IPv4 and IPv6.

HTH,

JJK

On 14/11/16 19:05, Daryl Morse wrote:

I'm trying to set up a dual-stack OpenVPN server on a Windows 10 host. I'm also using a Windows 10 host as the client. I have two dual-stack networks, both using pfSense. One is pfSense 2.3.2_1 with a Hurricane Electric tunnel. The other is pfSense 2.4 (beta) with native IPv6. Both of these networks use the same modem, which is 50 Mbps down / 10 Mbps up, but are otherwise completely separate.

Both networks are working properly according to ipv6-test.com and test-ipv6.com. The speed and latency are the same on the native network, and the IPv6 stack is around 10% slower than the IPv4 stack on the network using the tunnel. Both networks have a /64 prefix for IPv6. On the router for the native IPv6 network, I have two separate /64 prefixes from a /56 prefix on two separate interfaces.

I was initially using the openvpn-install-2.3.12-I601-x86_64 release. I have also tried the openvpn-install-2.3.13-I601-x86_64 release and the openvpn-install-2.4_alpha2-I601-x86_64 release. There was no noticeable difference between the different versions. I used the how-to and the example client and server configurations to set up the PKI and the client and server. The PKI works properly. I can get the client and server connected and I can ping the client from the server and the server from the client using both IPv4 and IPv6.

The majority of the difficulty I've encountered has been getting traffic from the VPN to the gateway on the server. I've found that the how-to covers PKI and client/server settings very thoroughly, but it leaves a lot of unanswered questions about setting up the server, aside from OpenVPN itself. It would be very helpful if someone from the development community who is working on the Windows version would confirm what the intended configuration is for the server and document it in the how-to.

I wasn't making any progress getting dual-stack working, so I decided to try to get IPv4 working first. Since my networks and hosts are set up to use dual-stack, I disabled IPv6 on the client and server Ethernet interfaces and tap adapters. I got the server to work using Internet Connection Sharing (ICS), with no other Windows configuration changes. (Over on the forum, there are a variety of other recommended settings that I found either didn't make any difference or didn't work at all.)

I also found what appears to be a problem with the tap adapter. After enabling ICS, the settings on the tap adapter get changed from "Obtain an IP address automatically" to use the 192.168.137.1 address and 255.255.255.0 subnet with a blank gateway, and from "Obtain DNS server address automatically" to use blank DNS addresses. Here <https://dl.dropboxusercontent.com/u/61356231/tap%20settings.PNG> is a link to a screen capture. With these settings, the server will not route VPN traffic to the gateway. I've found that by resetting the tap adapter to obtain IP address and DNS server addresses automatically it works properly - for a while. The VPN connects and stays connected, but after a while, if the server is disconnected or if the host is rebooted, the tap adapter settings get switched back to the settings above and the server won't route VPN traffic again unless the settings are returned to automatic. I've tried this using only one network interface as well as using two network interfaces, but the behaviour is the same.

I would appreciate it if someone would confirm if ICS is the intended way to configure the server and if there is an alternate configuration that does not have the problem that I've described above. If someone would like to see log files or any other information, I would be happy to provide it. I will provide a follow-up on the IPv6 configuration.

Here is the client configuration:

    client
    dev tun
    proto udp
    remote 50.98.86.223 1194
    resolv-retry infinite
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    remote-cert-tls server
    cipher AES-256-CBC
    comp-lzo
    verb 3
    block-outside-dns

Here is the server configuration:

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    push "block-outside-dns"
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 10.8.0.1"
    keepalive 10 120
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
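The tap-adapter problem described in the thread (ICS silently replacing the adapter's DHCP configuration with a static 192.168.137.1/24 and blank DNS, after which the server stops routing VPN traffic) can be checked for, and undone, from PowerShell. This is an added example, not code from the thread or from the OpenVPN project; it assumes the TAP adapter's interface alias is 'Ethernet 2' (adjust $TapAlias to whatever Get-NetAdapter shows for the tap device) and must run in an elevated session when -Fix is used.

```powershell
# Added example: detect the ICS static configuration on the OpenVPN TAP adapter
# that the thread reports (192.168.137.1/24, DHCP off, blank DNS) and optionally
# return the adapter to automatic IP/DNS, as the poster did by hand.
# Assumption: the TAP adapter's alias is 'Ethernet 2'; check with Get-NetAdapter.
param(
    [string]$TapAlias = 'Ethernet 2',
    [switch]$Fix
)

$ipIf = Get-NetIPInterface -InterfaceAlias $TapAlias -AddressFamily IPv4 -ErrorAction Stop
$addr = Get-NetIPAddress  -InterfaceAlias $TapAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
$dns  = Get-DnsClientServerAddress -InterfaceAlias $TapAlias -AddressFamily IPv4

Write-Host ("TAP adapter '{0}': DHCP={1}, IPv4={2}, DNS={3}" -f $TapAlias, $ipIf.Dhcp,
    ($addr.IPAddress -join ','), ($dns.ServerAddresses -join ','))

# ICS marks its shared adapter by disabling DHCP and assigning 192.168.137.1.
$icsStatic = ($ipIf.Dhcp -eq 'Disabled') -and ($addr.IPAddress -contains '192.168.137.1')

if ($icsStatic) {
    Write-Warning "TAP adapter carries the ICS static configuration; OpenVPN will not route VPN traffic to the gateway in this state."
    if ($Fix) {
        # Drop the ICS-assigned address first, otherwise it survives the switch back to DHCP.
        Remove-NetIPAddress -InterfaceAlias $TapAlias -IPAddress '192.168.137.1' -Confirm:$false
        Set-NetIPInterface  -InterfaceAlias $TapAlias -AddressFamily IPv4 -Dhcp Enabled
        Set-DnsClientServerAddress -InterfaceAlias $TapAlias -ResetServerAddresses
        Write-Host "TAP adapter reset to automatic IP and DNS configuration."
    }
} else {
    Write-Host "TAP adapter is not in the ICS static configuration."
}
```

Because the thread notes that ICS reapplies the static settings after a disconnect or reboot, the check is worth running again before each server start rather than once.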