From: Jan J. K. <ja...@ni...> - 2016-11-25 17:29:20
Hi Daryl,

On 25/11/16 07:15, Daryl Morse wrote:
>
> Hi JJK,
>
> Thanks for your reply.
>
> Based on your suggestion, I disabled ICS and went back to RRAS. With
> RRAS enabled, the client and server will not even connect with ipv4
> only, let alone pass any traffic. (I enabled “allow callers to access
> my local network” for ipv4 and ipv6 and I entered the /64 prefix.) If
> you (or anyone else) know of specific RRAS settings that work, please
> post them.
>
> WRT NATting/masquerading, I have no specific requirement for how it
> works, only that it passes traffic. The way it worked for ipv4 (using
> the ISP assigned WAN address) is fine.
>

I've just recreated your setup on Windows 7 Pro and also found that RRAS is not working. That shows that my networking knowledge of Windows stopped with XP, as this solution did work in Windows XP (as you can find on the internet as well). It turns out that Microsoft disabled/removed NATting support in RRAS for Windows 7+: for that, they explicitly want you to run Windows Server 20xx.

The next step was to use ICS:
- I enabled ICS on my local ethernet adapter
- as the "home network" adapter I chose the TAP adapter
- next, start OpenVPN as a server and connect a client; note that the IP address of the VPN server was simply what I had configured in the config file (192.168.200.1)

I also enabled ip routing on my Win 7 box (using regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter := 1).

This setup worked for me, including restarts of the OpenVPN server process. I did not try to automate the process - so I don't know if this works after reboots, or while running OpenVPN as a service.

HTH,

JJK

> *From:* Jan Just Keijser [mailto:ja...@ni...]
> *Sent:* Friday, November 18, 2016 3:16 AM
> *To:* Daryl Morse <dar...@te...>;
> ope...@li...
> *Subject:* Re: [Openvpn-users] Problems setting up dual-stack OpenVPN
> server on a Windows 10 host
>
> Hi,
>
>
> as Gert already pointed out, running OpenVPN as a server on Windows
> is not often done, so you will be hard-pressed to find lots of support
> for it.
> I'd not use ICS, however, as ICS turns your (tap) adapter into a
> statically configured device, and sets up a DHCP server on this
> device. It *is* possible to run OpenVPN in such a configuration but it
> is very non-standard.
>
> If you want to use NATting/masquerading for your clients then I'd
> suggest to use the Windows RRAS service, which will do NATting in a
> much nicer manner.
>
> Having said that, you'll probably be better off to run a
> pre-configured Linux VM inside your Windows box; this VM can then
> run the openvpn server and do all the networking and NATting for you,
> including IPv4 and IPv6.
>
> HTH,
>
> JJK
>
> On 14/11/16 19:05, Daryl Morse wrote:
>
> I’m trying to set up a dual-stack OpenVPN server on a windows 10
> host. I’m also using a windows 10 host as the client. I have two
> dual-stack networks, both using pfsense. One is pfsense 2.3.2_1
> with a hurricane electric tunnel. The other is pfsense 2.4 (beta)
> with native ipv6. Both of these networks use the same modem, which
> is 50 mbps down / 10 mbps up, but are otherwise completely
> separate. Both networks are working properly according to
> ipv6-test.com and test-ipv6.com. The speed and latency are the
> same on the native network and the ipv6 stack is around 10% slower
> than the ipv4 stack on the network using the tunnel. Both networks
> have a /64 prefix for ipv6. On the router for the native ipv6
> network, I have two separate /64 prefixes from a /56 prefix on two
> separate interfaces.
>
> I was initially using the openvpn-install-2.3.12-I601-x86_64
> release. I have also tried the openvpn-install-2.3.13-I601-x86_64
> release and the openvpn-install-2.4_alpha2-I601-x86_64 release.
> There was no noticeable difference between the different versions.
>
> I used the how-to and the example client and server configurations
> to set up the pki and the client and server. The pki works
> properly. I can get the client and server connected and I can ping
> the client from the server and the server from the client using
> both ipv4 and ipv6. The majority of the difficulty I’ve
> encountered has been getting traffic from the vpn to the gateway
> on the server. I’ve found that the how-to covers pki and client /
> server settings very thoroughly, but it leaves a lot of unanswered
> questions about setting up the server, aside from OpenVPN itself.
> It would be very helpful if someone from the development community
> who is working on the windows version would confirm what the
> intended configuration is for the server and document it in the
> how-to.
>
> I wasn’t making any progress getting dual-stack working so I
> decided to try to get ipv4 working first. Since my networks and
> hosts are set up to use dual-stack, I disabled ipv6 on the client
> and server ethernet interfaces and tap adapters. I got the server
> to work using internet connection sharing (ICS), with no other
> windows configuration changes. (Over on the forum, there are a
> variety of other recommended settings that I found either didn’t
> make any difference or didn’t work at all.) I also found what
> appears to be a problem with the tap adapter. After enabling ICS,
> the settings on the tap adapter get changed from “Obtain an ip
> address automatically” to use 192.168.137.1 address and
> 255.255.255.0 subnet with blank gateway and from “Obtain dns
> server address automatically” to use blank dns addresses. Here
> <https://dl.dropboxusercontent.com/u/61356231/tap%20settings.PNG>
> is a link to a screen capture. With these settings, the server
> will not route vpn traffic to the gateway. I’ve found that by
> resetting the tap adapter to obtain ip address and dns server
> addresses automatically it works properly – for a while. The vpn
> connects and stays connected, but after a while, if the server is
> disconnected or if the host is rebooted, the tap adapter settings
> get switched back to the settings above and the server won’t route
> vpn traffic again unless the settings are returned to automatic.
> I’ve tried this using only one network interface as well as using
> two network interfaces but the behaviour is the same.
>
> I would appreciate if someone would confirm if ICS is the intended
> way to configure the server and if there is an alternate
> configuration that does not have the problem that I’ve described
> above. If someone would like to see log files or any other
> information, I would be happy to provide it.
>
> I will provide a follow-up on the ipv6 configuration.
>
> Here is the client configuration:
>
> client
> dev tun
> proto udp
> remote 50.98.86.223 1194
> resolv-retry infinite
> persist-key
> persist-tun
> ca ca.crt
> cert client.crt
> key client.key
> remote-cert-tls server
> cipher AES-256-CBC
> comp-lzo
> verb 3
> block-outside-dns
>
> Here is the server configuration:
>
> port 1194
> proto udp
> dev tun
> ca ca.crt
> cert server.crt
> key server.key
> dh dh2048.pem
> server 10.8.0.0 255.255.255.0
> push "block-outside-dns"
> push "redirect-gateway def1 bypass-dhcp"
> push "dhcp-option DNS 10.8.0.1"
> keepalive 10 120
> cipher AES-256-CBC
> comp-lzo
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
>
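As an added example (not part of this thread), a PowerShell check script for the ICS setup JJK describes and the symptom Daryl reports: it shows the IPEnableRouter registry value, lists which connection ICS treats as shared versus "home network", and flags a TAP adapter that ICS has rewritten to its default 192.168.137.1. It assumes an elevated PowerShell 3+ with the NetTCPIP module (Windows 8 or newer, so not the Windows 7 box in the thread), the HNetCfg.HNetShare COM interface, and a TAP adapter alias that is a placeholder you must adjust.

```powershell
# Added check script, not from the thread. Run as Administrator.
param(
    [string]$TapAlias = 'TAP-Windows Adapter V9',   # assumed alias of the OpenVPN TAP adapter
    [switch]$EnableRouting                          # set IPEnableRouter=1 (takes effect after reboot)
)

$tcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. The forwarding flag JJK set by hand in regedit.
$routing = (Get-ItemProperty -Path $tcpipKey -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($null -eq $routing) { Write-Host 'IPEnableRouter = <unset> (forwarding off)' }
else                    { Write-Host "IPEnableRouter = $routing" }
if ($EnableRouting -and $routing -ne 1) {
    Set-ItemProperty -Path $tcpipKey -Name IPEnableRouter -Value 1 -Type DWord
    Write-Host 'IPEnableRouter set to 1; reboot before expecting the stack to forward packets.'
}

# 2. Which connections ICS currently shares (public) and which it treats as the
#    "home network" (private); in JJK's setup the TAP adapter should be private.
$share = New-Object -ComObject HNetCfg.HNetShare
foreach ($conn in $share.EnumEveryConnection) {
    $props = $share.NetConnectionProps.Invoke($conn)
    $cfg   = $share.INetSharingConfigurationForINetConnection.Invoke($conn)
    if ($cfg.SharingEnabled) {
        # ICSSHARINGTYPE: 0 = public (shared uplink), 1 = private (home network)
        $role = if ($cfg.SharingConnectionType -eq 0) { 'public (shared)' } else { 'private (home network)' }
        Write-Host ("ICS: {0} -> {1}" -f $props.Name, $role)
    }
}

# 3. Daryl's symptom: ICS rewrites the TAP adapter to a static 192.168.137.1/24,
#    which no longer matches the subnet OpenVPN's "server" directive assigns.
$tapAddrs = Get-NetIPAddress -InterfaceAlias $TapAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
if (-not $tapAddrs) { Write-Warning "No IPv4 address found on '$TapAlias' (alias wrong, or adapter down)." }
foreach ($a in $tapAddrs) {
    Write-Host ("{0}: {1}/{2} origin={3}" -f $TapAlias, $a.IPAddress, $a.PrefixLength, $a.PrefixOrigin)
    if ($a.IPAddress -eq '192.168.137.1') {
        Write-Warning 'TAP adapter carries the ICS default address; OpenVPN will not be able to use its own server address on this interface.'
    }
}
```

Run it once after enabling ICS and again after a reboot to see whether the TAP address has been switched back, which is the flip Daryl describes.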