openvpn & win10 vpn
Ernie Luzar
luzar722 at gmail.com
Fri Dec 8 01:02:24 UTC 2017
Steve O'Hara-Smith wrote:
> On Thu, 07 Dec 2017 17:33:49 +0800
> Ernie Luzar <luzar722 at gmail.com> wrote:
>
>> On my home 11.1 server I have installed the pkg version of openvpn and
>> configured it to use certificates. On my windows 10 laptop I have
>> installed the openvpn client and configured it. I copied the client ca,
>> crt, and key generated on the host to win10. When I connect the win10
>> openvpn client the log shows everything is connected ok.
>>
>> It's my understanding that everything I do on the laptop will pass
>> through the vpn tunnel to the host and then access the internet using
>> the ip address of the host.
>
> That depends on the configuration, the openvpn server can be
> configured to push a default route in which case (if the client doesn't
> decline the push) then all traffic will go across the VPN, but it doesn't
> have to be configured that way.
>
> To find out you can either read the client and server config files
> carefully or (do this) point your laptop browser at somewhere like myip.com
> and find out what IP address you're using - if it isn't the one you want to
> be using then you will have to look at those config files and fix them (feel
> free to post them for help).
>
>> Secure Connection Failed
>>
>> The connection to www.hulu.com was interrupted while the page was
>> loading.
>
> That doesn't sound like a VPN problem - not sure what it is though.
>
I took your advice and used myip.com to verify the IP address being used
by my laptop, without vpn running and with it running.
Without vpn connection from my laptop, myip.com shows the IP address of
the foreign country,
with vpn connection from my laptop, myip.com shows the IP address of my
server in the USA that the openvpn server is running on.
Based on these results I think a closer look at the server config file
and the win vpn client config file is needed.
#################################################
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
#port 1194
port 6094
# TCP or UDP server?
#proto tcp
proto udp4
# "dev tun" will create a routed IP tunnel,
#dev tap
dev tun
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/host-vpn-server.crt
key /usr/local/etc/openvpn/host-vpn-server.key
# Diffie hellman parameters.
dh /usr/local/etc/openvpn/dh.pem
# Network topology
# Should be subnet (addressing via IP)
# Defaults to net30 (not recommended)
topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.60.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.60.0.1.
server 10.60.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
#duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
#tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
#cipher BF-CBC # Blowfish (default)
#cipher AES-128-CBC # AES
#cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
#comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 4
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
#user nobody
#group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
#log-append /var/log/openvpn.log
log /var/log/openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
#mute 20
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.220.220"
## DNS servers provided by Google
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
## DNS servers provided by my time warner isp
push "dhcp-option DNS 209.18.47.61"
push "dhcp-option DNS 209.18.47.62"
# FBSD Host DNS server provided by unbound
#push "dhcp-option DNS 10.0.10.2"
##############################################
# client-side OpenVPN 2.0 config #
# file for connecting to multi-client server.#
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
dev tun
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto udp4
# The hostname/IP and port of the server.
remote home-fbsd.host.xxxxxxx.com 6094
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
#resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
#mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert win-vpn-client.crt
key win-vpn-client.key
# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
#remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
#tls-auth ta.key 1
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
mute 20
More information about the freebsd-questions
mailing list