
OpenVPN Windows HowTo

OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls.

Although originally developed for Linux, OpenVPN is now widely used for providing VPN services for Windows clients. This document describes how we install and configure OpenVPN to work in a Microsoft Windows only environment.

Prerequisites

This how to assumes that you have various things already set up:

OpenVPN Server

You need a Windows system to act as the OpenVPN server. This can be a Windows 2000/2003 Server or 2000/XP Professional system.

OpenVPN Clients

One or more OpenVPN client systems. These should be Windows 2000/XP Professional, although 2000/2003 server should work equally well.

Networking

The OpenVPN server system needs to be publicly reachable on UDP port 1194 (you can use another port if required but this is the standard port for OpenVPN). If the server is behind a NAT router then this will require address/port forwarding.

It's preferable for the server IP address to be static as this makes things more stable. If your server has a dynamic IP address then you will need to use a dynamic DNS service to provide a fixed hostname.

All systems should have an unfiltered Internet connection, or at least one that allows communication on UDP port 1194. It is possible to run OpenVPN through more restrictive connections (e.g. a proxy server), but this is outside the scope of this article.

Names and addresses

The names and addresses used in this how to are examples only and should be changed to suit your environment.

  • Company Name: Acme Corp.
  • Public Domain Name: acme.com
  • Private (Windows) Domain Name: acme.com.local
  • Server Hostname: widget
  • LAN address: 192.168.0.0/24
  • Server public address: 1.2.3.4
  • Server private address: 192.168.0.1
  • VPN address: 10.8.0.0/24

Software

OpenVPN

We generally use the OpenVPN GUI package on Windows systems rather than the stock package, as this provides a system tray icon for controlling the application:

http://openvpn.se/download.html

Server Configuration

Install OpenVPN

OpenVPN GUI can be installed with default options (the certificate wizard is not needed). Near the end of the install it will add a TAP-Win32 virtual adapter that is not signed; when Windows asks, you need to tell it to install this.

Once the installation is complete, you will need to create additional TAP-Win32 virtual adapters using the shortcut in the OpenVPN program group. One adapter is needed for each concurrent VPN user. Rename these adapters to "OpenVPN #n" where n is the adapter number. This is cosmetic only but helps identification.

Configure OpenVPN

Create the server configuration file in the OpenVPN config folder (c:\program files\openvpn\config\).

## server.ovpn ##
port 1194
proto udp
dev tun
ca ca.crt
cert widget.crt
key widget.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option WINS 192.168.0.1"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN acme.com.local"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3

Values in italics should be changed to suit your environment.

In this example the max-clients has been set to 4, which would require 3 additional TAP-Win32 virtual adapters to be created.

Set up a Certificate Authority (CA)

You need a Certificate Authority (CA) to sign your client and server certificates. The easy-rsa scripts make this pretty straightforward.

First we need to initialise easy-rsa. You should only do this once as it will wipe out any existing certificates, keys and settings.

C:\Program Files\OpenVPN\easy-rsa> init-config

Next edit vars.bat and change the "KEY_" settings at the bottom of the file.

set KEY_COUNTRY=GB
set KEY_PROVINCE=London
set KEY_CITY=London
set KEY_ORG=Acme
set KEY_EMAIL=hostmaster@acme.com

Finally create the keys folder and the root certificate itself.

C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> clean-all
C:\Program Files\OpenVPN\easy-rsa> build-ca

You will be asked to enter some details for the root certificate. Most of these will default to the values that you entered into vars.bat, but you will need to choose a "Common Name" for the certificate.

Common Name (eg, your name or your server's hostname) []:Administrator

Keys and certificates are created in the keys subfolder. The ca.crt file (root certificate) should be copied to the OpenVPN config folder.

C:\Program Files\OpenVPN\easy-rsa> copy keys\ca.crt ..\config\

Important: Key files (.key) are very sensitive and should be kept safe and never sent over insecure (unencrypted) channels. The Certificate Authority key (ca.key) is particularly important - if it is lost or compromised then you will have to replace all your keys and certificates.

Set up server key and certificate

Once the CA has been set up, we can generate a key and certificate for the server.

C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key-server widget

Executing the vars.bat is not necessary if you do this straight after creating the CA because the environment will still be set (but it doesn't hurt).

As with generating the root certificate, most of the details will default to the correct values but you will need to enter a "Common Name". This is best set to the hostname of the server.

Common Name (eg, your name or your server's hostname) []:widget.acme.com.local

You can leave the challenge password and optional company name blank.

The server also needs Diffie Hellman parameters.

C:\Program Files\OpenVPN\easy-rsa> build-dh

This may take a while...

Finally copy the key, certificate and DH file to the OpenVPN config folder.

C:\Program Files\OpenVPN\easy-rsa> copy keys\widget.crt ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy keys\widget.key ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy keys\dh1024.pem ..\config\

Setup VPN routing

Routing on the server should be enabled by enabling LAN routing in the Routing and Remote Access service; however, we've found that this causes problems with the OpenVPN service, so we would not recommend it. Instead use regedit to set the IPEnableRouter registry value to 1.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

To allow VPN clients to communicate with systems on the LAN (other than the VPN server), you need to add the VPN network to your router(s) configuration. For a simple stub network you would do this by adding a static route to the default gateway to direct traffic for 10.8.0.0/24 to the server.

Network: 10.8.0.0
Subnet Mask: 255.255.255.0
Next Hop Address: 192.168.0.1

To do this on an IPCop firewall, add a line to the /etc/rc.d/rc.local file.

#!/bin/sh
/sbin/route add -net 10.8.0.0/24 gw 192.168.0.1

You can also add this route at the command line to avoid rebooting the router.

root@ipcop:~ # route add -net 10.8.0.0/24 gw 192.168.0.1
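
The return route described above can be checked mechanically. This added example (not part of the original how-to) takes the `server` directive and the static routes configured on the LAN gateway and reports whether replies to every VPN client address are sent back to the OpenVPN server; the function names and the constructed mis-configurations are illustrative assumptions.

```python
import ipaddress

# Ranking used to keep the most useful finding when several routes overlap.
_RANK = {"missing": 0, "wrong-hop": 1, "partial": 2, "ok": 3}

# Values taken from the how-to's example network.
ARTICLE_SERVER_LINE = "server 10.8.0.0 255.255.255.0"
ARTICLE_SERVER_LAN_IP = "192.168.0.1"


def parse_server_directive(line):
    """Turn 'server <network> <netmask>' into the VPN address pool."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "server":
        raise ValueError("expected: server <network> <netmask>")
    return ipaddress.ip_network(f"{parts[1]}/{parts[2]}")


def check_return_route(server_line, static_routes, server_lan_ip):
    """Check the LAN gateway's static routes against the VPN pool.

    static_routes is a list of (destination, netmask, next_hop) strings.
    Returns (status, detail); status is 'ok', 'partial', 'wrong-hop' or 'missing'.
    """
    pool = parse_server_directive(server_line)
    wanted_hop = ipaddress.ip_address(server_lan_ip)
    best = ("missing", f"no static route for {pool}; replies follow the default route")
    for dest, mask, hop in static_routes:
        # strict=False accepts a destination entered with host bits set.
        route = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if not route.overlaps(pool):
            continue
        if ipaddress.ip_address(hop) != wanted_hop:
            found = ("wrong-hop", f"{route} points at {hop}, not the OpenVPN server {wanted_hop}")
        elif pool.subnet_of(route):
            found = ("ok", f"{route} via {hop} covers all of {pool}")
        else:
            # CIDR blocks nest or are disjoint, so the route is narrower than the pool.
            found = ("partial",
                     f"{route} covers {route.num_addresses} of {pool.num_addresses} addresses in {pool}")
        if _RANK[found[0]] > _RANK[best[0]]:
            best = found
    return best


if __name__ == "__main__":
    cases = {
        "route from the how-to": [("10.8.0.0", "255.255.255.0", "192.168.0.1")],
        "constructed: mask too narrow": [("10.8.0.0", "255.255.255.252", "192.168.0.1")],
        "constructed: wrong next hop": [("10.8.0.0", "255.255.255.0", "192.168.0.254")],
        "constructed: no route at all": [],
    }
    for name, routes in cases.items():
        status, detail = check_return_route(ARTICLE_SERVER_LINE, routes, ARTICLE_SERVER_LAN_IP)
        print(f"{name}: {status} ({detail})")
```

A "partial" or "missing" result matches the symptom where clients can reach the VPN server but nothing else on the LAN.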

Finishing touches

We like to create a batch file called restartvpn.cmd in the OpenVPN config folder (and desktop shortcut) to restart the OpenVPN service in case it gets stuck.

net stop openvpnservice
net start openvpnservice

Configure the OpenVPN service to start automatically on boot using the services applet, and then start the service.

Client Configuration

Install OpenVPN

Again the OpenVPN GUI can be installed with default options.

I like to rename the TAP-Win32 adapter (in Network Connections) to "OpenVPN". This is cosmetic only but helps identification.

Configure OpenVPN

Create the client configuration file in the OpenVPN config folder (c:\program files\openvpn\config\).

## acme.ovpn ##
client
proto udp
dev tun
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert fred.crt
key fred.key
comp-lzo
verb 3

Values in italics should be changed to suit your environment.

In this example we assume that the name of the client is "Fred".
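
The client file above has no directive that checks the type of certificate the server presents, which is what OpenVPN's "No server certificate verification method has been enabled" warning (visible in a client log in the comments on this page) refers to. This added example, which is not part of the original how-to, audits the server.ovpn/acme.ovpn pair for that omission and for settings that must agree on both ends; the function names are illustrative, and the suggested `ns-cert-type server` line assumes the server certificate was issued with build-key-server as described above.

```python
import shlex

# Both files are copied from the how-to (example names and addresses).
SERVER_OVPN = """\
## server.ovpn ##
port 1194
proto udp
dev tun
ca ca.crt
cert widget.crt
key widget.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
"""

CLIENT_OVPN = """\
## acme.ovpn ##
client
proto udp
dev tun
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert fred.crt
key fred.key
comp-lzo
"""


def parse_ovpn(text):
    """Parse config text into {directive: [argument list per occurrence]}."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line, comments=True)  # handles quoted push arguments
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def _first_arg(cfg, name, default):
    args = cfg.get(name)
    return args[0][0] if args and args[0] else default


def audit_pair(server_text, client_text):
    """Return a list of findings for a server/client configuration pair."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    # Transport and device type must match on both ends (udp/tcp, tun/tap).
    for name, default in (("proto", "udp"), ("dev", "")):
        s, c = _first_arg(srv, name, default)[:3], _first_arg(cli, name, default)[:3]
        if s != c:
            findings.append(f"{name} mismatch: server '{s}', client '{c}'")
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):
        findings.append("comp-lzo is enabled on one side only")
    # Every 'remote' must point at the port the server listens on (default 1194).
    s_port = _first_arg(srv, "port", "1194")
    for args in cli.get("remote", []):
        c_port = args[1] if len(args) > 1 else "1194"
        if c_port != s_port:
            findings.append(f"remote {args[0]} uses port {c_port} but the server listens on {s_port}")
    # Without this, any certificate signed by the CA is accepted as the server.
    checks = cli.get("ns-cert-type", []) + cli.get("remote-cert-tls", [])
    if ["server"] not in checks:
        findings.append("client does not verify the server certificate type "
                        "(add 'ns-cert-type server')")
    return findings


if __name__ == "__main__":
    for finding in audit_pair(SERVER_OVPN, CLIENT_OVPN):
        print("FINDING:", finding)
```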

Set up client key and certificate

We will generate client keys and certificates on the server, which means you have to be careful to securely transport the client key to the client machine. To avoid this you could generate the key on the client along with a Certificate Signing Request (CSR), which can then be transported to the server where it is signed to create the certificate; however, this is beyond the scope of this document.

Generate the client key and certificate on the OpenVPN server machine.

C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key fred

Then copy the client key and certificate along with the root certificate securely to the config folder on the client machine. The simplest way of doing this is to just put the files on a USB key (or floppy disk).

C:\Program Files\OpenVPN\easy-rsa> copy keys\fred.crt a:\
C:\Program Files\OpenVPN\easy-rsa> copy keys\fred.key a:\
C:\Program Files\OpenVPN\easy-rsa> copy keys\ca.crt a:\

Then on the client machine:

C:\Program Files\OpenVPN\easy-rsa> copy a:\fred.crt ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy a:\fred.key ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy a:\ca.crt ..\config\

Test

Right click the OpenVPN tray icon and select "Connect". It will open a status window showing the connection progress, and if everything is working ok then the status window should close and the icon should turn green.

To test the connection, try pinging 10.8.0.1 (the server VPN IP address), 192.168.0.1 (the server LAN IP address), the address of a PC on the remote LAN (e.g. 192.168.0.123), and then try pinging devices by name.

c:\> ping 10.8.0.1
c:\> ping 192.168.0.1
c:\> ping 192.168.0.123
c:\> ping widget

Hi Jamie, did you try to set up a routing modem openvpn server on windows with a single NIC only?


Not entirely sure what you mean...can you clarify?


Hi Jamie

I have a windows 2003 server setup as an open VPN server and I can connect to it no problem.

I cannot however ping the server's ip address e.g. 10.8.0.1 or 192.168.88.54

To rule out the machine I re-installed the openVPN server on another Windows 2003 server with the same result.

Neither server has a local firewall.

I've set this up on XP Professional with no problems.

The weird thing is that I can telnet 10.8.0.1 or 192.168.88.54 on port 25, 110 but not on anything else.

Is it possible that there is a security policy on the Windows 2003 Server that I'm missing or that could be filtering certain ports? I've double-checked with the firewall engineer and I agree that once the tunnel is established there is not much else the firewall can do seeing it is an encrypted tunnel.

Hope this makes sense

Norbert


The most common problem that I've had with 2k3 is that the routing and remote access service seems to get in the way of OpenVPN configuring the routing properly. This could be related to that, but the fact that you can telnet into open ports on the server means that it's unlikely.

Look at the routing table (route print) on the server and see if there is a route to the vpn network (10.8.0.0/255.255.255.0). If there's not then there's a routing problem and you should try disabling routing and remote access service.

It could be a security policy, but I'd imagine you would know if it was, cause you would have had to set it up. Are these servers fresh installs? If not then try a fresh install with no other software on to see if you can replicate the problem.

Let me know how you get on.

 

Any way of getting around Routing and Remote access?

I have to have Routing and Remote Access running but have found that if Routing and Remote access runs before openvpn service does that it tends to bugger openvpn up. The solution is to then stop routing and remote access, restart openvpn service, start routing and remote access and then it works. Just wondering if there is any kind of hack/fix for this?


Haven't found one that works yet. There's an option in OpenVPN that determines how the routes are added, but this seems to have no effect.

Try creating a batch script to restart the VPN at boot (or any other time). Something like this:

net stop RemoteAccess
net stop OpenVPNService
net start OpenVPNService
ping -n 10 127.0.0.1
net start RemoteAccess

I have a similar problem. I am trying to make a tunnel between my roadcomputer and the home network. Everything connects, but I can't ping the server's VPN nor the server's local address. The funny thing is that I can telnet on port 25 and 110.
I am using Windows XP on both computers.

Roadcomputer: 192.168.3.0/255.255.255.0
Homecomputer: 192.168.2.0/255.255.255.0
VPN:10.1.1.0/255.255.255.0

I can see that on road computer route for 192.168.2.0 is added, but I can't see any route for 192.168.3.0 on home computer. Is this OK?

What can be wrong?


If you are running the OpenVPN client on Roadcomputer then the only reason to have a route on Homecomputer for 192.168.3.0 is so that Homecomputer can reach other clients on network 192.168.3.0. This is probably not what you want.

So just to be clear, when the VPN is connected you can telnet to ports on Homecomputer's LAN (192.168.2.x) and VPN (10.1.1.x) addresses, but you can't ping them? If that's the case then I suspect that there's some kind of packet filtering going on, probably on Homecomputer, that is blocking the ICMP (Ping) packets.


I'm running a win2k server and have the following:
server ip: 192.168.0.99
server LAN: 192.168.0.xxx subnet 255.255.255.0

tap interface IP: 10.8.0.1

when the client remotely connects, they can ping the server at 192.168.0.99 but they cannot see any other machines on the server LAN. between the server and the internet is a router with port forwarding of the VPN port to the server. do i edit the hardware router's table, the server's route table, and what command do i want to use?


Does this tutorial work for a routing OpenVPN server on WindowsXP Pro with a single physical NIC only?


Yes, and as I understand it's actually a bit easier than 2000/2003 server (no Routing and Remote Access service to get in the way)


Great, thanks. I'll try it asap.

I've been working with OpenVPN for a few days now. I set up my server to use routing instead of bridging. I found that if you are using the dun tap you will need to make some adjustments to the router (i.e. Netgear/Linksys/Dlink) static tables to enable the client to see other machines in the network.

In my server configuration file I have the following entry for the server: "server 192.168.10.0 255.255.255.128"

The local ip is: "local 192.168.2.10"

Now, in my Netgear static routes I added the following:

Destination : 192.168.10.0
IP Subnet Mask: 255.255.255.252
Gateway IP : 192.168.2.10
Metric : 10

I don't know why I needed to use the 255.255.255.128 on the server IP, nor do I know why I needed to use the 255.255.255.252 in the Netgear static route. However, I found more light in the FAQ from OpenVPN. It is a compatibility thing with Windows connecting as clients. Anyway, the last time I tested the connection I was able to log on to my NAS, Router Admin Pages, and see all computers remotely (VNC and RDP).

Hope this helps.

http://openvpn.net/faq.html
Why does OpenVPN's "ifconfig-pool" option use a /30 subnet (4 private IP addresses per client) when used in TUN mode?

Excellent tutorial.. everything works quite well.. only at the end you have to take note of the comment about modifying the router parameters.

Regards


thanks for the excellent tutorial, was able to set up OpenVPN just fine :)

First of all thanks, then a question. How can I connect multiple clients to the same server? Is it enough to create certificates and to set up clients, or do I have to do something else?
10x


I have a very similar setup, and with it the same issues.. If you've come up with a solution please, do tell.

Yep, create certificates, set up clients (and make sure you have enough OpenVPN TAP-Win32 adapters in Network connections to handle the maximum number of concurrent connections).


I just disabled the Remote Access service--now it works fine...

Thanks, guys!

First, thanks for this tutorial.
I've got some trouble with setting up an openvpn between two LANs. I've followed many tutorials and howtos (less useful for me than this one); unfortunately I am still in trouble. I suspect the fact that each LAN has its own firewall (MS ISA2004): the openvpn server is on the ISA box LAN (a) and the client is behind another ISA box LAN (b). I tried many times to establish a connection between them with no result till now. The openvpn server, when launched, turns green and picks an address 10.3.0.1.
The client can't pick an address when I try to connect and turns yellow; even when I tried to reconnect several times it doesn't change.
I created some rules to allow the connection on UDP port 1194 on both ISAs.
The actual situation is simply:
no connection with openvpn (server and client)
no ping on the 10.3.0.1
no access to any LAN resources
Folks, please, any help, any suggestions or any similar experience with openvpn which succeeded are welcome.

First, thanks for this tutorial.
I have a question about openvpn on an MS ISA2004 box. I want to use openvpn between two LANs, each LAN having its own MS ISA2004 firewall, as a SITE TO SITE VPN.
I have tried to set up a vpn connection without any success till now.
Any help or suggestions are welcome.


Great tutorial and up to date.

I was hoping you could write another for Ethernet-Bridged mode?
I would really appreciate some server and client sample configuration
files for Ethernet-Bridged mode. I can't get mine working. I'm using
a single NIC adapter through my Netgear DG843Gv4 (latest firmware) router.
I've forwarded the ports for IPSEC, PPTP and L2TP and 1194 for OpenVPN but
clients still cannot connect to me. Also, I can't access local host from
Firefox and the DynDNS port tool reports that 1194 'times out' (along with
any other port I try). Help appreciated!
Che.Fisher@gmail.com


Thank You, Thank You ! You made my day, this is the easiest guide to OpenVPN for Windows I've read. After few days of trials and errors my OpenVPN experience is successful!


Some observations after having set up openVPN 2.1 on Windows Server 2003 behind a firewall:
- I couldn't connect anything at first because I needed to rename the adapter and set that to match in the server config file
- Then I could ping the server only, but nothing behind the server
a) I had to turn on IP forwarding as shown above, and then started the RRAS service (did not use the config wizard).
b) Firewall/ICS service had to be ON for some reason, even if I deactivated it in the firewall settings control panel

Hi,
I'm trying to set up an openvpn-server.
With just one client connected everything works fine, but if more than one client tries to connect, they all get the same IP assigned. So how to set up DHCP for only one client when connecting on many computers?

Thanks


what to do when you need more client certs and keys
I need to add more certs due to an increase in number of clients without changing the ca.cert.

Thanks


Hi!
I have done and working but i can not ping LAN IP address. pls help me
Thanks
Best Regard,


Without more information I couldn't tell you, however I recommend to most people to use OpenVPN 2.1_rc7 these days, especially if using Vista as I've seen a similar problem to what you describe using the older versions recently.
Just make sure you save your keys and install the newer OpenVPN over the top.

Hello to all and thanks for writing this guide... I have one single question.. I have 2 windows xp PCs connected to each other through openvpn, but now I want one of them (10.8.0.1) to access the network of the other (10.8.0.6), which is based on the 192.168.1.xxx IP range.. can someone please tell me how I can do that? Thanks in advance

Hi!
I followed all the steps and everything seems to work fine. But when I'm connected to the server, I lose the internet connection. I think the client is trying to get to the internet through the server default gateway. Don't know how to fix it though.
Hope you can help!

Thanks


Hi Neil,

I have installed OpenVPN on Windows 2003 server.

I have DHCP configured on that. And also Link Sys Router.

My Configuration is as Follows:

Server WAN ip : 192.168.0.1

Server Local LAN ip : 192.168.1.100(Also DHCP Configured for private network)

I have done forwarding on the Linksys router and also opened the 1194 port on the router.

Forwarding on the router is as follows:

Destination Address: 10.8.0.1
Mask: 255.255.255.252
Default Gateway: 192.168.0.1

Ip address for Router is 192.168.0.254

My Open VPN Server ip is 10.8.0.1

Now I can connect to the server OpenVPN. But when I try to connect from the client it gives me an error

Like below:

Tue Jul 29 10:09:06 2008 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 29 10:09:06 2008 TLS Error: TLS handshake failed
Tue Jul 29 10:09:06 2008 TCP/UDP: Closing socket

I have checked there is no issue with Windows Firewall.

I have updated the IPEnableRouter key in the registry also.

I have got Routing and Remote Access already configured on my server .. I am not sure what is blocking OpenVPN.

Do I have to make any changes in Routing and Remote Access?

Thanks & Regards

Mohsin Memon


I am trying to set up OpenVPN in a Windows (MojoPac) based virtual machine running on a USB flash drive.

Is there some way to include the TAP-Win32 driver start-up in a config or batch file so that when OpenVPN GUI starts, just before it does so, it starts the TAP driver?

I can’t find a news group or forum in which to ask this question. If any of you guys can help me solve this one I would be very grateful.

The problem is that although I can manually start the TAP-Win32 driver each time, with the batch file OpenVPN installed (and then OpenVPN GUI will run and connect), the TAP virtual adapter does not start by itself, and when I restart the USB drive I have to go through the same process again as nothing has been written to the registry of course.

Also, when the TAP installs, it requires a click OK acceptance since. I am assuming that if there is a way to do this automagically in a batch or config file, there will also be a an automagic acceptance variable.

Many thanks,

Terence.


Please note, I've not tried this and I've not used MojoPac.

Under "Notes -- Manual Install/Update/Uninstall of the TAP-Win32 kernel driver"
Shows you the command line to install.

The "automagically acceptance" for the TAP driver is a tricky one as Windows is deliberately wanting you to manually accept an unsigned driver.
I imagine that using VBScript or AutoHotkey you could send the key presses needed to accept the driver, but it may be down to the individual PC configuration as to whether it will work.


When trying to run openVPN client on Windows Server 2003 and you are receiving multiple warnings that route(s) could not be initialized/applied like the following:

C:\WINDOWS\system32\route.exe ADD 10.x.x.x MASK 255.x.x.x 10.x.x.x
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe

...then check the following:

1) Make sure the openVPN service is running.
2) Disable or stop the "Routing and remote access" service, which provides VPN and similar services on its own.

2) might be the cause for openVPN not being able to add or alter network routes.

Additionally, if your Windows Server 2003 also acts as a DNS server, you should make sure that it only listens and serves on its primary IP address - not automatically on all IP addresses, which would include (often) automatically assigned IP addresses of openVPN connections. Having the Windows Server 2003 DNS service listen on those addresses, too, can break the IP resolution for openVPN connections. However, after connecting to a remote network using openVPN on Windows Server 2003, you can determine the IP of the remote DNS server and add it to the DNS servers forward list in your DNS server configuration. Your Windows DNS server will then try to resolve an IP via those servers if it cannot be resolved by your default gateway(s).

If the following warning is issued during connecting to the remote site:

ROUTE: route addition failed using CreateIpForwardEntry: Access denied. [status=65 if_index=65540]

...then you are probably trying to establish an openVPN connection as a regular user. However, openVPN client needs administrative privileges to add or alter routing for its virtual network interfaces.


ROUTE: route addition failed using CreateIpForwardEntry: Access denied. [status=65 if_index=65540]

I found this solution in the Local Users settings of the computer:
the user must be a member of the Network Configuration Operators group on the local computer.

Then OpenVPN runs successfully. :)

Best regards, Senol.

I have OpenVPN running and clients can successfully connect; however, none of the Internet traffic goes over the VPN. The server is running on Windows 2003 and the client is a Mac (Tunnelblick). Any help or suggestions would be appreciated.

##Server##
port 1194
proto udp
dev tun
ca ca.crt
cert win2003.crt
key win2003.key
dh dh1024.pem
server 10.5.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.0.0"
push "dhcp-option WINS 10.0.0.7"
push "dhcp-option DNS 10.0.0.7"
push "dhcp-option DOMAIN bashore.local"
keepalive 10 120
comp-lzo
max-clients 2
persist-key
persist-tun
status openvpn-status.log
verb 3

##client##
client
proto udp
dev tun
remote my.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.mine.crt
cert miami.crt
key miami.key
comp-lzo
verb 3

#####This is the log data#####
Wed 10/22/08 10:35 PM: IMPORTANT: OpenVPN's default port number is now 1194
Wed 10/22/08 10:35 PM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed 10/22/08 10:35 PM: LZO compression initialized
Wed 10/22/08 10:35 PM: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed 10/22/08 10:35 PM: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed 10/22/08 10:35 PM: Local Options hash (VER=V4): '41690919'
Wed 10/22/08 10:35 PM: Expected Remote Options hash (VER=V4): '530fdded'
Wed 10/22/08 10:35 PM: UDPv4 link local: [undef]
Wed 10/22/08 10:35 PM: UDPv4 link remote: my.ser.er.ip:1194
Wed 10/22/08 10:35 PM: TLS: Initial packet from my.sev.er.ip:1194
Wed 10/22/08 10:35 PM: VERIFY OK: depth=1
Wed 10/22/08 10:35 PM: VERIFY OK: depth=0
Wed 10/22/08 10:35 PM: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed 10/22/08 10:35 PM: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed 10/22/08 10:35 PM: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed 10/22/08 10:35 PM: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed 10/22/08 10:35 PM: Control Channel: TLSv1
Wed 10/22/08 10:35 PM: [win2003.bashore.local] Peer Connection Initiated with 69.136.89.8:1194
Wed 10/22/08 10:35 PM: SENT CONTROL [win2003.bashore.local]: 'PUSH_REQUEST' (status=1)
Wed 10/22/08 10:35 PM: PUSH: Received control message: 'PUSH_REPLY
Wed 10/22/08 10:35 PM: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: topology (2.0.9)
Wed 10/22/08 10:35 PM: OPTIONS IMPORT: timers and/or timeouts modified
Wed 10/22/08 10:35 PM: OPTIONS IMPORT: --ifconfig/up options modified
Wed 10/22/08 10:35 PM: OPTIONS IMPORT: route options modified
Wed 10/22/08 10:35 PM: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed 10/22/08 10:35 PM: gw 10.0.0.1
Wed 10/22/08 10:35 PM: TUN/TAP device /dev/tun1 opened
Wed 10/22/08 10:35 PM: /sbin/ifconfig tun1 delete
Wed 10/22/08 10:35 PM: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Wed 10/22/08 10:35 PM: /sbin/ifconfig tun1 10.5.0.6 10.5.0.5 mtu 1500 netmask 255.255.255.255 up
Wed 10/22/08 10:35 PM: /sbin/route add -net 10.0.0.0 10.5.0.5 255.255.0.0
Wed 10/22/08 10:35 PM: /sbin/route add -net 10.5.0.1 10.5.0.5 255.255.255.255
Wed 10/22/08 10:35 PM: Initialization Sequence Completed


Hello guys I have a very strange problem i can not find anything about it in google. So i want to ask here can someone help me. I have installed and configured everything as i should lzo and openvpn are installed. I have generated all the keys for the server and i have done the server.conf file like this:
dev tun
proto tcp
port 1194

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

user nobody
group nogroup
server 10.8.0.0 255.255.255.0

persist-key
persist-tun

#status openvpn-status.log
#verb 3
client-to-client

push "redirect-gateway def1"

#log-append /var/log/openvpn
comp-lzo

my crt and key files are in the same directory as my config file. but when i do
]# openvpn --config server.conf
Options error: Unrecognized option or missing parameter(s) in server.conf:5: ca (2.0.9)
Use --help for more information.

I get this unusual error and I cannot find out why this is happening. What's wrong with the ca ca.crt line?
Please help me.


I have a problem running OpenVPN, using Windows 2003 Server, with multiple clients using Windows Xp.

For every computer, I created a .bat file to run OpenVPN-GUI and connect the VPN automatically at Windows startup.

The problem: all clients connect to the server, but can't ping to it.
Only after I restart the connection at the server, then everything works fine.

Does anybody know what the cause is and how to solve this?

Configuration for the server:

proto udp
dev tun
tls-server
keepalive 10 60
ping-timer-rem
comp-lzo
persist-key
persist-tun
server 10.0.0.0 255.255.255.0
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
ifconfig-pool-persist ipp.txt
float

———

Configuration for one of the clients:

remote nonamed.no-ip.org
proto udp
client
pull
dev tun
tls-client
comp-lzo
keepalive 10 60
ping-timer-rem
persist-key
persist-tun
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
float

Thank you for your attention.


The best OpenVPN article I have ever read! Excellent!


I am using Open vpn as client and i have some problems to use it...
it is about password , when i put on a password i can't delete it...
I want to use it without password
help me for that, please...


I don't understand. Be precise please.


Any Chance you could tell me what to do different if I want to Ethernet Bridge to allow NetBios?
-Justin Bowen, IIP Promotions's web-tech section


Hi There,

I don't know where I'm going wrong but maybe someone can help me..

I have set up everything: I can connect to my server, I can ping my VPN server and the server can ping my client back, but I cannot connect to any other machine on my network.. My setup is as follows..

Open VPN server is set up on a windows 2003 domain controller which is also my DNS server..
And my client is on windows XP

I use a netgear FVX538 firewall and have added the following static route in there..

Destination IP address : 192.168.10.0 (VPN address)
Subnet mask : 255.255.255.252
Interface : LAN
IP Address : 192.168.109.1 (Router IP address)

My server Config is as follows :

## server.ocpn ##

port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
mode server
tls-server
server 192.168.10.0 255.255.255.128
push "route 192.168.109.0 255.255.255.0"
push "route 192.168.109.1 255.255.255.0"
push "dhcp-option WINS 192.168.109.2"
push "dhcp-option DNS 192.168.109.2"
keepalive 10 120
comp-lzo
max-clients 20
persist-key
persist-tun
status openvpn-status.log
verb 3

""

My client Config Is

##

client
proto udp
dev tap
remote x.y.z.q 1194
resolv-retry infinate
route-method exe
route-delay 2
nobind
persist-key
persist-tun
ca ca.crt
cert robert.crt
key robert.key
comp-lzo
verb 3
##

The routing table from my laptop when I'm connected via VPN

ketplaner-Miniport
===========================================================================
===========================================================================
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Anzahl
0.0.0.0 0.0.0.0 90.186.156.67 90.186.156.70 1
90.186.156.64 255.255.255.248 90.186.156.70 90.186.156.70 30
90.186.156.70 255.255.255.255 127.0.0.1 127.0.0.1 30
90.255.255.255 255.255.255.255 90.186.156.70 90.186.156.70 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 90.186.156.70 90.186.156.70 20
192.168.10.0 255.255.255.128 192.168.10.2 192.168.10.2 30
192.168.10.2 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.10.255 255.255.255.255 192.168.10.2 192.168.10.2 30
192.168.109.0 255.255.255.0 192.168.10.1 192.168.10.2 1
224.0.0.0 240.0.0.0 90.186.156.70 90.186.156.70 30
224.0.0.0 240.0.0.0 192.168.10.2 192.168.10.2 30
255.255.255.255 255.255.255.255 90.186.156.70 90.186.156.70 1
255.255.255.255 255.255.255.255 192.168.10.2 3 1
255.255.255.255 255.255.255.255 192.168.10.2 2 1
255.255.255.255 255.255.255.255 192.168.10.2 10007 1
255.255.255.255 255.255.255.255 192.168.10.2 192.168.10.2 1
Standardgateway: 90.186.156.67
===========================================================================

and finally the log file from the client.

Thu Aug 06 14:54:39 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Thu Aug 06 14:54:39 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Aug 06 14:54:39 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Aug 06 14:54:39 2009 LZO compression initialized
Thu Aug 06 14:54:39 2009 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Aug 06 14:54:39 2009 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Aug 06 14:54:39 2009 Local Options hash (VER=V4): 'd79ca330'
Thu Aug 06 14:54:39 2009 Expected Remote Options hash (VER=V4): 'f7df56b8'
Thu Aug 06 14:54:39 2009 UDPv4 link local: [undef]
Thu Aug 06 14:54:39 2009 UDPv4 link remote: x.y.z.q:1194
Thu Aug 06 14:54:40 2009 TLS: Initial packet from x.y.z.q:1194, sid=e72f77ae 046684c6
Thu Aug 06 14:54:42 2009 VERIFY OK: depth=1, /C=DE/ST=BB/L=Berlino/O=EDV/CN=administrator/emailAddress=edv@arinnaag.com
Thu Aug 06 14:54:42 2009 VERIFY OK: depth=0, /C=DE/ST=BB/O=EDV/CN=server/emailAddress=edv@arinnaag.com
Thu Aug 06 14:54:46 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 06 14:54:46 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 06 14:54:46 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 06 14:54:46 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 06 14:54:46 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Aug 06 14:54:46 2009 [server] Peer Connection Initiated with x.y.z.q:1194
Thu Aug 06 14:54:48 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Aug 06 14:54:48 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.109.0 255.255.255.0,route 192.168.109.1 255.255.255.0,dhcp-option WINS 192.168.109.2,dhcp-option DNS 192.168.109.2,route-gateway 192.168.10.1,ping 10,ping-restart 120,ifconfig 192.168.10.2 255.255.255.128'
Thu Aug 06 14:54:48 2009 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 06 14:54:48 2009 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 06 14:54:48 2009 OPTIONS IMPORT: route options modified
Thu Aug 06 14:54:48 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 06 14:54:48 2009 TAP-WIN32 device [LAN-Verbindung 4] opened: \\.\Global\{8922E7CE-B8FE-4DB3-ADA0-B2FA4B7EE99A}.tap
Thu Aug 06 14:54:48 2009 TAP-Win32 Driver Version 8.4
Thu Aug 06 14:54:48 2009 TAP-Win32 MTU=1500
Thu Aug 06 14:54:48 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.10.2/255.255.255.128 on interface {8922E7CE-B8FE-4DB3-ADA0-B2FA4B7EE99A} [DHCP-serv: 192.168.10.0, lease-time: 31536000]
Thu Aug 06 14:54:48 2009 Successful ARP Flush on interface [4] {8922E7CE-B8FE-4DB3-ADA0-B2FA4B7EE99A}
Thu Aug 06 14:54:50 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Thu Aug 06 14:54:50 2009 route ADD 192.168.109.0 MASK 255.255.255.0 192.168.10.1
Thu Aug 06 14:54:50 2009 route ADD 192.168.109.1 MASK 255.255.255.0 192.168.10.1
Hinzufgen der Route fehlgeschlagen: Der angegebene Maskenparameter ist ungltig. (Ziel & Maske) != Ziel.
Thu Aug 06 14:54:50 2009 Initialization Sequence Completed

I really need to get this sorted out ASAP and would be very grateful if someone could help me out here.

Regards

Rob
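
Two conditions visible in the client log above, the rejected `route ADD 192.168.109.1 MASK 255.255.255.0` ("(Ziel & Maske) != Ziel") and the "No server certificate verification method has been enabled" warning, can be checked in the config files before connecting. The following Python check is an added example, not part of the original comment or of OpenVPN; the function names are hypothetical and the sample configs are constructed from directives quoted in the comment.

```python
import ipaddress
import re

# Constructed samples: directives copied from the configs quoted in the comment above.
SERVER_CONF = """\
server 192.168.10.0 255.255.255.128
push "route 192.168.109.0 255.255.255.0"
push "route 192.168.109.1 255.255.255.0"
"""
CLIENT_CONF = """\
client
remote x.y.z.q 1194
ca ca.crt
cert robert.crt
key robert.key
"""
# Client-side directives that check the peer certificate belongs to a server.
# Which of these are available depends on the OpenVPN version in use.
SERVER_VERIFY = {"ns-cert-type", "remote-cert-tls", "remote-cert-eku",
                 "tls-remote", "tls-verify", "verify-x509-name"}

def directives(conf):
    """Yield (line_no, tokens); the quoted payload of push "..." is split too."""
    for n, line in enumerate(conf.splitlines(), 1):
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if line:
            m = re.match(r'push\s+"(.*)"$', line)
            yield n, (["push"] + m.group(1).split() if m else line.split())

def bad_routes(conf):
    """Return (line_no, dest, mask, corrected_dest) where dest & mask != dest."""
    found = []
    for n, tok in directives(conf):
        tok = tok[1:] if tok[0] == "push" else tok
        if len(tok) < 3 or tok[0] != "route":
            continue
        try:
            dest = int(ipaddress.IPv4Address(tok[1]))
            mask = int(ipaddress.IPv4Address(tok[2]))
        except ValueError:
            continue  # hostname or keyword such as vpn_gateway: nothing to mask-check
        if dest & mask != dest:
            found.append((n, tok[1], tok[2], str(ipaddress.IPv4Address(dest & mask))))
    return found

def lacks_server_verification(conf):
    """True for a client config that has none of the SERVER_VERIFY directives."""
    names = {tok[0] for _, tok in directives(conf)}
    return bool(names & {"client", "tls-client"}) and not names & SERVER_VERIFY
```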

Hi, I'am running OpenVPN in

Hi,

I'm running OpenVPN on my Linksys WRT610N router with DD-WRT firmware.
Now I use the OpenVPN client to build a VPN tunnel to my router.
Can I use another client that I can run from a USB stick or via a web interface to build a VPN tunnel?
If so which client is best to use?

Thanks,

Hans

How about OpenVPN Portable?

How about OpenVPN Portable?