[SOLVED] Can ping, but cant connect to openvpn server

[ihatemymonitor]

Goal: force all traffic through VPN only.
Client: Windows in VMware
VPN: OpenVPN

I delete the 0.0.0.0 route in Windows. I make a persistent route to the OpenVPN server with my LAN the gateway (192.168.1.1). So in theory, when I turn on OpenVPN client on windows, it would connect to OpenVPN server, which would then establish a new VPN connection. And when the VPN connection drops, all traffic stops.
However, I am unable to connect to OpenVPN server, although I can ping it. The admin openvpn portal even shows "Current Active Users: 1" when I attempt to connect, but eventually drops off. So this means I can communicate with the server, but it wont establish a connection. What am I doing wrong?

Note: I was able to replicate the same scenario in a windows VM with softether client and a third party VPN and can connect successfully.

Pics of network, note the .78 ip is the openvpn server:

https://imgur.com/zDN5gvR

View: https://i.imgur.com/zDN5gvR.png


Pics of server logs, doesnt look like anything wrong. Attempting to connect looks like a normal connection:

https://imgur.com/4E5179X

View: https://i.imgur.com/4E5179X.png

 

[ihatemymonitor]

The servers ports are open.

On the clients side (windows WM) I can also SSH in to the openvpn server using putty. The only solution so far is to add back the 0.0.0.0 192.168.1.1 route, and OpenVPN connections no problem, but that defeats the purpose as I want to force all traffic to only go through the VPN, and nothing else.

I also added a -p route for 172.16.0.0 255.255.255.255 192.168.1.1 just in case ( this is the network the VPN gateway is create on), but to no avail.

I do not understand how the openvpn cannot connect unless the 0.0.0.0 route is added. Any idea what I could do to fix this?

 

[bill001g]

In this cases it would be nice if there was a standard vpn client that works the same. So many tiny details in a vpn client configuration that can go wrong and every client seems to be different.

It appears you have better knowledge than many people who ask questions on this forum. If you let the vpn client run normally does it insert a second 0.0.0.0 router with a better metric. I assume if you run tracert to random ip addresses the traffic actually does use the vpn rather than bypass it?

What most vpn do is insert a 0.0.0.0 route when they come up and then manipulate the routing table. What happens if you put in a 0.0.0.0 route to some IP that is not your router rather than delete it.

 

[ihatemymonitor]

In this cases it would be nice if there was a standard vpn client that works the same. So many tiny details in a vpn client configuration that can go wrong and every client seems to be different.

It appears you have better knowledge than many people who ask questions on this forum. If you let the vpn client run normally does it insert a second 0.0.0.0 router with a better metric. I assume if you run tracert to random ip addresses the traffic actually does use the vpn rather than bypass it?

What most vpn do is insert a 0.0.0.0 route when they come up and then manipulate the routing table. What happens if you put in a 0.0.0.0 route to some IP that is not your router rather than delete it.

When I conntact to the VPN it adds a new 0.0.0.0 route through the tunnel that it created with a higher metric. My IP changes to the VPN however. But this defeats the purpose, even if the VPNs metric is lower, if the VPN connection drops, my real IP will leak (which I cannot allow to happen).

So on OpenVPN admin page, I created a static VPN network (10.1.100.0/24), and gave my client a static IP 10.1.100.5. It appears that deleting route 0.0.0.0 and creating a static route to both the public VPN server and the VPN tunnel (10.1.110.1) it will not be able to establish a connection and that I must have a 0.0.0.0 0.0.0.0 192.168.0.1 route enabled.


I have the exact same scenario running on a different windows VMware machine, however the client is running softether, and the VPN provider is a third party (I pay by the month). I have the 0.0.0.0 route deleted, with the only persisent route being to my public VPN address. This accomplishes exactly what I require (traffic only goes through VPN, and if the VPN drops so does the traffic). To how this is possible, and not on the OpenVPN machine boggles my mind and driving me a bit up the wall lol. Comparing the route tables and ipconfig the only difference on the VMware machine with softether is additonal adapters being shown with names such as isatap and dns-suffix. See pics (they're not connected to the VPN):
Softether machine:

https://imgur.com/23euYQx

View: https://i.imgur.com/23euYQx.png
openvpn machine:

https://imgur.com/VGgqsr0

View: https://i.imgur.com/VGgqsr0.png

 

[bill001g]

This is the same frustration I had using vpn clients.....in addition to the crappy ones that would not fully uninstall.

What you describe should work perfectly fine and I have done it that way myself. It has to be some strangeness with the client. I do not know anything about that particular client. I do know it can be much worse things like cisco open connect will actually put routes back if you try to delete them...I was trying to route single address around the vpn and did not have split tunnel option turned on.

I eventually gave up and went with a router based VPN.

 

[ihatemymonitor]

Thanks for giving your input bill, this little project is sitting on my desk until I get it done or I find an alternative. I'll post this summary below for others that may be reading:


I have a persistent route to the VPN (160.50.59.40 255.255.255.255 192.168.1.1), I connect to the VPN then remove the default LAN gateway ( 0.0.0.0 0.0.0.0 192.168.1.1) so all traffic only goes through the VPN. I take a picture of this routing table.

I then restart windows with a fresh routing table (with the persistent route still) and add all these routes exactly as the seen in the picture I took, then I remove the default LAN gateway ( 0.0.0.0 0.0.0.0 192.168.1.1)... and I still cant connect.

I want to be clear here, I have have the exact same routing setup in another windows machine, with softether and a third party VPN (compared to the current windows machine with openvpn connect, and openvpn server running in oracle cloud) and I have had absolutley no problems connecting with the default LAN gateway route deleted, and just a default LAN gateway route to the VPN only. Ive been comparing both machines, their routing tables, their adapters, the software, and I cant understand how this is possible on one and not the other.

Note: Deleting the default LAN gateway ( 0.0.0.0 0.0.0.0 192.168.1.1) is to make it impossible for windows to leak your real IP if the VPN ever flakes for 2 seconds (which it will). I can also ping the VPN at anypoint because of the persitent route.

 

[bill001g]

I agree is should work... I will assume the 0.0.0.0 rather than 255.255.255.255 in the persistent route is a typo.

I have done exactly this many times.

I had a similar strange issue when I was trying out different vpn clients. I never figured out why but got desperate and reinstalled windows and can only assume that one of the vpn clients messed up some registry setting or something. I really hate windows and all the hidden stuff, linux is so much simpler I just wish more things ran on it.

What gave me a clue was I loaded wire shark and watched what traffic left the machine. I really wish you could intercept traffic before and after it goes into the vpn but I don't know if that is possible.