Score:0

OpenVPN Server in Windows Server not changing IP address

I am new to OpenVPN. I have been stuck with configuring OpenVPN Server for my Windows Server 2019 datacenter for over a week. I have also configured NAT in Routing and Remote Access and Firewall too. The client device is also Windows. I don't know what is missing because client's IP address is not changing. I have attached some info about the server and client. Can I get some help? Thanks.

server.ovpn

```
port 1194
proto udp4
dev tun
ca ca.crt
cert server.crt
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
```

client.ovpn

```
client
dev tun
proto udp4
remote <my_windows_server_ip_address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert bgp_vpn.crt
key bgp_vpn.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
```

My client and server logs are here.

Client logs

```
2023-01-21 10:11:17 TCP/UDP: Preserving recently used remote address: [AF_INET]<my_server_ip_address>:1194
2023-01-21 10:11:17 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-01-21 10:11:17 UDPv4 link local: (not bound)
2023-01-21 10:11:17 UDPv4 link remote: [AF_INET]<my_server_ip_address>:1194
2023-01-21 10:11:17 MANAGEMENT: >STATE:1674272477,WAIT,,,,,,
2023-01-21 10:11:17 MANAGEMENT: >STATE:1674272477,AUTH,,,,,,
2023-01-21 10:11:17 TLS: Initial packet from [AF_INET]<my_server_ip_address>:1194, sid=a2d611d2 e4c72ba2
2023-01-21 10:11:17 VERIFY OK: depth=1, CN=bagyiphyo.online
2023-01-21 10:11:17 VERIFY KU OK
2023-01-21 10:11:17 Validating certificate extended key usage
2023-01-21 10:11:17 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-21 10:11:17 VERIFY EKU OK
2023-01-21 10:11:17 VERIFY OK: depth=0, CN=server
2023-01-21 10:11:17 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-21 10:11:17 [server] Peer Connection Initiated with [AF_INET]<my_server_ip_address>:1194
2023-01-21 10:11:17 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2023-01-21 10:11:17 OPTIONS IMPORT: timers and/or timeouts modified
2023-01-21 10:11:17 OPTIONS IMPORT: --ifconfig/up options modified
2023-01-21 10:11:17 OPTIONS IMPORT: route options modified
2023-01-21 10:11:17 OPTIONS IMPORT: peer-id set
2023-01-21 10:11:17 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-01-21 10:11:17 OPTIONS IMPORT: data channel crypto options modified
2023-01-21 10:11:17 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-01-21 10:11:17 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21 10:11:17 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21 10:11:17 interactive service msg_channel=644
2023-01-21 10:11:17 open_tun
2023-01-21 10:11:17 tap-windows6 device [OpenVPN TAP-Windows6] opened
2023-01-21 10:11:17 TAP-Windows Driver Version 9.24
2023-01-21 10:11:17 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {60A13B47-B75C-4508-9173-9A33FCEB4040} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
2023-01-21 10:11:17 Successful ARP Flush on interface [39] {60A13B47-B75C-4508-9173-9A33FCEB4040}
2023-01-21 10:11:17 MANAGEMENT: >STATE:1674272477,ASSIGN_IP,,10.8.0.6,,,,
2023-01-21 10:11:17 IPv4 MTU set to 1500 on interface 39 using service
2023-01-21 10:11:22 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
2023-01-21 10:11:22 MANAGEMENT: >STATE:1674272482,ADD_ROUTES,,,,,,
2023-01-21 10:11:22 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
2023-01-21 10:11:22 Route addition via service succeeded
2023-01-21 10:11:22 Initialization Sequence Completed
2023-01-21 10:11:22 MANAGEMENT: >STATE:1674272482,CONNECTED,SUCCESS,10.8.0.6,<my_server_ip_address>,1194,,
```

Server logs

```
2023-01-21 10:41:16 103.94.68.42:17589 TLS: Initial packet from [AF_INET]103.94.68.42:17589, sid=2a442a2b 77d1aabf
2023-01-21 10:41:16 103.94.68.42:17589 VERIFY OK: depth=1, CN=bagyiphyo.online
2023-01-21 10:41:16 103.94.68.42:17589 VERIFY OK: depth=0, CN=client_vpn
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_VER=2.5.8
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_PLAT=win
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_PROTO=6
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_NCP=2
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_LZ4=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_LZ4v2=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_LZO=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_COMP_STUB=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_COMP_STUBv2=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_TCPNL=1
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-01-21 10:41:16 103.94.68.42:17589 peer info: IV_SSO=openurl,crtext
2023-01-21 10:41:16 103.94.68.42:17589 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-01-21 10:41:16 103.94.68.42:17589 [client_vpn] Peer Connection Initiated with [AF_INET]103.94.68.42:17589
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 MULTI: Learn: 10.8.0.6 -> client_vpn/103.94.68.42:17589
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 MULTI: primary virtual IP for client_vpn/103.94.68.42:17589: 10.8.0.6
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-21 10:41:16 client_vpn/103.94.68.42:17589 SENT CONTROL [client_vpn]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
```

For all logs, https://drive.google.com/file/d/1wxvWMbmChDAJYHgcw4fZRAsplptJfZgg/view?usp=sharing

Here's tracert from client while connected to the server

```
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1     2 ms     2 ms     1 ms  gpon.net [192.168.1.1]
  2     *        5 ms     *     10.69.32.1 [10.69.32.1]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     3 ms     3 ms     3 ms  203.215.63.237
  6    59 ms    60 ms    59 ms  15169.sgw.equinix.com [27.111.228.150]
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9    60 ms    61 ms    60 ms  dns.google [8.8.8.8]

Trace complete.
```

Client's routing table

```
===========================================================================
Interface List
 38...........................Wintun Userspace Tunnel
 39...00 ff 60 a1 3b 47 ......TAP-Windows Adapter V9
  6...e0 d0 45 47 5b b8 ......Microsoft Wi-Fi Direct Virtual Adapter
 16...e2 d0 45 47 5b b7 ......Microsoft Wi-Fi Direct Virtual Adapter #2
  9...e0 d0 45 47 5b b7 ......Intel(R) Wi-Fi 6 AX201 160MHz
 10...e0 d0 45 47 5b bb ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.225     35
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.225    291
    192.168.1.225  255.255.255.255         On-link     192.168.1.225    291
    192.168.1.255  255.255.255.255         On-link     192.168.1.225    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.1.225    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.1.225    291
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  9    291 fe80::/64                On-link
  9    291 fe80::f770:dd5d:92f3:c17a/128
                                    On-link
  1    331 ff00::/8                 On-link
  9    291 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
```

Nikita Kipriyanov:
If you're talking about the in-VPN address, you've configured it so it will attempt to always assign the same IP to the same client (if it's not currently assigned to anybody else). This is what the `ifconfig-pool-persist` option is for (I suppose you've read `man openvpn` and can explain for every option why you used it in your configuration, didn't you?). What does this have to do with your route tracing anyway?

Han Moe Htet:
Yes, I have read about the options in the config from README.txt. My client can connect to the server. But the client's public IP is not changing. Tracert (traceroute in Linux) shows if my client used my server's public IP. I think you are misunderstanding between public and OpenVPN-assigned IPs.

Nikita Kipriyanov:
Client IP doesn't change due to connection to the VPN. Probably you mean you tried to route traffic through the VPN and NAT it there into another IP, but it's not a good thing to refer to that as "client IP change". If you wanted to talk about that, you have to say it like that, "client routing wasn't changed", and nobody will misunderstand you. Well, could you please put your logs in a way that we don't need to download and unpack the file ourselves to see them? Preferably find out what's relevant and put it directly into the question. And show the routing table on the client.

Han Moe Htet:
Hello @NikitaKipriyanov, the client's routing has been changed now. I exited OpenVPN GUI, disabled NAT and re-enabled it. Then I started OpenVPN GUI as administrator and now it is working. I think I needed to start OpenVPN GUI after the NAT config and not before that.

Score:0

OK, it's weird, but I think the problem is related to how Windows handles network config. First, exit OpenVPN GUI or related processes. Then disable the NAT config in "Routing and Remote Access" if it was enabled before. Re-enable NAT. Then start OpenVPN GUI as administrator. Now the client connection uses the server's public IP successfully. Previously, I was doing the NAT config after I had started OpenVPN GUI.
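
A check over the evidence posted in the question, as an added example that is not part of the original thread: the server.ovpn shown pushes `redirect-gateway def1` and a DNS option, yet the PUSH_REPLY in both logs carries neither, and the client route table lacks the 0.0.0.0/1 and 128.0.0.0/1 routes that `def1` installs, so traffic still leaves outside the tunnel. The function names are hypothetical and the sample input is abridged from the text quoted in the question.

```python
import re

# Constructed sample input, abridged from the server.ovpn, client log and
# client route table quoted in the question.
SERVER_CONF = '''\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
'''
CLIENT_LOG = (
    "2023-01-21 10:11:17 PUSH: Received control message: "
    "'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,"
    "ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'\n"
)
ROUTE_PRINT = '''\
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.225     35
      192.168.1.0    255.255.255.0         On-link     192.168.1.225    291
'''

def norm(option):
    """Collapse whitespace so config and log spellings compare equal."""
    return " ".join(option.split())

def configured_pushes(conf):
    """Options of every active push "..." line (commented lines do not match)."""
    return [norm(o) for o in re.findall(r'^\s*push\s+"([^"]+)"', conf, re.M)]

def received_pushes(log):
    """Options of the last PUSH_REPLY the client logged, or [] if none."""
    replies = re.findall(r"'PUSH_REPLY,([^']*)'", log)
    return [norm(o) for o in replies[-1].split(",")] if replies else []

def missing_pushes(conf, log):
    """Pushes present in the config file but absent from the PUSH_REPLY."""
    got = received_pushes(log)
    return [p for p in configured_pushes(conf) if p not in got]

def has_def1_routes(route_print):
    """True if both /1 routes that redirect-gateway def1 installs are present."""
    pairs = {tuple(l.split()[:2]) for l in route_print.splitlines() if l.split()}
    return {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")} <= pairs

if __name__ == "__main__":
    print("configured but not received:", missing_pushes(SERVER_CONF, CLIENT_LOG))
    print("def1 routes installed:", has_def1_routes(ROUTE_PRINT))
```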
