Configuring an OpenVPN server on Win Server 2008 R2 Web

Acanthus

Lifer
Aug 28, 2001
19,915
2
76
ostif.org
Hi guys, I'm currently working on a new project that requires that I get an OpenVPN server up and running.

I have a host and server already.

My problem is that the server uses a bridged 2gbit connection (2x1gbit) and I'm worried about having issues with OpenVPN over the bridged connection.

Would it be easier to split the bridge into two 1gbit connections and run 2 instances of OpenVPN?

Is there anything I should watch out for while configuring this connection?

Thanks for any advice / assistance in advance guys, as always!!
 

CubanlB

Senior member
Oct 24, 2003
562
0
76
I've never installed OVPN on a Windows machine, but I guess if you're worried about packets being out of order you could easily set up the clients to balance between the two instances.

Have you tried it how you have it set up now and had issues?
 

Acanthus

I've never installed OVPN on a Windows machine, but I guess if you're worried about packets being out of order you could easily set up the clients to balance between the two instances.

Have you tried it how you have it set up now and had issues?

I honestly just don't know how openvpn will react to a bridged connection altogether.

I would hate to start the ovpn server and lose communications with the remote server because of some unforeseen issue.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
Are you sure you've actually bridged your NICs and not a link-aggregated pair? Bridged NICs on a server are highly unusual.
 

theevilsharpie

You've configured your NICs for link aggregation or failover, not bridging. In that case, when you created a team, your utility created a virtual network device that Windows sees as a separate NIC.

I haven't used OpenVPN on a Windows server, but I've never run into a situation where a teamed connection has caused compatibility issues with software. As long as you make sure you're using the virtual NIC, OpenVPN should work fine.
 

CubanlB

The only issue that might be caused (I think, as I'm not an OpenVPN expert by any means) would be getting too many UDP packets out of order and the OpenVPN server thinks there is an issue with the link. This is much more likely to be because somewhere else down the line the connection is flaky. (Terrible client-side wifi network comes to mind.)

You should be fine, just try it out. If you have issues, try TCP instead of UDP for protocol and see if that corrects the issue.

It's tough to troubleshoot an issue that has not happened yet.

As far as bridging (not the link aggregation you have described), you will either have a network that isn't part of the subnet the server is connected on (e.g. server is on 192.168.x.x and the VPN client network is 10.x.x.x and will need to be routed on the server) or will be part of the subnet (e.g. server is on 192.168.x.x and 192.168.x.10-50 will be reserved for VPN addresses and won't need to be routed after coming through the VPN).

That is my basic understanding of the addressing options for OpenVPN. The way you were using the term bridging might have led you to be a bit confused with any OpenVPN documentation referencing "bridging".

This is just from my experience configuring OpenVPN at home on an Ubuntu server machine, so it might not be 100% correct or applicable.
 

Acanthus

Well, I thought that I had everything configured properly, but I can't ping out when connected to the server.

I am running OpenVPN 2.3 beta 64-bit on both ends.

Server is running Win Server 2008 R2.
Client is Win7 Home Premium.

The "Local" address for the server is the "team" of 1gbit adapters.
The firewall is disabled for port 1194 on both TCP and UDP for the OpenVPN service.

I am running OpenVPN as a service on the server with the following configuration:

local 213.163.x.x
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 30 120
cipher AES-256-CBC
comp-lzo
max-clients 100
verb 2
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key

-----------end---------

Client settings:

client
dev tun
proto udp
remote 213.163.x.x 1194
resolv-retry infinite
nobind
cipher AES-256-CBC
comp-lzo
status openvpn-status.log
verb 4
ca ca.crt
cert 5ghz.crt
key 5ghz.key
 

CubanlB

Do you have routing configured on the server?

It needs to have a default route or some other route to point the VPN clients to your default gateway/local network for further routing (which is in another network).

Edit: otherwise config looks fine. Are you trying to force all traffic through the VPN or just traffic destined for your local network?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Why are you using OpenVPN?

Just use Windows' built-in Routing and Remote Access and configure SSTP. It's literally like 8 clicks to set it up.
 

Acanthus

Why are you using OpenVPN?

Just use Windows' built-in Routing and Remote Access and configure SSTP. It's literally like 8 clicks to set it up.

It needs to have an encrypted connection to the server, the server has to forward all Ovpn traffic out to the internet.

This is intended to be an OpenVPN "Gateway"
 

Acanthus

Do you have routing configured on the server?

It needs to have a default route or some other route to point the VPN clients to your default gateway/local network for further routing (which is in another network).

Edit: otherwise config looks fine. Are you trying to force all traffic through the VPN or just traffic destined for your local network?

I do not, I can't find any documentation on how to set up routing for this particular setup.

Are we talking about the "route" and "iroute" commands within OpenVPN? Or is this configuration done at the OS level?
 

drebo

It needs to have an encrypted connection to the server, the server has to forward all Ovpn traffic out to the internet.

This is intended to be an OpenVPN "Gateway"

Wait, so you're using this to proxy OpenVPN traffic out to another OpenVPN server?

Or are you using it as just a plain dial-in VPN?

If the former, good luck. If the latter, just use SSTP or L2TP (both of which are encrypted) via RRAS.
 

CubanlB

Yeah, you basically just installed the RRAS feature you needed, IP Routing (That hack is available on 7 as Routing and Remote Access Services are a Win Server Feature)

I agree with Drebo that you should have just gotten some Win VPN setup. SSTP is pretty awesome.
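
Editor's added example, not code from any poster in this thread: a small Python check that reads an OpenVPN server config, tells the routed (`server`, tun) addressing mode from the bridged (`server-bridge`, tap) one discussed above, and lists what the host OS has to provide outside OpenVPN for that mode. The first sample reuses directives from the config posted in the thread; the bridged sample and its addresses are constructed for comparison.

```python
import ipaddress
import shlex

# Server directives as posted in the thread.
POSTED_CONF = '''dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
'''

# Constructed bridged variant for comparison; addresses are made up.
BRIDGED_CONF = '''dev tap0
server-bridge 192.168.1.1 255.255.255.0 192.168.1.10 192.168.1.50
'''


def directives(text):
    """Yield (name, args) for each non-comment config line."""
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            tokens = shlex.split(line)
            yield tokens[0], tokens[1:]


def analyse(text):
    """Classify addressing mode and list what the host OS has to provide."""
    mode, net, full_tunnel = None, None, False
    for name, args in directives(text):
        if name == "server" and len(args) >= 2:
            mode = "routed"  # clients get their own subnet on a tun device
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}")
        elif name == "server-bridge" and len(args) >= 4:
            mode = "bridged"  # clients get addresses from the LAN subnet
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif name == "push" and args and args[0].split()[:1] == ["redirect-gateway"]:
            full_tunnel = True  # clients send all traffic through the VPN
    needs = []
    if mode == "routed":
        needs.append("IP forwarding between the tun adapter and the physical NIC")
        if full_tunnel:
            needs.append(f"NAT for {net} on the outbound NIC, or an upstream return route")
    elif mode == "bridged":
        needs.append("tap adapter bridged to the LAN NIC in the OS")
    return {"mode": mode, "net": str(net), "full_tunnel": full_tunnel, "needs": needs}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("bridged", BRIDGED_CONF)):
        print(label, analyse(conf))
```

For the posted config the result is routed mode with a full tunnel, so the forwarding and NAT items are host-level settings (RRAS on Windows Server, as mentioned in the thread) rather than OpenVPN `route`/`iroute` directives.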