OpenVPN not working on Windows

Dan · February 4, 2019, 8:22am

I’m using OpenVPN GUI v11.10 on Windows 10 and try to get a connection to my Turris Omnia (up-to-date) at home.If I use another VPN service, the connection works, but not the connection to my Turris with the generated profile from Forris. In general the VPN and profiles work (e.g. from iOS or Linux’ network manager), but not with the OpenVPN GUI from Windows.

I can’t ping any IP. So something is fundamentally wrong.

Since I don’t use Windows otherwise, I’m quite helpless. Is there any experience on this in the forum?

Mon Feb 04 08:39:19 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Mon Feb 04 08:39:19 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Feb 04 08:39:19 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Mon Feb 04 08:39:19 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25356
Mon Feb 04 08:39:19 2019 Need hold release from management interface, waiting...
Mon Feb 04 08:39:20 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25356
Mon Feb 04 08:39:20 2019 MANAGEMENT: CMD 'state on'
Mon Feb 04 08:39:20 2019 MANAGEMENT: CMD 'log all on'
Mon Feb 04 08:39:20 2019 MANAGEMENT: CMD 'echo all on'
Mon Feb 04 08:39:20 2019 MANAGEMENT: CMD 'bytecount 5'
Mon Feb 04 08:39:20 2019 MANAGEMENT: CMD 'hold off'
Mon Feb 04 08:39:20 2019 MANAGEMENT: CMD 'hold release'
Mon Feb 04 08:39:20 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]A.A.A.A:1194
Mon Feb 04 08:39:20 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Feb 04 08:39:20 2019 Attempting to establish TCP connection with [AF_INET]A.A.A.A:1194 [nonblock]
Mon Feb 04 08:39:20 2019 MANAGEMENT: >STATE:1549265960,TCP_CONNECT,,,,,,
Mon Feb 04 08:39:21 2019 TCP connection established with [AF_INET]A.A.A.A:1194
Mon Feb 04 08:39:21 2019 TCP_CLIENT link local: (not bound)
Mon Feb 04 08:39:21 2019 TCP_CLIENT link remote: [AF_INET]A.A.A.A:1194
Mon Feb 04 08:39:21 2019 MANAGEMENT: >STATE:1549265961,WAIT,,,,,,
Mon Feb 04 08:39:21 2019 MANAGEMENT: >STATE:1549265961,AUTH,,,,,,
Mon Feb 04 08:39:21 2019 TLS: Initial packet from [AF_INET]A.A.A.A:1194, sid=4f2a6d68 b05d745d
Mon Feb 04 08:39:21 2019 VERIFY OK: depth=1, CN=openvpn
Mon Feb 04 08:39:21 2019 VERIFY KU OK
Mon Feb 04 08:39:21 2019 Validating certificate extended key usage
Mon Feb 04 08:39:21 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Feb 04 08:39:21 2019 VERIFY EKU OK
Mon Feb 04 08:39:21 2019 VERIFY OK: depth=0, CN=turris
Mon Feb 04 08:39:22 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Feb 04 08:39:22 2019 [turris] Peer Connection Initiated with [AF_INET]A.A.A.A:1194
Mon Feb 04 08:39:23 2019 MANAGEMENT: >STATE:1549265963,GET_CONFIG,,,,,,
Mon Feb 04 08:39:23 2019 SENT CONTROL [turris]: 'PUSH_REQUEST' (status=1)
Mon Feb 04 08:39:23 2019 PUSH: Received control message: 'PUSH_REPLY,route B.B.B.B 255.255.255.0,redirect-gateway def1,dhcp-option DNS 172.30.30.1,route 172.30.30.1,topology net30,ping 10,ping-restart 120,ifconfig 172.30.30.6 172.30.30.5,peer-id 0,cipher AES-256-GCM'
Mon Feb 04 08:39:23 2019 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 04 08:39:23 2019 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 04 08:39:23 2019 OPTIONS IMPORT: route options modified
Mon Feb 04 08:39:23 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb 04 08:39:23 2019 OPTIONS IMPORT: peer-id set
Mon Feb 04 08:39:23 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Mon Feb 04 08:39:23 2019 OPTIONS IMPORT: data channel crypto options modified
Mon Feb 04 08:39:23 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 04 08:39:23 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 04 08:39:23 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 04 08:39:23 2019 interactive service msg_channel=720
Mon Feb 04 08:39:23 2019 ROUTE_GATEWAY 192.168.72.1/255.255.248.0 I=10 HWADDR=36:d5:84:a6:0b:11
Mon Feb 04 08:39:23 2019 open_tun
Mon Feb 04 08:39:23 2019 TAP-WIN32 device [VPN-TAP] opened: \\.\Global\{3E448147-A6D4-4CE0-8620-21722928F384}.tap
Mon Feb 04 08:39:23 2019 TAP-Windows Driver Version 9.21 
Mon Feb 04 08:39:23 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.30.30.6/255.255.255.252 on interface {3E448147-A6D4-4CE0-8620-21722928F384} [DHCP-serv: 172.30.30.5, lease-time: 31536000]
Mon Feb 04 08:39:23 2019 Successful ARP Flush on interface [9] {3E448147-A6D4-4CE0-8620-21722928F384}
Mon Feb 04 08:39:23 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Feb 04 08:39:23 2019 MANAGEMENT: >STATE:1549265963,ASSIGN_IP,,172.30.30.6,,,,
Mon Feb 04 08:39:28 2019 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Mon Feb 04 08:39:28 2019 C:\WINDOWS\system32\route.exe ADD A.A.A.A MASK 255.255.255.255 192.168.72.1
Mon Feb 04 08:39:28 2019 Route addition via service succeeded
Mon Feb 04 08:39:28 2019 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.30.30.5
Mon Feb 04 08:39:28 2019 Route addition via service succeeded
Mon Feb 04 08:39:28 2019 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.30.30.5
Mon Feb 04 08:39:28 2019 Route addition via service succeeded
Mon Feb 04 08:39:28 2019 MANAGEMENT: >STATE:1549265968,ADD_ROUTES,,,,,,
Mon Feb 04 08:39:28 2019 C:\WINDOWS\system32\route.exe ADD B.B.B.B MASK 255.255.255.0 172.30.30.5
Mon Feb 04 08:39:28 2019 Route addition via service succeeded
Mon Feb 04 08:39:28 2019 C:\WINDOWS\system32\route.exe ADD 172.30.30.1 MASK 255.255.255.255 172.30.30.5
Mon Feb 04 08:39:28 2019 Route addition via service succeeded
Mon Feb 04 08:39:28 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Feb 04 08:39:28 2019 Initialization Sequence Completed
Mon Feb 04 08:39:28 2019 MANAGEMENT: >STATE:1549265968,CONNECTED,SUCCESS,172.30.30.6,A.A.A.A,1194,192.168.72.140,51329

A.A.A.A = static WAN (Turris Omnia)
B.B.B.B = local Subnet (NAT, Home)

172.30.30.0/24  = Tun-Subnet
192.168.72.0/23 = Subent WiFi (I'm connected to)

Dan · February 10, 2019, 4:12pm

Any ideas?

(Some placeholder text.)

anon50890781 · February 10, 2019, 4:26pm

Windows firewall? Perhaps try wireshark on the W machine to see what happens to the VPN packets.

DIKKEHENK · February 10, 2019, 10:32pm

just checked it with the latest fw, but all is well here? also win10.

Maxmilian_Picmaus · September 27, 2019, 11:53am

From my own testing in the past, i have to manually add mssfix 0 and fragment 0 to my win ovpn profile to make it working. And when tested on same lan i also add float.

Just wild guess…
As i see from log dump, push directives were applied correctly dns/dhcp/route … .So it should work. With FW switched off is it still not working ? (i think that if you have your vpn interface in “public” network type icmp/ping/route packets are rejected, in “private” it is allowed … )