swintec (Premium Member, join:2003-12-19, Alfred, ME)

Netgear's built-in VPN and Windows 7

Hi all. I have the Netgear R7000 Nighthawk router, which has a built-in VPN server. I have enabled the server and set things up on another machine (Windows 7) to be the client. Installed the OpenVPN client and configs, etc.

Things connect perfectly. The problem is, no traffic is routed through the VPN. It just continues to pass traffic through whatever internet connection I am on (neighbor's wifi, for example). So the VPN remains connected and presumably idle because there is no traffic being sent through it.

Looking at the TAP-Windows Adapter V9, which I had to rename to "NETGEAR-VPN" per the instructions, it shows the status as "Unidentified network" and the connectivity as "no network access". Why, since I am indeed connected to the VPN successfully, is there no connectivity? Anyone have an idea for a fix? Thanks.
swintec (Premium Member)

No one has any idea?

I don't think it is a problem with the VPN itself, but something on the client side. Something in Windows 7 causing grief.
HELLFIRE (MVM, join:2009-11-25) to swintec

said by swintec:

I have the Netgear R7000 Nighthawk router, which has a built-in VPN server.

Netgear with stock firmware, or Netgear with alt firmware (Tomato, DD-WRT, etc.) loaded?
said by swintec:

I have enabled the server and set things up on another machine to be the client, Windows 7. Installed the OpenVPN client and configs, etc.

Please clarify how the traffic is flowing and/or exactly what you want to do?

From internet -> your Netgear + VPN -> your LAN (ie. a remote access VPN setup), or

your LAN + VPN client software -> your Netgear -> the internet -> something else (ie. VPN passthrough setup)

your LAN -> your Netgear + VPN -> the Internet -> something else + VPN (ie. site to site VPN)?

...and where is your Windows 7 box in relation to all this? The LAN side of the Netgear, or the WAN side?

My 00000010bits

Regards

swintec (Premium Member)

said by HELLFIRE:

Netgear with stock firmware, or Netgear with alt firmware (Tomato, DD-WRT, etc.) loaded?

This is with the stock Netgear firmware that came installed. I was actually fairly impressed with it from the get-go, so I never bothered changing it.
said by HELLFIRE:

Please clarify how the traffic is flowing and/or exactly what you want to do?

I want to be able to connect to the VPN from any other location. I was in a hotel the past couple of days, which got me to start playing with things.

Windows 7 is on my laptop. So:

My laptop -> hotel's wifi (or any other connection in the world) -> connect to VPN at my home -> browse the internet and appear as if I am at home on that connection, regardless of where I am in the world, which naturally will give me the security a VPN offers, especially on public wifi.

As of now, OpenVPN shows it connects successfully, but that is it. It does not appear any traffic is sent out over it.
HELLFIRE (MVM) to swintec

Okay, thanks for clarifying. For starters, what direction(s), if any, did you follow in setting this up? I'm looking for some documentation on the R7000 that says it can do what you say it can.
said by swintec:

My laptop -> hotel's wifi (or any other connection in the world) -> connect to VPN at my home -> browse the internet and appear as if I am at home on that connection, regardless of where I am in the world, which naturally will give me the security a VPN offers, especially on public wifi.

Also wondering what debugging / troubleshooting can be done. I don't own an R7000 myself, but that's a question I'd put to Netgear.

My immediate thought: what do "ipconfig /all" and "route print" show from your Windows 7 machine when it's VPN'd into the R7000? Also, when you launch a web browser and go to whatismyipaddress.com or ipchicken.com while on the VPN, does it register as the public IP address of what's on your R7000?

My 00000010bits

Regards
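
The "route print" check HELLFIRE asks for can be read mechanically. What follows is an added example, not code from this thread, from Netgear or from OpenVPN: it parses the IPv4 "Active Routes" table of a saved Windows route print dump and does the same longest-prefix match (lowest metric as tie-breaker) that the Windows stack does for an Internet address, so it answers directly which gateway is really carrying default traffic. The two route tables embedded in it are constructed for illustration, one showing the "connected but nothing redirected" state and one showing a working redirect-gateway def1; the addresses used (172.20.0.0/22 as the tunnel subnet, 172.20.0.1 as the VPN gateway, 192.168.1.1 as the hotel gateway, 203.0.113.5 as the VPN server's public address) are assumptions, not the poster's.

```python
"""Which gateway really carries default traffic, from a Windows 'route print' dump.

Added example, not from the original thread or from Netgear/OpenVPN. The route
tables below are constructed; 172.20.0.0/22, 172.20.0.1, 192.168.1.1 and
203.0.113.5 are illustrative assumptions, not the poster's addresses.
"""
import ipaddress
import re
import sys

# dest  mask  gateway-or-On-link  interface  metric
ROUTE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
                      r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Return the IPv4 'Active Routes' rows; stops before the IPv6 table."""
    routes, in_active = [], False
    for line in text.splitlines():
        if "Active Routes:" in line:
            in_active = True
            continue
        if not in_active:
            continue
        if "Persistent Routes:" in line or line.startswith("===="):
            break
        m = ROUTE_RE.match(line)
        if not m:  # column header or blank line
            continue
        dest, mask, gw, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": None if gw.lower() == "on-link" else ipaddress.IPv4Address(gw),
            "interface": ipaddress.IPv4Address(iface),
            "metric": int(metric),
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric as tie-breaker: what Windows does."""
    dst = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if dst in r["network"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def default_via(routes, probe="198.51.100.10"):
    """Next hop for an arbitrary Internet host (a TEST-NET-2 address as probe)."""
    r = lookup(routes, probe)
    if r is None:
        return None
    return str(r["gateway"] or r["interface"])


def def1_routes_present(routes, vpn_gateway):
    """Are both redirect-gateway def1 half-routes installed via the VPN gateway?"""
    gw = ipaddress.IPv4Address(vpn_gateway)
    halves = {ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")}
    return {r["network"] for r in routes if r["gateway"] == gw} >= halves


# Constructed: the state the poster describes. The TAP adapter is up, but the
# only default route still points at the hotel gateway, so nothing enters the tunnel.
NOT_REDIRECTED = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.57     25
       172.20.0.0    255.255.252.0         On-link       172.20.1.50    276
      192.168.1.0    255.255.255.0         On-link      192.168.1.57    281
===========================================================================
Persistent Routes:
  None
"""

# Constructed: a working 'redirect-gateway def1'. The two /1 halves out-rank the
# hotel's /0 without deleting it, and the /32 host route keeps the tunnel's own
# UDP packets to the VPN server on the hotel gateway so they do not loop.
REDIRECTED_DEF1 = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.57     25
          0.0.0.0        128.0.0.0       172.20.0.1     172.20.1.50     30
        128.0.0.0        128.0.0.0       172.20.0.1     172.20.1.50     30
       172.20.0.0    255.255.252.0         On-link       172.20.1.50    276
      192.168.1.0    255.255.255.0         On-link      192.168.1.57    281
      203.0.113.5  255.255.255.255      192.168.1.1    192.168.1.57     25
===========================================================================
Persistent Routes:
  None
"""

if __name__ == "__main__":
    # Usage: python route_check.py [saved_route_print.txt] [vpn_gateway]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else NOT_REDIRECTED
    vpn_gw = sys.argv[2] if len(sys.argv) > 2 else "172.20.0.1"
    routes = parse_route_print(text)
    print("Internet traffic leaves via:", default_via(routes))
    print("def1 half-routes present via VPN:", def1_routes_present(routes, vpn_gw))
```

Save the output of "route print" to a file on the Windows 7 box while the VPN shows connected, then run the script against it with the VPN gateway as the second argument; if "Internet traffic leaves via" names the hotel gateway, the tunnel is up but nothing is being redirected into it, which is exactly the symptom in this thread. The 198.51.100.10 probe is just an address that matches no local subnet, so the answer reflects the default route (or the def1 halves) rather than an on-link route.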

swintec (Premium Member)

said by HELLFIRE:

Okay, thanks for clarifying. For starters, what direction(s), if any, did you follow in setting this up?

There really isn't much setting up to do. I clicked the checkbox to "Enable VPN Service" then followed the simple steps:

To install VPN client on your client devices:

Step 1: Select the Enable VPN Service check box and click the Apply button.
Step 2: Download the client utility from »openvpn.net/index.php/do ··· ads.html and install it on the devices where you want to run the VPN client.
Currently iOS and Android clients are not supported.
Step 3: Click the proper button below to download the configuration files for your VPN clients.
Step 4: Unzip the configuration files you have just downloaded and copy them to the folder where the VPN client is installed on your device. For a client device with a Windows 64-bit system, the VPN client is installed at "C:\Program files\OpenVPN\config\" by default.
Step 5: For a client device with Windows, you need to modify the VPN interface name to "NETGEAR-VPN". The VPN interface usually has a Device Name as "TAP-Windows Adapter".
Step 6: Client utility must be installed and run by a user who has administrative privileges.


The only configuration one can do is:
Note: if you want to make any change in Advanced Configurations section, please make the changes before you download the configuration files in Step 3.

Advanced Configurations
Service Type UDP TCP
Service Port:
Clients will use this VPN connection to access: "All sites on the Internet & Home" or "Home Network only" or "Auto"
swintec (Premium Member) to HELLFIRE

said by HELLFIRE:

My immediate thought: what do "ipconfig /all" and "route print" show from your Windows 7 machine when it's VPN'd into the R7000? Also, when you launch a web browser and go to whatismyipaddress.com or ipchicken.com while on the VPN, does it register as the public IP address of what's on your R7000?

No. Despite saying connected to the VPN, everything still appears as though I am on the hotel's wifi, with the hotel's IP address, not my IP from home.
HELLFIRE (MVM) to swintec

said by swintec:

There really isnt much setting up to do. I clicked the checkbox to "Enable VPN Service" then followed the simple steps:

There is Netgear's user manual here -- Section 12.
Doesn't offer much in the way of troubleshooting.

If this were any other piece of gear, I'd suggest getting onto the device itself and confirming there is a connection between your Win7 on the hotel's wifi and the Netgear itself. I also don't know if there are any status indicators and/or logs available from the OpenVPN client itself. As I said, those are questions I'd put to Netgear myself at this point.

As a question, what does the "ipconfig /all" and "route print" show while supposedly VPN'd in?

My 00000010bits

Regards

swintec (Premium Member)

said by HELLFIRE:

If this were any other piece of gear, I'd suggest getting onto the device itself and confirming there is a connection between
your Win7 on the hotel's wifi and the Netgear itself.

Actually, I've been playing with this again tonight and looked at the router's logs:

[OpenVPN, connection successfully]IP address:-snipped- Tuesday, Sep 23,2014 21:20:39

So, it shows me connecting to the router successfully from my tethered Sprint connection just fine.

Traceroutes show the traces going out over the normal connection despite being connected to the VPN.
swintec (Premium Member)

Here is the OpenVPN client log for debugging:

Tue Sep 23 21:27:38 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 7 2014
Tue Sep 23 21:27:38 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Tue Sep 23 21:27:38 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Sep 23 21:27:39 2014 Need hold release from management interface, waiting...
Tue Sep 23 21:27:39 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Sep 23 21:27:39 2014 MANAGEMENT: CMD 'state on'
Tue Sep 23 21:27:39 2014 MANAGEMENT: CMD 'log all on'
Tue Sep 23 21:27:39 2014 MANAGEMENT: CMD 'hold off'
Tue Sep 23 21:27:39 2014 MANAGEMENT: CMD 'hold release'
Tue Sep 23 21:27:39 2014 WARNING: No server certificate verification method has been enabled. See »openvpn.net/howto.html#mitm for more info.
Tue Sep 23 21:27:40 2014 LZO compression initialized
Tue Sep 23 21:27:40 2014 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Sep 23 21:27:40 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Sep 23 21:27:40 2014 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Sep 23 21:27:40 2014 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Sep 23 21:27:40 2014 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Sep 23 21:27:40 2014 Local Options hash (VER=V4): 'b498be7c'
Tue Sep 23 21:27:40 2014 Expected Remote Options hash (VER=V4): '26e19fc0'
Tue Sep 23 21:27:40 2014 UDPv4 link local: [undef]
Tue Sep 23 21:27:40 2014 UDPv4 link remote: [AF_INET]XX.XXX.XX.XXX:xxxxx
Tue Sep 23 21:27:40 2014 MANAGEMENT: >STATE:1411522060,WAIT,,,
Tue Sep 23 21:27:40 2014 MANAGEMENT: >STATE:1411522060,AUTH,,,
Tue Sep 23 21:27:40 2014 TLS: Initial packet from [AF_INET]XX.XXX.XX.XX:xxxxx, sid=e98c6a6c 0ee98158
Tue Sep 23 21:27:42 2014 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
Tue Sep 23 21:27:42 2014 VERIFY OK: depth=0, C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
Tue Sep 23 21:27:44 2014 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Sep 23 21:27:44 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 23 21:27:44 2014 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Sep 23 21:27:44 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 23 21:27:44 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Sep 23 21:27:44 2014 [netgear] Peer Connection Initiated with [AF_INET]XX.XXX.XX.XXX:xxxxx
Tue Sep 23 21:27:45 2014 MANAGEMENT: >STATE:1411522065,GET_CONFIG,,,
Tue Sep 23 21:27:47 2014 SENT CONTROL [netgear]: 'PUSH_REQUEST' (status=1)
Tue Sep 23 21:27:47 2014 PUSH: Received control message: 'PUSH_REPLY,route 172.XX.XX.X 255.255.252.0,redirect-gateway,route-gateway dhcp,ping 10,ping-restart 120'
Tue Sep 23 21:27:47 2014 OPTIONS IMPORT: timers and/or timeouts modified
Tue Sep 23 21:27:47 2014 OPTIONS IMPORT: route options modified
Tue Sep 23 21:27:47 2014 OPTIONS IMPORT: route-related options modified
Tue Sep 23 21:27:47 2014 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Sep 23 21:27:47 2014 OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.XX.X.XX
Tue Sep 23 21:27:47 2014 open_tun, tt->ipv6=0
Tue Sep 23 21:27:47 2014 TAP-WIN32 device [NETGEAR-VPN] opened: \\.\Global\{888AFE88-1471-4AED-8A26-CA2EB08C3C20}.tap
Tue Sep 23 21:27:47 2014 TAP-Windows Driver Version 9.21
Tue Sep 23 21:27:47 2014 TAP-Windows MTU=1500
Tue Sep 23 21:27:47 2014 Successful ARP Flush on interface [20] {888AFE88-1471-4AED-8A26-CA2EB08C3C20}
Tue Sep 23 21:27:52 2014 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Tue Sep 23 21:27:52 2014 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Tue Sep 23 21:27:52 2014 Initialization Sequence Completed
Tue Sep 23 21:27:52 2014 MANAGEMENT: >STATE:1411522072,CONNECTED,SUCCESS,,XX.XX.XX.XX
Tue Sep 23 21:29:47 2014 [netgear] Inactivity timeout (--ping-restart), restarting
Tue Sep 23 21:29:47 2014 TCP/UDP: Closing socket
Tue Sep 23 21:29:47 2014 SIGUSR1[soft,ping-restart] received, process restarting
HELLFIRE (MVM) to swintec

Thanks for that.
said by swintec:

Tue Sep 23 21:27:40 2014 UDPv4 link remote: [AF_INET]XX.XXX.XX.XXX:xxxxx

So guessing XX.XXX.XX.XXX is the public IP address on your R7000? If so, that confirms what you're saying, that you're connecting to the VPN itself.

This stuff afterwards kinda worries me...
said by swintec:

Tue Sep 23 21:27:47 2014 PUSH: Received control message: 'PUSH_REPLY,route 172.XX.XX.X 255.255.252.0,redirect-gateway,route-gateway dhcp,ping 10,ping-restart 120'

So OpenVPN is pushing a route to your Win7 box; guessing the full address is something in the 172.16.x.x to 172.31.x.x range?
said by swintec:

Tue Sep 23 21:27:47 2014 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Sep 23 21:27:47 2014 OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.XX.X.XX
Tue Sep 23 21:27:52 2014 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Tue Sep 23 21:27:52 2014 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Tue Sep 23 21:27:52 2014 Initialization Sequence Completed
Tue Sep 23 21:27:52 2014 MANAGEMENT: >STATE:1411522072,CONNECTED,SUCCESS,,XX.XX.XX.XX
Tue Sep 23 21:29:47 2014 [netgear] Inactivity timeout (--ping-restart), restarting

The rest of this reads like, after the 172.x.x.x route was pushed, either the R7000 or your Win7 couldn't process it, and therefore didn't install it for all traffic to be tunneled back to the R7000.

Still waiting for your "ipconfig /all" and "route print" output, but I suspect you won't see a 172.x.x.x address or route present. Offhand though, that's where you have to go next, but methinks Netgear's gonna point the finger at OpenVPN, and OpenVPN'll throw up their hands and say "nuh-uh, we're not getting paid for this..."

Anyone (more) knowledgeable with OpenVPN wanna comment?

My 00000010bits

Regards
LittleBill (Member, join:2013-05-24)

How are you connecting to the VPN? From the native Windows client?
LittleBill (Member)

Routing all client traffic (including web-traffic) through the VPN
Overview

By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.

In certain cases this behavior might not be desirable -- you might want a VPN client to tunnel all network traffic through the VPN, including general internet web browsing. While this type of VPN configuration will exact a performance penalty on the client, it gives the VPN administrator more control over security policies when a client is simultaneously connected to both the public internet and the VPN at the same time.
Implementation

Add the following directive to the server configuration file:

push "redirect-gateway def1"

If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag:

push "redirect-gateway local def1"

Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy.

On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the server directive in the OpenVPN server configuration) and that the local ethernet interface is eth0.

When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need to handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active. For example:

push "dhcp-option DNS 10.8.0.1"

will configure Windows clients (or non-Windows clients with some extra server-side scripting) to use 10.8.0.1 as their DNS server. Any address which is reachable from clients may be used as the DNS server address.
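
HELLFIRE's reading of the PUSH_REPLY earlier in the thread and the redirect-gateway behaviour LittleBill pasted above can both be checked mechanically against a client log. What follows is an added example, not code from this thread, from Netgear or from the OpenVPN project: it extracts the pushed options from an OpenVPN 2.3 client log, reports whether redirect-gateway was actually applied (the "Initialization Sequence Completed" line is logged either way, which is why the client says "connected" while nothing is tunnelled), and lists the routes the client would need for each redirect-gateway flavour, following the OpenVPN manual's description of the plain, def1 and local variants. The two log excerpts embedded in it are constructed to mirror the shape of the posted log; the addresses in them (172.20.0.0/22, 172.20.0.1, 203.0.113.5, 192.168.1.1) are illustrative assumptions substituted for the redacted ones, and the "working" excerpt shows what a def1 push with a literal gateway would look like, not what the R7000 sends.

```python
"""Extract the routing facts from an OpenVPN 2.3 client log.

Added example, not from the original thread. The log excerpts are constructed
to mirror the posted log; 172.20.0.0/22, 172.20.0.1, 203.0.113.5 and
192.168.1.1 are illustrative assumptions, not the poster's addresses.
"""
import re
import sys

PUSH_RE = re.compile(r"PUSH: Received control message: '([^']*)'")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_push_reply(log_text):
    """Pushed options as {name: [args, ...]}; a name may repeat (several 'route')."""
    m = PUSH_RE.search(log_text)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        parts = item.strip().split()
        if not parts or parts[0] == "PUSH_REPLY":
            continue
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def redirect_status(log_text):
    """Was redirect-gateway pushed, with which flags, and did the client apply it?"""
    opts = parse_push_reply(log_text) or {}
    rg = opts.get("redirect-gateway")
    gw = opts.get("route-gateway", [[None]])[0][0]
    return {
        "pushed_redirect": rg is not None,
        "flags": sorted(rg[0]) if rg else None,  # [] means a bare 'redirect-gateway'
        "route_gateway": gw,                      # literal IP, 'dhcp', or None
        "gateway_is_literal_ip": gw is not None and IPV4_RE.fullmatch(gw) is not None,
        # OpenVPN still logs 'Initialization Sequence Completed' after this NOTE,
        # so 'connected' in the GUI does not mean the default route moved.
        "redirect_applied": rg is not None
                            and "unable to redirect default gateway" not in log_text,
        "route_errors": [l for l in log_text.splitlines() if "OpenVPN ROUTE:" in l],
    }


def expected_routes(flags, vpn_gw, server_ip, old_gw):
    """Routes --redirect-gateway installs, per the OpenVPN manual:
    1. a host route to the VPN server via the old default gateway (omitted with
       'local'), so the tunnel's own packets do not get routed into the tunnel;
    2. plain: delete the old default and add 0.0.0.0/0 via the VPN gateway;
       def1: keep the old default and add 0.0.0.0/1 + 128.0.0.0/1 via the VPN
       gateway, which win by longest-prefix match without deleting anything."""
    routes = []
    if "local" not in flags:
        routes.append((server_ip + "/32", old_gw))
    if "def1" in flags:
        routes += [("0.0.0.0/1", vpn_gw), ("128.0.0.0/1", vpn_gw)]
    else:
        routes.append(("0.0.0.0/0", vpn_gw))
    return routes


# Constructed to mirror the posted log: bare redirect-gateway, gateway 'dhcp',
# route install fails, and the session still reports itself as completed.
BROKEN_LOG = """\
Tue Sep 23 21:27:47 2014 PUSH: Received control message: 'PUSH_REPLY,route 172.20.0.0 255.255.252.0,redirect-gateway,route-gateway dhcp,ping 10,ping-restart 120'
Tue Sep 23 21:27:47 2014 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Sep 23 21:27:47 2014 OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.20.0.0
Tue Sep 23 21:27:52 2014 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Tue Sep 23 21:27:52 2014 Initialization Sequence Completed
"""

# Constructed contrast: def1 with a literal gateway and a pushed DNS server.
WORKING_LOG = """\
Tue Sep 23 21:27:47 2014 PUSH: Received control message: 'PUSH_REPLY,route 172.20.0.0 255.255.252.0,redirect-gateway def1 bypass-dhcp,route-gateway 172.20.0.1,dhcp-option DNS 172.20.0.1,ping 10,ping-restart 120'
Tue Sep 23 21:27:52 2014 Initialization Sequence Completed
"""

if __name__ == "__main__":
    # Usage: python ovpn_log_check.py [client.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_LOG
    status = redirect_status(text)
    for key, value in status.items():
        print(f"{key}: {value}")
    if status["pushed_redirect"]:
        print("routes the client needs:", expected_routes(
            set(status["flags"]), status["route_gateway"], "203.0.113.5", "192.168.1.1"))
```

Run it against the client log with the path as the first argument. On the posted log it reports the redirect as pushed but not applied, the gateway as "dhcp" rather than a literal address, and two ROUTE errors, which is the whole diagnosis in three lines: the server did ask for redirection, the client could not resolve a gateway to attach it to, and OpenVPN carried on to "connected" regardless.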

swintec (Premium Member) to LittleBill

said by LittleBill:

How are you connecting to the VPN? From the native Windows client?

No, one has to use the OpenVPN client and put the config files generated by the router into the OpenVPN client folder.
LittleBill (Member)

Then I provided your solution above.

swintec (Premium Member)

said by LittleBill:

Then I provided your solution above.

Supposedly, and maybe I am giving Netgear too much credit, but this is supposed to work out of the box, so to speak. The average user doesn't have the ability to do those modifications. The router spits out a client config and away you go, again, supposedly.
said by LittleBill:

Add the following directive to the server configuration file:

push "redirect-gateway def1"

As far as I can tell, I can't edit that. The router is the VPN server. I can edit the client config; that is only about 10 lines long.
said by LittleBill:

If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag:

push "redirect-gateway local def1"

I am not on the local network. I would be away from home trying to connect from another ISP, etc.

Again, it is possible I am just misunderstanding what Netgear is doing here. If my normal web traffic is not going over the VPN, I just don't understand what they would be sending over it by default.
LittleBill (Member)

I upgraded to the latest firmware on my R7000 (V1.0.3.60_1.1.27) which I'm sure is a number of revs up from what slidermiike had when he posted. Then I followed the same procedure he described above:

"Changed the option at the bottom to allow vpn access not only to the local LAN traffic but also internet traffic to cross the tunnel as well.

Downloaded the Windows file the router creates. Unzipped the files & placed them into the subfolder of OpenVPN per the directions."

But... I also downloaded and installed the latest version of the OpenVPN client.

And it all works as it should, which I did verify with ipchicken. Hope this helps...

swintec (Premium Member)

said by LittleBill:

I upgraded to the latest firmware on my R7000 (V1.0.3.60_1.1.27)

Hmm... the firmware I have is V1.0.3.68_1.1.31, and that was via update notification a few weeks back when I logged into the router.
LittleBill (Member)

I am just pulling random stuff off the internet; did you select the options that my post indicates?

swintec (Premium Member)

said by LittleBill:

I am just pulling random stuff off the internet; did you select the options that my post indicates?

Yes. There are very few user-configurable options on the setup side, so at least that is easy.

BlueMist (Member, join:2011-01-24, Cookeville, TN) to swintec

When you actually start the installed OpenVPN client on the PC, are you choosing "Run as administrator", or do you have the icon's Compatibility tab with the option checked "Run this program as an administrator"?

If not, give it a try and see if that clears the error messages in the log file and makes things function properly.

swintec (Premium Member)

said by BlueMist:

When you actually start the installed OpenVPN client on the PC are you choosing "Run as administrator"

Yes, but I even right-click and run as admin to be safe, click yes, etc., and it runs as above.

XANAVirus (Premium Member, join:2012-03-03, Lavalette, WV)

I'm running an OpenVPN server on my home network, and it is on this server where I have access to the OpenVPN server configuration.

Do you have access to the whole server configuration file? Hopefully, there is a setting in Advanced Options to edit it.

In my configuration I have 'redirect-gateway def1 bypass-dhcp', but you have just 'redirect-gateway' - I think the problem is that your R7000 server is not properly configured and thus is not passing default gateway settings to the client.

Have you confirmed that you can ping or traceroute a PC on your local LAN while connected to the VPN? What about outwards toward the Internet, like Google.com?

swintec (Premium Member)

said by XANAVirus:

Do you have access to the whole server configuration file? Hopefully, there is a setting in Advanced Options to edit it.

No, the GUI on the router generates the config file.
said by XANAVirus:

I think the problem is that your R7000 server is not properly configured

It is possible, but there are really no options to customize / mess up. The user can configure the port, UDP / TCP, and the scope of access for VPN connections.
said by XANAVirus:

Have you confirmed that you can ping or traceroute a PC on your local LAN while connected to the VPN?

No. Even though it says I am "connected", any traffic still goes over the local connection of wherever I am connected (hotel wifi, coffee shop, etc.).
HarryH3 (Premium Member, join:2005-02-21)

This link »www.serverwatch.com/tuto ··· rt-1.htm points to a good reference for setting up OpenVPN with a Tomato-based router, but it also discusses configuring the client side of things. It worked great for me. Perhaps there is a golden nugget of info there that can get you going?