OpenVPN help please

kwikbreaks

This follows on from an earlier thread where it was suggested that using VPN to access IP cameras would be more secure than having open ports.

Some time ago I setup a VPN on my Asus router and that works perfectly using OpenVPN on Android although I only use it whebn connecting to public WiFi.

I've installed OpenVPN on Windows 10 and imported the config. I can see it connects to the VPN on the home router (thanks Teamviewer) and there are no obvious errors showing on the laptop but despite it being connected the VPN isn't being used and I see the EE IP not my home IP when checking.

I've looked at umpteen helps from google search but got nowhere. Most seem to be about missing TAP adapters but one got set up for me so it isn't that.

In anticipation of being asked....
OpenVPN log

Wed Oct 05 12:13:17 2016 OpenVPN 2.3.12 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
Wed Oct 05 12:13:17 2016 Windows version 6.2 (Windows 8 or greater) 32bit
Wed Oct 05 12:13:17 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Enter Management Password:
Wed Oct 05 12:13:32 2016 UDPv4 link local: [undef]
Wed Oct 05 12:13:32 2016 UDPv4 link remote: [AF_INET](my home IP):1194
Wed Oct 05 12:13:32 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Oct 05 12:13:34 2016 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Wed Oct 05 12:13:34 2016 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Wed Oct 05 12:13:34 2016 [DSL-AC68U] Peer Connection Initiated with [AF_INET](my home IP):1194
Wed Oct 05 12:13:36 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Oct 05 12:13:36 2016 open_tun, tt->ipv6=0
Wed Oct 05 12:13:36 2016 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{CEA3E9FC-607B-40F2-ABCB-AC891AE564DF}.tap
Wed Oct 05 12:13:36 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {CEA3E9FC-607B-40F2-ABCB-AC891AE564DF} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Oct 05 12:13:36 2016 Successful ARP Flush on interface [12] {CEA3E9FC-607B-40F2-ABCB-AC891AE564DF}
Wed Oct 05 12:13:41 2016 Initialization Sequence Completed

ipconfig /all

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\mark>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Lenovo-Laptop
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 5A-63-56-C5-4A-10
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-CE-A3-E9-FC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::45ab:27d0:a5bb:b7c3%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Lease Obtained. . . . . . . . . . : 05 October 2016 12:13:36
Lease Expires . . . . . . . . . . : 05 October 2017 12:13:36
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.8.0.5
DHCPv6 IAID . . . . . . . . . . . : 570490830
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-A1-AA-40-58-63-56-C5-4A-10
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8723BS Wireless LAN 802.11n SDIO Network Adapter
Physical Address. . . . . . . . . : 58-63-56-C5-4A-10
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e932:6da7:e6d2:96df%20(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 04 October 2016 22:18:41
Lease Expires . . . . . . . . . . : 06 October 2016 12:02:32
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 341336918
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-A1-AA-40-58-63-56-C5-4A-10
DNS Servers . . . . . . . . . . . : 192.168.1.1
192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 58-63-56-C5-71-20
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{CEA3E9FC-607B-40F2-ABCB-AC891AE564DF}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 4:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:889:24f2:3f57:fe9b(Preferred)
Link-local IPv6 Address . . . . . : fe80::889:24f2:3f57:fe9b%10(Preferred)
Default Gateway . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 167772160
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-A1-AA-40-58-63-56-C5-4A-10
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{6163C237-B661-41DD-96DD-447857CEAE05}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

C:\Users\mark>

John_Gray

Probably a very silly question, but does
OpenVPN 2.3.12 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
mean you are running IPv6, or just that the VPN is capable of handling IPv6? You certainly have an interesting mixture of IPv4 and IPv6 addresses in the IPCONFIG.

kwikbreaks

It's the only current build I see for Windows and I'm assuming it just means it will support IPv6. My ISP doesn't and it connects OK to my home using IPv4. What fails is doing whatever magic is supposed to happen that routes all the connections through the VPN. With Android you just kick it off and establish the VPN then everything routes through it. I sort of assumed it would be the same with Windows. All the setup guides stop after establishing the connection.

I don't do anything with IPv6 and all that stuff you see just comes from Windows default behaviour.

AndyPix

Disable ipv6 on your machine. ( in adapter properties, take the tick out ) and give it another whizz

kwikbreaks

Thanks for the suggestion but it made no difference.

S0litaire

Are the cameras stand alone or connected to the windows machine?

kwikbreaks

No cameras are involved as yet. I just need to establish a working VPN connection between a Windows 10 laptop and the VPN server established by my router. It is a Windows/OpenVPN problem because the link works perfectly from both an Android tablet and phone.

The eventual setup would be to have no open ports for accessing my CCTV DVR but just to VPN to my home network and connect to it directly over the local network. This is no use anyway for the new breed of network cameras as they rely on third party servers so there are no ports open anyway. As virtually all new network cameras are that type now I'm guessing that they are pretty insecure as they are being blamed for being hacked and used for DoS attacks (BBC story).

baaluo

You should give HMA VPN a try, my favourite.

kwikbreaks

Useless for my needs - I need the VPN to terminate at home to be able to access the local network.

====

I have found that the error must exist in the config file produced by the router as the setup works just fine when testing with config files from FreeVPN. Strange that it works OK with Andoid. Will see if I can find anything about this with the extra info I now have.

====
I was was just using the config I produced some time back for Android clients using default settings.
I checked the advanced options for config generation in the router GUI and spotted a likely source of error ...
An option named "Direct clients to redirect Internet traffic" was defaulted to No. I changed it to Yes and exported a new config which is now working as expected. I have no idea why Android works without this or why it is defaulted to No but for me the issue is now fixed.

===
I compared the two config files and they are the same - the setting just alters he way that the server behaves because it works with either config now the server setting is changed. It still works with Android too.