Syseng, Computer Systems Engineer
Category: Networking
Satisfied Customers: 6745
Experience:  Cisco and Microsoft certified with over 20 years experience in system design, integration and development

Configuration of OpenVPN (Windows 10) to enable to browse

Customer Question

configuration of OpenVPN (Windows 10) to enable to browse BOTH SERVER AND CLIENT connected devices via Browser, from the SERVER end of the tunnel...... I can currently view Server devices (as normal) but would like the tunnel to work BOTH ways.
Submitted: 3 months ago.
Category: Networking
Customer: replied 3 months ago.
Client PC is based in UK
Server is based in Thailand.
I can connect successfully from Client to Server.
I can browse Server connected devices from Client End e.g. Cable Router (192.168.0.1) Printer Web Page (192.168.0.20)
HOWEVER, I would like to be able to view Client connected devices from the SERVER END e.g. Router (192.168.1.1) I would like the tunnel to work BOTH Ways. I have tried MANY configurations, but can only get it to work Client to Server (1 Way)
Customer: replied 3 months ago.
I had tried to see if 'Bridging' would have enabled me to achieve this...but i was not successful....
looking at OpenVPN sites has taken me days to figure out and yet no answer..... CAN THIS BE done?
Thanks, Robert
Customer: replied 3 months ago.
Oh... i thought perhaps 'PUSHING ROUTES' was a possible way... but this only works from Server to Client?
Customer: replied 3 months ago.
if only there was SOME way to make CLIENT LAN connected devices visible when using PC Browser at the SERVER END?
Customer: replied 3 months ago.
Part of Server.Conf File:

server 10.8.0.0 255.255.255.0
#server-bridge 192.168.1.100 255.255.255.0 192.168.1.200 192.168.1.254
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.0"
#push "route 10.8.0.0 255.255.255.0"
#push route 192.168.1.0 255.255.255.0
#push "route 192.168.0.0 255.255.255.0"
#push "route 192.168.1.111 255.255.255.0"
#push "route 192.168.1.1 255.255.255.0"
# Add route to Client routing table for the OpenVPN Subnet
#push "route 192.168.1.0/24 255.255.255.0"
#push "route 192.168.1.1 255.255.255.0"
# your local subnet
push "route 192.168.0.1 255.255.255.0"
push "route 192.168.0.18 255.255.255.0"
push "route 192.168.0.20 255.255.255.0"
ifconfig-pool-persist ipp.txt
# push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1 bypass-dhcp"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 10.8.0.1"
# push "dhcp-option DNS 208.67.222.222"
# push "dhcp-option DNS 208.67.220.220"
Customer: replied 3 months ago.
(Posted by JustAnswer at customer's request) Hello. I would like to request the following Expert Service(s) from you: Secure Remote Assistance.
Customer: replied 3 months ago.
Let me know if you need more information, or send me the service offer(s) so we can proceed.
Expert:  Syseng replied 3 months ago.

Hello,

My name is David.

There are a couple of methods that can be used to get this configuration to work. Perhaps the quickest, simplest way is to use the bridging feature in Windows to bridge the local connection to the OpenVPN TAP connector. If you would like remote assistance to help with the configuration please let me know.

Thanks,

David.

Customer: replied 3 months ago.
David,
Indeed, I did try bridging..... can you give me example of how my server.config should look for this.... I need working example of server.config using bridging....
OR
Can this be achieved without bridging, if so, can you give me a working (server.conf) example using the correct network topology, please.
David, I have spent days looking at openVPN Community website......
Please explain the other method in some more detail.... (you spoke of two ways?)
Kind Regards,
Robert
Expert:  Syseng replied 3 months ago.

Yes - here is an example of the server configuration file for bridging using the Windows OS bridging feature:

lport 5000
dev tap
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
mode server
ifconfig 192.168.0.1 255.255.255.0
ifconfig-noexec
ifconfig-pool 192.168.0.110 192.168.0.119
local 192.168.0.10
push "route 10.0.0.1 255.255.255.0 192.168.39.1"
duplicate-cn #use this for testing only
client-to-client
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
verb 4

Here is the matching client config:

remote <IP.Address.or.DNS.Name.of.OpenVPN.Server>
port 5000
dev tap
nobind
tls-client
ca ca.crt
cert client.crt
key client.key
pull
verb 4

Expert:  Syseng replied 3 months ago.

Note that to make this work your local area connection settings (the network adapter bridged to the OpenVPN TAP connector) must be the same as the settings for the OpenVPN TAP connector because once bridged the adapters work like a single adapter.

Customer: replied 3 months ago.
OK...so do I bridge adapters at both Server and Client PCs?
Do i forget about the ifconfig (10.8.0.1 / 10.8.0.2)?
Customer: replied 3 months ago.
See part Server.conf in notes..
Customer: replied 3 months ago.
David can you explain this line a bit more?
push "route 10.0.0.1 255.255.255.0 192.168.39.1"
Thanks, Robert
Expert:  Syseng replied 3 months ago.

No, bridging only on the client side, since the server is designed to provide local subnet network access. The ifconfig directive can remain; however, since you are bridging, make sure the LAN on the client side also uses the same 10.8.x.x subnet.

Expert:  Syseng replied 3 months ago.

Regarding the push "route 10.0.0.1 255.255.255.0 192.168.39.1", you would not need that - it is specific to the network from which I grabbed the configuration example (I just made a quick copy so you could review how it needs to be configured).

Expert:  Syseng replied 3 months ago.

The push "route 10.0.0.1 255.255.255.0 192.168.39.1" would only be if you have other networks connected on the server side that the client cannot access without the additional route added to the client routing table. This could also be entered manually on the client side if you have a situation in which you want the client to have access to other networks (subnets) on the server side.

Customer: replied 3 months ago.
Sadly, This is where I can't relate these examples to my actual requirement...... read lots of example configurations :-((
Customer: replied 3 months ago.
i bridge only the client side... Yes?
Expert:  Syseng replied 3 months ago.

That is correct, only the client side because the server side already provides bridging access to the network on the server side through OpenVPN.

Customer: replied 3 months ago.
David, apart from the need to bridge and missing bridge mode command, can you see anything wrong with my server.conf?
Customer: replied 3 months ago.
i.e topology
Customer: replied 3 months ago.
do i need to do anything with the server side adapter/s?
Expert:  Syseng replied 3 months ago.

I am reviewing the configuration now...just a moment...

Customer: replied 3 months ago.
Thanks DAVID...this is what I really really need. a configuration that works for ME :-))
Customer: replied 3 months ago.
addresses on Thailand server side: 192.168.0.1 upwards 255.255.255.0
Client UK side: 192.168.1.1 upwards 255.255.255.0
Expert:  Syseng replied 3 months ago.

Notice how in the example configuration, with the exception of the "push" directive which can be ignored, both local and remote IP addresses are in the same subnet. Because you will be bridging, the devices on the client and the server side must have IP addresses that belong to the same subnet.

Expert:  Syseng replied 3 months ago.

Here is another example at the following link - in this case using a Linux machine on the client side - however the concept for subnetting is the same. Review the diagram and you will see that the only IP addresses that are not in the same subnet are the WAN IP addresses.

click here

Customer: replied 3 months ago.
can this work for my current subnet addresses / mask..or is it impossible David?
Customer: replied 3 months ago.
sorry for dumb questions
Expert:  Syseng replied 3 months ago.

No worries - please ask as many questions as needed. Bridging will work but only if you change the IP addresses so that they are in the same subnet on both client side and server side. For example, change the IP addresses so that they both use the 192.168.0.x network.

Customer: replied 3 months ago.
OK....I see...hmmm....... So if i was to reconfigure the Router, DHCP ? (addresses which it allocates) ? starting point you think?
Customer: replied 3 months ago.
Regarding gateway, should i use router's or let openvpn server, allocate it? what u think?
Expert:  Syseng replied 3 months ago.

Yes, you could reconfigure DHCP on both sides to handle the same subnet; however, I would split the subnet so that half the subnet is handled by the client side router DHCP and half the subnet is handled by the server side router DHCP (for example, client side DHCP scope is 192.168.0.10-127, and server side DHCP scope is 192.168.0.138-254), and reserve 10 IP addresses on each side for network devices (reserve 192.168.0.1-9 on the client side and reserve 192.168.0.128-137 on the server side).

Expert:  Syseng replied 3 months ago.

Since all computers are on the same subnet when connected, they will only need the gateway address of the Internet router for accessing the Internet. As long as the OpenVPN client and OpenVPN server VPN tunnel is connected using the bridged configuration, the devices connected to the network on both sides should be able to connect to each other without a gateway since it is a bridged configuration.

Customer: replied 3 months ago.
Good David...Good.... I got lots to do.... do u think I must use bridging after I reconfigure subnets OR is there a chance the tunnel could work BOTH ways using dev Tap configuration??
Customer: replied 3 months ago.
sorry i meant dev tun...
Customer: replied 3 months ago.
is the bridging a MUST do?
Expert:  Syseng replied 3 months ago.

After you reconfigure the devices on both sides so that they are all using IP addresses in the same subnet you will have to use bridging in order for them to connect to each other.

If you want both sides to use different subnets, as is the case with your current configuration, then you will need to use a site to site configuration which may require you to change the operating system on the client side in order to get it to work although I believe we could probably get Windows 10 to route traffic. See the example configuration at the following link:

click here

An alternative would be to leave the subnets the way they are and add a router on the client side network that would serve as a gateway to the devices on the server side where the router receives traffic destined for the server side network and forwards the traffic through the bridged VPN tunnel configured on the client.

Customer: replied 3 months ago.
OK David..... Think changing subnet is best... Last Question, can you explain this line for example:
I need to get to grips with this:
ifconfig-pool 192.168.0.110 192.168.0.119
local 192.168.0.10
Customer: replied 3 months ago.
oh thought i had lost you....David
Expert:  Syseng replied 3 months ago.

The ifconfig-pool configures the server to provide a DHCP address to clients that connect. In your case, since only one client will connect, you should configure the pool to one or two IP addresses like this:

ifconfig-pool 192.168.0.253 192.168.0.254

Customer: replied 3 months ago.
Thanks David.... Lots to do .....I appreciate your help...sorry for stupid questions, forgive me
Expert:  Syseng replied 3 months ago.

Never a stupid question - those are all good questions! And glad I could help!