[Windows] 2.7-rc on server with DCO breaks client-to-client
Hi,
I have a working subnet configuration for all my Windows 11 computers. I've upgraded all my clients from 2.6.x to 2.7rc3 with success (they were already using the dco driver).
My server currently runs 2.6.17 with the wintun driver and all works fine:
- ✅ client <> server
- ✅ client <> client
When I upgrade the server to 2.7rc3 (changing the adapter from wintun to dco, with windows-driver wintun removed) without any other configuration changes, I have:
- ✅ client <> server working
- 🔴 client <> client ⏩ unable to communicate between them (ping, tracert, smb)
Same issue with 2.7rc2 and 2.7rc1.
I didn't see any error or output change in client and server logs explaining this point.
Here are my configurations:
Server
```
port 5000
proto udp4
dev tun
dev-type tun
# commented for 2.7
windows-driver wintun
mode server
tls-server
ping-timer-rem
keepalive 10 120
dh none
auth none
cipher AES-128-GCM
data-ciphers AES-128-GCM
allow-compression no
topology subnet
push "topology subnet"
ifconfig 192.168.2.1 255.255.255.0
server 192.168.2.0 255.255.255.0
# for each client, I have: 'ifconfig-push 192.168.2.xxx 255.255.255.0'
client-config-dir ./ccd
ccd-exclusive
client-to-client
max-clients 25
sndbuf 524288
rcvbuf 524288
tun-mtu 1500
push "tun-mtu 1500"
explicit-exit-notify 1
```
Client
```
client
dev tun
proto udp
remote mydomain.com 5000
resolv-retry infinite
reneg-sec 0
nobind
pull
persist-tun
remote-random
tls-client
mute-replay-warnings
remote-cert-tls server
cipher AES-128-GCM
auth none
verb 3
mute 10
script-security 2
auth-nocache
sndbuf 524288
rcvbuf 524288
explicit-exit-notify 1
pull-filter ignore redirect-gateway
route-nopull
route 192.168.2.0 255.255.255.0 vpn_gateway 300
```
Did I miss something, or is this an issue?
Thx!
With DCO, the forwarding of packets client-to-client is done differently than with wintun (or tap6) - packets are routed by the system kernel. So this explains why there are differences.
On your actual question, I'm not sure if there is anything special that needs to be enabled on windows to make client-to-client work (on a Linux system, you'd need to turn on IP forwarding). @lstipakov ?
(This said: there is lots of cruft in your client config files which does not really make sense - the sndbuf/rcvbuf setting isn't needed, cipher is ignored, nobind and pull are implied by client, and the route is not needed for the subnet that is configured with ifconfig(-push). I don't think any of them is harmful, but configs full of... things... make understanding what is intended harder)
Many Thx @cron2 for your explanations!
> route is not needed for the subnet

I've added route 192.168.2.0 255.255.255.0 vpn_gateway 300 in the client config to set the metric to 300, as explained at https://forums.openvpn.net/viewtopic.php?t=8759

> cipher is ignored

Removing it on the client causes this log message: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers. E.g. --data-ciphers DEFAULT:BF-CBC
So, here is my sanitized client config according to your feedback:
```
client
dev tun
proto udp
remote mydomain.com 5000
resolv-retry infinite
reneg-sec 0
persist-tun
remote-random
tls-client
mute-replay-warnings
remote-cert-tls server
cipher AES-128-GCM
auth none
verb 3
mute 10
script-security 2
auth-nocache
explicit-exit-notify 1
pull-filter ignore redirect-gateway
route-nopull
route 192.168.2.0 255.255.255.0 vpn_gateway 300
```
Regardless of the client-to-client routing issue, please feel free to tell me if you see any other useless or improvable elements in my client & server configurations :wink:
Just in case - have you enabled IP routing in Windows?
Hi @lstipakov
> have you enabled IP routing in Windows?

No, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter = 0
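A quick way to check the forwarding state that @lstipakov asked about, as an added PowerShell example that is not part of this thread or of OpenVPN: it reads the IPEnableRouter value quoted above and the per-interface Forwarding flag of the tunnel adapter, located by the server's tunnel address 192.168.2.1 from the posted config (the address and the optional -Fix switch are assumptions for this example).

```powershell
# Added example: report (and optionally enable) the Windows settings that
# decide whether the kernel will forward packets between DCO clients.
# Assumes the server tunnel address from the posted config; run elevated for -Fix.
param(
    [string]$TunnelAddress = '192.168.2.1',
    [switch]$Fix
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. Global switch: the registry value reported as 0 in the thread.
$global = (Get-ItemProperty -Path $regPath -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($null -eq $global) { $global = 0 }   # missing value behaves like 0
$state = if ($global -eq 1) { 'routing enabled' } else { 'routing disabled' }
"IPEnableRouter = $global ($state)"

# 2. Per-interface forwarding on the tunnel adapter, found by its IPv4 address.
$addr = Get-NetIPAddress -IPAddress $TunnelAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue
if (-not $addr) {
    Write-Warning "No interface holds $TunnelAddress; is the OpenVPN server running?"
    return
}
$iface = Get-NetIPInterface -InterfaceIndex $addr.InterfaceIndex -AddressFamily IPv4
"Tunnel interface '$($iface.InterfaceAlias)' Forwarding = $($iface.Forwarding)"

if ($Fix) {
    # Enable both; the registry change only takes effect after a reboot.
    Set-ItemProperty -Path $regPath -Name IPEnableRouter -Value 1 -Type DWord
    Set-NetIPInterface -InterfaceIndex $addr.InterfaceIndex -AddressFamily IPv4 -Forwarding Enabled
    "Forwarding enabled on the tunnel interface; reboot for IPEnableRouter to apply."
}
```

Without -Fix the script only reports, so it is safe to run on the server before and after changing anything.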