Doing something wrong with OpenVPN client on Windows... but works on Android. Help please.

Frankenscript

Hi folks,

When I switched out my older Asus router for the newer one, I also changed from PPTP VPN Server to allow remote connections, to the OpenVPN Server implementation. I set up the client on my phone, and all was well. Now I'm trying to connect in via my laptop (while I'm out of town), and it no workie.

I've got OpenVPN server running on my Asus AX92U Router; its firmware is up to date. Months ago I generated the client.ovpn credential file and imported it to the OpenVPN app on my Android phone; after connecting (when my phone is away from my LAN, using either cellular data or a wifi hotspot), I've got a fine connection to my LAN and for example I can access cameras through my Blue Iris app, or use a Remote Desktop app on the phone. All resources from the LAN are available on my phone as long as I've got the OpenVPN VPN running.

However, when I've installed the OpenVPN Connect client on my relatively boring i5 laptop in Windows 10, and imported the client.ovpn file, although the OpenVPN client software reports connection established, I'm not able to access any resources on my LAN; the main things I want to do are remote desktop (via MS RDP) into various servers there, or occasionally print something to the printer there. Or sometimes access BI; I generally do that on the phone though. Nothing works. Remote Desktop doesn't see any of the computers on the LAN, nor is the printer seen.

I've tried:
1. Rebooting the remote client laptop computer ( :-) )
2. Reinstalling OpenVPN and re-importing the client.ovpn credential
3. Changing my client's assessment of the wifi internet connection from public to private
4. Briefly turning off firewall for private connections (after this didn't fix anything, I turned it back on)
5. Connecting my laptop computer to my phone hotspot instead of a wifi hotspot, just to try a different source internet connection and to avoid conflict with both my home LAN being 192.168.1.xxx and the remote LAN my laptop is on also being a 192.168.1.xxx address
6. I have access to another windows PC where I am, so tried installing the OpenVPN client on it and attempting connection. The connection is established just like on my laptop, but no access to anything on my LAN. This makes me think it's not something unique to my laptop; probably some form of user error.

None of these has enabled me to remote into my PCs or access any resources at the home LAN. I'm guessing I've missed some sort of basic step in setup or usage and would appreciate any insights for setting things right.

I'm perplexed that it worked so smoothly on my phone, but refuses to on PCs. I must be missing something. It's just odd that I can't get my laptop to connect to any resources on the LAN; this worked fine with the prior VPN (PPTP) I was using to connect to my LAN. Of course that used the built-in VPN connect tool in Windows rather than a separate client piece of software.

Thanks all for any thoughts.
 

gwminor48

I hope someone is able to help you. Installed OpenVPN on my BI pc some time back, I remember it was an absolute pain in the ass, hopefully it's not so bad putting it on a router. I can't do that because I have AT&T fiber and unless something has changed you can't put their unit in bridge mode.
 

sebastiantombs

I hate to ask this question, but did you export and install the Windows client on the PC or use the Android client?

Another question is are you attempting to connect using OpenVPN with the PV on your LAN? That won't work.
 

Techhead

Are you using the router for DHCP on the LAN?
Does the client laptop pull a LAN IP from the VPN subnet?
 

looney2ns

It's possible the network you're using at your location is blocking the VPN, some Wi-Fi networks public and otherwise will actually block the VPN and there's really not any way to get around it. About the only solution you have is use your Wi-Fi hotspot to get around it.
 

Frankenscript

Good questions guys. Let me get into some more detail to answer them.

So, the OpenVPN server is on the Asus router itself. It's configured as follows:

Screenshot_20210729-182924.jpg
The above is a screen capture I did on my phone; using the OpenVPN Android App I was able to connect to the LAN and log into the router to grab the settings.

About my setup: I've got Metronet fiber, and pay extra for a static IP. So I don't have to mess with DDNS or anything like that. The fiber optical network terminal is well-behaved and is effectively just a bridge to my main self-provided router which does all the work. The router (ASUS AX92U) which is running the OpenVPN server is also the DHCP provider for my LAN. It serves IP addresses to devices on the LAN (which happens to include the BI computer among other things, but not the cameras). The LAN addresses are the plain vanilla 192.168.1.xxx subnet variety.

One interesting thing, that I hadn't considered before, is that OpenVPN as I have it configured is giving out 10.8.0.xxx addresses with a 255.255.255.0 mask. Could this be the culprit? Should I change the subnet for OpenVPN to match the subnet (192.168.1.xxx) I'm using for my LAN? If so, it's weird that everything works fine on my phone.


OK, on to specifics:

@sebastiantombs :

> I hate to ask this question, but did you export and install the Windows client on the PC or use the Android client?
--Not sure I'm tracking. I installed the windows client from the OpenVPN site here: OpenVPN Client Connect For Windows | OpenVPN
Once it was installed on the PC, I used a copy of the credential file (client.ovpn) that the router generated, so that the PC would know how to connect. It handshakes fine and tells me I'm connected; this creates a network adapter visible in the Network Connections control panel.
On my phone, I had downloaded the OpenVPN Connect app for Android, gave it a copy of the client.ovpn, and it "just worked" fine from there.

> Another question is are you attempting to connect using OpenVPN with the PV on your LAN? That won't work.

Right, I'm remote now, so not currently on my LAN. Maybe I'm misunderstanding "PV" in this context?

@Techhead
My router handles DHCP. With me "connected" (remotely) with the VPN engaged, the OpenVPN connect reports a private IP of 10.8.0.6 as would be expected based on the image above. I'm thinking that may be my issue; that I'm having subnet mismatch crisis going on. Still not sure why it would be a problem on PC not Android.
 

Frankenscript

> It's possible the network you're using at your location is blocking the VPN, some Wi-Fi networks public and otherwise will actually block the VPN and there's really not any way to get around it. About the only solution you have is use your Wi-Fi hotspot to get around it.

Good thought, but my phone which is also connected to the wifi here at this apartment, is connecting fine to my home LAN through OpenVPN. It's uncanny how smooth it is on my phone.

Also, I tried disconnecting my laptop from the apartment wifi, and connected instead to my LTE-based mobile data hotspot on my phone, and experience the same inability to use the VPN on my laptop that I saw when using the apartment Wifi (provided by Spectrum).

I'll note that the apartment wifi serves 192.168.1.x local private IP addresses; I had some concern that maybe it was an issue that both my actual wifi connection and my home LAN over VPN were on the same 192.168.1.x subnet causing a problem. But, it works fine on the android... and I didn't have this problem last year when using a PPTP VPN before my switch to OpenVPN when I traveled to my Dad's place and his place was also 192.168.1.x.

But I get what you are saying. Back in the day my first broadband provider (the @Home network!) blocked IPSEC packets and my work VPN wouldn't work. Fortunately they fixed that at some point shortly after I got broadband. :)
 

Mike A.

> One interesting thing, that I hadn't considered before, is that OpenVPN as I have it configured is giving out 10.8.0.xxx addresses with a 255.255.255.0 mask. Could this be the culprit? Should I change the subnet for OpenVPN to match the subnet (192.168.1.xxx) I'm using for my LAN? If so, it's weird that everything works fine on my phone.

Always does that (by default at least). Shouldn't have to change it unless maybe you're coming into a 10.8.x.x network. It gets routed from the 10.8.x.x address at the TUN interface to a 192.168.1.x address locally.

When the good connection is made via VPN, can you ping another 192.168.1.x address on your net?

It's been forever since I set up my Surface to do that. Let me pull it out and try connecting over my hotspot and see if I can see anything special or remember having to change. Don't think so though. Having a static IP helps cut that out and you know you're making the connection at least.
 

Frankenscript

> Always does that (by default at least). Shouldn't have to change it unless maybe you're coming into a 10.8.x.x network. It gets routed from the 10.8.x.x address at the TUN interface to a 192.168.1.x address locally.
>
> When the good connection is made via VPN, can you ping another 192.168.1.x address on your net?

Can't ping anything on my LAN. I've tried using explicit IP addresses as well as PC names. Everything times out. Here's an example. Note that my client PC I'm using is the 192.168.1.35 address.

Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.35: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.
 

Mike A.

OK, I just re-did mine. Initially had problems but my own and not relevant.

Didn't have to change anything. Created a new client file. Imported and works fine.

I cannot ping inside hosts either. Not sure why but ignore that for now. RDP does work.

Differences vs yours above:

Port is different and needs to match but that should be exported in the config file.

Yes (not critical)
Yes (You don't seem to have in your firmware but not critical)

Default




 

Frankenscript

When I get home Sunday I can try to re setup from scratch and see if it works.

 

Frankenscript

So, in some spare time this evening while still traveling, I logged onto the router and re-exported a new .ovpn file, and tried that on my laptop. No dice, same problems. Anything more than this would risk screwing up the more critical stuff that's actually working on my phone, so I'm not going to screw with it until Sunday.

Step 1 will be reboot the router and see if that fixes it. Step 2 will be to apply the small changes per Mike A. and then generate a new config file.

If neither of those work I'll need to dig into it more deeply, but from all my reading, it really should be working fine right now. This is perplexing. At home I have more devices to screw around with that I can use as test beds.

Once I sort this out, I will definitely post a "router-based OpenVPN for dummies" how-to. While this is annoying the crap out of me, the fact that I can't remotely diagnose and fix it tells me that I need to learn more about this stuff. Some things I just never learned, and others I've learned and forgotten, and it's time to sharpen the saw.

Thanks for your help, folks!
 

Frankenscript

Oh, I tried one last "simple thing" and sort of fixed it.

I figured the problem was that there was a gateway configuration problem or conflict. So I went into the TAP adapter and manually configured a gateway (it was blank). It objected a few times, asking me to confirm the gateway (192.168.1.1) being on a different subnet than my 10.8.0.6 local IP address. But I entered it and after that I could do most things including remote desktop.

See below; it remembered an old address I tried to configure (192.168.1.202), but that's ignored. The main thing is that the gateway got entered, and that makes all the difference. Will dig more on Sunday but actually this works:

1627696964817.png
 

Mike A.

Yours should work as you have it above. Really the better way to do. Don't recall now why I took mine down to more basic authorization. Thought that I had it set up about the same as yours.

Anyway, take a look at the log on the Asus and on your client. The server side should show the connection process in more detail. Maybe post that and the OpenVPN config file w/ IP and cert sections redacted if you can't get it. Also, make sure which config file you're working with. Should be the one under the client subdirectory by default. Delete any others to avoid confusion.

Edit: Posted the above before I saw your post. Good deal. At least you're in now. I know that I didn't have to do that but I'm pulling an address from DHCP which provides the gateway. Using static on yours, I guess you didn't have unless entered. Not sure why you'd need that but if it works, it works.
 

Frankenscript

So I'm home now and gave it a whirl. I made the changes Mike mentioned above and exported a new .ovpn file. Tried it on another computer not messed with at all before (it's actually my Win 11 test platform), using my phone wifi hotspot as an external internet source. Worked fine on the first go.

The new credential also works fine on my laptop, though I can't say for sure if it was just the certificate or lingering effects from when I hard-coded the TAP adapter gateway.

So, if anyone has issues with the OpenVPN connect, I recommend configuring with the DNS stuff set to on. If that doesn't clear it up, investigate why the gateway isn't being properly set up. That's where the problem lies, and it could be caused by any number of things.
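
One way to check on a Windows client whether traffic for the home LAN is actually routed into the tunnel, as an added example that is not part of the thread or of OpenVPN's own tooling. The addresses 192.168.1.3 and 10.8.0.x are taken from the posts above; the variable names are illustrative, and only the built-in NetTCPIP cmdlets are used.

```powershell
# Added diagnostic sketch: run while the OpenVPN client reports "connected".
$HomeLanHost = '192.168.1.3'   # a host on the home LAN (address from the thread)
$HomeLanNet  = '192.168.1.'    # home LAN /24, written as a string prefix
$VpnPrefix   = '10.8.0.'       # tunnel addresses handed out by the OpenVPN server

# 1. Find the adapter that holds the tunnel address.
$tunnel = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress.StartsWith($VpnPrefix) } |
    Select-Object -First 1
if (-not $tunnel) {
    Write-Warning "No $VpnPrefix* address found: the VPN adapter is not up."
    return
}
"Tunnel adapter: $($tunnel.InterfaceAlias) $($tunnel.IPAddress)/$($tunnel.PrefixLength)"

# 2. Ask Windows which route it would pick for the home LAN host.
#    Find-NetRoute returns a source address object and a route object;
#    only the route object has a DestinationPrefix.
$chosen = Find-NetRoute -RemoteIPAddress $HomeLanHost |
    Where-Object { $_.DestinationPrefix } |
    Select-Object -First 1
"Route to ${HomeLanHost}: $($chosen.DestinationPrefix) via $($chosen.NextHop) on $($chosen.InterfaceAlias)"

if ($chosen.InterfaceIndex -eq $tunnel.InterfaceIndex) {
    "OK: traffic for the home LAN is sent into the tunnel."
} else {
    Write-Warning "Traffic for $HomeLanHost leaves via $($chosen.InterfaceAlias), not the tunnel."
}

# 3. Flag a local network that uses the same range as the home LAN
#    (the 192.168.1.x apartment wifi case discussed in the thread).
$overlap = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress.StartsWith($HomeLanNet) -and
                   $_.InterfaceIndex -ne $tunnel.InterfaceIndex }
foreach ($o in $overlap) {
    Write-Warning "$($o.InterfaceAlias) is also on $HomeLanNet* ($($o.IPAddress)); its on-link route competes with the VPN route."
}

# 4. List every route that points into the tunnel. If none of them covers
#    the home LAN (no 192.168.1.0/24 and no default-style route), the
#    client never installed a route for the home LAN.
Get-NetRoute -AddressFamily IPv4 -InterfaceIndex $tunnel.InterfaceIndex |
    Sort-Object DestinationPrefix |
    Format-Table DestinationPrefix, NextHop, RouteMetric -AutoSize
```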
 