Author Topic: Windows 7 OpenVPN  (Read 50297 times)
razametal
Full Member
***
Offline Offline

Posts: 15


« on: Friday 16 April 2010, 01:46:57 am »

Hi,

I'm using OpenVPN 2.0.9 with Windows XP SP3 and Windows 7 clients.

The connection from Windows XP works fine: I can ping the hosts on the pushed networks through the VPN, but with Windows 7 I can only ping the firewall's green IP address.

Is there any configuration issue with Windows 7 clients?

Regards,
Logged
StephanSch
Full Member
***
Offline Offline

Gender: Male
Posts: 57


« Reply #1 on: Friday 16 April 2010, 05:48:57 am »

You have to use the latest release (2.1.1) on your client. I had to.
I think it worked with a 2.1 beta, not before.
Logged
razametal
Full Member
***
Offline Offline

Posts: 15


« Reply #2 on: Friday 16 April 2010, 08:51:41 am »

Thank you for the response, I'll be trying with the latest version.

Regards,
Logged
raneesh
Jr. Member
*
Offline Offline

Posts: 7


« Reply #3 on: Saturday 17 April 2010, 08:16:12 pm »

Download the Windows installer and try it.

Go to openvpn.net/index.php/open-source/downloads.html
Logged
Pluimers
Jr. Member
*
Offline Offline

Posts: 8


« Reply #4 on: Wednesday 11 August 2010, 03:12:02 am »

bump: I'm having the same problem as the original poster.
Anyone who can help, please?

More specifics on the Endian configuration (tried both 2.2 and 2.4, both fail):

red=192.168.100.25;192.168.71.25
green=176.16.41.1
orange=176.16.141.1

It basically runs as an OpenVPN server, serving at red, providing access to green.

Using Windows XP and an OpenVPN 2.1.1 client runs fine.
It can ping machines inside the green network.

Using Windows 7 x64 and an OpenVPN 2.1.1 client running as Administrator (yes, with the UAC dialogs confirmed) does not run fine.
It can only ping the green gateway, but no other machines.

I have tried various Windows XP and Windows 7 machines: all XP machines succeed, all Windows 7 machines fail.
But why?


Windows 7 log:

Code:
Tue Aug 10 18:50:15 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Tue Aug 10 18:50:23 2010 WARNING: No server certificate verification method has been enabled.  See http ://openvpn.net/howto.html#mitm for more info.
Tue Aug 10 18:50:23 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Aug 10 18:50:24 2010 LZO compression initialized
Tue Aug 10 18:50:24 2010 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Aug 10 18:50:24 2010 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Aug 10 18:50:24 2010 Local Options hash (VER=V4): '31fdf004'
Tue Aug 10 18:50:24 2010 Expected Remote Options hash (VER=V4): '3e6d1056'
Tue Aug 10 18:50:24 2010 Attempting to establish TCP connection with 192.168.71.25:1194
Tue Aug 10 18:50:24 2010 TCP connection established with 192.168.71.25:1194
Tue Aug 10 18:50:24 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Aug 10 18:50:24 2010 TCPv4_CLIENT link local: [undef]
Tue Aug 10 18:50:24 2010 TCPv4_CLIENT link remote: 192.168.71.25:1194
Tue Aug 10 18:50:24 2010 TLS: Initial packet from 192.168.71.25:1194, sid=165d50de 52c0ecba
Tue Aug 10 18:50:24 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Aug 10 18:50:24 2010 VERIFY OK: depth=1, /C=IT/O=efw/CN=efw_CA
Tue Aug 10 18:50:24 2010 VERIFY OK: depth=0, /C=IT/O=efw/CN=127.0.0.1
Tue Aug 10 18:50:24 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 10 18:50:24 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 10 18:50:24 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 10 18:50:24 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 10 18:50:24 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug 10 18:50:24 2010 [127.0.0.1] Peer Connection Initiated with 192.168.71.25:1194
Tue Aug 10 18:50:26 2010 SENT CONTROL [127.0.0.1]: 'PUSH_REQUEST' (status=1)
Tue Aug 10 18:50:27 2010 PUSH: Received control message: 'PUSH_REPLY,ifconfig 172.16.41.209 255.255.255.0,dhcp-option DOMAIN pluimers.com,ping-restart 30,ping 8,route-gateway 172.16.41.1,route-gateway 172.16.41.1'
Tue Aug 10 18:50:27 2010 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 10 18:50:27 2010 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 10 18:50:27 2010 OPTIONS IMPORT: route-related options modified
Tue Aug 10 18:50:27 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Aug 10 18:50:27 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{F3F5E8A1-1797-4FA8-902E-3895A2163148}.tap
Tue Aug 10 18:50:27 2010 TAP-Win32 Driver Version 9.6
Tue Aug 10 18:50:27 2010 TAP-Win32 MTU=1500
Tue Aug 10 18:50:27 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.41.209/255.255.255.0 on interface {F3F5E8A1-1797-4FA8-902E-3895A2163148} [DHCP-serv: 172.16.41.0, lease-time: 31536000]
Tue Aug 10 18:50:27 2010 Successful ARP Flush on interface [34] {F3F5E8A1-1797-4FA8-902E-3895A2163148}
Tue Aug 10 18:50:32 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Tue Aug 10 18:50:32 2010 Initialization Sequence Completed

Windows 7 routing table:

Code:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.71.1   192.168.71.160     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link   169.254.100.145    276
  169.254.100.145  255.255.255.255         On-link   169.254.100.145    276
  169.254.255.255  255.255.255.255         On-link   169.254.100.145    276
      172.16.41.0    255.255.255.0         On-link     172.16.41.209    286
    172.16.41.209  255.255.255.255         On-link     172.16.41.209    286
    172.16.41.255  255.255.255.255         On-link     172.16.41.209    286
     192.168.71.0    255.255.255.0         On-link    192.168.71.160    276
   192.168.71.160  255.255.255.255         On-link    192.168.71.160    276
   192.168.71.255  255.255.255.255         On-link    192.168.71.160    276
    192.168.237.0    255.255.255.0         On-link     192.168.237.1    276
    192.168.237.1  255.255.255.255         On-link     192.168.237.1    276
  192.168.237.255  255.255.255.255         On-link     192.168.237.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.71.160    276
        224.0.0.0        240.0.0.0         On-link   169.254.100.145    276
        224.0.0.0        240.0.0.0         On-link     192.168.237.1    276
        224.0.0.0        240.0.0.0         On-link     172.16.41.209    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.71.160    276
  255.255.255.255  255.255.255.255         On-link   169.254.100.145    276
  255.255.255.255  255.255.255.255         On-link     192.168.237.1    276
  255.255.255.255  255.255.255.255         On-link     172.16.41.209    286
===========================================================================

(you can ignore these routes, as they are from VMware Workstation running on the same machine:
- 192.168.237.0/24
- 169.254.0.0/16
)

Windows XP log:

Code:
Tue Aug 10 19:01:04 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Tue Aug 10 19:01:06 2010 WARNING: No server certificate verification method has been enabled.  See http ://openvpn.net/howto.html#mitm for more info.
Tue Aug 10 19:01:06 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Aug 10 19:01:07 2010 LZO compression initialized
Tue Aug 10 19:01:07 2010 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Aug 10 19:01:07 2010 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Aug 10 19:01:07 2010 Local Options hash (VER=V4): '31fdf004'
Tue Aug 10 19:01:07 2010 Expected Remote Options hash (VER=V4): '3e6d1056'
Tue Aug 10 19:01:07 2010 Attempting to establish TCP connection with 192.168.71.25:1194
Tue Aug 10 19:01:07 2010 TCP connection established with 192.168.71.25:1194
Tue Aug 10 19:01:07 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Aug 10 19:01:07 2010 TCPv4_CLIENT link local: [undef]
Tue Aug 10 19:01:07 2010 TCPv4_CLIENT link remote: 192.168.71.25:1194
Tue Aug 10 19:01:07 2010 TLS: Initial packet from 192.168.71.25:1194, sid=983b94eb 87732d38
Tue Aug 10 19:01:07 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Aug 10 19:01:07 2010 VERIFY OK: depth=1, /C=IT/O=efw/CN=efw_CA
Tue Aug 10 19:01:07 2010 VERIFY OK: depth=0, /C=IT/O=efw/CN=127.0.0.1
Tue Aug 10 19:01:07 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 10 19:01:07 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 10 19:01:07 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 10 19:01:07 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 10 19:01:07 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug 10 19:01:07 2010 [127.0.0.1] Peer Connection Initiated with 192.168.71.25:1194
Tue Aug 10 19:01:09 2010 SENT CONTROL [127.0.0.1]: 'PUSH_REQUEST' (status=1)
Tue Aug 10 19:01:10 2010 PUSH: Received control message: 'PUSH_REPLY,ifconfig 172.16.41.201 255.255.255.0,dhcp-option DOMAIN pluimers.com,ping-restart 30,ping 8,route-gateway 172.16.41.1,route-gateway 172.16.41.1'
Tue Aug 10 19:01:10 2010 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 10 19:01:10 2010 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 10 19:01:10 2010 OPTIONS IMPORT: route-related options modified
Tue Aug 10 19:01:10 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Aug 10 19:01:10 2010 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{C4752F65-93BA-4DED-A1FE-2633F1481ABF}.tap
Tue Aug 10 19:01:10 2010 TAP-Win32 Driver Version 9.6
Tue Aug 10 19:01:10 2010 TAP-Win32 MTU=1500
Tue Aug 10 19:01:10 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.41.201/255.255.255.0 on interface {C4752F65-93BA-4DED-A1FE-2633F1481ABF} [DHCP-serv: 172.16.41.0, lease-time: 31536000]
Tue Aug 10 19:01:10 2010 Successful ARP Flush on interface [2] {C4752F65-93BA-4DED-A1FE-2633F1481ABF}
Tue Aug 10 19:01:15 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue Aug 10 19:01:15 2010 Route: Waiting for TUN/TAP interface to come up...
Tue Aug 10 19:01:18 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Tue Aug 10 19:01:18 2010 Initialization Sequence Completed

The XP routing table:

Code:
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.237.2  192.168.237.128      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      172.16.41.0    255.255.255.0    172.16.41.201   172.16.41.201       30
    172.16.41.201  255.255.255.255        127.0.0.1       127.0.0.1       30
   172.16.255.255  255.255.255.255    172.16.41.201   172.16.41.201       30
    192.168.237.0    255.255.255.0  192.168.237.128  192.168.237.128      10
  192.168.237.128  255.255.255.255        127.0.0.1       127.0.0.1       10
  192.168.237.255  255.255.255.255  192.168.237.128  192.168.237.128      10
        224.0.0.0        240.0.0.0    172.16.41.201   172.16.41.201       30
        224.0.0.0        240.0.0.0  192.168.237.128  192.168.237.128      10
  255.255.255.255  255.255.255.255    172.16.41.201   172.16.41.201       1
  255.255.255.255  255.255.255.255  192.168.237.128  192.168.237.128      1
Default Gateway:     192.168.237.2
===========================================================================

Anyone having an idea why it goes wrong?

--jeroen
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #5 on: Thursday 12 August 2010, 01:33:39 am »

Can you post the output of a traceroute? It's better than ping for tracking down network problems.

I have a Windows 7 machine, and it works great, as does WinXP.
Logged
Pluimers
Jr. Member
*
Offline Offline

Posts: 8


« Reply #6 on: Thursday 12 August 2010, 07:02:08 am »

Thx for wanting to look into this.

I have the idea the Endian is not giving the Windows 7 machine enough routing information (and XP can do without the extra routing info).

The traceroute:
Code:
C:\Users\jeroenp>tracert 172.16.41.10

Tracing route to 172.16.41.10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  SpeedTouch.pluimers.com [192.168.71.1]
  2    15 ms    14 ms    14 ms  195.190.241.11
  3  42.ge-2-1-0.xr4.1d12.xs4all.net [194.109.5.105]  reports: Destination net unreachable.

The log:
Code:
Wed Aug 11 22:54:37 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Wed Aug 11 22:54:43 2010 WARNING: No server certificate verification method has been enabled.  See http ://openvpn.net/howto.html#mitm for more info.
Wed Aug 11 22:54:43 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Aug 11 22:54:43 2010 LZO compression initialized
Wed Aug 11 22:54:43 2010 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Aug 11 22:54:43 2010 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Aug 11 22:54:43 2010 Local Options hash (VER=V4): '31fdf004'
Wed Aug 11 22:54:43 2010 Expected Remote Options hash (VER=V4): '3e6d1056'
Wed Aug 11 22:54:43 2010 Attempting to establish TCP connection with 192.168.71.25:1194
Wed Aug 11 22:54:43 2010 TCP connection established with 192.168.71.25:1194
Wed Aug 11 22:54:43 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 11 22:54:43 2010 TCPv4_CLIENT link local: [undef]
Wed Aug 11 22:54:43 2010 TCPv4_CLIENT link remote: 192.168.71.25:1194
Wed Aug 11 22:54:43 2010 TLS: Initial packet from 192.168.71.25:1194, sid=a8e8e633 5af97fd5
Wed Aug 11 22:54:43 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Aug 11 22:54:43 2010 VERIFY OK: depth=1, /C=IT/O=efw/CN=efw_CA
Wed Aug 11 22:54:43 2010 VERIFY OK: depth=0, /C=IT/O=efw/CN=127.0.0.1
Wed Aug 11 22:54:44 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Aug 11 22:54:44 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 11 22:54:44 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Aug 11 22:54:44 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 11 22:54:44 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Aug 11 22:54:44 2010 [127.0.0.1] Peer Connection Initiated with 192.168.71.25:1194
Wed Aug 11 22:54:46 2010 SENT CONTROL [127.0.0.1]: 'PUSH_REQUEST' (status=1)
Wed Aug 11 22:54:46 2010 PUSH: Received control message: 'PUSH_REPLY,ifconfig 172.16.41.209 255.255.255.0,dhcp-option DOMAIN pluimers.com,ping-restart 30,ping 8,route-gateway 172.16.41.1,route-gateway 172.16.41.1'
Wed Aug 11 22:54:46 2010 OPTIONS IMPORT: timers and/or timeouts modified
Wed Aug 11 22:54:46 2010 OPTIONS IMPORT: --ifconfig/up options modified
Wed Aug 11 22:54:46 2010 OPTIONS IMPORT: route-related options modified
Wed Aug 11 22:54:46 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Aug 11 22:54:46 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{F3F5E8A1-1797-4FA8-902E-3895A2163148}.tap
Wed Aug 11 22:54:46 2010 TAP-Win32 Driver Version 9.6
Wed Aug 11 22:54:46 2010 TAP-Win32 MTU=1500
Wed Aug 11 22:54:46 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.41.209/255.255.255.0 on interface {F3F5E8A1-1797-4FA8-902E-3895A2163148} [DHCP-serv: 172.16.41.0, lease-time: 31536000]
Wed Aug 11 22:54:46 2010 Successful ARP Flush on interface [25] {F3F5E8A1-1797-4FA8-902E-3895A2163148}
Wed Aug 11 22:54:51 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Wed Aug 11 22:54:51 2010 Initialization Sequence Completed

The routing table:

Code:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.71.1   192.168.71.160     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link   169.254.100.145    276
  169.254.100.145  255.255.255.255         On-link   169.254.100.145    276
  169.254.255.255  255.255.255.255         On-link   169.254.100.145    276
      172.16.41.0    255.255.255.0         On-link     172.16.41.209    286
    172.16.41.209  255.255.255.255         On-link     172.16.41.209    286
    172.16.41.255  255.255.255.255         On-link     172.16.41.209    286
     192.168.71.0    255.255.255.0         On-link    192.168.71.160    276
   192.168.71.160  255.255.255.255         On-link    192.168.71.160    276
   192.168.71.255  255.255.255.255         On-link    192.168.71.160    276
    192.168.237.0    255.255.255.0         On-link     192.168.237.1    276
    192.168.237.1  255.255.255.255         On-link     192.168.237.1    276
  192.168.237.255  255.255.255.255         On-link     192.168.237.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.71.160    276
        224.0.0.0        240.0.0.0         On-link     172.16.41.209    286
        224.0.0.0        240.0.0.0         On-link   169.254.100.145    276
        224.0.0.0        240.0.0.0         On-link     192.168.237.1    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.71.160    276
  255.255.255.255  255.255.255.255         On-link     172.16.41.209    286
  255.255.255.255  255.255.255.255         On-link   169.254.100.145    276
  255.255.255.255  255.255.255.255         On-link     192.168.237.1    276
===========================================================================
Logged
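
An added example, not written by any poster in this thread: a longest-prefix-match check over the `route print` table from Reply #6, compared with the first hop of the posted tracert. The function names are made up for illustration, the table is trimmed to the relevant rows, and the parser also accepts the Windows XP layout, where an attached network lists the interface's own address as gateway.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric")

# Rows copied from the Windows 7 routing table in Reply #6 (VMware, multicast
# and broadcast rows left out).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.71.1   192.168.71.160     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      172.16.41.0    255.255.255.0         On-link     172.16.41.209    286
    172.16.41.209  255.255.255.255         On-link     172.16.41.209    286
    172.16.41.255  255.255.255.255         On-link     172.16.41.209    286
     192.168.71.0    255.255.255.0         On-link    192.168.71.160    276
   192.168.71.160  255.255.255.255         On-link    192.168.71.160    276
"""


def parse_routes(text):
    """Parse the five-column rows of `route print`; skip headers and rulers."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue
        dest, mask, gateway, interface, metric = cols
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(interface)
            metric = int(metric)
        except ValueError:
            continue
        # Windows 7 prints "On-link" for attached networks; XP prints the
        # interface's own address in the gateway column instead.
        if gateway == "On-link" or gateway == interface:
            gateway = None
        routes.append(Route(network, gateway, interface, metric))
    return routes


def select_route(routes, destination):
    """Pick the route the table prescribes: longest prefix, then lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def check_first_hop(routes, destination, observed_first_hop):
    """Compare the first hop seen in tracert with what the table prescribes."""
    best = select_route(routes, destination)
    if best is None:
        return {"route": None, "expected_next_hop": None, "follows_table": False}
    # For an on-link route the first (and only) hop is the destination itself.
    expected = best.gateway or destination
    return {
        "route": best,
        "expected_next_hop": expected,
        "follows_table": observed_first_hop == expected,
    }


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    # First hop taken from the tracert output in Reply #6.
    result = check_first_hop(table, "172.16.41.10", "192.168.71.1")
    print("table selects interface:", result["route"].interface)
    print("expected next hop:      ", result["expected_next_hop"])
    print("tracert follows table:  ", result["follows_table"])
```

On the posted data the table selects the TAP interface (on-link) for 172.16.41.10, while the tracert's first hop is the default gateway 192.168.71.1, so the probe for a private VPN address was sent toward the ISP outside the tunnel.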
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #7 on: Friday 13 August 2010, 12:15:49 am »

It seems to be a routing problem.

The tracert shouldn't go outside the VPN tunnel. It should only have 1 hop; test it in WinXP and you'll see only 1 hop.

From OpenVPN readme:

IMPORTANT NOTE FOR VISTA USERS

Note that on Windows Vista, you will need to run the OpenVPN
GUI with administrator privileges, so that it can add routes
to the routing table that are pulled from the OpenVPN server.
You can do this by right-clicking on the OpenVPN GUI
desktop icon, and selecting "Run as administrator".


Did you do it that way? Maybe UAC is blocking the routing command.
Logged
Pluimers
Jr. Member
*
Offline Offline

Posts: 8


« Reply #8 on: Friday 13 August 2010, 01:01:25 am »

The tracert in my XP is indeed 1 hop, that's why I already suspected a routing problem.

From my original message:
Quote
Using Windows 7 x64 and an OpenVPN 2.1.1 client running as Administrator (yes, with the UAC dialogs confirmed) does not run fine.
It can only ping the green gateway, but no other machines.

So: yes I did go through UAC, so I think the route went all right.
Below are two logs from Windows 7: with UAC and without UAC.

How can I find which routing statement should be executed?

Difference in the logs:

With UAC:
Code:
...
Thu Aug 12 16:49:35 2010 TLS: Initial packet from 192.168.71.25:1194, sid=ded44876 ba8dd229
...
Thu Aug 12 16:49:38 2010 Successful ARP Flush on interface [25] {F3F5E8A1-1797-4FA8-902E-3895A2163148}
...

Without UAC:
Code:
...
Thu Aug 12 16:51:13 2010 TLS: Initial packet from 192.168.71.25:1194, sid=e3aed1ba cd50b65c
...
Thu Aug 12 16:51:16 2010 NOTE: FlushIpNetTable failed on interface [25] {F3F5E8A1-1797-4FA8-902E-3895A2163148} (status=5) : Access is denied.  
...

Complete logs:

With UAC:
Code:
Thu Aug 12 16:49:28 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Thu Aug 12 16:49:34 2010 WARNING: No server certificate verification method has been enabled.  See http ://openvpn.net/howto.html#mitm for more info.
Thu Aug 12 16:49:34 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Aug 12 16:49:35 2010 LZO compression initialized
Thu Aug 12 16:49:35 2010 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Aug 12 16:49:35 2010 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Aug 12 16:49:35 2010 Local Options hash (VER=V4): '31fdf004'
Thu Aug 12 16:49:35 2010 Expected Remote Options hash (VER=V4): '3e6d1056'
Thu Aug 12 16:49:35 2010 Attempting to establish TCP connection with 192.168.71.25:1194
Thu Aug 12 16:49:35 2010 TCP connection established with 192.168.71.25:1194
Thu Aug 12 16:49:35 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Aug 12 16:49:35 2010 TCPv4_CLIENT link local: [undef]
Thu Aug 12 16:49:35 2010 TCPv4_CLIENT link remote: 192.168.71.25:1194
Thu Aug 12 16:49:35 2010 TLS: Initial packet from 192.168.71.25:1194, sid=ded44876 ba8dd229
Thu Aug 12 16:49:35 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 12 16:49:35 2010 VERIFY OK: depth=1, /C=IT/O=efw/CN=efw_CA
Thu Aug 12 16:49:35 2010 VERIFY OK: depth=0, /C=IT/O=efw/CN=127.0.0.1
Thu Aug 12 16:49:35 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 12 16:49:35 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 12 16:49:35 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 12 16:49:35 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 12 16:49:35 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Aug 12 16:49:35 2010 [127.0.0.1] Peer Connection Initiated with 192.168.71.25:1194
Thu Aug 12 16:49:38 2010 SENT CONTROL [127.0.0.1]: 'PUSH_REQUEST' (status=1)
Thu Aug 12 16:49:38 2010 PUSH: Received control message: 'PUSH_REPLY,ifconfig 172.16.41.209 255.255.255.0,dhcp-option DOMAIN pluimers.com,ping-restart 30,ping 8,route-gateway 172.16.41.1,route-gateway 172.16.41.1'
Thu Aug 12 16:49:38 2010 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 12 16:49:38 2010 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 12 16:49:38 2010 OPTIONS IMPORT: route-related options modified
Thu Aug 12 16:49:38 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 12 16:49:38 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{F3F5E8A1-1797-4FA8-902E-3895A2163148}.tap
Thu Aug 12 16:49:38 2010 TAP-Win32 Driver Version 9.6
Thu Aug 12 16:49:38 2010 TAP-Win32 MTU=1500
Thu Aug 12 16:49:38 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.41.209/255.255.255.0 on interface {F3F5E8A1-1797-4FA8-902E-3895A2163148} [DHCP-serv: 172.16.41.0, lease-time: 31536000]
Thu Aug 12 16:49:38 2010 Successful ARP Flush on interface [25] {F3F5E8A1-1797-4FA8-902E-3895A2163148}
Thu Aug 12 16:49:43 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Thu Aug 12 16:49:43 2010 Initialization Sequence Completed

Without UAC:
Code:
Thu Aug 12 16:51:04 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Thu Aug 12 16:51:13 2010 WARNING: No server certificate verification method has been enabled.  See http ://openvpn.net/howto.html#mitm for more info.
Thu Aug 12 16:51:13 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Aug 12 16:51:13 2010 LZO compression initialized
Thu Aug 12 16:51:13 2010 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Aug 12 16:51:13 2010 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Aug 12 16:51:13 2010 Local Options hash (VER=V4): '31fdf004'
Thu Aug 12 16:51:13 2010 Expected Remote Options hash (VER=V4): '3e6d1056'
Thu Aug 12 16:51:13 2010 Attempting to establish TCP connection with 192.168.71.25:1194
Thu Aug 12 16:51:13 2010 TCP connection established with 192.168.71.25:1194
Thu Aug 12 16:51:13 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Aug 12 16:51:13 2010 TCPv4_CLIENT link local: [undef]
Thu Aug 12 16:51:13 2010 TCPv4_CLIENT link remote: 192.168.71.25:1194
Thu Aug 12 16:51:13 2010 TLS: Initial packet from 192.168.71.25:1194, sid=e3aed1ba cd50b65c
Thu Aug 12 16:51:13 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 12 16:51:13 2010 VERIFY OK: depth=1, /C=IT/O=efw/CN=efw_CA
Thu Aug 12 16:51:13 2010 VERIFY OK: depth=0, /C=IT/O=efw/CN=127.0.0.1
Thu Aug 12 16:51:13 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 12 16:51:13 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 12 16:51:13 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 12 16:51:13 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 12 16:51:13 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Aug 12 16:51:13 2010 [127.0.0.1] Peer Connection Initiated with 192.168.71.25:1194
Thu Aug 12 16:51:16 2010 SENT CONTROL [127.0.0.1]: 'PUSH_REQUEST' (status=1)
Thu Aug 12 16:51:16 2010 PUSH: Received control message: 'PUSH_REPLY,ifconfig 172.16.41.209 255.255.255.0,dhcp-option DOMAIN pluimers.com,ping-restart 30,ping 8,route-gateway 172.16.41.1,route-gateway 172.16.41.1'
Thu Aug 12 16:51:16 2010 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 12 16:51:16 2010 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 12 16:51:16 2010 OPTIONS IMPORT: route-related options modified
Thu Aug 12 16:51:16 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 12 16:51:16 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{F3F5E8A1-1797-4FA8-902E-3895A2163148}.tap
Thu Aug 12 16:51:16 2010 TAP-Win32 Driver Version 9.6
Thu Aug 12 16:51:16 2010 TAP-Win32 MTU=1500
Thu Aug 12 16:51:16 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.41.209/255.255.255.0 on interface {F3F5E8A1-1797-4FA8-902E-3895A2163148} [DHCP-serv: 172.16.41.0, lease-time: 31536000]
Thu Aug 12 16:51:16 2010 NOTE: FlushIpNetTable failed on interface [25] {F3F5E8A1-1797-4FA8-902E-3895A2163148} (status=5) : Access is denied.  
Thu Aug 12 16:51:21 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Thu Aug 12 16:51:21 2010 Initialization Sequence Completed

--jeroen
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #9 on: Friday 13 August 2010, 03:45:16 am »

I know that you run with UAC dialogs, but there is a way to check an application to run as Administrator. This way might be different rather than with UAC dialogs.

http://www.sevenforums.com/tutorials/11841-run-administrator.html
Try Option 3 or 4
Logged
danielcsgomes
Full Member
***
Offline Offline

Gender: Male
Posts: 23


« Reply #10 on: Friday 13 August 2010, 03:54:38 am »

Quote
I know that you run with UAC dialogs, but there is a way to check an application to run as Administrator. This way might be different rather than with UAC dialogs.

Yesterday I was looking for a way to elevate programs to Run As Administrator, and I used option 3 and it's OK. But here is my problem:

All users have standard accounts, so when it elevates it prompts for the admin password. That's a big problem for me, because I want that application to run as administrator, but I would like to enter and save the Administrator credentials so that the user can start the program without calling me to enter the administrator password.

Is there any solution to that?
Logged

Best regards,

Daniel Gomes
Pluimers
Jr. Member
*
Offline Offline

Posts: 8


« Reply #11 on: Friday 13 August 2010, 08:17:00 am »

(I had to remove the URL from the quote, somehow I'm not allowed to include those in my posts)

I know that you run with UAC dialogs, but there is a way to check an application to run as Administrator. This way might be different rather than with UAC dialogs.

www .sevenforums.com/tutorials/11841-run-administrator.html
Try Option 3 or 4

I always do such things doing option 4 (shortcut, advanced options, run as administrator).

So that part is correct.

Now the routing part: how can I see what routing statement should have been sent from Endian to the OpenVPN client?

Is there someone willing to help me trace this through (for instance by using TeamViewer)?

Many thanks!

--jeroen
Logged
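
An added example, not written by any poster in this thread: a small parser that answers the question above from the client log itself by listing every option in the server's PUSH_REPLY, resolving pushed `route` entries against `route-gateway`, and collecting the warnings and crypto parameters the same log reports. The function names are made up for illustration; the sample lines are copied from the Windows 7 log posted earlier.

```python
import re

# Lines copied from the Windows 7 client log posted in Reply #4.
LOG = """\
Tue Aug 10 18:50:23 2010 WARNING: No server certificate verification method has been enabled.  See http ://openvpn.net/howto.html#mitm for more info.
Tue Aug 10 18:50:24 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Aug 10 18:50:24 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Aug 10 18:50:24 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Aug 10 18:50:27 2010 PUSH: Received control message: 'PUSH_REPLY,ifconfig 172.16.41.209 255.255.255.0,dhcp-option DOMAIN pluimers.com,ping-restart 30,ping 8,route-gateway 172.16.41.1,route-gateway 172.16.41.1'
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'\s*$")


def parse_push_reply(log_text):
    """Return the options of the last PUSH_REPLY as (name, args) tuples, or None."""
    options = None
    for line in log_text.splitlines():
        match = PUSH_RE.search(line)
        if not match:
            continue
        options = []
        for item in match.group(1).split(","):
            tokens = item.split()
            if tokens:
                options.append((tokens[0], tokens[1:]))
    return options


def pushed_routes(options):
    """Resolve 'route network [netmask] [gateway]' entries pushed by the server."""
    gateway = None
    for name, args in options:
        if name == "route-gateway" and args:
            gateway = args[0]
    routes = []
    for name, args in options:
        if name != "route" or not args:
            continue
        # OpenVPN defaults: netmask 255.255.255.255, gateway from route-gateway.
        netmask = args[1] if len(args) > 1 and args[1] != "default" else "255.255.255.255"
        hop = args[2] if len(args) > 2 and args[2] not in ("default", "vpn_gateway") else gateway
        routes.append((args[0], netmask, hop))
    return routes


def log_findings(log_text):
    """Collect WARNING lines plus weak crypto parameters reported in the log."""
    findings = [m.group(1).strip() for m in re.finditer(r"WARNING: (.*)", log_text)]
    cipher = re.search(r"Data Channel Encrypt: Cipher '([^']+)'", log_text)
    if cipher and cipher.group(1).startswith(("BF-", "DES-")):
        findings.append(f"data channel cipher {cipher.group(1)} uses a 64-bit block")
    rsa = re.search(r"(\d+) bit RSA", log_text)
    if rsa and int(rsa.group(1)) < 2048:
        findings.append(f"{rsa.group(1)} bit RSA key on the control channel")
    return findings


if __name__ == "__main__":
    opts = parse_push_reply(LOG)
    for name, args in opts:
        print("pushed:", name, " ".join(args))
    print("pushed routes:", pushed_routes(opts) or "none")
    for finding in log_findings(LOG):
        print("finding:", finding)
```

On the posted log the reply carries `ifconfig` and `route-gateway` but no `route` option, which matches the routing table showing only the connected 172.16.41.0/24 network on the TAP interface.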
Pluimers
Jr. Member
*
Offline Offline

Posts: 8


« Reply #12 on: Friday 13 August 2010, 08:18:45 am »

Quote
I know that you run with UAC dialogs, but there is a way to check an application to run as Administrator. This way might be different rather than with UAC dialogs.

Yesterday I was looking for a way to elevate programs to Run As Administrator, and I used option 3 and it's OK. But here is my problem:

All users have standard accounts, so when it elevates it prompts for the admin password. That's a big problem for me, because I want that application to run as administrator, but I would like to enter and save the Administrator credentials so that the user can start the program without calling me to enter the administrator password.

Is there any solution to that?

I don't think there is a solution to this: UAC is specifically meant to verify that the user can in fact use his/her administrative token.
So the user needs to either be an administrator, or have an administrator user/password combination to elevate to.

--jeroen
Logged
danielcsgomes
Full Member
***
Offline Offline

Gender: Male
Posts: 23


« Reply #13 on: Friday 13 August 2010, 08:30:09 am »

Quote
I know that you run with UAC dialogs, but there is a way to check an application to run as Administrator. This way might be different rather than with UAC dialogs.

Yesterday I was looking for a way to elevate programs to Run As Administrator, and I used option 3 and it's OK. But here is my problem:

All users have standard accounts, so when it elevates it prompts for the admin password. That's a big problem for me, because I want that application to run as administrator, but I would like to enter and save the Administrator credentials so that the user can start the program without calling me to enter the administrator password.

Is there any solution to that?

I don't think there is a solution to this: UAC is specifically meant to verify that the user can in fact use his/her administrative token.
So the user needs to either be an administrator, or have an administrator user/password combination to elevate to.

--jeroen

This is something I've been stuck on for a long time. The point is, users with standard level can work without problems, but if there is an update to the application or they need remote assistance, the program will prompt for an admin user/password.
My office is small (12 machines) and I can go to the machines and take care of the problem, but when you have 1000 machines there has to be a way to do that, or do you give your users admin level on the machines so they can install everything they want?
Logged

Best regards,

Daniel Gomes
Pluimers
Jr. Member
*
Offline Offline

Posts: 8


« Reply #14 on: Friday 13 August 2010, 08:35:02 am »


This is something I've been stuck on for a long time. The point is, users with standard level can work without problems, but if there is an update to the application or they need remote assistance, the program will prompt for an admin user/password.
My office is small (12 machines) and I can go to the machines and take care of the problem, but when you have 1000 machines there has to be a way to do that, or do you give your users admin level on the machines so they can install everything they want?


I think this is something you should ask at either SuperUser.com or ServerFault.com

--jeroen
Logged