Windows 10 issue with OpenVPN server

[Fitz Mutch]

My Windows 10 laptop connects to the VPN, but it cannot access the remote network. When I change the LAN metric to 100 for the push route, it works! Router is RT-AC68U running Asuswrt-Merlin 380.68_4. Here's my fix:

/jffs/scripts/openvpnserver1.postconf

#!/bin/sh

push_lan_metric=100
/bin/sed -r -i 's/(^push .* vpn_gateway ).*(")/\1'${push_lan_metric}'\2/' "$1"

 

[unsynaps]

Odd. Never had this issue and I have been using the VPN from two Win10 machines a lot lately.

 

[Fitz Mutch]

Odd. Never had this issue and I have been using the VPN from two Win10 machines a lot lately.

It's only an issue when the private LAN address range (i.e. 192.168.1.0/24) is the same for both local and remote networks.

 

[martinr]

It's only an issue when the private LAN address range (i.e. 192.168.1.0/24) is the same for both local and remote networks.

Out of interest, then, what would happen, say, when not only the address range matches but the IP address does, too, eg you attempt to contact a remote device at 192.168.1.5, and there is also a device on the local network with IP address 192.168.1.5?

(Like me, I expect most people choose their home address range such that it is unlikely ever to clash with that of any remote network they might log onto and from which they intend to connect to their remote, home VPN server.)

 

[Fitz Mutch]

Out of interest, then, what would happen, say, when not only the address range matches but the IP address does, too, eg you attempt to contact a remote device at 192.168.1.5, and there is also a device on the local network with IP address 192.168.1.5?

Have a look at your IPv4 Route Table in Windows. Type 'route print'.

When my Windows laptop is connected to the router VPN, I think Windows assumes there is two different routes to the same destination network 192.168.1.0/24. So it uses the LAN metric to decide which route to take having the least cost.

If my push route for OpenVPN server is:

push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"

Then my IPv4 Route Table in Windows has these lines:

Network Destination        Netmask          Gateway       Interface  Metric  
192.168.1.0                255.255.255.0    On-link   192.168.1.185     266  
192.168.1.0                255.255.255.0    On-link        10.8.0.2     500

This confuse Windows and prevent me from accessing the remote network.

My tweak fix the problem:

Network Destination        Netmask          Gateway       Interface  Metric  
192.168.1.0                255.255.255.0    On-link        10.8.0.2     100  
192.168.1.0                255.255.255.0    On-link   192.168.1.185     266

Like me, I expect most people choose their home address range such that it is unlikely ever to clash with that of any remote network they might log onto and from which they intend to connect to their remote, home VPN server.

Yes, that's how to avoid this issue.

 

[martinr]

Have a look at your IPv4 Route Table in Windows. Type 'route print'.

When my Windows laptop is connected to the router VPN, I think Windows assumes there is two different routes to the same destination network 192.168.1.0/24. So it uses the LAN metric to decide which route to take having the least cost.

If my push route for OpenVPN server is:

push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"

Then my IPv4 Route Table in Windows has these lines:

Network Destination        Netmask          Gateway       Interface  Metric
192.168.1.0                255.255.255.0    On-link   192.168.1.185     266
192.168.1.0                255.255.255.0    On-link        10.8.0.2     500

This confuse Windows and prevent me from accessing the remote network.

My tweak fix the problem:

Network Destination        Netmask          Gateway       Interface  Metric
192.168.1.0                255.255.255.0    On-link        10.8.0.2     100
192.168.1.0                255.255.255.0    On-link   192.168.1.185     266

Yes, that's how to avoid this issue.

Many thanks for the explanation, Fitz.

 

[unsynaps]

It's only an issue when the private LAN address range (i.e. 192.168.1.0/24) is the same for both local and remote networks.

Ahhh. OK. Yeah. Private on home network is 192.168. Work is 10.10.

What exactly is that sed command doing though?

EDIT: seems to be the same thing that https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files explains.