Opened 6 years ago

Closed 5 years ago

#453 closed Bug / Defect (fixed)

TAP broken with 2.3.4-i003 Win7/Win8/Srv2008R2 client AND server

Reported by: Joachim_Otahal Owned by:
Priority: major Milestone:
Component: tap-windows Version: OpenVPN 2.3.4 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: Tap, server, client
Cc:

Description

Up to now ALL 2.3.x versions were not able to be run as TAP server with Server 2008 R2 or Windows 7.
I had to switch down ALL of them to OpenVPN 2.2.2, where each time they worked "right out of the box", i.e. same config files as for 2.3.4. The setup is as usual: network bridge, and each openvpn adapter named VPN01, VPN02 etc, and using dev-node.
The connection is done successfully, but apart from that no go.

But now it is getting worse:
openvpn-install-2.3.4-i003-x64_64.exe and openvpn-install-2.3.4-I603-x86_64.exe both cannot do any TAP even on the client side (Win 7 x64 and Win 8.1 x64). No ping, no arp, nothing.
I already had several installs and calls, and the solution for all was: Use openvpn-install-2.3.4-I002-x86_64.exe - and then it worked.

I could live a little longer with the Server-TAP not working and sticking to version 2.2.2, but on the client side is not so funny.

Attachments (2)

client-config.ovpn (197 bytes) - added by Joachim_Otahal 6 years ago.
Client config working from 2.2.2 to 2.3.4-i002 x64, not working with 2.3.4-i003 x64
server-21.ovpn (184 bytes) - added by Joachim_Otahal 6 years ago.
Server config working with 2.2.2 on 2008 R2, not working with ANY 2.3.x

Download all attachments as: .zip

Change History (15)

comment:1 Changed 6 years ago by plaisthos

Can you attach your client/server configuration? Maybe you are using usual options. And can you try out to find out /where/ the packets are lost? (-verb 5 or higher iirc)

Changed 6 years ago by Joachim_Otahal

Attachment: client-config.ovpn added

Client config working from 2.2.2 to 2.3.4-i002 x64, not working with 2.3.4-i003 x64

Changed 6 years ago by Joachim_Otahal

Attachment: server-21.ovpn added

Server config working with 2.2.2 on 2008 R2, not working with ANY 2.3.x

comment:2 Changed 6 years ago by Joachim_Otahal

Be aware, I've tried a few of things on the server side before giving up and using 2.2.2 again, including:


local <lan IP address of VPN bridge>


dev VPN21
dev-mode tap
dev-node VPN21


dev tap
dev-node VPN21


comment:3 Changed 6 years ago by Joachim_Otahal

Switched from working 2.3.4-i002 for testing purposes on Win 8.1 x64 to
openvpn-install-2.3.4-I603-x86_64.exe
Connects, but no ping.
clicking "disconnect" on OpenVPN does not exit openvpn.
Killing the task with the taskmanager does not exit the task too, even worse, when trying to kill it again it says "cannot kill, you are trying to access a process which is about to exit" (Translated from German...).
verb 5 log:

Wed Oct 01 12:45:48 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Wed Oct 01 12:45:48 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Wed Oct 01 12:45:48 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Oct 01 12:45:48 2014 open_tun, tt->ipv6=0
Wed Oct 01 12:45:48 2014 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{798E4851-4EF5-4C25-861D-7056FB39F2A4}.tap
Wed Oct 01 12:45:48 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.114.140/255.255.255.0 on interface {798E4851-4EF5-4C25-861D-7056FB39F2A4} [DHCP-serv: 192.168.114.0, lease-time: 31536000]
Wed Oct 01 12:45:48 2014 Successful ARP Flush on interface [8] {798E4851-4EF5-4C25-861D-7056FB39F2A4}
Wed Oct 01 12:45:48 2014 UDPv4 link local (bound): [undef]
Wed Oct 01 12:45:48 2014 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:20021
Wed Oct 01 12:45:49 2014 Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:20021
Wed Oct 01 12:45:54 2014 Initialization Sequence Completed

Rebooting the machine now to get rid of the openvpn.exe task.

comment:4 Changed 6 years ago by Joachim_Otahal

Switched to openvpn-install-2.3.4-I003-x86_64.exe, and I have to correct myself at one point, TAP connection is working. And the openvpn tasks exits nicely and does not have to be killed via reboot.

However the SSL VPN Method is not working with any 2.3.4, 2.3.2 does it fine (though this has nothing to do with this bug, may be a completely different issue).

Config:

client
dev tun
proto tcp
remote XXX.XXX.XXX.XXX
tls-remote "/C=de/L=XXX/O=XXX/CN=XXX/emailAddress=XXX@XXX.de"

route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
ca XXX.ca.crt
cert XXX.ca.crt
key XXX.ca.crt
auth-user-pass
cipher AES-128-CBC
auth MD5
comp-lzo 
route-delay 4
verb 3
reneg-sec 0
auth-user-pass C:\\XXX.txt

An log: Nothing, not even a log file created.

Last edited 6 years ago by Joachim_Otahal (previous) (diff)

comment:5 Changed 6 years ago by sergey_platov

I have similar issue with openvpn-install-2.3.4-I605-x86_64.exe installed both on Windows 7 server and client hosts. The session can be established and can be dropped on the client side, but openvpn.exe process hangs on the server after connection is established. The following messages are present in the server log:

Thu Oct 30 08:34:21 2014 user/192.168.0.3:56790 MULTI: Outgoing TUN queue full, dropped packet len=54
Thu Oct 30 08:34:21 2014 user/192.168.0.3:56790 MULTI: Outgoing TUN queue full, dropped packet len=110
Thu Oct 30 08:34:21 2014 user/192.168.0.3:56790 MULTI: Outgoing TUN queue full, dropped packet len=110
Thu Oct 30 08:34:21 2014 user/192.168.0.3:56790 NOTE: --mute triggered...

The following config is used for server and client connections after (un)commenting appropriate sections and updating authorization options:

# Common options:
port 1194
dev tap
keepalive 10 120
persist-key
persist-tun
verb 4
mute 3
comp-lzo no

# Server options:
proto tcp-server
local 192.168.0.2
server 172.27.10.0 255.255.255.0
float
client-to-client
duplicate-cn
tcp-nodelay

# Client options:
#connect-retry-max 2
#client
#proto tcp-client
#remote 192.168.0.2
#nobind

# Auth options
ca "ca.crt"
cert "server.crt"
key "server.key"
dh "dh1024.pem"

UPD: My issue is still reproducible with openvpn-install-2.3.5-I601-x86_64.exe

Last edited 6 years ago by sergey_platov (previous) (diff)

comment:6 Changed 6 years ago by Samuli Seppänen

Some of these issues could be caused by bugs in the new tap-windows6 driver or OpenVPN 2.3's interaction with it. You should try the latest OpenVPN installers which have some tap-windows6-related fixes in them. I'll provide a new tap-windows6 installer separately which fixes one additional issue. Later I'll push out updated OpenVPN installers that have this new tap-windows6 driver in them.

comment:7 Changed 6 years ago by Joachim_Otahal

openvpn-install-2.3.5-I601-x86_64.exe + tap-windows-9.9.2_3.exe

Works on client side!
I cannot tell when I'll be able to test the server side, but on client side it works with dev tap, in all cases I have here.

comment:8 Changed 6 years ago by Samuli Seppänen

Joachim_Otahal: could you also try installing openvpn-install-2.3.5-I601-x86_64.exe and on top of that tap-windows-9.21.1.exe? Those two should fix all known issues in OpenVPN <-> tap-windows6 interaction (e.g. this one).

Some of the funkiness you've encountered could have been caused by multiple installations of OpenVPN, tap-windows and tap-windows6 on the same computer. In particular installing 32-bit and 64-bit versions side-by-side or in a row may cause issues. Uninstalling old versions before installing the new ones usually helps.

Last edited 6 years ago by Samuli Seppänen (previous) (diff)

comment:9 Changed 6 years ago by Joachim_Otahal

Openvpn: Tap uninstall, openvpn uninstall.
Install openvpn-install-2.3.5-I601-x86_64.exe + tap-windows-9.21.1.exe

Looks good on client side.
TAP vpn, TUN vpn and SSL-TUN/TAP working (Win 8.1 x64).

As for the funkiness: Always clean install, no mixed openvpn version. Would be a bad test style and difficult to reproduce to have multiple of them active at the same time.

Last edited 6 years ago by Joachim_Otahal (previous) (diff)

comment:10 Changed 6 years ago by Samuli Seppänen

Just a FYI: I released a new Windows installers (2.3.5-I602) with tap-windows-9.21.1 last Friday. No need to install tap-windows-9.21.1 separately anymore.

comment:11 Changed 6 years ago by Samuli Seppänen

Does the latest OpenVPN release (2.3.5-I602 or above) fix the issue on server-side also?

comment:12 Changed 6 years ago by Joachim_Otahal

I tested upgrading (uninstall, reboot, install, config) a Server 2008 R2 which was still running OpenVPN 2.2.2 due to that issue. Has 30 TAP VPN's (+ some TUN VPN's). I used openvpn-install-2.3.5-I602-x86_64.exe.
So far it looks good!

comment:13 Changed 5 years ago by Samuli Seppänen

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.