Ask The Oracle

...A Tech blog for Engineers, Software Devs, and Computer Geeks

How to Make OpenVPN work with the Windows 7 Firewall

Written by BobW on October 1st, 2013

OpenVPN is a robust open source VPN application that provides a secure, encrypted link between computers over a public network (i.e. the Internet). I have installed it on many different computers over the years, and I have successfully run OpenVPN under Windows using third party firewalls. I was more than a little surprised when I tried to set up a VPN at the office of one of my consulting clients and found that OpenVPN would not work with the Windows 7 built-in firewall. If I turned off the firewall, everything worked fine. Of course, it does not make much sense to set up a VPN for security but leave the firewall turned off.

I figured this must be a common problem, so I used Google to search for the solution but I could not find one. I found that there were many questions online about this problem, but there were no good solutions posted. There were bits and pieces of information on this issue, some helpful and some wrong.

It took some time but I figured out how to get it to work. I wrote this article to help the rest of you find instructions on how to solve this problem. I hope it saves you from many hours of frustration getting your VPN to work.

To Start 

Before you begin, make sure that your VPN works correctly under Windows 7 with the firewall turned off. This article does not describe how to install OpenVPN; there are many good tutorials online to help you with that. This article describes how to make OpenVPN work with the Windows 7 built-in firewall.

First steps:

Note: This tutorial assumes that you are using the standard OpenVPN installation with the OpenVPN GUI tool under Windows 7. However, the procedure will also work without the GUI tool.

1)      Make sure that OpenVPN works with the firewall turned off.
2)      Turn the firewall back on.
3)      Make sure that you are running the OpenVPN GUI as Administrator on both the client and the server. Otherwise the two sides will connect but will not communicate.

The Problem of Public Networks

The problem with running the VPN with the firewall on is that Windows classifies the VPN network as a public network because the VPN adapter does not have a default gateway. In Figure 1, you can see that the last network connection (OpenVPN) is shown as “Unidentified network, Public network”. This is the cause of the problem: the VPN will not work while the connection is classified as a public network.

Figure 1 VPN is Public Network

Notice that the other network, Network 5, is shown as a “Work network”. If you click on “Work network” you will get a dialog box that lets you change the type of network connection (home, work or public network). However, for the “Unidentified network” (OpenVPN) this does not work: if you click on “Public network”, nothing happens.

Here is how you change the VPN to a Work network.

1)      In the upper left corner of the Network dialog, click on “Change adapter settings”.
2)      Select the VPN adapter.
3)      Right click and select Properties.
4)      Select “Internet Protocol Version 4” and click the Properties button.
5)      Click the “Advanced” button.
6)      Under Default gateways, click the “Add” button.
7)      Add the gateway address (See Gateway Setting below) leaving the “Automatic metric” checkbox checked.
8)      Click OK and save all settings.

Gateway Setting

You will need to add the address of the gateway for your VPN network. If your VPN is set up to use addresses starting at 10.8.0.1, then set the gateway to 10.8.0.2 (in your server configuration file there is a line “server 10.8.0.0 255.255.255.0” that specifies the address range for your VPN).

Figure 2 Setting default Gateway

Once you add the address, Windows will recognize the new network connection. If you are asked what type of connection it is, select “Work network”. Otherwise, open the Network and Sharing Center from the Control Panel. You should see the new network connection. If it is not set to “Work network”, click on “Public network” and you should now be allowed to change it to “Work network”.

Figure 3 VPN is Work Network

Getting the Client Side to Work

The client side of the VPN will have a similar problem with public networks. The solution for the client is simpler. Edit the server configuration file and add the following lines at the end:

; Fix for problem with client side Windows 7 firewall
; (Goes in Server config file)
push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"

This pushes a fake route and default gateway to the client. The fake gateway makes the network connection type editable. Open the Network and Sharing Center on the client computer. If your client VPN network shows up as a Work network, you are all set. Otherwise, on your VPN network connection, click on “Public network” under the network name and change it to a Work network.
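As an added illustration (not code from the article), a small Python checker for the two details the Gateway Setting section and the server config above turn on: it derives the gateway address to type into the adapter from the “server” line, and it lints the pushed lines for curly quotes (the paste problem noted in the comments) and for a default route pushed without a route-metric. The sample config is constructed for the example.

```python
import ipaddress

# Constructed sample (not from the article): a server.conf fragment with the
# two lines the article adds, pasted from a web page so they carry curly quotes.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
; Fix for problem with client side Windows 7 firewall
push “route-metric 512”
push “route 0.0.0.0 0.0.0.0”
"""

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"


def gateway_for_server_line(conf):
    """Derive (server address, gateway to enter in the TAP adapter's IPv4
    settings) from the 'server NET MASK' line, following the article's
    convention: server is the first host (10.8.0.1), gateway is the second."""
    for line in conf.splitlines():
        parts = line.strip().split()
        if len(parts) >= 3 and parts[0] == "server":
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
            hosts = list(net.hosts())
            return str(hosts[0]), str(hosts[1])
    return None


def check_push_lines(conf):
    """Lint the push directives: curly quotes are ordinary characters to
    OpenVPN's parser, so the line is mangled; and a pushed default route
    without a route-metric is not guaranteed to lose to the client's real one."""
    problems = []
    saw_metric = saw_default = False
    for n, line in enumerate(conf.splitlines(), 1):
        s = line.strip()
        if not s.startswith("push"):
            continue
        if any(q in s for q in CURLY_QUOTES):
            problems.append(f"line {n}: curly quotes in push directive, use straight quotes")
        body = s[len("push"):].strip().strip("\"'" + CURLY_QUOTES)
        saw_metric = saw_metric or body.startswith("route-metric")
        saw_default = saw_default or body.startswith("route 0.0.0.0 0.0.0.0")
    if saw_default and not saw_metric:
        problems.append("default route pushed without route-metric; add push \"route-metric 512\" first")
    return problems
```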

Test

1)      On the server side, the OpenVPN GUI icon should be “green”, indicating that a connection has been made.

Figure 4 Server Connected

2)      Hover the mouse over the OpenVPN GUI icon in the Windows tray at the bottom right of your screen. It will display the server address (in my case “Assigned IP: 10.8.0.1”).
3)      On the client side, make sure that the OpenVPN GUI icon is green, showing a successful connection.
4)      Get the address of the client by hovering the mouse over the OpenVPN GUI icon.
5)      From the server, open a command window (click the Windows button and type “cmd”).
6)      Type “ping 10.8.0.XX”, using your client’s address instead of “10.8.0.XX”.
7)      If you get a response, your server can talk to the client.
8)      From the client, ping your server (i.e. “ping 10.8.0.1”, using your server’s address instead of 10.8.0.1).
9)      If you get a response, your client can talk to the server. Your VPN should be working.

Figure 5 Ping the Client

Conclusion

This procedure allows you to connect a Windows 7 server and client with OpenVPN while the built-in Windows 7 firewall stays on. It is not a complicated procedure. If you see anything that you would like to add to this write-up, please leave a comment. I hope this saves you a lot of time and frustration setting up your VPN.

2 Comments

  1. hennot says:

    When you copy server configuration from this blog article, be sure to replace diagonal quotation marks with vertical (normal) ones. Then check if client got gateway correctly.

  2. hennot says:

    Even after getting the network type from public to private, I still couldn’t ping the client from the server (the client was able to ping the server) when the firewall is on. I found that in Windows Advanced Firewall the “File and Printer Sharing (Echo Request – ICMPv4-In)” rule’s Scope tab has Local subnet in Remote IP address, and the client was in the 10.100.3.58/255.255.255.252 network and the server was 10.100.0.1.

    Of course I could just remove the local subnet restriction from all the File and Print rules for private networks, but if anyone has a better idea, I would appreciate sharing it.
