With Windows Vista and 7, Microsoft introduced the concept of network classes. Network interfaces can be part of a Private or Public network. When using OpenVPN, one must be careful in which type of network the adapter is placed. By default, OpenVPN's TAP-Win32 adapter is placed in a Public network, which has a side-effect that it is not possible to mount file shares. In this recipe, we will show how to change the network type so that the trusted services such as file sharing are possible over a VPN connection. While this has little to do with configuring the OpenVPN per se, this issue comes up often enough to warrant a recipe.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 7 SP1 and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf
, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks at hand. For the client, keep the configuration file, basic-udp-client.ovpn
, from the Using an ifconfig-pool block recipe in Chapter 2, Client-server IP-only Networks at hand.
basic-udp-server.conf
file:push "route 0.0.0.0 0.0.0.0 vpn_gateway 300"
example9-7-server.conf
. Start the server:[root@server]# openvpn --config example9-7-server.conf
With Windows 7+, each network type has different access rights. The network type with the fewest rights is Public, which means that the applications can set up TCP/IP connections, but they cannot access any of the resources available in the Work or Private networks, such as local printers and the local disks. When sharing resources that are on the same network as the OpenVPN client, this can become an issue.
Windows determines the type of network by looking at whether a default gateway is present for that network. If no default gateway is specified, the network is considered to be untrustworthy and hence it is made public. There is no option to easily change this afterward.
To overcome this peculiarity, we supply a default gateway with a very high metric:
push "route 0.0.0.0 0.0.0.0 vpn_gateway 300"
Using a very high metric, we avoid the problem that all network traffic is routed over the VPN, which can lead to biting-your-own-tail problems.
18.116.42.136