I got it working at last.
The howto is very good. The only thing that really got me stuck is that on my Windows 2000 box the tap interface did not get an IP address.
I could see with "ipconfig /all" that it had a DHCP server address but no IP.
This was solved by reading the man page and finding the option:
ip-win32 ipapi
in my client xx.ovpn config file.
I also deleted the lines in the server conf about auth and logoff.sh.
My whole setup, using routing and not bridging, is shown below:
server:
================================
#TUN setup (routing not bridging)
mode server
duplicate-cn
port 1194
dev tun #instead of dev tap
tls-server
dh dh1024.pem
ca ca.crt
cert SERVER.crt
key SERVER.key
#here authentication. Without it this
#setup is not safe: your laptop might
#be stolen.
#you could put the client keys on i-keys
#with pincode, or use a passphrase in the
#client ssl keys.
#the two lines below use password authentication.
#not perfect but better than nothing any time.
auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh
ifconfig 192.168.100.1 192.168.100.2
# IP range for openvpn clients
ifconfig-pool 192.168.100.5 192.168.100.200
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
#route to be established on the server
route-up "route delete -net 192.168.100.0/24"
route-up "route add -net 192.168.100.0/24 tun0"
#route to push to the other side
push "route 172.16.1.0 255.255.255.0"
push "ping 10"
push "ping-restart 60"
push "dhcp-option DOMAIN hansceess.net" #push the DNS domain suffix
push "dhcp-option DNS 172.16.1.1" #push DNS entries to openvpn client
push "route 192.168.100.1"
comp-lzo
status-version 2
status openvpn-status.log
verb 5
===========================================
config on the Windows 2000 client:
=======================================
port 1194
dev tun
remote 192.168.0.114
tls-client
auth-user-pass
ca ca.crt
cert CLIENT.crt
key CLIENT.key
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
#ifconfig 192.168.100.2 192.168.100.1
#ip-win32 ipapi|manual|dynamic|netsh (see man page;
#use when the IP address on the interface does not
#appear, but the DHCP server is visible in
#ipconfig /all)
ip-win32 ipapi
comp-lzo
verb 5
=====================================
This works for me. In iptables on the server you need rules like this one, to let traffic pass through the VPN box to networks behind it:
/sbin/iptables --append FORWARD -i tun0 -j ACCEPT
Hans-Cees
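The server config above calls `auth-user-pass-verify ./validate.sh via-env` but the post does not show validate.sh itself. The script below is an added example of what such a checker can look like; it is not Hans-Cees's script and not part of the OpenVPN distribution. What it relies on from OpenVPN is documented behaviour: with `via-env` the daemon exports the client's login as `$username` and `$password` and accepts the client only if the script exits 0 (OpenVPN 2.1 and later additionally require `script-security 3` in the server config before a password may be passed through the environment; the man page marks this mode as potentially unsafe because a process environment can be readable by other local users, `via-file` is the alternative). The credential file format (`username:salt:sha256hex(salt+password)`), the path `/etc/openvpn/vpn-users` and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# validate.sh: example credential checker for
#   auth-user-pass-verify ./validate.sh via-env
# OpenVPN exports the client's login as $username and $password and accepts
# the client when this script exits 0; any other exit status rejects it.
# (OpenVPN 2.1+ also needs "script-security 3" for via-env to work.)
#
# Credential file format (hypothetical, this example's own):
#   username:salt:sha256hex(salt + password)
# Keep the file mode 0600, owned by the user OpenVPN runs as.

CRED_FILE="${CRED_FILE:-/etc/openvpn/vpn-users}"   # assumed location

# hex SHA-256 of SALT followed by PASSWORD; printf, not echo, so no stray newline
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# make_entry USER SALT PASS: print one credential-file line
make_entry() {
    printf '%s:%s:%s\n' "$1" "$2" "$(hash_password "$2" "$3")"
}

# new_salt: 16 hex characters from the kernel RNG, for adding users
new_salt() {
    head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# check_credentials USER PASS FILE: status 0 for a valid login, 1 otherwise
check_credentials() {
    user="$1"; pass="$2"; file="$3"

    # refuse empty names and anything outside a conservative charset, so a
    # client cannot smuggle ':' or shell metacharacters into the lookup
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ -n "$pass" ] || return 1
    [ -r "$file" ] || return 1

    # exact match on the first field only: a substring grep for "alice:"
    # would also hit the entry for "malice"
    entry=$(awk -F: -v u="$user" '$1 == u { print $2 ":" $3; exit }' "$file")
    [ -n "$entry" ] || return 1
    salt=${entry%%:*}
    stored=${entry#*:}

    [ "$(hash_password "$salt" "$pass")" = "$stored" ]
}

# When invoked by OpenVPN, $username is always set: check it and report back.
if [ -n "${username:-}" ]; then
    if check_credentials "$username" "${password:-}" "$CRED_FILE"; then
        exit 0
    fi
    exit 1
fi
```

To add a user, append `make_entry alice "$(new_salt)" 'her password'` to the credential file; the per-user salt means two users with the same password get different lines, and an attacker who reads the file still has to brute-force each hash separately. The charset check on the username is what keeps the awk lookup safe; without it the username is attacker-controlled input reaching a script run as the OpenVPN user.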