    OpenVPN Server stopped working.

thedoginthewok

      Hello,

I set up an OpenVPN server with pfSense nearly a year ago and it was working fine (performance was very good).

Now I've tried to change the local network, because we recently changed our subnet mask to 255.255.255.0.

      Previous Local Network Setting: 192.168.175.0/24

      Local Network Setting Now: 192.168.0.0/16

      (This is all I changed! Nothing else.)

      This is the content of my server.conf file:

      dev ovpns2
      dev-type tun
      dev-node /dev/tun2
      writepid /var/run/openvpn_server2.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 217.86.177.169
      tls-server
server 192.168.82.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      client-cert-not-required
      username-as-common-name
      auth-user-pass-verify /var/etc/openvpn/server2.php via-env
      tls-verify /var/etc/openvpn/server2.tls-verify.php
      lport 1194
      management /var/etc/openvpn/server2.sock unix
      max-clients 25
      push "route 192.168.0.0 255.255.0.0"
      push "dhcp-option DOMAIN APICON.local"
      push "dhcp-option DNS 192.168.175.230"
      push "dhcp-option WINS 192.168.175.230"
      duplicate-cn
      ca /var/etc/openvpn/server2.ca 
      cert /var/etc/openvpn/server2.cert 
      key /var/etc/openvpn/server2.key 
      dh /etc/dh-parameters.1024
      tls-auth /var/etc/openvpn/server2.tls-auth 0
      comp-lzo
      persist-remote-ip
      float

So I can still connect to my server just fine. I can ping the pfSense box (which is 192.168.175.250), but I can't ping anything else.

I can even access the pfSense web GUI over the VPN, but nothing else works. I have no idea why this is.

doktornotor

192.168.0.0/16? This is an absolutely, totally horrible idea. You've cut off any remote LAN in the 192.168. range. And yes, that includes the overlapping 192.168.82.0/24.

        Congrats.

kejianshi

          haha - you beat me to it.

          Yeah - I would move all your subnets to 10.something.something.something

          Also wouldn't push a /16 unless there was a great reason for it.

          Better to have a few distinct and uncommon /24s and push a few /24s

doktornotor

            And if you seriously need /16 and 65K hosts, then use something in the 10/16 range.

thedoginthewok

              Thank you for the replies. As soon as you mentioned it, I understood what the problem was. (I'm a dumbass.)

              The /16 is a temporary fix for an annoying problem.

We have about 50 client computers with fixed IPs all over the 192.168.175.0 network. The DHCP server was constantly assigning IPs that were already in use. So I changed the subnet mask on every client with a fixed IP for a quick and dirty fix done on a Friday evening.

              I know that it's not a good idea, but it's only temporary. I first have to assign the 50 clients to useful IPs and then set a DHCP range outside of those, so that our other client computers don't have issues.

phil.davis

                If you just need some more space around "175" you can just reduce the netmask a little bit, e.g.
                192.168.174.0/23 = 192.168.174.0 to 192.168.175.255 (netmask 255.255.254.0)
                or
                192.168.172.0/22 = 192.168.172.0 to 192.168.175.255 (netmask 255.255.252.0)

                then you don't overlap a whole lot of other stuff.
                You can then make the DHCP range in the space outside of "175" to quickly get DHCP clients away from the random static stuff in 175 - whatever you do if you want the DHCP clients to talk to things in 175, then the things in 175 have to have their netmask changed.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

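Added example (not part of the thread): a small standard-library Python check for the overlap doktornotor points out and for the /23 and /22 blocks phil.davis suggests. The tunnel subnet and the two local-network values come from the posted server.conf; the remote client's home LAN 192.168.1.0/24 is a constructed value.

```python
import ipaddress

# Values taken from the thread: the tunnel subnet from the posted server.conf line
# "server 192.168.82.0 255.255.255.0", and the two "IPv4 Local Network" settings
# the original poster tried. Everything else here is constructed for the example.
TUNNEL_NET = ipaddress.ip_network("192.168.82.0/24")
OLD_LOCAL = "192.168.175.0/24"
NEW_LOCAL = "192.168.0.0/16"


def overlapping_networks(local_net, *others):
    """Return the networks in `others` that the pushed route for `local_net` overlaps.

    A pushed "route" that covers the tunnel subnet, or a remote client's own LAN,
    is the failure doktornotor describes: those addresses are steered by the wrong
    route, so the tunnel (or the client's home LAN) stops being reachable.
    """
    net = ipaddress.ip_network(local_net)
    return [o for o in (ipaddress.ip_network(str(n)) for n in others) if net.overlaps(o)]


def widen_block(host, prefixlen):
    """Return the aligned block of the given prefix length that contains `host`.

    This is phil.davis's suggestion: grow 192.168.175.0/24 to a /23 or /22 by
    rounding down to the block boundary instead of jumping to a /16.
    """
    return ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)


def describe_block(net):
    """Range and dotted netmask in the same notation phil.davis used."""
    return f"{net} = {net.network_address} to {net.broadcast_address} (netmask {net.netmask})"


if __name__ == "__main__":
    # Constructed remote-client LAN, to show the "cut off any remote LAN" point.
    HOME_LAN = "192.168.1.0/24"
    for local in (OLD_LOCAL, NEW_LOCAL):
        hit = overlapping_networks(local, TUNNEL_NET, HOME_LAN)
        print(f"{local}: overlaps {[str(h) for h in hit] or 'nothing'}")
    for plen in (23, 22):
        print(describe_block(widen_block("192.168.175.0", plen)))
```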
thedoginthewok

                  Thank you phil.davis, that's exactly what I did.

                  Everything is working now.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.