OpenVPN routing issue?
-
Hi guys, been pulling my hair out trying to set up a basic OpenVPN server to PC client.
I started to use a tutorial link here.
Only to realise the AES security didn't match on the tutorial page (so changed it all to AES-256-CBC).
The OpenVPN server wouldn't start the daemon, which was then fixed due to an IP issue with the VPN server: 10.10.10.1/24, where it needed a 0 instead of a 1.
If I changed it to /8, it also caused the daemon to stop.
Now I've managed to get the client to connect, but it can't see the LAN IPs. No pinging LAN.
I have the following (have I done this right??)
10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP (LAN only)
10.1.1.2/8 - pfSense (mainly gateway, firewall and VPN server)
OpenVPN server set to 10.1.10.0/24
pfSense OpenVPN server provides DHCP to its clients (10.10.10.1-254)
Ticked - Force all client-generated IPv4 traffic through the tunnel.
OpenVPN clients are given 10.1.1.3 DNS & NTP
push "route 10.1.1.0 255.0.0.0" added to config
When the OpenVPN client connects, they connect, but the routing doesn't work. Can't ping anything apart from the pfSense box.
route addition failed using service: the parameter is incorrect [status=87 if_index=36]
What am I doing wrong?
-
@Solway said in OpenVPN routing issue?:
what am i doing wrong?
Using weird tutorials and not the Netgate ones.
Start here:
https://docs.netgate.com/pfsense/en/latest/book/openvpn/using-the-openvpn-server-wizard-for-remote-access.html
-Rico
-
Yes, been looking all over that,
but when I do...
Tunnel Network 10.10.1.0/8
Local Network 10.1.1.0/8
the OpenVPN daemon crashes and won't start.
If I change local network to 10.1.1.0/24 it works, and connects, but doesn't allow VPN clients to see the LAN.
Can't figure it out.
-
The networks you specify are overlapping. Why the F do you use /8 networks...you really have over 16 million devices there?
-Rico
-
Just want a quick solution to work for the moment.
I'm in the process of setting up an AD environment, it's going to all change.
What should I use to prevent overlap?
-
Set your tunnel network to anything other than 10.0.0.0/8, because your LAN is eating all the space for this network.
Just use something like 192.168.123.0/24 for the tunnel. But stay in RFC1918 space!!
I'd recommend renumbering your LAN to something realistic...
-Rico
-
Just realised my F up, I blame Windows and its auto 255.0.0.0 subnet stuff.
I'll do
10.1.1.0/22 LAN
10.2.1.0/24 for tunnel
-
Yeah that would be Okay.
-Rico
-
I've quickly changed to
10.1.1.0/8 LAN
192.168.123.0/24 for tunnel
so I didn't have to change the LAN,
but the daemon crashes on this:
[error] Unable to contact daemon Service not running? 0
Sep 9 15:22:57 syslogd kernel boot file is /boot/kernel/kernel
Sep 9 15:23:00 php-fpm /status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1.conf'' returned exit code '1', the output was ''
Sep 9 15:23:00 php-fpm OpenVPN failed to start
Sep 9 15:23:00 openvpn 92899 Options error: --server directive network/netmask combination is invalid
Sep 9 15:23:00 openvpn 92899 Use --help for more information.
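An added example, not code from this thread or from pfSense/OpenVPN: a small Python check, using only the standard `ipaddress` module, that catches the two mistakes appearing above before the daemon is started: a `--server` network whose host bits are set under its mask (what produced the "network/netmask combination is invalid" error), and a tunnel that falls inside the LAN once a classful 255.0.0.0 mask is applied. The sample addresses are taken from the thread; the pushed-route check mirrors the same host-bits rule and is an assumption, not an OpenVPN validation.

```python
import ipaddress

# Constructed from the addressing discussed in the thread (not config pulled from pfSense).
LAN_AS_WINDOWS_SEES_IT = "10.1.1.3/8"        # a 255.0.0.0 mask makes all of 10.0.0.0/8 "local"
PUSHED_ROUTE = ("10.1.1.0", "255.0.0.0")     # the push "route ..." line from the first post


def network_or_error(network: str, netmask: str):
    """Return (IPv4Network, None) if network/netmask names a real network address,
    else (None, message). OpenVPN's --server rejects host bits under the mask with
    'network/netmask combination is invalid'; strict=True applies the same rule."""
    try:
        return ipaddress.IPv4Network(f"{network}/{netmask}", strict=True), None
    except ValueError as exc:
        return None, str(exc)


def effective_network(cidr: str) -> ipaddress.IPv4Network:
    """What a host address plus its mask actually covers (host bits dropped)."""
    return ipaddress.ip_network(cidr, strict=False)


def audit(lan_cidr: str, tunnel_network: str, tunnel_mask: str, pushed_routes=()) -> list:
    """Check a remote-access plan for the faults the thread ran into:
    an invalid --server network/netmask, and a tunnel that overlaps the LAN."""
    problems = []
    tunnel, err = network_or_error(tunnel_network, tunnel_mask)
    if err:
        # The daemon will refuse to start; nothing else is worth checking yet.
        return [f"--server: {err}"]
    lan = effective_network(lan_cidr)
    if lan.overlaps(tunnel):
        problems.append(f"tunnel {tunnel} overlaps LAN {lan}; pick a tunnel outside it")
    if not tunnel.is_private:
        problems.append(f"tunnel {tunnel} is not RFC1918 space")
    for net, mask in pushed_routes:
        route, err = network_or_error(net, mask)   # assumed check, same host-bits rule
        if err:
            problems.append(f"push route: {err}")
        elif route == lan:
            problems.append(f"push route {route} duplicates the Local Network setting")
    return problems


if __name__ == "__main__":
    for plan in [("10.1.1.0/8", "10.10.10.1", "255.255.255.0", [PUSHED_ROUTE]),
                 ("10.1.1.0/8", "10.10.10.0", "255.255.255.0", []),
                 ("10.1.1.0/24", "10.1.10.0", "255.255.255.0", [])]:
        print(plan[:3], "->", audit(*plan) or "OK")
```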
-
@Solway said in OpenVPN routing issue?:
10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP(lan only) -
10.1.1.2/8 - pfsense (mainly gateway, firewall and vpn server)
Those two LANs are overlapping.
-
push "route 10.1.1.0 255.0.0.0" added to config
You don't need anything on this line.
-
Show the lower half of your OpenVPN config screen in a screenshot.
-
I've changed network to
LAN 10.1.1.0/24
VPN tunnel 10.1.10.0/24
All works OK.
For some reason the VPN daemon was crashing using...
10.1.1.0/8 LAN
192.168.123.0/24 for tunnel
Even this didn't work:
10.1.1.0/24 LAN
192.168.123.0/24 for tunnel
-
@Solway said in OpenVPN routing issue?:
just realised my F up, i blame windows and its auto 255.0.0.0 subnet stuff
i'll do
10.1.1.0/22 LAN
10.2.1.0/24 for tunnel
Yeah, MS messes up a lot of things. Classful addresses went out years ago. As for VPNs and other point to point connections, you can use /31, though some systems (MS again) require /30. Even on IPv6, with gazillions of addresses, a /127 is recommended.
-
I got a new problem:
VPN can connect no matter what,
even if I revoke a user cert.
VPN server is set to SSL/TLS + User auth.
edit:
Forget that, fixed. Didn't have the revocation list selected in the server, just clients.
Think I'm good now. Thanks for the help.