Netgate Discussion Forum
    OpenVPN routing issue?

    Scheduled Pinned Locked Moved OpenVPN
    15 Posts 4 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Solway
      last edited by

Hi guys, I've been pulling my hair out trying to set up a basic OpenVPN server to PC client.

I started to use a tutorial link here.
Only to realise the AES security didn't match on the tutorial page (so changed it all to AES-256-CBC).
The OpenVPN server wouldn't start the daemon, which was then fixed due to an IP issue with the VPN server: 10.10.10.1/24, where it needed a 0 instead of a 1.
If I changed it to /8, it also caused the daemon to stop.

Now I've managed to get the client to connect, but it can't see the LAN IPs. No pinging LAN.

I have the following (have I done this right??)

      10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP(lan only) -
      10.1.1.2/8 - pfsense (mainly gateway, firewall and vpn server)

OpenVPN server set to 10.1.10.0/24
pfSense OpenVPN server provides DHCP to its clients (10.10.10.1-254)
ticked - Force all client-generated IPv4 traffic through the tunnel.
OpenVPN clients are given 10.1.1.3 for DNS & NTP
push "route 10.1.1.0 255.0.0.0" added to config

When the OpenVPN clients connect,
they connect, but the routing doesn't work. Can't ping anything apart from the pfSense box.

      route addition failed using service: the parameter is incorrect [status=87 if_index=36]

What am I doing wrong?

      • RicoR
        Rico LAYER 8 Rebel Alliance @Solway
        last edited by

        @Solway said in OpenVPN routing issue?:

        what am i doing wrong?

        Using weird tutorials and not the Netgate ones.
        Start here:
        https://docs.netgate.com/pfsense/en/latest/book/openvpn/using-the-openvpn-server-wizard-for-remote-access.html

        -Rico

        • S
          Solway
          last edited by

Yes, I've been looking all over that.

But when I do...

Tunnel Network 10.10.1.0/8
Local Network 10.1.1.0/8

the OpenVPN daemon crashes and won't start.

If I change the local network to 10.1.1.0/24 it works and connects, but doesn't allow VPN clients to see the LAN.

Can't figure it out.

          • RicoR
            Rico LAYER 8 Rebel Alliance
            last edited by

            The networks you specify are overlapping. Why the F do you use /8 networks...you really have over 16 million devices there?

            -Rico

            • S
              Solway
              last edited by

Just want a quick solution to work for the moment.
I'm in the process of setting up an AD environment; it's all going to change.

What should I use to prevent overlap?

              • RicoR
                Rico LAYER 8 Rebel Alliance
                last edited by Rico

Set your tunnel network to anything other than 10.0.0.0/8, because your LAN is eating all the space for this network.
Just use something like 192.168.123.0/24 for the tunnel. But stay in RFC1918 space!!
I'd recommend renumbering your LAN to something realistic...

                -Rico

                • S
                  Solway
                  last edited by

Just realised my F up; I blame Windows and its auto 255.0.0.0 subnet stuff.

I'll do
10.1.1.0/22 LAN
10.2.1.0/24 for tunnel

                  • RicoR
                    Rico LAYER 8 Rebel Alliance
                    last edited by

Yeah, that would be okay.

                    -Rico

                    • S
                      Solway
                      last edited by

I've quickly changed to
10.1.1.0/8 LAN
192.168.123.0/24 for tunnel

so I didn't have to change the LAN,

but the daemon crashes on this:

                      [error] 	Unable to contact daemon 	Service not running? 	0
                      
                      Sep 9 15:22:57 	syslogd 		kernel boot file is /boot/kernel/kernel
                      Sep 9 15:23:00 	php-fpm 		/status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1.conf'' returned exit code '1', the output was ''
                      Sep 9 15:23:00 	php-fpm 		OpenVPN failed to start 
                      
                      Sep 9 15:23:00 	openvpn 	92899 	Options error: --server directive network/netmask combination is invalid
                      Sep 9 15:23:00 	openvpn 	92899 	Use --help for more information. 
                      
                      • chpalmerC
                        chpalmer
                        last edited by

                        @Solway said in OpenVPN routing issue?:

                        10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP(lan only) -
                        10.1.1.2/8 - pfsense (mainly gateway, firewall and vpn server)

                        Those two LANs are overlapping.

                        Triggering snowflakes one by one..
                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                        • chpalmerC
                          chpalmer @chpalmer
                          last edited by

                          push "route 10.1.1.0 255.0.0.0" added to config

                          You don't need anything on this line.

                          • chpalmerC
                            chpalmer
                            last edited by

                            Show the lower half of your OpenVPN config screen in a screenshot..

                            • S
                              Solway
                              last edited by

I've changed the networks to

LAN 10.1.1.0/24
VPN tunnel 10.1.10.0/24

All works OK.

For some reason the VPN daemon was crashing using...
10.1.1.0/8 LAN
192.168.123.0/24 for tunnel

Even this didn't work:
10.1.1.0/24 LAN
192.168.123.0/24 for tunnel

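The two faults the thread turns on, a prefix with host bits set (10.1.1.0/8 is not a network; 10.0.0.0/8 is) and a tunnel network that overlaps the LAN it is supposed to reach, can both be caught before touching the firewall. The following is an added example, not code from the thread or from pfSense/OpenVPN: it runs the LAN/tunnel pairs the posters tried through Python's standard `ipaddress` module, using `strict=True` as a stand-in for the daemon's own netmask check, and also validates a `push "route NET MASK"` line the same way. The pair names and the `ATTEMPTS` table are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the LAN / tunnel pairs that appear in the thread.
ATTEMPTS = {
    "original":    ("10.1.1.0/8",  "10.10.10.0/24"),
    "rico_advice": ("10.1.1.0/8",  "192.168.123.0/24"),
    "final":       ("10.1.1.0/24", "10.1.10.0/24"),
}


def parse_network(cidr):
    """Parse a CIDR string the way a strict daemon would.

    strict=True refuses a prefix whose host bits are set (10.1.1.0/8 is
    not a network; the network containing it is 10.0.0.0/8). Returns
    (network, problem_or_None); the network is the corrected one so the
    later overlap check can still run on what the daemon would have used.
    """
    try:
        return ipaddress.ip_network(cidr, strict=True), None
    except ValueError:
        net = ipaddress.ip_network(cidr, strict=False)
        return net, f"{cidr} has host bits set (it is really {net})"


def check_pair(lan_cidr, tunnel_cidr):
    """Return a list of problems for a LAN / tunnel pair (empty list = OK)."""
    problems = []
    lan, err = parse_network(lan_cidr)
    if err:
        problems.append("LAN " + err)
    tun, err = parse_network(tunnel_cidr)
    if err:
        problems.append("tunnel " + err)
    # A tunnel inside the LAN prefix means the client has two routes for
    # the same destinations; LAN hosts become unreachable through the VPN.
    if lan.overlaps(tun):
        problems.append(f"tunnel {tun} overlaps LAN {lan}")
    for name, net in (("LAN", lan), ("tunnel", tun)):
        if not net.is_private:
            problems.append(f"{name} {net} is outside RFC1918 space")
    return problems


PUSH_ROUTE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"\s*$')


def check_push_route(line):
    """Validate a `push "route NET MASK"` line: the mask must be contiguous
    and NET must have no bits outside MASK (the same host-bits rule)."""
    m = PUSH_ROUTE.match(line.strip())
    if not m:
        return f"not a push route line: {line!r}"
    net, mask = m.groups()
    try:
        ipaddress.ip_network(f"{net}/{mask}", strict=True)
    except ValueError as e:
        return f"bad route {net} {mask}: {e}"
    return None


def audit(attempts=ATTEMPTS):
    """Run check_pair over every named attempt; maps name -> problem list."""
    return {name: check_pair(lan, tun) for name, (lan, tun) in attempts.items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "->", problems or "OK")
    print(check_push_route('push "route 10.1.1.0 255.0.0.0"'))
    print(check_push_route('push "route 10.1.1.0 255.255.255.0"'))
```

The "original" pair fails on both counts, the 192.168.123.0/24 tunnel removes the overlap but still carries the /8 host-bits fault on the LAN side, and the final 10.1.1.0/24 + 10.1.10.0/24 pair passes cleanly; the same host-bits rule rejects `route 10.1.1.0 255.0.0.0` while accepting a /24 mask for that prefix.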
                              • JKnottJ
                                JKnott @Solway
                                last edited by

                                @Solway said in OpenVPN routing issue?:

                                just realised my F up, i blame windows and its auto 255.0.0.0 subnet stuff

                                i'll do
                                10.1.1.0/22 LAN
                                10.2.1.0/24 for tunnel

                                Yeah, MS messes up a lot of things. Classful addresses went out years ago. As for VPNs and other point to point connections, you can use /31, though some systems (MS again) require /30. Even on IPv6, with gazillions of addresses, a /127 is recommended.

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                • S
                                  Solway
                                  last edited by Solway

I've got a new problem.

The VPN can connect no matter what,

even if I revoke a user cert.

The VPN server is set to SSL/TLS + User auth.

Edit:
Forget that, fixed. Didn't have the revocation list selected in the server, just the clients.

Think I'm good now. Thanks for the help.
