OpenVPN routing issue?
-
The networks you specify are overlapping. Why the F do you use /8 networks... do you really have over 16 million devices there?
-Rico
-
Just want a quick solution to work for the moment.
I'm in the process of setting up an AD environment, it's all going to change. What should I use to prevent overlap?
-
Set your tunnel network to anything other than 10.0.0.0/8 because your LAN is eating all the space in this network.
Just use something like 192.168.123.0/24 for the tunnel. But stay in RFC1918 space!!
I'd recommend renumbering your LAN to something realistic... -Rico
-
Just realised my F up, I blame Windows and its auto 255.0.0.0 subnet stuff.
I'll do:
10.1.1.0/22 LAN
10.2.1.0/24 for tunnel
-
Yeah, that would be okay.
-Rico
-
I've quickly changed to
10.1.1.0/8 LAN
192.168.123.0/24 for tunnel
so I didn't have to change the LAN,
but the daemon crashes on this:
[error] Unable to contact daemon Service not running? 0
Sep 9 15:22:57 syslogd kernel boot file is /boot/kernel/kernel
Sep 9 15:23:00 php-fpm /status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1.conf'' returned exit code '1', the output was ''
Sep 9 15:23:00 php-fpm OpenVPN failed to start
Sep 9 15:23:00 openvpn 92899 Options error: --server directive network/netmask combination is invalid
Sep 9 15:23:00 openvpn 92899 Use --help for more information.
-
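An added example, not from the thread: a small standard-library Python script that checks a LAN / tunnel pair for the two faults discussed above, a tunnel network address with host bits set under its mask (the condition the "--server directive network/netmask combination is invalid" error reports) and overlap between tunnel and LAN, and builds the push route the LAN needs. The function names and the sample address pairs are constructed for this example.

```python
import ipaddress
from typing import List, Optional


def check_server_network(network: str, netmask: str) -> Optional[str]:
    """Return None if 'network netmask' is a usable --server argument,
    otherwise the reason. A network address with host bits set under the
    mask (e.g. 10.1.1.0 255.0.0.0) is what OpenVPN rejects."""
    try:
        ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    except ValueError as exc:
        return str(exc)  # e.g. "10.1.1.0/255.0.0.0 has host bits set"
    return None


def audit(lan: str, tunnel_network: str, tunnel_netmask: str) -> List[str]:
    """Collect every reason this LAN / tunnel pair should not be deployed."""
    problems = []
    reason = check_server_network(tunnel_network, tunnel_netmask)
    if reason:
        problems.append(f"server directive invalid: {reason}")
    # strict=False normalises 10.1.1.0/8 to the network it really is,
    # 10.0.0.0/8, which is how the LAN in the thread actually behaved.
    lan_net = ipaddress.ip_network(lan, strict=False)
    tun_net = ipaddress.ip_network(f"{tunnel_network}/{tunnel_netmask}",
                                   strict=False)
    for name, net in (("LAN", lan_net), ("tunnel", tun_net)):
        if not net.is_private:
            problems.append(f"{name} {net} is outside RFC1918 space")
    if lan_net.overlaps(tun_net):
        problems.append(f"tunnel {tun_net} overlaps LAN {lan_net}; "
                        "routes between them are ambiguous")
    return problems


def push_route_for(lan: str) -> str:
    """The LAN route clients need, in the dotted form --push expects."""
    net = ipaddress.ip_network(lan, strict=False)
    return f'push "route {net.network_address} {net.netmask}"'


if __name__ == "__main__":
    # Constructed cases mirroring the attempts made in the thread.
    for lan, net, mask in [("10.1.1.0/8", "10.2.1.0", "255.255.255.0"),
                           ("10.1.1.0/8", "10.1.1.0", "255.0.0.0"),
                           ("10.1.1.0/24", "10.1.10.0", "255.255.255.0")]:
        print(lan, net, mask, "->", audit(lan, net, mask) or "OK")
        print("  ", push_route_for(lan))
```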
@Solway said in OpenVPN routing issue?:
10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP (LAN only)
10.1.1.2/8 - pfSense (mainly gateway, firewall and VPN server)
Those two LANs are overlapping.
-
push "route 10.1.1.0 255.0.0.0" added to config
You don't need anything on this line.
-
Show the lower half of your OpenVPN config screen in a screenshot.
-
I've changed the networks to
LAN 10.1.1.0/24
VPN tunnel 10.1.10.0/24
All works OK.
For some reason the VPN daemon was crashing using...
10.1.1.0/8 LAN
192.168.123.0/24 for tunnel
Even this didn't work:
10.1.1.0/24 LAN
192.168.123.0/24 for tunnel
-
@Solway said in OpenVPN routing issue?:
Just realised my F up, I blame Windows and its auto 255.0.0.0 subnet stuff.
I'll do:
10.1.1.0/22 LAN
10.2.1.0/24 for tunnel
Yeah, MS messes up a lot of things. Classful addresses went out years ago. As for VPNs and other point-to-point connections, you can use /31, though some systems (MS again) require /30. Even on IPv6, with gazillions of addresses, a /127 is recommended.
-
I got a new problem:
VPN can connect no matter what,
even if I revoke a user cert.
VPN server is set to SSL/TLS + User auth.
edit:
Forget that, fixed. Didn't have the revocation list selected in the server, just clients. Think I'm good now. Thanks for the help.