OpenVPN routing issue?

Solway

just want a quick solution to work for the moment.
im in the process of setting up a AD environmnet, its going to all change.

what should i use to prevent over lap?

Rico

Set your tunnel network to anything else than 10.0.0.0/8 because your LAN is eating all the space for this network.
Just use something like 192.168.123.0/24 for the tunnel. But stay in RFC1918 space!!
I'd recommend to renumber your LAN to something realistic...

-Rico

Solway

just realised my F up, i blame windows and its auto 255.0.0.0 subnet stuff

i'll do
10.1.1.0/22 LAN
10.2.1.0/24 for tunnel

Rico

Yeah that would be Okay.

-Rico

Solway

ive quickly changed to
10.1.1.0/8 LAN
192.168.123.0/24 for tunnel

so i didnt have to change the lan

but the daemon crashes on this

[error] 	Unable to contact daemon 	Service not running? 	0

Sep 9 15:22:57 	syslogd 		kernel boot file is /boot/kernel/kernel
Sep 9 15:23:00 	php-fpm 		/status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1.conf'' returned exit code '1', the output was ''
Sep 9 15:23:00 	php-fpm 		OpenVPN failed to start 

Sep 9 15:23:00 	openvpn 	92899 	Options error: --server directive network/netmask combination is invalid
Sep 9 15:23:00 	openvpn 	92899 	Use --help for more information. 

chpalmer

@Solway said in OpenVPN routing issue?:

10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP(lan only) -
10.1.1.2/8 - pfsense (mainly gateway, firewall and vpn server)

Those two LANs are overlapping.

chpalmer

push "route 10.1.1.0 255.0.0.0" added to config

You don't need anything on this line.

chpalmer

Show the lower half of your OpenVPN config screen in a screenshot..

Solway

ive changed network to

LAN 10.1.1.0/24
VPNtunnel 10.1.10.0/24

all works ok.

for some reason the VPN daemon was crashing using...
10.1.1.0/8 LAN
192.168.123.0/24 for tunnel

even this didnt work.
10.1.1.0/24 LAN
192.168.123.0/24 for tunnel

JKnott

@Solway said in OpenVPN routing issue?:

just realised my F up, i blame windows and its auto 255.0.0.0 subnet stuff

i'll do
10.1.1.0/22 LAN
10.2.1.0/24 for tunnel

Yeah, MS messes up a lot of things. Classful addresses went out years ago. As for VPNs and other point to point connections, you can use /31, though some systems (MS again) require /30. Even on IPv6, with gazillions of addresses, a /127 is recommended.

Solway

i got a new problem

VPN can connect no matter what

even if i revocate a user cert

vpn server is set to SSL/TLS + User auth

edit:
forget that fixed. didnt have revocation list selected in server. just clients.

think im good now. thanks for the help