OpenVPN - problem with /32-range



  • Why is this range not allowed?

    192.168.100.0/32

    OpenVPN refuses to start. Is it out of range for the fw somehow?

    I also tried smaller ones, but still with /32. I do need to get netmask 255.255.255.255 on the client machine (so that I get assigned the same mask as the Windows VPN does and can replace it and contact stuff on the inside).



  • An IPv4 /32 is a single address. For network communication you need at least 2 addresses, one for each device.
    The smallest tunnel subnet is a /30 = 4 IP addresses: network address, server, client, broadcast (the smallest IP network).


  • Rebel Alliance Global Moderator

    "I do need to get netmask 255.255.255.255 on the client machine (so that I get assigned same mask as windows VPN do and can replace it and contact stuff on the inside)."

    Huh??  What vpn are you using on windows that you get a /32 mask?

    What does the mask of the client vpn interface have to do with contacting stuff on the inside.. I assume you mean on the other side of the tunnel..



  • The smallest tunnel subnet is a /30 = 4 IP addresses: network address, server, client, broadcast (the smallest IP network).

    Actually, the smallest is a /31.  That's for a point-to-point link, where there's no need for a broadcast or network address.  However, some software won't work with a /31.  Of course the equivalent on IPv6 is a /127, which will help you save some precious addresses.  ;)



  • @JKnott:

    The smallest tunnel subnet is a /30 = 4 IP addresses: network address, server, client, broadcast (the smallest IP network).

    Actually, the smallest is a /31.

    That can't be used for an openvpn tunnel.



  • @viragomann:

    @JKnott:

    The smallest tunnel subnet is a /30 = 4 IP addresses: network address, server, client, broadcast (the smallest IP network).

    Actually, the smallest is a /31.

    That can't be used for an openvpn tunnel.

    From https://community.openvpn.net/openvpn/wiki/Concepts-Addressing

    Examples for p2p topology

    This topology is only valid when none of your clients are Windows. The benefit is that you can use the entire network range. This can be beneficial when using smaller networks, such as a /29, /30, or even a /31 (normally unusable on "traditional" Ethernet-style networks.)

    So, as long as you don't have any Windows clients, a /31 is fine.  It's a Windows limitation, not OpenVPN.

    This has been discussed with other types of point to point link, where Windows is unable to handle /31 on a P-P link.

    There's even a RFC about /31 point to point links.
    https://tools.ietf.org/rfc/rfc3021.txt
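    The sizing rules the replies above arrive at (a /32 holds one endpoint, subnet topology needs a /30, p2p topology can use a /31 per RFC 3021 but not with Windows clients) can be checked mechanically. The script below is an added example, not code from the thread, from pfSense or from OpenVPN; it assumes that subnet topology reserves the network and broadcast addresses, that p2p topology can use every address, and that a tunnel network must be written as its network address (the thread's 192.168.100.131/28 has host bits set, which is treated here as the reason it is refused).

```python
import ipaddress

# Added example (not from the thread, pfSense or OpenVPN). Assumptions:
# - "subnet" topology reserves the network and broadcast addresses, so the
#   smallest usable range is a /30, as stated above;
# - "p2p" topology can use every address, so a /31 works (RFC 3021) unless
#   Windows clients are involved, as the OpenVPN wiki quoted above says;
# - the range must be given by its network address (no host bits set).

def tunnel_capacity(cidr, topology="subnet", windows_clients=False):
    """Describe whether `cidr` can carry an OpenVPN tunnel network."""
    if topology not in ("subnet", "p2p"):
        raise ValueError("topology must be 'subnet' or 'p2p'")
    iface = ipaddress.ip_interface(cidr)   # tolerates host bits, e.g. 192.168.100.131/28
    net = iface.network
    host_bits_set = iface.ip != net.network_address
    total = net.num_addresses
    if topology == "subnet":
        usable = total - 2 if total >= 4 else 0   # drop network + broadcast
    else:
        usable = total                            # p2p: every address is an endpoint

    reason = None
    if total == 1:
        reason = "a single address cannot hold both tunnel endpoints"
    elif host_bits_set:
        reason = f"host bits set; use the network address {net.network_address}/{net.prefixlen}"
    elif topology == "subnet" and total < 4:
        reason = "subnet topology needs at least a /30 (network, server, client, broadcast)"
    elif topology == "p2p" and total == 2 and windows_clients:
        reason = "a /31 point-to-point range is not supported by Windows clients"

    return {
        "network": str(net),
        "addresses": total,
        "usable_endpoints": usable if reason is None else 0,
        "ok": reason is None,
        "reason": reason,
    }

def report(ranges):
    """One status line per (cidr, topology) pair, for a quick overview."""
    lines = []
    for cidr, topo in ranges:
        r = tunnel_capacity(cidr, topo)
        status = "OK" if r["ok"] else "REFUSED"
        detail = f"{r['usable_endpoints']} endpoints" if r["ok"] else r["reason"]
        lines.append(f"{cidr:<22}{topo:<8}{status:<9}{detail}")
    return lines

if __name__ == "__main__":
    # Constructed sample: the ranges mentioned in this thread plus johnpoz's 10.0.8.0/24
    for line in report([("192.168.100.0/32", "subnet"), ("192.168.100.0/31", "subnet"),
                        ("192.168.100.0/31", "p2p"), ("192.168.100.0/30", "subnet"),
                        ("192.168.100.131/28", "subnet"), ("10.0.8.0/24", "subnet")]):
        print(line)
```

    Running it prints one line per range; the /32 and the /31-in-subnet-topology cases come back REFUSED with the reason, while the /30 yields exactly two endpoints (server and client).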



  • ^^^^
    In fact, when you get right down to it, you don't even need an IP address for a point to point link.  You just specify the interface for the route.



  • Windows VPN (built in client) gives me this (from ipconfig):

    PPP
    IPv4 Address. . . . . . . . . . . : 192.168.100.150
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 0.0.0.0

    And it works for my use, but I guess I have to rethink this ;) OpenVPN gives me 255.255.255.0. I can't connect to equipment on the inside of the remote private network, but I guess this means that there is something else wrong and not the mask.

    This is what OpenVPN gives me:

    IPv4 Address. . . . . . . . . . . : 192.168.100.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    I can ping 192.168.100.1, but I can't access/ping 192.168.100.3 (a device present there).
    I have also tried "192.168.100.131/28", but OpenVPN refuses to start then.


  • Rebel Alliance Global Moderator

    Dude let's forget the whole mask thing - you zeroed in on something that has nothing to do with your problem.

    Let's back up and go over what you're trying to do.. So I take it you're trying to set up a road warrior vpn into some network… Where the network behind the vpn server is 192.168.100/?

    If that is the case then you would not give your client a 192.168.100 IP for its tunnel network.. You would give it something else unless you were trying to run a TAP or bridged connection.  Which should not be needed or warranted..

    If the network behind pfsense is 192.168.100/24 lets say.. And you're off out somewhere with your client and you want to access this network.. Just use a different tunnel network.. I use 10.0.8/24 for example so when vpn clients connect they get an IP on the 10.0.8/24 network.. With route that says hey you want to get to 192.168.100 go down the tunnel.. All works - you will have to make sure any hosts on the 192.168.100 allow for this tunnel network to access them via any host firewalls, etc.

    Your only other problem you could run into is if the remote network you're on is 192.168.100/24 as well or 10.0.8 etc..

    Does that help?  Can draw you a picture if you like..



  • You are absolutely right, I want access to an existing network 192.168.100.x and I haven't understood (before now) that I was actually "crashing" or overriding the target network. Lesson learned!

    IPv4 Tunnel Network 192.168.200.0/24 (network tunnel)

    Ok, I'm now able to get 192.168.200.2 IP locally on my computer and I can ping 192.168.200.1 (about 11ms, so I assume the VPN is actually working).

    How do I route from my tunnel to my target network - Is it similar to this? I tried it in the "Advanced settings - Custom options"-box in VPN Servers-page:

    push "route 192.168.100.0 255.255.255.0"

    Please note that I have a goal to keep all other traffic away from the tunnel - only traffic to the 192.168.100 network should go through the VPN. I sometimes struggle with that and in Windows I had to enable the "Use default gateway on remote network" in order to not lose Internet when using Windows VPN Client.

    I'm really excited to see if I can get this working!


  • Rebel Alliance Global Moderator

    All of these questions are asked when you run through the wizard.. I take it you didn't?

    To tell the client what networks are on this side of the vpn.. Just set those as local networks in the vpn server settings..

    See my attached, these are the networks I set so that client gets the routes to these network to go down the tunnel.  I do not have force gateway.. So vpn client will only go down the tunnel to get to the networks I list as local.
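    Two things from the replies above lend themselves to a quick check: johnpoz's rule that the tunnel network must not overlap the network you are trying to reach (nor the network the client is sitting on), and the "local networks" setting that makes the client receive a route for each listed network without forcing the default gateway through the tunnel. The script below is an added example, not pfSense's or OpenVPN's own code; it assumes that pfSense's "IPv4 Tunnel Network" corresponds to an OpenVPN `server` directive and that each "Local network" becomes a `push "route ..."` directive, and it deliberately emits no `redirect-gateway`, matching the wish to keep other traffic off the tunnel.

```python
import ipaddress

# Added example (not from the thread, pfSense or OpenVPN). Assumptions:
# - "IPv4 Tunnel Network" maps to `server <network> <netmask>`;
# - each "IPv4 Local network" maps to `push "route <network> <netmask>"`;
# - no redirect-gateway is pushed, so only the listed networks use the tunnel.

def plan_tunnel(tunnel, local_networks, client_lan=None):
    """Return (problems, directives) for a proposed road-warrior server layout.

    tunnel:         the tunnel network, e.g. "192.168.200.0/24"
    local_networks: networks behind the server that clients should reach
    client_lan:     optional network the road-warrior client sits on
    """
    tun = ipaddress.ip_network(tunnel, strict=True)
    lans = [ipaddress.ip_network(n, strict=True) for n in local_networks]
    problems = []

    # Rule 1: the tunnel must not be carved out of a network it is meant to reach.
    for lan in lans:
        if tun.overlaps(lan):
            problems.append(
                f"tunnel {tun} overlaps local network {lan}: clients would be "
                f"placed inside the network they are trying to reach")

    # Rule 2: the client's own LAN must not collide with the tunnel or the remote LANs,
    # otherwise the client cannot tell local from remote destinations.
    if client_lan is not None:
        cl = ipaddress.ip_network(client_lan, strict=True)
        for n in [tun, *lans]:
            if cl.overlaps(n):
                problems.append(
                    f"client LAN {cl} overlaps {n}: routing is ambiguous on the client")

    # Server-side directives that match the wizard's settings.
    directives = [f"server {tun.network_address} {tun.netmask}"]
    for lan in lans:
        directives.append(f'push "route {lan.network_address} {lan.netmask}"')
    return problems, directives

def describe(tunnel, local_networks, client_lan=None):
    """Human-readable summary: problems first, then the directives."""
    problems, directives = plan_tunnel(tunnel, local_networks, client_lan)
    out = [f"PROBLEM: {p}" for p in problems] or ["no overlap problems found"]
    return out + directives

if __name__ == "__main__":
    # Constructed samples: the original attempt, then the corrected layout from this thread
    print("\n".join(describe("192.168.100.0/24", ["192.168.100.0/24"])))
    print()
    print("\n".join(describe("192.168.200.0/24", ["192.168.100.0/24"])))
```

    The first call reproduces the original mistake (tunnel inside the target LAN) and reports it; the second yields `server 192.168.200.0 255.255.255.0` plus a single `push "route 192.168.100.0 255.255.255.0"`, which is the routing the client needs and nothing more.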




  • I tried that, but still no go (put 192.168.100.0/24 in the local network). I'll do it once more just in case I did it wrong.

    Yes, I followed the Wizard, but it didn't work, so I restarted the whole thing.



  • IPv4 Tunnel Network 192.168.200.0/24
    IPv4 Local network(s) 192.168.100.0/24

    Also sounds too easy to be correct ;)

    I still can't ping or access equipment for instance when I go to 192.168.100.3.

    My network adapter looks like this:

    Ethernet adapter Ethernet 2:

    Connection-specific DNS Suffix  . :
      IPv4 Address. . . . . . . . . . . : 192.168.200.2
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . :


  • Rebel Alliance Global Moderator

    And what does your route table look like on this windows machine when you connect.  Simple route print from cmdline, what did your client say when it was connecting for routes?

    As to sounds too easy - that is how easy it is really.. It really is bada bing bada boom done.. Run the wizard, follow the bouncing ball.  Export your config connect.. Takes all of like 1 minute to setup tops..

    Remember what I said about firewalls on access equipment!!  Does it have a firewall?  Does it have a gateway that points back to pfsense?



  • " Does it have a gateway that points back to pfsense"

    I don't think so, because this is the unit that gives out DHCP to different internal stuff and it is its own gateway. It is "RV325 Gigabit Dual WAN VPN Router".

    There isn't a way to specify any GW either (since this is its own GW maybe..), so maybe I have to setup a static route somehow (as shown on Nimbus screenshot nb 2)?

    http://nimb.ws/Qlynxp
    http://nimb.ws/hBusEg

    And Windows-machine print-route is like this:

    http://nimb.ws/gv2upo


  • Rebel Alliance Global Moderator

    Well yeah that is going to be a problem.  How is it you're trying to access a router with pfsense as the vpn connection.  How exactly is this configured.  Where is the edge (pfsense I assume) and where is the rv325?  Could be you have more than just a simple gateway problem.

    But yeah you're not going to be able to hit that rv325 100 IP from some other segment if it has no gateway off that segment.  You could try creating a static route for sure, or just source nat it at pfsense so it looks like your vpn client is talking to it from pfsense IP on that network.. Simple outbound nat rule picking that interface.



  • pfSense is in transparent bridge mode.

    I think the reason why this works today (through windows-server) is that I have a management computer inside the network more or less directly connected to the RV325 on eth2 of the server. On this management-computer, one port has the RV325 as gw. When I use the VPN client in Windows against this computer, it will find the path all ways. That explains why it works?

    So I would need to do something similar with pfSense basically.