Netgate Discussion Forum

IPV4 Network Tunnel config Issue

  • M
    maverick.phillips
    last edited by Jul 10, 2018, 2:25 PM

    Hello All,

    I have an issue whereby I get the error: Options error: --server directive network/netmask combination is invalid

    Now I know what this relates to and it's my IP config for the IPV4 Network Tunnel - I have set the IP 10.1.3.0/22

    If I change this to 10.1.3.0/24 then the VPN connects - however, as this is the incorrect subnet, this will not allow VPN traffic to my LAN network.

    Has anyone got an idea as to what this could be?

    1 Reply Last reply Reply Quote 0
    • V
      viragomann
      last edited by Jul 10, 2018, 2:42 PM

      Is the tunnel network overlapping with LAN?
      What's your LAN network?

      1 Reply Last reply Reply Quote 0
      • M
        maverick.phillips
        last edited by Jul 10, 2018, 3:00 PM

        Hello,

        Yes, it would be.

        My LAN is 10.1.0.0/22

        My pool is 10.1.0.100-10.1.3.0

        I would like pfSense to use everything above 10.1.3.0 as IPs for VPN clients.

        But the way to do this is not overly clear.

        1 Reply Last reply Reply Quote 0
        • V
          viragomann
          last edited by Jul 10, 2018, 3:11 PM

          If the OpenVPN server is in tun mode, the VPN tunnel network must not overlap other networks assigned to pfSense.
          So choose another network range for the tunnel.

          M 1 Reply Last reply Jul 10, 2018, 4:13 PM Reply Quote 0
          • M
            maverick.phillips @viragomann
            last edited by Jul 10, 2018, 4:13 PM

            @viragomann

            Thanks for that - sounds like I need tap mode then?
            I don’t know if tun will work as I haven’t set up any routing for it.

            J 1 Reply Last reply Jul 10, 2018, 4:33 PM Reply Quote 0
            • V
              viragomann
              last edited by Jul 10, 2018, 4:26 PM

              I don't know what your intention with the OpenVPN server is.

              In tun mode the server provides a tunnel network which works as a transit network. Traffic meant for the remote site is to be routed to the other VPN endpoint. The server is capable of pushing routes to the clients.

              In tap mode the VPN interface can be bridged to another local network, e.g. LAN. So clients will get an IP of the LAN from the DHCP server.
              So to access remote LAN devices there is no route needed.

              Most challenges can be mastered with tun mode, which is the recommended one.

              1 Reply Last reply Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator @maverick.phillips
                last edited by Jul 10, 2018, 4:33 PM

                @maverick-phillips said in IPV4 Network Tunnel config Issue:

                sounds like I need tap mode then?

                No, not really - it just sounds like you need to correctly set up your tunnel network. There are very few legit reasons why you would want to run tap mode. It's not the recommended setup, nor is it even supported on some clients. For example, the iOS OpenVPN client does not support tap mode.

                Why do you think you need tap mode? And not just a correctly set up tun mode?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • M
                  maverick.phillips
                  last edited by Jul 10, 2018, 4:36 PM

                  Hello,

                  Main reason is I have been trying for some time and I can’t get the configuration right.

                  I would love to use tun mode; however, with my understanding of how the IPV4 networks need to be set up, I haven’t yet got it to work correctly.

                  What would your suggestion be on the correct config for this?

                  1 Reply Last reply Reply Quote 0
                  • K
                    kpa
                    last edited by kpa Jul 10, 2018, 4:45 PM Jul 10, 2018, 4:41 PM

                    Key points to any routed VPN:

                    • Tunnel subnet must be completely separate from any of your other subnets used, zero overlap allowed.

                    • Let the VPN system (OpenVPN in this case) manage the routing, read the OpenVPN documentation carefully, pay attention to the --route, --push "route" and --iroute directives. On pfSense, part of the routing is handled by the remote network configuration item (on a Remote Access Client or with a peer to peer setup), other parts have to be added to Advanced Configuration/Custom options.

                    1 Reply Last reply Reply Quote 0
                    • K
                      kpa
                      last edited by Jul 10, 2018, 4:48 PM

                      By the way, tap mode changes almost nothing in the scenario. The only difference is that the tunnel network is no longer point-to-point and has broadcast semantics resembling a typical ethernet LAN. Client configuration and routing are still pretty much the same and if you can't get tun mode working properly you won't get tap mode working either.

                      1 Reply Last reply Reply Quote 0
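
The two requirements from this thread, checked in code (an added example, not part of any post and not pfSense or OpenVPN code): the tunnel network must be a valid network/netmask pair, which 10.1.3.0/22 is not because a /22 containing 10.1.3.0 starts at 10.1.0.0, and it must not overlap the LAN. The function names, the 10.9.8.0/24 sample and the 10.1.0.0/16 search pool are assumptions made for the example.

```python
import ipaddress

# From the thread: the LAN that the tunnel network must stay clear of.
LOCAL_NETWORKS = {"LAN": "10.1.0.0/22"}

def check_tunnel_network(tunnel, local_networks):
    """Return a list of problems with a proposed tun-mode tunnel network."""
    problems = []
    iface = ipaddress.ip_interface(tunnel)
    net = iface.network  # network the address falls in once host bits are masked
    if iface.ip != net.network_address:
        problems.append(f"{tunnel} has host bits set; the enclosing network is {net}")
    for name, cidr in local_networks.items():
        local = ipaddress.ip_network(cidr)
        if net.overlaps(local):
            problems.append(f"{net} overlaps {name} ({local})")
    return problems

def first_free_subnet(pool, prefixlen, local_networks):
    """Return the first subnet of `pool` that overlaps no local network, or None."""
    in_use = [ipaddress.ip_network(c) for c in local_networks.values()]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(n) for n in in_use):
            return candidate
    return None

if __name__ == "__main__":
    # First two values are the ones tried in the thread; the third is constructed.
    for tunnel in ("10.1.3.0/22", "10.1.3.0/24", "10.9.8.0/24"):
        print(tunnel, check_tunnel_network(tunnel, LOCAL_NETWORKS) or "ok")
    # Assumed search pool: the first /24 above the LAN's /22.
    print(first_free_subnet("10.1.0.0/16", 24, LOCAL_NETWORKS))
```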