Netgate Discussion Forum

OpenVPN error

17 Posts 4 Posters 7.8k Views
    acs259
    last edited by Jul 29, 2018, 1:55 AM

    Pretty green with all this router stuff. Followed the wizard for OpenVPN and exported. Cannot connect and the logs give this:

    Options error: --server directive network/netmask combination is invalid

    Where did I go wrong?

      acs259
      last edited by Jul 29, 2018, 2:24 AM

      Also found that the service is not starting
      php-fpm 32757 OpenVPN failed to start

      My tunnel is set to 192.168.1.200/24 if that helps any

        acs259
        last edited by Jul 29, 2018, 5:57 PM

        Anyone? All I really want to do is be able to remote to my pfsense box from work.

        YT videos and tutorials make this seem easy, but clearly something is wrong. Seems to be that way with a lot of the pfsense stuff, which tells me the problem is me. Frustration is high, please help!

          johnpoz LAYER 8 Global Moderator @acs259
          last edited by johnpoz Jul 29, 2018, 6:03 PM Jul 29, 2018, 6:00 PM

          @acs259 said in OpenVPN error:

          My tunnel is set to 192.168.1.200/24 if that helps any

          That is not a network - that is a HOST. 192.168.1.0/24 would be a network... Keep in mind your tunnel needs to be different than your LAN.

          192.168.1.200/29 would be valid. .200 would be the wire/network, .201 would be first host address, .206 last host, while .207 would be broadcast. You could also have /28 or /30 at .200 for the wire.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            acs259
            last edited by Jul 29, 2018, 6:16 PM

            My thinking is that to connect to my network, the server has to have an IP within my network's range which is 192.168.1.1/24.

            Why does 192.168.1.200/24 not work but 192.168.1.200/29 does?

              chpalmer @acs259
              last edited by chpalmer Jul 29, 2018, 6:36 PM Jul 29, 2018, 6:36 PM

              @acs259 said in OpenVPN error:

              My thinking is that to connect to my network, the server has to have an IP within my network's range which is 192.168.1.1/24.

              Why does 192.168.1.200/24 not work but 192.168.1.200/29 does?

              Actually anything in the 192.168.1.1/24 should not be used if that is a LAN on either side. Use something else. 172.16.1.0/30 is a choice that would work. It's just for the tunnel.

              Your LAN should not be within the subnet of the opposite LAN either.

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                acs259
                last edited by Jul 29, 2018, 6:41 PM

                Appreciate the replies. I can just literally make up an address as long as it's outside my network? So confused.

                  acs259 @acs259
                  last edited by Jul 29, 2018, 6:49 PM

                  172.16.1.0/30 doesn't work. Threw an error in the logs that it has to be less than 29. So now the service starts - yay! So from an outside PC with the certificate, do I connect to 172.16.1.0 now?

                    Derelict LAYER 8 Netgate @acs259
                    last edited by Jul 29, 2018, 6:50 PM

                    @acs259 Because 192.168.1.200/29 is a valid /29 network address. 192.168.1.200/24 is not (192.168.1.0/24 is).

                    If your LAN is the default 192.168.1.1/24 you need to use something else.

                    I can just literally make up an address as long as it's outside my network?

                    Not necessarily. There is a range of addresses reserved for private usage. You will commonly see this called RFC1918.

                    10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
                    172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
                    192.168.0.0/16 (192.168.0.0 - 192.168.255.255)

                    Here's a random one for your tunnel network: 172.22.184.0/24

                    In order for a router to route between networks the networks have to be different.

                    You can't have one network 192.168.1.0/24 and another 192.168.1.200/29 in most cases because all of the hosts on 192.168.1.0/24 will think all of the addresses in the /29 (192.168.1.200 - 192.168.1.207) would be reachable on the local subnet and traffic for them would be attempted there instead of being forwarded to the router for routing.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)
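
The checks discussed in the replies above (network address versus host address, the /29 minimum from the log error, the RFC1918 ranges, and no overlap with a LAN), as an added example that is not part of any poster's message. The function name `check_tunnel_network` and its inputs are assumptions made for illustration; it uses only Python's standard `ipaddress` module.

```python
import ipaddress

# RFC1918 private ranges, as listed in the post above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_tunnel_network(tunnel, lans):
    """Return a list of problems with a proposed tunnel network (empty list = usable).

    tunnel: proposed tunnel network as "address/prefix" (hypothetical input).
    lans:   LAN subnets on either side of the VPN, e.g. ["192.168.1.1/24"].
    """
    problems = []
    iface = ipaddress.IPv4Interface(tunnel)
    net = iface.network  # the subnet this address/prefix actually falls in
    # 192.168.1.200/24 has host bits set, so it names a host, not a network.
    if iface.ip != net.network_address:
        problems.append(f"{tunnel} is a host address; the network is {net}")
    # Per the thread, a remote-access server needs a /29 or larger.
    if net.prefixlen > 29:
        problems.append(f"/{net.prefixlen} is smaller than /29")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is outside the RFC1918 private ranges")
    # The tunnel must not share addresses with any LAN it routes to.
    for lan in lans:
        lan_net = ipaddress.IPv4Interface(lan).network
        if net.overlaps(lan_net):
            problems.append(f"{net} overlaps LAN {lan_net}")
    return problems

if __name__ == "__main__":
    lan = ["192.168.1.1/24"]  # the default LAN mentioned in the thread
    for candidate in ("192.168.1.200/24", "192.168.1.200/29",
                      "172.16.1.0/30", "172.22.184.0/24"):
        print(candidate, "->", check_tunnel_network(candidate, lan) or "OK")
```
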

                      Derelict LAYER 8 Netgate @acs259
                      last edited by Derelict Jul 29, 2018, 6:53 PM Jul 29, 2018, 6:52 PM

                      @acs259 No. You connect to the WAN address. Your client will then be assigned a tunnel address in 172.16.1.0/29. Use the Client export package to create a client config.

                      A remote access OpenVPN server has to be a /29 or larger, else OpenVPN will consider the connection to be point-to-point, not point-to-multipoint.

                        acs259
                        last edited by Jul 29, 2018, 6:58 PM

                        Exported to a USB drive and threw that in a laptop connected to a cell phone hotspot. It fails to install OpenVPN and ends. I can connect the laptop to my network, log into pfsense, and run it from there and it works, but I won't be able to do that from work.

                          Derelict LAYER 8 Netgate
                          last edited by Derelict Jul 29, 2018, 7:00 PM Jul 29, 2018, 6:59 PM

                          What? You're going to need to offer more information than that. Hard to say what Windows permissions you need to enable. Windows problem.

                          Once it's installed it should be installed. You shouldn't need the installer again until you want to update it.

                            Derelict LAYER 8 Netgate @acs259
                            last edited by Jul 29, 2018, 7:01 PM

                            @acs259 said in OpenVPN error:

                            I can connect the laptop to my network, log into pfsense, and run it from there and it works, but I won't be able to do that from work.

                            I have no idea what that even means.

                              acs259
                              last edited by Jul 29, 2018, 7:05 PM

                              Did Client Export to a USB drive. Put USB in a laptop outside my network and ran the installer. It fails saying OpenVPN could not be found.

                              I connected the laptop to wifi on my network and logged into pfsense and ran the exact same installer and it worked.

                                Derelict LAYER 8 Netgate
                                last edited by Jul 29, 2018, 7:05 PM

                                So it should be installed and you should be good to go.

                                  acs259
                                  last edited by Jul 29, 2018, 7:11 PM

                                  On the laptop, yes. How do I get things installed on my work PC? (again, thanks for helping)

                                    acs259
                                    last edited by Jul 29, 2018, 7:26 PM

                                    OK, laptop VPN works and was able to log into pfsense. Uninstalled OpenVPN and re-ran the exported EXE and it installed OpenVPN. So I think I should be good to go now.

                                    Thank you so much to those who pitched in. This is pretty much the first success with anything other than base configuration that I have gotten to work. Still a little confused about the subnetting stuff above, but I'll take this as a win.
