Netgate Discussion Forum
OpenVPN routing issue?

15 Posts 4 Posters 1.7k Views
    Solway
    last edited by Sep 9, 2019, 11:35 AM

    Hi guys, been pulling my hair out trying to set up a basic OpenVPN server to PC client.

    I started to use a tutorial link here.
    Only to realise the AES security didn't match on the tutorial page (so changed it to all AES-256-CBC).
    The OpenVPN server wouldn't start the daemon, which was then fixed due to IP issue with VPN server. 10.10.10.1/24, where it needed a 0 instead of a 1.
    If I changed it to /8, it also caused the daemon to stop.

    Now I've managed to get the client to connect, but it can't see the LAN IPs. No pinging LAN.

    I have the following (have I done this right??)

    10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP(lan only) -
    10.1.1.2/8 - pfsense (mainly gateway, firewall and vpn server)

    OpenVPN server set to 10.1.10.0/24
    pfsense openvpn server provides dhcp to its client (10.10.10.1-254)
    ticked - Force all client-generated IPv4 traffic through the tunnel.
    Openvpn clients are giving 10.1.1.3 DNS & NTP
    push "route 10.1.1.0 255.0.0.0" added to config

    When the OpenVPN client connects,
    they connect, but the routing doesn't work. Can't ping anything apart from the pfSense box.

    route addition failed using service: the parameter is incorrect [status=87 if_index=36]
    

    what am I doing wrong?

      Rico LAYER 8 Rebel Alliance @Solway
      last edited by Sep 9, 2019, 1:38 PM

      @Solway said in OpenVPN routing issue?:

      what am I doing wrong?

      Using weird tutorials and not the Netgate ones.
      Start here:
      https://docs.netgate.com/pfsense/en/latest/book/openvpn/using-the-openvpn-server-wizard-for-remote-access.html

      -Rico

        Solway
        last edited by Sep 9, 2019, 1:44 PM

        Yes, been looking all over that.

        But when I do...

        Tunnel Network 10.10.1.0/8
        Local Network 10.1.1.0/8

        the OpenVPN daemon crashes and won't start.

        If I change local network to 10.1.1.0/24 it works, and connects, but doesn't allow VPN clients to see the LAN.

        Can't figure it out.

          Rico LAYER 8 Rebel Alliance
          last edited by Sep 9, 2019, 1:53 PM

          The networks you specify are overlapping. Why the F do you use /8 networks...you really have over 16 million devices there?

          -Rico

            Solway
            last edited by Sep 9, 2019, 2:05 PM

            Just want a quick solution to work for the moment.
            I'm in the process of setting up an AD environment, it's going to all change.

            What should I use to prevent overlap?

              Rico LAYER 8 Rebel Alliance
              last edited by Rico Sep 9, 2019, 2:07 PM Sep 9, 2019, 2:06 PM

              Set your tunnel network to anything other than 10.0.0.0/8 because your LAN is eating all the space for this network.
              Just use something like 192.168.123.0/24 for the tunnel. But stay in RFC1918 space!!
              I'd recommend to renumber your LAN to something realistic...

              -Rico

                Solway
                last edited by Sep 9, 2019, 2:15 PM

                Just realised my F up, I blame Windows and its auto 255.0.0.0 subnet stuff.

                I'll do
                10.1.1.0/22 LAN
                10.2.1.0/24 for tunnel

                  Rico LAYER 8 Rebel Alliance
                  last edited by Sep 9, 2019, 2:18 PM

                  Yeah that would be Okay.

                  -Rico

                    Solway
                    last edited by Sep 9, 2019, 2:24 PM

                    I've quickly changed to
                    10.1.1.0/8 LAN
                    192.168.123.0/24 for tunnel

                    so I didn't have to change the LAN,

                    but the daemon crashes on this:

                    [error] 	Unable to contact daemon 	Service not running? 	0
                    
                    Sep 9 15:22:57 	syslogd 		kernel boot file is /boot/kernel/kernel
                    Sep 9 15:23:00 	php-fpm 		/status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1.conf'' returned exit code '1', the output was ''
                    Sep 9 15:23:00 	php-fpm 		OpenVPN failed to start 
                    
                    Sep 9 15:23:00 	openvpn 	92899 	Options error: --server directive network/netmask combination is invalid
                    Sep 9 15:23:00 	openvpn 	92899 	Use --help for more information. 
                    
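As an added example (not from the thread, pfSense or OpenVPN), a small Python checker for the two mistakes discussed above: a tunnel or LAN entered with host bits set, which OpenVPN's --server directive refuses with the "network/netmask combination is invalid" error, and a tunnel network that overlaps the LAN. The RFC1918 list and the problem codes are my own; the sample inputs are the addresses from this thread.

```python
import ipaddress

# RFC 1918 ranges: the advice above is to keep the tunnel inside these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_network(cidr):
    """Parse a CIDR as a network; return None if host bits are set.

    OpenVPN's --server directive (pfSense builds it from the Tunnel Network
    field) rejects a network/netmask pair whose host bits are not all zero,
    e.g. 10.10.10.1/24, or 10.1.1.0/8 (10.1.1.0 & 255.0.0.0 is 10.0.0.0).
    """
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return None


def network_address(cidr):
    """The network this CIDR really names, with host bits cleared."""
    return str(ipaddress.ip_interface(cidr).network)


def check_openvpn_networks(tunnel_cidr, local_cidrs):
    """Return (code, message) problems for a tunnel net and the LANs it must reach."""
    problems = []
    tunnel = parse_network(tunnel_cidr)
    if tunnel is None:
        problems.append(("HOST_BITS", f"tunnel {tunnel_cidr}: use {network_address(tunnel_cidr)}"))
        return problems  # the daemon would refuse to start; nothing more to check
    if not any(tunnel.subnet_of(p) for p in RFC1918):
        problems.append(("NOT_RFC1918", f"tunnel {tunnel_cidr} is outside private space"))
    for cidr in local_cidrs:
        local = parse_network(cidr)
        if local is None:
            problems.append(("HOST_BITS", f"local {cidr}: use {network_address(cidr)}"))
            local = ipaddress.ip_interface(cidr).network  # test overlap on the real network
        if tunnel.overlaps(local):
            problems.append(("OVERLAP", f"tunnel {tunnel_cidr} overlaps LAN {local}; "
                                        "clients cannot be routed to the LAN"))
    return problems


if __name__ == "__main__":
    # Constructed inputs from the thread: the pairs that failed and the one that worked.
    for tunnel, lans in (("10.10.10.1/24", ["10.1.1.0/24"]), ("10.1.10.0/24", ["10.1.1.0/8"]),
                         ("192.168.123.0/24", ["10.1.1.0/8"]), ("10.1.10.0/24", ["10.1.1.0/24"])):
        print(tunnel, lans, check_openvpn_networks(tunnel, lans) or "OK")
```

Note that 10.1.1.0/22 is also flagged: with a /22 mask the network address is 10.1.0.0, not 10.1.1.0.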
                      chpalmer
                      last edited by Sep 9, 2019, 3:17 PM

                      @Solway said in OpenVPN routing issue?:

                      10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP(lan only) -
                      10.1.1.2/8 - pfsense (mainly gateway, firewall and vpn server)

                      Those two LANs are overlapping.

                      Triggering snowflakes one by one..
                      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                        chpalmer @chpalmer
                        last edited by Sep 9, 2019, 3:20 PM

                        push "route 10.1.1.0 255.0.0.0" added to config

                        You don't need anything on this line.

                        Triggering snowflakes one by one..
                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                          chpalmer
                          last edited by Sep 9, 2019, 3:21 PM

                          Show the lower half of your OpenVPN config screen in a screenshot..

                          Triggering snowflakes one by one..
                          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                            Solway
                            last edited by Sep 9, 2019, 4:12 PM

                            I've changed network to

                            LAN 10.1.1.0/24
                            VPNtunnel 10.1.10.0/24

                            All works OK.

                            For some reason the VPN daemon was crashing using...
                            10.1.1.0/8 LAN
                            192.168.123.0/24 for tunnel

                            Even this didn't work:
                            10.1.1.0/24 LAN
                            192.168.123.0/24 for tunnel

                              JKnott @Solway
                              last edited by Sep 9, 2019, 4:20 PM

                              @Solway said in OpenVPN routing issue?:

                              Just realised my F up, I blame Windows and its auto 255.0.0.0 subnet stuff.

                              I'll do
                              10.1.1.0/22 LAN
                              10.2.1.0/24 for tunnel

                              Yeah, MS messes up a lot of things. Classful addresses went out years ago. As for VPNs and other point to point connections, you can use /31, though some systems (MS again) require /30. Even on IPv6, with gazillions of addresses, a /127 is recommended.

                              PfSense running on Qotom mini PC
                              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                              UniFi AC-Lite access point

                              I haven't lost my mind. It's around here...somewhere...

                                Solway
                                last edited by Solway Sep 9, 2019, 4:38 PM Sep 9, 2019, 4:33 PM

                                I got a new problem.

                                VPN can connect no matter what,

                                even if I revoke a user cert.

                                VPN server is set to SSL/TLS + User auth.

                                edit:
                                Forget that, fixed. Didn't have the revocation list selected in the server, just clients.

                                Think I'm good now. Thanks for the help.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.