OpenVPN routing issue?



  • Hi guys, been pulling my hair out trying to set up a basic OpenVPN server to PC client.

    I started to use a tutorial link here.
    Only to realise the AES security didn't match on the tutorial page (so changed it all to AES-256-CBC).
    The OpenVPN server wouldn't start the daemon, which was then fixed due to an IP issue with the VPN server: 10.10.10.1/24, where it needed a 0 instead of a 1.
    If I changed it to /8, it also caused the daemon to stop.

    Now I've managed to get the client to connect, but it can't see the LAN IPs. No pinging LAN.

    I have the following (have I done this right??)

    10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP (LAN only)
    10.1.1.2/8 - pfSense (mainly gateway, firewall and VPN server)

    OpenVPN server set to 10.1.10.0/24
    pfSense OpenVPN server provides DHCP to its clients (10.10.10.1-254)
    Ticked: Force all client-generated IPv4 traffic through the tunnel.
    OpenVPN clients are given 10.1.1.3 for DNS & NTP
    push "route 10.1.1.0 255.0.0.0" added to config

    When OpenVPN clients connect,
    they connect, but the routing doesn't work. Can't ping anything apart from the pfSense box.

    route addition failed using service: the parameter is incorrect [status=87 if_index=36]

    What am I doing wrong?


  • LAYER 8 Rebel Alliance

    @Solway said in OpenVPN routing issue?:

    what am i doing wrong?

    Using weird tutorials and not the Netgate ones.
    Start here:
    https://docs.netgate.com/pfsense/en/latest/book/openvpn/using-the-openvpn-server-wizard-for-remote-access.html

    -Rico



  • Yes, been looking all over that,

    but when I do...

    Tunnel Network 10.10.1.0/8
    Local Network 10.1.1.0/8

    the OpenVPN daemon crashes and won't start.

    If I change local network to 10.1.1.0/24 it works and connects, but doesn't allow VPN clients to see the LAN.

    Can't figure it out.


  • LAYER 8 Rebel Alliance

    The networks you specify are overlapping. Why the F do you use /8 networks... you really have over 16 million devices there?

    -Rico



  • Just want a quick solution to work for the moment.
    I'm in the process of setting up an AD environment, it's all going to change.

    What should I use to prevent overlap?


  • LAYER 8 Rebel Alliance

    Set your tunnel network to anything other than 10.0.0.0/8 because your LAN is eating all the space for this network.
    Just use something like 192.168.123.0/24 for the tunnel. But stay in RFC1918 space!!
    I'd recommend renumbering your LAN to something realistic...

    -Rico



  • Just realised my F up, I blame Windows and its auto 255.0.0.0 subnet stuff.

    I'll do
    10.1.1.0/22 LAN
    10.2.1.0/24 for tunnel


  • LAYER 8 Rebel Alliance

    Yeah, that would be okay.

    -Rico



  • I've quickly changed to
    10.1.1.0/8 LAN
    192.168.123.0/24 for tunnel

    so I didn't have to change the LAN,

    but the daemon crashes on this:

    [error] Unable to contact daemon  Service not running?  0

    Sep 9 15:22:57  syslogd  kernel boot file is /boot/kernel/kernel
    Sep 9 15:23:00  php-fpm  /status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1.conf'' returned exit code '1', the output was ''
    Sep 9 15:23:00  php-fpm  OpenVPN failed to start

    Sep 9 15:23:00  openvpn  92899  Options error: --server directive network/netmask combination is invalid
    Sep 9 15:23:00  openvpn  92899  Use --help for more information.



  • @Solway said in OpenVPN routing issue?:

    10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP (LAN only)
    10.1.1.2/8 - pfSense (mainly gateway, firewall and VPN server)

    Those two LANs are overlapping.



  • push "route 10.1.1.0 255.0.0.0" added to config

    You don't need anything on this line.



  • Show the lower half of your OpenVPN config screen in a screenshot.



  • I've changed the networks to

    LAN 10.1.1.0/24
    VPN tunnel 10.1.10.0/24

    All works OK.

    For some reason the VPN daemon was crashing using...
    10.1.1.0/8 LAN
    192.168.123.0/24 for tunnel

    Even this didn't work:
    10.1.1.0/24 LAN
    192.168.123.0/24 for tunnel



  • @Solway said in OpenVPN routing issue?:

    Just realised my F up, I blame Windows and its auto 255.0.0.0 subnet stuff.

    I'll do
    10.1.1.0/22 LAN
    10.2.1.0/24 for tunnel

    Yeah, MS messes up a lot of things. Classful addresses went out years ago. As for VPNs and other point-to-point connections, you can use /31, though some systems (MS again) require /30. Even on IPv6, with gazillions of addresses, a /127 is recommended.



  • I've got a new problem.

    VPN can connect no matter what,

    even if I revoke a user cert.

    VPN server is set to SSL/TLS + User auth.

    Edit:
    Forget that, fixed. Didn't have the revocation list selected in the server, just clients.

    Think I'm good now. Thanks for the help.

