OpenVPN routing issue?

Rico · Sep 9, 2019, 2:07 PM

Set your tunnel network to anything else than 10.0.0.0/8 because your LAN is eating all the space for this network.
Just use something like 192.168.123.0/24 for the tunnel. But stay in RFC1918 space!!
I'd recommend to renumber your LAN to something realistic...

-Rico

Solway · Sep 9, 2019, 2:15 PM

just realised my F up, i blame windows and its auto 255.0.0.0 subnet stuff

i'll do
10.1.1.0/22 LAN
10.2.1.0/24 for tunnel

Rico · Sep 9, 2019, 2:18 PM

Yeah that would be Okay.

-Rico

Solway · Sep 9, 2019, 2:24 PM

ive quickly changed to
10.1.1.0/8 LAN
192.168.123.0/24 for tunnel

so i didnt have to change the lan

but the daemon crashes on this

[error] 	Unable to contact daemon 	Service not running? 	0

Sep 9 15:22:57 	syslogd 		kernel boot file is /boot/kernel/kernel
Sep 9 15:23:00 	php-fpm 		/status_services.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/server1.conf'' returned exit code '1', the output was ''
Sep 9 15:23:00 	php-fpm 		OpenVPN failed to start

Sep 9 15:23:00 	openvpn 	92899 	Options error: --server directive network/netmask combination is invalid
Sep 9 15:23:00 	openvpn 	92899 	Use --help for more information.

chpalmer · Sep 9, 2019, 3:17 PM

@Solway said in OpenVPN routing issue?:

10.1.1.3/8 - Windows AD server, hosts DNS, NTP and DHCP(lan only) -
10.1.1.2/8 - pfsense (mainly gateway, firewall and vpn server)

Those two LANs are overlapping.

chpalmer · Sep 9, 2019, 3:20 PM

push "route 10.1.1.0 255.0.0.0" added to config

You don't need anything on this line.

chpalmer · Sep 9, 2019, 3:21 PM

Show the lower half of your OpenVPN config screen in a screenshot..

Solway · Sep 9, 2019, 4:12 PM

ive changed network to

LAN 10.1.1.0/24
VPNtunnel 10.1.10.0/24

all works ok.

for some reason the VPN daemon was crashing using...
10.1.1.0/8 LAN
192.168.123.0/24 for tunnel

even this didnt work.
10.1.1.0/24 LAN
192.168.123.0/24 for tunnel

JKnott · Sep 9, 2019, 4:20 PM

@Solway said in OpenVPN routing issue?:

just realised my F up, i blame windows and its auto 255.0.0.0 subnet stuff

i'll do
10.1.1.0/22 LAN
10.2.1.0/24 for tunnel

Yeah, MS messes up a lot of things. Classful addresses went out years ago. As for VPNs and other point to point connections, you can use /31, though some systems (MS again) require /30. Even on IPv6, with gazillions of addresses, a /127 is recommended.

Solway · Sep 9, 2019, 4:38 PM

i got a new problem

VPN can connect no matter what

even if i revocate a user cert

vpn server is set to SSL/TLS + User auth

edit:
forget that fixed. didnt have revocation list selected in server. just clients.

think im good now. thanks for the help