    OpenVPN change server virtual interface

    valentino

      Hello,

      I am wondering if there is a way to change the server virtual IP address that is given to OpenVPN from the first usable IP address to another IP address of choice.

      The problem that we have is that, by giving the same IP addresses as in our LAN network, a /24 which has an IP address of .1, we can only assign a /25 for OpenVPN. This would make the IP address of the OpenVPN server virtual interface .129, which at the moment is fine. The problem is that we have more than 127 people connecting to the VPN and need to extend this to a /24, and changing the subnet in OpenVPN to a /24 will give the server virtual IP address as the gateway.

      We tried adding the ifconfig x.x.x.x y.y.y.y command in custom options to force it to change, but it seems this command is ignored.

      Any help would be appreciated.

      JKnott @valentino

        @valentino

        Normally different addresses are used. For example, when setting up the VPN you use an address for the tunnel that's outside of your LAN subnet. Have you not done that?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        valentino

          Yes, usually that is the case, and that is how it was done at first. The problem is that we have specific access to other resources that are only accessible from that LAN, so the only solution that I could come up with was giving the same IP addresses as if you are in the LAN.

          I also tried the solution with NAT, meaning that I NAT-ed from the OpenVPN subnet to an IP in the LAN, so that they could have access. This works as well, but NAT seems to break some applications, and so I had to revert back to giving IP addresses the same as in the LAN.

          From what I have seen in the OpenVPN config file, the interface is raised by running this:
          /usr/local/sbin/ovpn-linkup
          and from what I see, that is where the IP address is given.

          This would indicate why the ifconfig command would be ignored, as all the necessary stuff is done before reaching this command.

          JKnott @valentino

            @valentino

            Are you trying to set up a VPN between 2 networks? If so, perhaps a peer to peer VPN might do what you want. I haven't set up one of those, so I don't know the details. Regardless, you can't have the same subnet at both ends of the VPN, unless you're using TAP mode.

            valentino

              Hello,

              I am not trying to set up a VPN between two networks.

              Basically what I have done is this:

              Local LAN: 192.168.10.0/24
              OpenVPN IPv4 tunnel Network: 192.168.10.128/25

              When clients are connecting to OpenVPN they are getting an IP address in the range 192.168.10.130-253.

              By using proxy ARP, and responding to ARP requests for 192.168.10.128/25 on the interface to our local LAN, and a PBR statement to force the traffic from 192.168.10.128/25 to the default gateway in the LAN, 192.168.10.1.

              This works fine as it is right now. The clients get an IP from our LAN and they are accessing the resources as if they were in the office.

              The problem appears if you have more than 127 clients, as you would need to make the IPv4 Tunnel Network a /24. This will make the OpenVPN server virtual interface 192.168.10.1, which goes over the GW that is 192.168.10.1. What I am trying to do is force that server virtual IP address to be changed to another IP address, e.g. 192.168.10.253.

              JKnott @valentino
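The numbers in the post above follow from how a topology-subnet OpenVPN server carves up its tunnel network: the server's virtual interface takes the first usable address, and the rest becomes the client pool. The following is an added example, not code from the thread or from pfSense, that models that carve-up and flags the two planning problems discussed here (the tunnel overlapping the LAN, and the server address colliding with the LAN gateway). The pool end is assumed to be the last usable address minus one, which matches the .130-.253 range the poster observed.

```python
from ipaddress import IPv4Address, IPv4Network


def plan_tunnel(tunnel_cidr: str, lan_cidr: str, lan_gateway: str) -> dict:
    """Model how a 'topology subnet' OpenVPN server uses its tunnel network.

    Assumptions (mine, chosen to match the thread's numbers):
      - the server virtual interface gets the first usable address;
      - the client pool runs from the second usable address to the
        last usable address minus one (.130-.253 for a /25).
    """
    tun = IPv4Network(tunnel_cidr, strict=True)
    lan = IPv4Network(lan_cidr, strict=True)
    gateway = IPv4Address(lan_gateway)

    hosts = list(tun.hosts())
    if len(hosts) < 3:
        raise ValueError("tunnel network too small for a server plus clients")

    server_vip = hosts[0]
    pool_start, pool_end = hosts[1], hosts[-2]

    return {
        "server_vip": str(server_vip),
        "pool": (str(pool_start), str(pool_end)),
        "capacity": int(pool_end) - int(pool_start) + 1,
        "overlaps_lan": tun.overlaps(lan),
        "server_vip_is_lan_gateway": server_vip == gateway,
    }


def planning_warnings(tunnel_cidr: str, lan_cidr: str, lan_gateway: str) -> list:
    """Return the routing-conflict findings a reviewer would raise for this plan."""
    plan = plan_tunnel(tunnel_cidr, lan_cidr, lan_gateway)
    warnings = []
    if plan["overlaps_lan"]:
        # The AvoidRoutingConflicts case: a routed tunnel sharing the LAN prefix.
        warnings.append("tunnel network overlaps the LAN subnet")
    if plan["server_vip_is_lan_gateway"]:
        # The /24 case from the thread: the server VIP lands on the LAN gateway.
        warnings.append("server virtual IP collides with the LAN gateway")
    return warnings


if __name__ == "__main__":
    # Constructed inputs taken from the addresses quoted in the thread.
    for cidr in ("192.168.10.128/25", "192.168.10.0/24", "10.8.0.0/24"):
        print(cidr, plan_tunnel(cidr, "192.168.10.0/24", "192.168.10.1"))
        print("  warnings:", planning_warnings(cidr, "192.168.10.0/24", "192.168.10.1"))
```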

                @valentino said in OpenVPN change server virtual interface:

                This will make the OpenVPN server virtual interface 192.168.10.1, which goes over the GW that is 192.168.10.1.

                Well yeah, when you select a /24 mask, you are telling it to ignore the .128, leaving it as a .0. That's just the way it works and you can't change that. Also, with proxy arp, you're not supposed to be assigning addresses outside of the subnet. If you do that, you will wind up with the 2 ends thinking they're on different subnets, but expected to behave as though on 1.

                I still don't understand what it is you're trying to do. You say you want to access things that are on the LAN. Well, that's why you have routing, between the different subnets. If you absolutely must have the remote devices on the same subnet, then you have to use a TAP VPN.

                  Pippin

                  Take a look here:
                  https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts

                  I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                  Halton Arp

                    JKnott @Pippin

                    @Pippin

                    Quite so. Years ago, when I was frequently travelling with my work, I'd sometimes find myself in a hotel or motel which used the same subnet as I had at home. So, I moved my home network to the 172.16 range, as I have only once seen that used elsewhere. Most places use 192.168 or 10 blocks. Quite often people will leave a router with the same subnet as it came from the factory, which means there are a lot of networks on the same subnet.

                      valentino

                      @JKnott

                      I understand that changing it to a /24 makes it ignore it. And with proxy ARP you allow it to respond to ARP requests that it receives on the interface. I will not put it in to respond for the full /24, as this will break it. But you can put in a /25 and smaller subnets if need be.

                      @Pippin

                      I understand what you are saying; that is a subnet that I gave as an example. We have IPs in the 172.17.0.0 range.

                        JKnott @valentino

                        @valentino said in OpenVPN change server virtual interface:

                        But you can put a /25 and smaller subnets if need be.

                        That will break how it works. Unless you have TAP mode, you will be routing between the 2 ends of the VPN. You CANNOT have the same subnet or parts of it on both sides of a router.

                          valentino

                          @JKnott

                          The pfSense is used only as a VPN box; it is not used as a gateway by any other equipment. I think I should have mentioned this in the beginning. The pfSense only has an interface on that subnet with an IP. Like I mentioned, right now what I set up is working.

                          But this does not get to the question I was asking, which is whether I can change the server virtual IP address which OpenVPN raises on the interface, regardless of what I am trying to implement or not.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.