Netgate Discussion Forum

OpenVPN change server virtual interface

Category: OpenVPN
11 Posts 3 Posters 1.2k Views
JKnott @valentino
last edited by Apr 23, 2020, 11:36 AM

@valentino

Normally different addresses are used. For example, when setting up the VPN you use an address for the tunnel that's outside of your LAN subnet. Have you not done that?

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

valentino
last edited by Apr 23, 2020, 11:47 AM

Yes, usually that is the case, and that is how it was done at first. The problem is that we have specific access over other resources that are only accessible from that LAN, so the only solution that I could come up with was giving the same IP addresses as if you are in the LAN.

I also tried the solution with NAT, meaning that I NATed from the OpenVPN subnet to an IP in the LAN, so that they could have access. This works as well, but NAT seems to break some applications and so I had to revert back to giving IP addresses the same as in the LAN.

From what I have seen in the OpenVPN config file, the interface is raised by running this:
/usr/local/sbin/ovpn-linkup
and from what I see, that is where the IP address is given.

This would indicate why the ifconfig command would be ignored, as all the necessary stuff is done before reaching this command.

JKnott @valentino
last edited by Apr 23, 2020, 11:54 AM

@valentino

Are you trying to set up a VPN between 2 networks? If so, perhaps a peer to peer VPN might do what you want. I haven't set up one of those, so I don't know the details. Regardless, you can't have the same subnet at both ends of the VPN, unless you're using TAP mode.

valentino
last edited by Apr 23, 2020, 1:57 PM

Hello,

I am not trying to set up a VPN between two networks.

Basically what I have done is this:

Local LAN: 192.168.10.0/24
OpenVPN IPv4 tunnel network: 192.168.10.128/25

When clients are connecting to OpenVPN they are getting an IP address in the range 192.168.10.130-253.

By using proxy ARP, and responding to ARP requests for 192.168.10.128/25 on the interface to our local LAN, and a PBR statement to force the traffic from 192.168.10.128/25 to the default gateway in the LAN, 192.168.10.1.

This works fine as it is right now. The clients get an IP from our LAN and they are accessing the resources as if they were in the office.

The problem appears if you have more than 127 clients, as you would need to make the IPv4 tunnel network a /24. This will make the OpenVPN server virtual interface 192.168.10.1, which goes over the GW that is 192.168.10.1. What I am trying to do is force that server virtual IP address to be changed to another IP address, e.g. 192.168.10.253.

JKnott @valentino
last edited by Apr 23, 2020, 2:17 PM

@valentino said in OpenVPN change server virtual interface:

"This will make OpenVPN server virtual inteface to be 192.168.10.1, which goes over the GW that is 192.168.10.1."

Well yeah, when you select a /24 mask, you are telling it to ignore the .128, leaving it as a .0. That's just the way it works and you can't change that. Also, with proxy ARP, you're not supposed to be assigning addresses outside of the subnet. If you do that, you will wind up with the 2 ends thinking they're on different subnets, but expected to behave as though on 1.

I still don't understand what it is you're trying to do. You say you want to access things that are on the LAN. Well, that's why you have routing, between the different subnets. If you absolutely must have the remote devices on the same subnet, then you have to use a TAP VPN.

Pippin
last edited by Apr 23, 2020, 2:23 PM
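The two posts above describe the setup (a 192.168.10.128/25 tunnel network carved out of the 192.168.10.0/24 LAN, clients landing on .130-.253) and explain what goes wrong when the tunnel network is widened to a /24: the host bits are dropped, the network becomes 192.168.10.0/24 and the server's virtual IP lands on .1, the LAN gateway. The script below is an added example, not code from this thread, from pfSense or from OpenVPN. It reproduces that arithmetic for any tunnel network and flags the conflicts. Its assumptions, stated here and in the comments: subnet topology, the server takes the first usable address of the tunnel network, and the client pool runs from the second usable address to the second-to-last usable address (that matches the .130-.253 range quoted above, but the exact pool bounds are an assumption, not something the thread states).

```python
"""Predict what a pfSense OpenVPN server will do with a given tunnel network.

Added example, not code from the forum thread, pfSense or OpenVPN.
Assumptions (labelled): subnet topology; the server's virtual IP is the first
usable address of the tunnel network; the client pool is the second usable
address through the second-to-last usable address.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List


@dataclass
class TunnelPlan:
    configured: str              # what was typed into the tunnel-network field
    network: IPv4Network         # what it becomes once host bits are dropped
    server_vip: IPv4Address      # assumption: first usable address
    pool_first: IPv4Address      # assumption: second usable address
    pool_last: IPv4Address       # assumption: second-to-last usable address
    problems: List[str] = field(default_factory=list)

    @property
    def client_capacity(self) -> int:
        """Number of client addresses in the pool."""
        return int(self.pool_last) - int(self.pool_first) + 1


def plan_tunnel(tunnel: str, lan: str, lan_gateway: str) -> TunnelPlan:
    """Work out the server VIP and client pool and flag the conflicts the thread ran into."""
    iface = IPv4Interface(tunnel)
    net = iface.network                      # 192.168.10.128/24 -> 192.168.10.0/24
    lan_net = IPv4Network(lan, strict=False)
    gw = IPv4Address(lan_gateway)

    hosts = list(net.hosts())                # usable addresses, network/broadcast excluded
    if len(hosts) < 4:                       # no room for a server address plus a pool
        raise ValueError(f"{net} is too small for a server address and a client pool")

    plan = TunnelPlan(tunnel, net, hosts[0], hosts[1], hosts[-2])

    if iface.ip != net.network_address:
        plan.problems.append(f"host bits dropped: {tunnel} is treated as {net}")
    if plan.server_vip == gw:
        plan.problems.append(
            f"server virtual IP {plan.server_vip} is the LAN gateway address")
    if net.overlaps(lan_net):
        plan.problems.append(
            f"tunnel network {net} overlaps LAN {lan_net}: only works with "
            "proxy ARP plus policy routing on the LAN side, or with TAP mode")
    return plan


if __name__ == "__main__":
    # Constructed inputs taken from the thread plus one non-overlapping network.
    for tun in ("192.168.10.128/25", "192.168.10.128/24", "10.8.0.0/24"):
        p = plan_tunnel(tun, "192.168.10.0/24", "192.168.10.1")
        print(f"{p.configured:>20} -> {p.network} server={p.server_vip} "
              f"pool={p.pool_first}-{p.pool_last} ({p.client_capacity} clients)")
        for msg in p.problems:
            print("   !", msg)
```

Running it shows the /25 giving a server VIP of .129 with 124 client addresses (and the LAN overlap that the proxy-ARP plus PBR arrangement papers over), the "/24" collapsing to 192.168.10.0/24 with the server on the gateway address, and a tunnel network outside the LAN producing no findings at all.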

Take a look here:
https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts

I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

JKnott @Pippin
last edited by Apr 23, 2020, 2:31 PM

@Pippin

Quite so. Years ago, when I was frequently travelling with my work, I'd sometimes find myself in a hotel or motel which used the same subnet as I had at home. So, I moved my home network to the 172.16 range, as I have only once seen that used elsewhere. Most places use 192.168 or 10 blocks. Quite often people will leave a router with the same subnet as it came from the factory, which means there are a lot of networks on the same subnet.

valentino
last edited by Apr 24, 2020, 7:53 AM

@JKnott

I understand that changing it to /24 makes it ignore it. And with proxy ARP you allow it to respond to ARP requests that it receives on the interface. I will not put it in to respond for the full /24 as this will break it. But you can put a /25 and smaller subnets if need be.

@Pippin

I understand what you are saying; that is a subnet that I gave as an example, we have IPs in the 172.17.0.0 range.

JKnott @valentino
last edited by Apr 24, 2020, 10:55 AM

@valentino said in OpenVPN change server virtual interface:

"But you can put a /25 and smaller subnets if need be."

That will break how it works. Unless you have TAP mode, you will be routing between the 2 ends of the VPN. You CANNOT have the same subnet or parts of it on both sides of a router.

valentino
last edited by Apr 24, 2020, 11:02 AM

@JKnott

The pfSense is used only as a VPN box; it is not used as a gateway by any other equipment. I think I should have mentioned this in the beginning. The pfSense only has an interface on that subnet with an IP. Like I mentioned, right now what I set up is working.

But this does not get to the question I was asking, which is whether I can change the server virtual IP address which OpenVPN raises on the interface, regardless of what I am trying to implement or not.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.