Is 10.0.0.x/24 bad for VPN?
-
Hi!
I've been using pfSense to power a basic network that uses 10.0.0.x/24 for its subnet. I recently attempted to configure OpenVPN with no luck. I configured the tunnel network to run on 10.1.0.0/24. After a great deal of searching online, I've come to the consensus that maybe I should change my subnet so that I'm no longer using the 10.0.0.x scheme. I was under the impression that 10.0.0.x and 10.1.0.x were different subnets. Is that correct? Can anyone confirm if using 10.0.0.x is problematic, and why that might be?
Thanks!
-
@ecorva Not problematic at all and different networks depend on the subnet mask. If you're using /24's for both, they're different. Even 10.0.1.x/24 would be different and good to use.
-
@ecorva yeah those are different networks.. But all depends on what networks are going to be connecting... There can be problems with any rfc1918 network when users don't correctly configure them, I have seen many locations use 10/8 which yeah messes with using anything in the 10 range.. And using stuff in the low end like 10.0.0 can be problematic sometimes because everyone uses the first few networks in the range..
You can't fix 10/8 but staying away from like 10.0.0/24 or 10.0.1/24 or 10.1.1/24 might be less problematic.. 192.168 and 10 seem to be the most popular.. Maybe use something in the 172.16/12 range - this seems to be less used from just casual observation.
Something like 172.29.42/24 is prob not a commonly used network.. But you still can have problems if someone ends up using the 172.16/12 network, etc.. same goes for 192.168, 192.168.0/24 and 192.168.1/24 are very common.. My lowest network is 192.168.2/24 - but again if you're at some location and they are using 192.168/16 you're kind of hosed no matter what you're using in that range..
I have seen some sdwan deployments that leverage 192.0.2 for some of their tunnel networks.. because it's not a network that would route on the public internet and nobody should be using that.. It's meant as a documentation network ;)
Other networks like 198.51.100.0/24 and 203.0.113.0/24 are also networks that shouldn't conflict because they are documentation networks.. Not suggesting you use those.. But have seen some weird use of networks to try and make sure you don't step on other networks when you need a unique network that shouldn't cause problems.
-
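As an added example (not code from any poster in this thread), a small Python script using the standard library's ipaddress module that checks whether a planned LAN and OpenVPN tunnel network overlap each other, and whether either collides with the commonly used networks the replies above mention; the COMMON_NETWORKS list is an assumption drawn from those posts, not an authoritative survey.

```python
import ipaddress

# Networks the replies above describe as very commonly used at other sites (a
# remote site on one of these clashes with a matching local choice). Assumed
# list built from the posts, not an authoritative survey.
COMMON_NETWORKS = [
    "10.0.0.0/8",        # some sites use all of 10/8, which covers every 10.x.y.0/24
    "10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24",
    "192.168.0.0/24", "192.168.1.0/24",
]


def networks_overlap(a, b):
    """True if two prefixes share any address (one may contain the other).
    Different address families (IPv4 vs IPv6) never overlap."""
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    return na.version == nb.version and na.overlaps(nb)


def find_conflicts(local_nets, remote_nets):
    """Return every (local, remote) pair that overlaps. Any such pair means the
    VPN cannot route that range unambiguously: the local route and the tunnel
    route compete for the same destinations."""
    return [(l, r) for l in local_nets for r in remote_nets if networks_overlap(l, r)]


def check_plan(lan, tunnel, remote_nets=COMMON_NETWORKS):
    """Check a LAN + tunnel plan: the two must not overlap each other, and
    neither should collide with the networks a remote site is likely to use."""
    result = {
        "lan_tunnel_overlap": networks_overlap(lan, tunnel),
        "remote_conflicts": find_conflicts([lan, tunnel], remote_nets),
    }
    result["ok"] = not result["lan_tunnel_overlap"] and not result["remote_conflicts"]
    return result


if __name__ == "__main__":
    # The original poster's setup: LAN 10.0.0.0/24, tunnel 10.1.0.0/24. They do
    # not overlap each other, but both sit inside 10/8 and the LAN is 10.0.0.0/24.
    print(check_plan("10.0.0.0/24", "10.1.0.0/24"))
    # A less popular choice in the 172.16/12 block, as suggested above; still
    # fails if the remote site happens to use the whole 172.16/12.
    print(check_plan("172.29.42.0/24", "172.29.43.0/24"))
    print(check_plan("172.29.42.0/24", "172.29.43.0/24", ["172.16.0.0/12"]))
```

Run it with your own LAN, tunnel and the remote site's subnets as the third argument to see which ranges would collide before changing the pfSense configuration.
-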
@johnpoz thanks very much for the detailed response. I think I better understand some of the comments I read elsewhere now. I'm going to close this post and try a different approach to my VPN debugging. Cheers!
-
Just to add some more info:
https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts
-
@ecorva said in Is 10.0.0.x/24 bad for VPN?:
Hi!
I've been using pfSense to power a basic network that uses 10.0.0.x/24 for its subnet. I recently attempted to configure OpenVPN with no luck. I configured the tunnel network to run on 10.1.0.0/24. After a great deal of searching online, I've come to the consensus that maybe I should change my subnet so that I'm no longer using the 10.0.0.x scheme. I was under the impression that 10.0.0.x and 10.1.0.x were different subnets. Is that correct? Can anyone confirm if using 10.0.0.x is problematic, and why that might be?
Thanks!
Those should be OK, but what you have to watch for is the subnet used at the remote site. For example, 10.0.0.0 /24 is common and will conflict with one of your choices. I used to run into that problem when I was doing a lot of travel with my work. To avoid it, I made my home network 172.16.0.0 /24, as the 172.16 block is rarely used elsewhere.
Better option is to move to IPv6 if you can. I have configured my VPN to use IPv6, if available, otherwise IPv4.
-
@Pippin that common subnet list is excellent!