OpenVPN Server stopped working.



  • Hello,

    I've set up an OpenVPN Server with pfSense nearly a year ago and it was working fine (performance was very good).

    Now I've tried to change the local network, because we recently changed our subnet mask to 255.255.255.0

    Previous Local Network Setting: 192.168.175.0/24

    Local Network Setting Now: 192.168.0.0/16

    (This is all I changed! Nothing else.)

    This is the content of my server.conf file:

    dev ovpns2
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 217.86.177.169
    tls-server
    server 192.168.82.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    client-cert-not-required
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server2.php via-env
    tls-verify /var/etc/openvpn/server2.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    max-clients 25
    push "route 192.168.0.0 255.255.0.0"
    push "dhcp-option DOMAIN APICON.local"
    push "dhcp-option DNS 192.168.175.230"
    push "dhcp-option WINS 192.168.175.230"
    duplicate-cn
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    persist-remote-ip
    float

    So I can still connect to my server just fine. I can ping the pfsense box (which is 192.168.175.250), but I can't ping anything else.

    I can even access the pfsense web gui over the VPN, but nothing else works. I have no idea why this is.


  • Banned

    192.168.0.0/16? This is an absolutely, totally horrible idea. You've cut off any remote LAN in the 192.168. range. And yes, that includes the overlapping 192.168.82.0/24.

    Congrats.



  • haha - you beat me to it.

    Yeah - I would move all your subnets to 10.something.something.something

    Also wouldn't push a /16 unless there was a great reason for it.

    Better to have a few distinct and uncommon /24s and push a few /24s


  • Banned

    And if you seriously need /16 and 65K hosts, then use something in the 10/16 range.



  • Thank you for the replies. As soon as you mentioned it, I understood what the problem was. (I'm a dumbass.)

    The /16 is a temporary fix for an annoying problem.

    We have about 50 client computers with fixed IPs all over the 192.168.175.0 network. The DHCP server was constantly assigning IPs that were already in use. So I changed the subnet mask on every client with a fixed IP as a quick and dirty fix done on a Friday evening.

    I know that it's not a good idea, but it's only temporary. I first have to assign the 50 clients to useful IPs and then set a DHCP range outside of those, so that our other client computers don't have issues.



  • If you just need some more space around "175" you can just reduce the netmask a little bit, e.g.
    192.168.174.0/23 = 192.168.174.0 to 192.168.175.255 (netmask 255.255.254.0)
    or
    192.168.172.0/22 = 192.168.172.0 to 192.168.175.255 (netmask 255.255.252.0)

    then you don't overlap a whole lot of other stuff.
    You can then make the DHCP range in the space outside of "175" to quickly get DHCP clients away from the random static stuff in 175. Whatever you do, if you want the DHCP clients to talk to things in 175, then the things in 175 have to have their netmask changed.
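    A small check for the two points raised in this thread (the pushed /16 overlapping the tunnel subnet and remote LANs, and the /23 or /22 alternative), as an added example that is not part of the original posts or of pfSense. It assumes the server.conf excerpt and the remote LAN 192.168.1.0/24 shown inline, which are constructed for the demo.

```python
import ipaddress

# Constructed excerpt of the server.conf from the thread, not the full file.
SERVER_CONF = """
server 192.168.82.0 255.255.255.0
push "route 192.168.0.0 255.255.0.0"
push "dhcp-option DNS 192.168.175.230"
"""


def parse_routes(conf):
    """Return (tunnel subnet, [pushed route networks]) from OpenVPN config text."""
    tunnel, routes = None, []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("server "):
            _, net, mask = line.split()
            tunnel = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif line.startswith('push "route '):
            _, net, mask = line[len("push "):].strip('"').split()
            routes.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return tunnel, routes


def overlapping_routes(conf, remote_lans):
    """List (route, what it collides with, network) for every pushed route that
    overlaps the tunnel subnet or one of the clients' local LANs (strings)."""
    tunnel, routes = parse_routes(conf)
    problems = []
    for r in routes:
        if r.overlaps(tunnel):
            problems.append((str(r), "tunnel", str(tunnel)))
        for lan in map(ipaddress.ip_network, remote_lans):
            if r.overlaps(lan):
                problems.append((str(r), "remote LAN", str(lan)))
    return problems


def smallest_supernet(addresses):
    """Smallest single prefix covering all given hosts, i.e. phil.davis's idea of
    widening 192.168.175.0/24 only as far as needed (/23, /22, ...)."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()  # widen by one bit until everything fits
    return net


if __name__ == "__main__":
    for p in overlapping_routes(SERVER_CONF, ["192.168.1.0/24"]):
        print("pushed %s overlaps %s %s" % p)
    print(smallest_supernet(["192.168.175.250", "192.168.174.1"]))
```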



  • Thank you phil.davis, that's exactly what I did.

    Everything is working now.