Changing local IP range from 192.x to 10.x & OpenVPN

I like the idea of changing my local IPs on my home network from 192.168.x.x to the 10.x.x.x range and grouping them in my own preferred segments.

The one issue I do see is that I use 3rd party OpenVPN client services along with pbr. Those VPN services use the same 10.x.x.x range and from what I've read the server assigns those from a defined IP pool which I have no control over. Is this correct? Is there anything I could do in regards to restricting the 3rd party VPN to a certain range inside of 10.x.x.x from the client side or within OpenWRT?

Thx!

No, there is nothing you can do, but you can ensure that you're not using the same subnets if you know what (broad) range of addresses they use. Alternatively, you can consider the 172.16.0.0/12 ranges.

Appreciated!

@psherman is correct. FWIW, I’ve used 10.10.x.0/24 subnets since I started using OpenWrt - lazy, less characters to enter :slight_smile: , and haven’t come across a commercial vpn provider ever in that range.


One of my current connections, tun2/10.10.0.15

Although they all seem to use 10.x.0.x, so I could experiment knowing that.

Some mobile ISPs like to use 10.0.0.0/8, as well as many larger company or university networks, so chances for conflicts are higher there than with other subnets.

Sharing my reply from them and it's very neat and workable.

We use 10.0.0.0/16 for our internal network that's correct. Depending on what port you use when connecting to the server you will get a different range, so you could in theory always connect using the same port and with that know what /16 that's being used for the vpn, and put your own lan in a different one.

For example I'm connecting on port 1194 and get 10.8.0.0/16


Depending on the remote IP addresses of your company you need to actually connect to, overlapping IP ranges could cause a problem, but there's a non-zero chance they won't, even if there are conflicts.

If a computer has two different network interfaces with overlapping IP ranges, and assuming they don't have explicit metric numbers to hint otherwise, this computer should choose the network with the smaller network size.

That's named "Longest Match" in RFCs 4632, 1812 and others.

See: https://datatracker.ietf.org/doc/html/rfc1812#page-75

For example, if a packet's IP Destination Address is 10.144.2.5 and there are network prefixes 10.144.2.0/24, 10.144.0.0/16, and 10.0.0.0/8, then this rule would keep only the first (10.144.2.0/24) because its prefix length is longest.

My guess would be: As long as you stick to small /24 or /23 networks for your personal ranges, even within the huge 10.0.0.0/8 space, you're most likely "sort of" good.

Best-case scenario: You're lucky and pick a slice out of your company network that your computer doesn't need to talk to, so you don't notice any conflicts.

Worst-case scenario: Your computer needs to talk to some of your company's IP addresses that your personal network overlaps with, but that specific traffic doesn't get routed through your VPN, hence, no link to that slice of your company's network.

Pretty unlikely: You would only lose internet connectivity entirely if you accidentally picked the very same /24 or /23 range your company announces specifically.

I'd pick a /24 or /23 range for my personal stuff and keep my eyes peeled for any hiccups, but I wouldn't expect there to be any.

If you have a lot of local devices, put those into individual ranges on individual vlans. When I'm connected to my company via VPN, I usually don't care if my computer can connect to my security cameras or my Sonos network speakers. I just don't care if my company computer temporarily loses connection to my "security" or my "IoT"-vlan while connected to the company VPN. Having multiple small ranges at home reduces the chance of company VPN conflicts having any noticeable effect.

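The longest-match rule and the shadowing risk described in this reply, as an added Python example that is not part of the thread; the routing table, interface names, LAN subnet and VPN pool are constructed values, not any provider's real ones:

```python
"""Longest-prefix match and LAN/VPN overlap check (added example).

Routes and addresses below are constructed for illustration; they are not
taken from any real provider or from the poster's configuration.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, outgoing interface)


def lookup(dst: str, routes: Iterable[Route]) -> Optional[str]:
    """Return the interface chosen for dst by longest-prefix match (RFC 1812).

    Among all routes whose prefix contains dst, the longest prefix wins.
    Equal-length ties are not resolved here; a real kernel falls back to metric.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def shadowed_by_lan(lan: str, vpn_ranges: Iterable[str]) -> List[str]:
    """List VPN prefixes that a candidate LAN subnet overlaps.

    A LAN /24 inside a VPN /16 has the longer prefix, so traffic for those
    256 addresses stays on the LAN and never enters the tunnel.
    """
    lan_net = ipaddress.ip_network(lan, strict=False)
    return [r for r in vpn_ranges
            if lan_net.overlaps(ipaddress.ip_network(r, strict=False))]


def build_routes(lan: str, vpn_pool: str) -> List[Route]:
    """Constructed routing table: LAN on br-lan, VPN pool and default via tun0."""
    return [
        (ipaddress.ip_network(lan, strict=False), "br-lan"),
        (ipaddress.ip_network(vpn_pool, strict=False), "tun0"),
        (ipaddress.ip_network("0.0.0.0/0"), "tun0"),
    ]


if __name__ == "__main__":
    safe = build_routes("10.10.1.0/24", "10.8.0.0/16")
    print(lookup("10.8.0.5", safe))    # tun0: LAN does not overlap the pool
    bad = build_routes("10.8.1.0/24", "10.8.0.0/16")
    print(lookup("10.8.1.20", bad))    # br-lan: the /24 shadows part of the VPN
    print(shadowed_by_lan("10.8.1.0/24", ["10.8.0.0/16", "10.10.0.0/16"]))
```

Running `shadowed_by_lan` against the /16 a provider reports for your port is a quick way to confirm a candidate LAN range before committing to it.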
