[Solved] OpenVPN issues after subnet change

Hi folks,

I have a router running OpenWrt Chaos Calmer 15.05.1. The LAN is on subnet 192.168.1.0 / 255.255.255.0. I have set it up as an OpenVPN client. Remote access through the VPN was redirected to a server on the LAN having IP 192.168.1.2 with ports 22 and 80. It worked perfectly.

Due to changes in the home network I have been forced to switch to the following subnet: 10.0.0.0 / 255.0.0.0. The server on the LAN was given IP 10.0.0.2.

Port forwarding is no longer working. I suspect a conflict with tun0. Do I need to move VPN to another subnet? The router is assigned 10.8.0.10 / 255.255.255.255.

Any ideas?

Kind regards,
Roman

If it's the same subnet, likely...but you never mentioned the subnet of the tunnel.

You'll probably want to post your config files - network, openvpn, and firewall will likely be necessary to see.

Out of curiosity, why are you using 255.0.0.0 (/8 = 16M hosts) for your LAN? And is the router really assigned to 10.8.0.10 255.255.255.255 -- normally it would be 255.255.255.0 (or /24) so that the subnet matches your LAN's subnet definition (which is also usually /24).

Is this the only/main router on your network? If not, please describe (or sketch a diagram of) your network.

What "server" was set to 10.0.0.2? Is that the OpenVPN server or some other server?

What is the OpenVPN network definition? It is not supposed to overlap with the main network (and if it is 10.anything, it will technically overlap due to the /8 network you've apparently defined).

Thanks Peter, this is really helpful!

Out of curiosity, why are you using 255.0.0.0 (/8 = 16M hosts) for your
LAN?

It's not my choice but given by the network admin.

And is the router really assigned to 10.8.0.10 255.255.255.255 --
normally it would be 255.255.255.0 (or /24) so that the subnet matches
your LAN's subnet definition (which is also usually /24).

When setting up OpenVPN I used default settings without changing them. So
the above is what I get by default. I should be able to change this though.

Is this the only/main router on your network?

Yes

What "server" was set to 10.0.0.2? Is that the OpenVPN server or some
other server?

This is the LAN server that I want to access through OpenVPN/redirect.

What is the OpenVPN network definition?

As mentioned above I use default settings. It was set to
10.8.0.0/255.255.255.255.

It is not supposed to overlap with
the main network (and if it is 10.anything, it will technically overlap
due to the /8 network you've apparently defined).

I think, this is causing my problem. My plan is to switch tun from
10.8.0.0/255.255.255.255 to 172.8.0.0/255.255.255.0.

I think this will fix things. Do you agree?

Thanks Wayne!

If it's the same subnet, likely...but you never mentioned the subnet of
the tunnel.

When setting up OpenVPN I used the default settings without changing them.
It's 10.8.0.0/255.255.255.255.

I think you are right! I have a conflicting subnet. My plan is to switch
tun from 10.8.0.0/255.255.255.255 to 172.8.0.0/255.255.255.0.

Hi Wayne and Peter,

Little correction to what I wrote earlier on:

My OpenVPN server was not set to 10.8.0.0/255.255.255.255 but 10.8.0.0/255.255.255.0 instead. Therefore I didn't need to change this. Sorry for that.

Things work perfectly again thanks to your questions and suggestions. All it needed was a one line edit in /etc/openvpn/server.conf of the OpenVPN server changing 'server 10.8.0.0 255.255.255.0' to 'server 172.8.0.0 255.255.255.0'.

Thanks so much!!!

Kind regards,
Roman
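
The overlap the thread settles on, as an added example that is not part of any original post: a POSIX shell check of an OpenVPN `server` directive against the LAN network, run on the addresses quoted in the thread. It goes one step beyond the thread by also reporting whether the tunnel range lies in RFC 1918 private space; the function names and the `172.16.8.0` sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check an OpenVPN "server NET MASK"
# directive against the LAN network before deploying it.

# Dotted quad -> 32-bit integer. Runs in a subshell so IFS does not leak.
ip2int() ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )

# Two networks overlap when they agree on every bit that both masks cover.
overlaps() {  # net1 mask1 net2 mask2
    n1=$(ip2int "$1"); m1=$(ip2int "$2")
    n2=$(ip2int "$3"); m2=$(ip2int "$4")
    common=$(( m1 & m2 ))
    [ $(( n1 & common )) -eq $(( n2 & common )) ]
}

# True when the network address is inside RFC 1918 private space.
# Only the network address is tested, which is enough for /24 tunnels.
is_rfc1918() {  # address
    a=$(ip2int "$1")
    [ $(( a & 0xFF000000 )) -eq $(( 0x0A000000 )) ] ||   # 10.0.0.0/8
    [ $(( a & 0xFFF00000 )) -eq $(( 0xAC100000 )) ] ||   # 172.16.0.0/12
    [ $(( a & 0xFFFF0000 )) -eq $(( 0xC0A80000 )) ]      # 192.168.0.0/16
}

# Print one verdict word for a "server NET MASK" line measured against the LAN.
check_tunnel() {  # lan_net lan_mask "server NET MASK"
    set -- "$1" "$2" $3          # split the directive into words
    if [ "$3" != server ]; then echo "not-a-server-directive"; return 0; fi
    if overlaps "$1" "$2" "$4" "$5"; then echo "overlap"; return 0; fi
    if ! is_rfc1918 "$4"; then echo "no-overlap-public-range"; return 0; fi
    echo "ok"
}

# LAN values and the first two directives are quoted from the thread;
# the third directive is a constructed sample.
LAN_NET=10.0.0.0
LAN_MASK=255.0.0.0
for line in 'server 10.8.0.0 255.255.255.0' \
            'server 172.8.0.0 255.255.255.0' \
            'server 172.16.8.0 255.255.255.0'; do
    printf '%-34s %s\n' "$line" "$(check_tunnel "$LAN_NET" "$LAN_MASK" "$line")"
done
```

A tunnel range outside RFC 1918 space no longer collides with the LAN, but any traffic from VPN peers to the real Internet hosts in that range will follow the tunnel route instead.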

Is your problem solved and can the topic be closed?

Is your problem solved and can the topic be closed?

Yes, it is solved and can be closed. Thanks!

Glad you got things working and that it was as simple as adjusting your OpenVPN configuration.

I would still like to know why the network admin has set a /8 network on your router. For most SOHO type networks, this is way overkill in terms of number of hosts supported, and if a network does actually serve more than 253 hosts (i.e. the max for a /24), it is a good idea to subdivide the range using subnets/VLANs... this ensures that the broadcast domain does not get too large and will avoid slowdowns and inefficiencies.

To me, a /8 network in a SOHO environment is unusual and likely a sign of sloppy work by the network admin.

Hi Peter,

The attached schematic should make things clearer...

Kind regards,
Roman

Schematic makes it more clear about the overall architecture of the network, but I still don't understand why a /8 vs smaller networks. A properly designed network can have multiple VLANs that allow and/or restrict inter-VLAN routing as needed, but importantly keeping the broadcast domain small enough to maintain optimal performance overall. Inter-VLAN routing can be handled at a router level or within certain smart/managed switches that have L2+ and limited L3 functionality. Also, with one huge /8, communication across all nodes is trivially easy, but restricting access/communication is not quite as straightforward.

But obviously this is the network designer's choice, so hopefully it is working well.
