
I am generating an OpenVPN configuration for my server. I want clients to be able to access my server's router, which is 192.168.1.1, as well as the local network, so I pushed this route:

192.168.1.1/24

and then imported the OVPN file on my Windows OpenVPN client (the official one).

On my Windows machine it works. On another Windows machine (my father's computer) it connects, but I can't access 192.168.1.1. I end up accessing the local router, not the remote one.

Somebody on the OpenVPN forum said that I shouldn't add 192.168.1.1/24. Why? How should I do it then?

Guerlando OCs
  • How is your system supposed to know which host is meant if you address 192.168.1.1? OpenVPN offers the option `--client-nat` for reducing such problems. – Hauke Laging Apr 27 '20 at 21:11
  • @HaukeLaging you mean the OpenVPN client? I'm using the Windows one, I can't use the command line – Guerlando OCs Apr 28 '20 at 00:48
  • The command line options can be used in the config file, too. – Hauke Laging Apr 28 '20 at 07:46
  • As a general rule: Avoid using 192.168.0.0/16 for business networks, use higher numbers for guest wifi (192.168.100-255.x) and 10.0.0.0/8 for business networks, even avoid 172.16.0.0/12 since docker has basically consumed that network space. – Jacob Evans May 04 '20 at 22:51
  • Also see similarly suggested, not to use that network ID - https://forums.openvpn.net/viewtopic.php?t=19680 – Jacob Evans May 04 '20 at 22:53

3 Answers


They are telling you not to use 192.168.1.1/24 because almost all home routers use that subnet by default. Just change it to 192.168.2.0/24 - that should cure your problem.

CB_Ron
  • Wait, I don't understand. How do I make 192.168.2.0/24 on the client, access 192.168.1.0/24 on the server? – Guerlando OCs Apr 28 '20 at 00:49
  • I was suggesting you make the server's subnet 192.168.2.0/24 and then push that route. That way it will not conflict with home routers that pretty much all use 192.168.1.0/24. – CB_Ron Apr 28 '20 at 19:43
  • Unfortunately I can't do that – Guerlando OCs Apr 30 '20 at 23:02
  • 2
    There is another way: you can reconfigure father's home router and hope other users won't have same subnet in theirs (which is quite probable). – Eugene Apr 30 '20 at 23:07
3

As @Hauke Laging has mentioned, you can map another subnet/IP (one that is less often used by home routers) to 192.168.1.0/24 or 192.168.1.1. For example:

push "route 10.0.9.0 255.255.255.0"
push "client-nat dnat 192.168.1.0 255.255.255.0 10.0.9.0"

or

push "route 10.11.12.13"
push "client-nat dnat 192.168.1.1 255.255.255.255 10.11.12.13"

Then you can access the 192.168.1.0/24 network (or the host 192.168.1.1) that the server is connected to as 10.0.9.0/24 (or 10.11.12.13) on the VPN client.

This can be done with DNAT or NETMAP in iptables as well. Assuming by "accessing the router" you mean its web UI, you may even just DNAT say $server_vpn_ip:80 to 192.168.1.1:80, if the former isn't occupied already.

(Note: assuming the server has already been doing IP forwarding and masquerading.)

Tom Yan
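The two mechanisms in Tom Yan's answer, as an added example that is not part of his post: first, why the father's PC ends up at the local router when the pushed route is the same /24 as its own LAN (longest-prefix match ties, and the on-link route wins on metric), and second, the stateless 1:1 prefix-preserving translation that both `client-nat` and iptables `NETMAP` perform, carried through a request and its reply. The interface names, metrics, packet dicts and the 10.0.9.0/24 alias are constructed for the example; the rendered `iptables` line is the server-side NETMAP form of the same mapping. Standard library only.

```python
# Added example (not from the original answers): route precedence on the
# client, and the 1:1 address translation behind client-nat / iptables NETMAP.
# Interface names, metrics and packets below are constructed sample data.
import ipaddress


def best_route(dst, routes):
    """Longest-prefix match over (network, interface, metric) entries; on an
    equal prefix the lower metric wins, which is how the on-link LAN route
    beats a VPN route for the very same /24. Returns the interface name."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, metric in routes:
        if dst not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[2]):
            best = (net, iface, metric)
    return best[1] if best else None


def netmap(addr, from_net, to_net):
    """Prefix-preserving 1:1 translation: keep the host bits, swap the prefix.
    This is the arithmetic of iptables NETMAP and client-nat: no state table,
    so every host in the /24 is reachable, not only the router at .1."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("both networks must be the same size")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) & int(from_net.hostmask)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)


def translate(packet, alias_net, real_net):
    """Apply the destination alias to one packet given as a dict with
    'src', 'dst' and 'dir' ('to_server' = client -> LAN, 'to_client' = reply).
    Outbound, the alias destination becomes the real LAN address; on the
    reply, the real LAN source is rewritten back to the alias, so the client
    sees the answer come from the address it sent to."""
    p = dict(packet)
    if p["dir"] == "to_server" and ipaddress.ip_address(p["dst"]) in alias_net:
        p["dst"] = str(netmap(p["dst"], alias_net, real_net))
    elif p["dir"] == "to_client" and ipaddress.ip_address(p["src"]) in real_net:
        p["src"] = str(netmap(p["src"], real_net, alias_net))
    return p


def netmap_rule(iface, alias_net, real_net):
    """Server-side equivalent of the alias: an iptables NETMAP rule for
    packets arriving from the VPN interface (assumes forwarding is on)."""
    return (f"iptables -t nat -A PREROUTING -i {iface} -d {alias_net} "
            f"-j NETMAP --to {real_net}")


# Constructed sample: the father's PC. Its own LAN is 192.168.1.0/24 and the
# server pushes the same /24 through the tunnel (the setup from the question).
LAN = ipaddress.ip_network("192.168.1.0/24")
FATHER_PC = [
    (LAN, "ethernet", 25),                              # on-link, lower metric
    (ipaddress.ip_network("10.8.0.0/24"), "tun0", 30),  # VPN transport subnet
    (LAN, "tun0", 30),                                  # pushed route 192.168.1.0/24
]
ALIAS = ipaddress.ip_network("10.0.9.0/24")             # constructed alias
WITH_ALIAS = FATHER_PC[:2] + [(ALIAS, "tun0", 30)]      # pushed route 10.0.9.0/24

if __name__ == "__main__":
    print("192.168.1.1 ->", best_route("192.168.1.1", FATHER_PC))  # ethernet
    print("10.0.9.1    ->", best_route("10.0.9.1", WITH_ALIAS))    # tun0
    out = translate({"src": "10.8.0.6", "dst": "10.0.9.1", "dir": "to_server"}, ALIAS, LAN)
    print("on the wire:", out)
    back = translate({"src": "192.168.1.1", "dst": "10.8.0.6", "dir": "to_client"}, ALIAS, LAN)
    print("reply as seen by the client:", back)
    print(netmap_rule("tun0", ALIAS, LAN))
```

The first two calls show the whole problem: the same destination that the original poster's own PC may happen to route into the tunnel is, on a host whose LAN already is 192.168.1.0/24, resolved by the on-link route. Once the client addresses the alias instead, nothing on its LAN competes for the prefix, and the translation restores the real addresses on both legs.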

Avoid commonly used private networks in VPN subnets

This concerns both the subnets assigned to the VPN clients on the remote side and all the networks that need to be accessed over the VPN. If there is a local network the client is directly connected to and it has an overlapping subnet, it takes precedence.

I've listed some subnets you should avoid in an answer from 2017:

Techspot has A List of Common Default Router IP Addresses that helps with this. Usually home routers use /24 subnets. Nowadays mobile phones are often used for sharing a network connection, so we must take these ranges into account, too. From the list we can deduce that we should avoid:

  • 192.168.0.0/19 - most of the routers seem to use some of these, above 192.168.31.255.
  • 10.0.0.0/24 is also widely used, and Apple uses 10.0.1.0/24.
  • 192.168.100.0/24 is used by Motorola, ZTE, Huawei and Thomson.
  • Motorola uses (in addition) 192.168.62.0/24 and 192.168.102.0/24.
  • 192.168.123.0/24 is used by LevelOne, Repotec, Sitecom and U.S. Robotics (less common).
  • Some D-Links have 10.1.1.0/24 and 10.90.90.0/24.

OpenVPN recommendations and defaults

OpenVPN has published an article on Numbering private subnets:

While addresses from these netblocks should normally be used in VPN configurations, it’s important to select addresses that minimize the probability of IP address or subnet conflicts. The types of conflicts that need to be avoided are:

  • conflicts from different sites on the VPN using the same LAN subnet numbering, or
  • remote access connections from sites which are using private subnets which conflict with your VPN subnets.

The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely. The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (for example 10.66.77.0/24).

For the client subnets, OpenVPN defaults to 10.8.0.0/24. From Topology in OpenVPN:

Subnet topology is the current recommended topology; it is not the default as of OpenVPN 2.3 for reasons of backwards-compatibility with 2.0.9-era configs. It is safe and recommended to use subnet topology when no old/outdated clients exist that are running OpenVPN 2.0.9 under Windows.

Esa Jokinen