1

I have a device which connects to my VPN, that I plan to distribute to third parties.

My VPN ipset network is 10.8.0.0. I am also pushing 'route 10.7.0.0'.

Please excuse the config above. My question is unrelated to whether it is correct.

A client informed me that connecting my device caused another of his systems to lose connection with the network. Could the VPN cause this?

I am fine with my device not being able to connect to my VPN, but causing one of the third party's systems to go down is not acceptable. I believe this should not be caused by the VPN. Does anyone know of such problems?

acid_crucifix
  • Is this the correct place for this question? If not, please redirect me to the correct forum. I find myself getting confused between serverfault and superuser as to where the question belongs – acid_crucifix Dec 11 '14 at 19:48

1 Answer

4

> A client informed me that connecting my device caused another of his systems to lose connection with the network. Could the VPN cause this?

Yes, that's possible. What you're describing can be caused by an address space collision - your VPN uses an address range that is also used on the other network, so when the VPN is connected, there is a range (or ranges) of IP addresses that are in use by each network, which can result in devices on those networks becoming inaccessible from one side or another, due to there being different routes to the same address ranges, depending on which network you're on.

See this older question for more details, but it doesn't sound like it's something you'll be able to eliminate completely. (Not without switching over to pure IPv6, which you can expect to cause problems with networks that don't support IPv6.) Your best option is probably to use a less frequently used range (10.0.0.0/8 is a very frequently used range, like 192.168.0.0/16), which is generally something in the 172.16.0.0/12 private address space. Of course, for that reason, the 172.16.0.0/12 address space is frequently used for VPNs, which can create address space collisions of its own.

For whatever it's worth, I use the upper half of the 172.16.0.0/12 address space for my SOHO network, and have yet to experience a collision, so that might be worth considering. For this specific client, the quickest solution would be finding out the IP address of the device that becomes inaccessible (to verify that you're seeing an IP address space collision), then getting a list of the private IP address subnets used, and switching your VPN to use a range that is not in use on this client's network.

HopelessN00b
  • If you can't find a network range, another less commonly known range that you can probably get away with using is the CGN range `100.64.0.0/10` (RFC 6598) – Zoredache Dec 11 '14 at 21:15
  • Thanks for the reply, I will switch my network to the 172.16.0.0/12 space based on your advice, and will also try the 100.64 one if the first leads to conflicts. I still am not able to understand the problem though. My doubt is that two devices on the external network should not be affected by a third device trying to use VPN, because only the VPN-using device should no about the VPN network? Isn't that right? – acid_crucifix Dec 14 '14 at 13:12
  • know* about the VPN network – acid_crucifix Dec 14 '14 at 13:19
  • Okay, I think I understand a little, the router also needs to know about the VPN IP range to handle it correctly, I guess – acid_crucifix Dec 14 '14 at 13:32
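
The check the answer recommends (list the client's private subnets, confirm the overlap, then pick a range not in use there), as an added example that is not part of the original thread. The /24 masks on 10.8.0.0 and 10.7.0.0 and the client subnet list are assumptions; the page gives neither.

```python
import ipaddress

# Assumption: the question gives 10.8.0.0 and 10.7.0.0 without masks; /24 is assumed.
VPN_NETS = [ipaddress.ip_network("10.8.0.0/24"), ipaddress.ip_network("10.7.0.0/24")]

# Ranges suggested in the thread: the upper half of 172.16.0.0/12
# (which is 172.24.0.0/13) and the CGN range 100.64.0.0/10.
CANDIDATE_POOLS = [ipaddress.ip_network("172.24.0.0/13"),
                   ipaddress.ip_network("100.64.0.0/10")]


def parse_client_subnets(lines):
    """Parse one CIDR per line; skip blanks and '#' comments; tolerate host bits."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def find_collisions(vpn_nets, client_nets):
    """Return (vpn_net, client_net) pairs whose address ranges overlap."""
    return [(v, c) for v in vpn_nets for c in client_nets
            if v.version == c.version and v.overlaps(c)]


def pick_free_subnet(client_nets, pools=CANDIDATE_POOLS, prefixlen=24):
    """Return the first subnet of size prefixlen in pools that no client subnet overlaps."""
    for pool in pools:
        for cand in pool.subnets(new_prefix=prefixlen):
            if not any(cand.version == c.version and cand.overlaps(c)
                       for c in client_nets):
                return cand
    return None  # every candidate collides with something on the client side


# Constructed sample of a client's subnet list (not from the thread).
CLIENT_SAMPLE = """\
192.168.1.0/24   # office LAN
10.0.0.0/8       # flat internal range, covers both VPN networks
172.24.0.0/16    # lab
"""

if __name__ == "__main__":
    client = parse_client_subnets(CLIENT_SAMPLE.splitlines())
    for vpn, lan in find_collisions(VPN_NETS, client):
        print(f"collision: VPN {vpn} overlaps client {lan}")
    print("suggested VPN subnet:", pick_free_subnet(client))
```
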