Comments
You should probably be giving those VPNs addresses like:
Since, as others have mentioned, those are within a reserved IP space. You're creating some issues by picking IPs at random for your private networks. Use the ones that are specifically assigned for private use.
I have understood! Many many thanks!
Yes, I will do as you said, @tehdan @JustAMacUser
10.0.0.X
10.0.1.X
10.0.2.X
Thank you!
All these posts have taught me a LOT
@plopes - glad to help, openvpn is always a nightmare the first time but it's so useful to have...
One question more...
I have changed this IP range in the server.conf
to
server 10.0.1.0 255.255.255.0
I have restarted openvpn
/etc/init.d/openvpn restart
but users don't connect...
Did you also change iptables to match the new subnet?
e: Could you also clarify: Are users not connecting to the VPN at all? Or are they connecting but there's no apparent traffic (i.e. nothing loads in a browser)?
Oh, this is an edge case, but in some setups you cannot use a subnet if you're on that subnet. For example: if your home network is 10.0.0.0/24 and you try to connect to a VPN that is issuing addresses in 10.0.0.0/24, you're going to encounter some routing issues. That's probably not what you're experiencing now, but I figured I'd throw it out there in case others come across this thread.
This.
It is why I never use 196.168.* for VPN - nearly any home router in EU/DACH runs on 192.168.0.1 (modems) or 192.168.1.1 (wifi routers without modems). 10.0.0.0/24 is also a bad choice as this is the next most common; 172.16/12 is much less used. I usually just pick a random /16 in 10.???.0.0/16, but not 10.10.0.0/16.
This is why a pro OpenVPN setup has 2 client IP ranges
For my personal ones I use the test/documentation ranges reserved in RFC5753 - never had any trouble (nor seen them used in any documentation...) but I'm always a bit reluctant to set other people up that way just in case... anyone tried this/hit any problems?
Hi again!
I have tried with the openvpn server range on 10.0.1.X and 5 of 10 users didn't connect at all, even after restarting openvpn on the server and client side.
Today I have tried 10.50.0.X and only 2 don't connect.
On client side, all of them, at home, have range like 192.168.1.X
Can it be because of that?
Another thing, I have static IPs in /etc/openvpn/ccd
with a file named after the user, and inside this file
ifconfig-push 10.50.0.2 10.50.0.3
Is there any rule not to start from 10.50.0.2?
Ah right, if you're assigning IPs with CCD then you need to give out /30 subnets, by specifying the host IPs in your ifconfig-push directive, i.e. -
10.0.50.5 10.0.50.6
10.0.50.9 10.0.50.10
10.0.50.13 10.0.50.14
... And so on
This is because of a limitation in the Windows tun driver. If you have no Windows clients you can make life easier...
You can get all the possible valid IPs here: https://docs.openvpn.net/subnet-mask-cheat-sheet/ (look at the /30 table)
So you can start with
ifconfig-push 10.50.0.2 10.50.0.3
then
ifconfig-push 10.50.0.5 10.50.0.6
then
ifconfig-push 10.50.0.8 10.50.0.9
You can also use the CGNAT range; I use the 100.100.11.1-200 range
Sorry for my ignorance @tehdan, but what are /30 subnets? In practical terms, what does that mean?
On Windows, openvpn creates a small virtual network per client - a /30 is the smallest possible subnet with 2 usable IPs - one for the client, one for the server. You have to use the pairs as per above. The reason for the gaps is any IP subnet has 2 reserved/special IPs: network and broadcast.
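The /30 pairing rule described in the replies above, as an added example that is not part of the original posts: it lists the usable client/peer pairs for a VPN subnet, checks `ifconfig-push` lines against the rule, and flags a VPN subnet that overlaps a client's home LAN. The function names are hypothetical, and skipping the first /30 block assumes the server keeps it for itself.

```python
import ipaddress

def net30_pairs(server_subnet, skip_first=True):
    """Return (client, peer) host pairs, one per /30 block of the VPN subnet.

    skip_first drops the first block (.1/.2); assumption: the server keeps
    that block for itself when each client gets its own /30.
    """
    net = ipaddress.ip_network(server_subnet)
    blocks = list(net.subnets(new_prefix=30))
    start = 1 if skip_first else 0
    return [tuple(str(h) for h in b.hosts()) for b in blocks[start:]]

def check_ccd_line(line):
    """Validate one 'ifconfig-push <client> <peer>' line; return 'ok' or a reason."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return "not an ifconfig-push line"
    client, peer = (ipaddress.ip_address(p) for p in parts[1:])
    if client == peer:
        return "client and peer are the same address"
    # The /30 block is derived from the client address; the peer must share it.
    block = ipaddress.ip_network(f"{client}/30", strict=False)
    if peer not in block:
        return f"{client} and {peer} are in different /30 blocks"
    for ip in (client, peer):
        if ip == block.network_address:
            return f"{ip} is the network address of {block}"
        if ip == block.broadcast_address:
            return f"{ip} is the broadcast address of {block}"
    return "ok"

def clashes_with_lan(vpn_subnet, client_lan):
    """True when the VPN subnet overlaps the LAN the client is sitting on."""
    return ipaddress.ip_network(vpn_subnet).overlaps(ipaddress.ip_network(client_lan))

if __name__ == "__main__":
    # ifconfig-push lines quoted in the thread, checked against the /30 rule.
    for line in ("ifconfig-push 10.50.0.2 10.50.0.3",
                 "ifconfig-push 10.50.0.5 10.50.0.6",
                 "ifconfig-push 10.50.0.8 10.50.0.9"):
        print(f"{line:36} -> {check_ccd_line(line)}")
    print(net30_pairs("10.50.0.0/24")[:3])
    # Constructed client LAN, matching the 192.168.1.X range mentioned above.
    print(clashes_with_lan("10.50.0.0/24", "192.168.1.0/24"))
```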
Please advise what IP I should use on the openvpn server so that clients can access the public Internet from the VPN...
Should I use
10.0.0.X?
10.50.0.X?
10.0.50.X?
Or any other range of IP?
Because I had 100.0.0.X and 22.0.0.X without any problem, but when I had these IPs I didn't need to route traffic to the public Internet
You should use any private IP range:
192.168.0.0/16 (192.168.0.0-192.168.255.255)
10.0.0.0/8 (10.0.0.0-10.255.255.255)
172.16.0.0/12 (172.16.0.0-172.31.255.255)
If you use any public range, like the 100.x.x.x you used, and you try to access a website which uses a real assigned 100.x.x.x address, you won't be able to.
Many thanks!