
Resolved
0 votes
Hello all,
for the first time, I have a case with an OpenVPN connection where an internal special machine (machine tool) refuses to talk with an external client using OpenVPN. We tried the port forwarding, too, but no chance .. but it works with computers connected in the internal LAN. So we are wondering if the address the distant client gets (10.0.xxxx) could be the problem, and I'd like our OpenVPN server to be configurable to distribute addresses coming from the ClearOS DHCP server like other computers. But I wasn't able to find where and how ..
So if someone has an idea, it's really welcome :)
Thanks to all
In OpenVPN
Friday, September 08 2017, 02:50 PM
Responses (1)
  • Accepted Answer

    Saturday, September 09 2017, 08:17 AM - #Permalink
    Resolved
    0 votes
    Hi Arnaud, no, you can't get OpenVPN to use DHCP. You could segregate your LAN subnet, say, into two /25 subnets, one for DHCP and one for OpenVPN, but remember OpenVPN uses four addresses per user and four for itself, so it is quite IP hungry.

    Unfortunately, some sysadmins, seeing that 10.0.0.0/8 is a private address space take the whole of it without understanding the implications - and realising this gives them 16,777,214 usable addresses which is MegaCorp territory.

    It is easy to change the subnet which OpenVPN uses. It is specified in /etc/openvpn/clients.conf. If you find what LAN subnet your user has, you can change yours. 10.0.x.x should not interfere with the OpenVPN default, which is 10.8.0.0/24, but perhaps he has a wider subnet. You could move into the 172.16.0.0/12 or 192.168.0.0/16 areas if you want. From observations, many hotels seem to use something in the 172.16.0.0/12 range. Personally I use 172.17.3.0/24 with my LAN on 172.17.2.0/24 (adjacent for a very particular purpose). I don't travel a lot but have never had issues. I would try to choose something not memorable like 192.168.168.0/24 or anything low in that subnet. Arguably my LAN is memorable as well.

    You can even have a backup strategy and give the user two optional tunnels. To do this, clone /etc/openvpn/clients.conf to something else, change the port (e.g. to 1195) and the "ifconfig-pool-persist /var/lib/openvpn/ipp.txt 120" line to point to a different file. Restart OpenVPN and open the new incoming port. On the client, clone the .ovpn file and change the port. Then he can connect with either file. I do something very similar, but in my cloned clients.conf I have the line 'push "redirect-gateway def1"' so, if I use that connection, all traffic gets redirected through the tunnel. This is so, when we travel with the kids, they can still get BBC iPlayer on holiday - the BBC geo-blocks access. It also means I can get the BBC News site without ads and UK focussed.
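The two practical points in the accepted answer, the subnet clash to rule out before changing the tunnel range, and the cloned second server instance with its own port and pool file, as an added shell example that is not part of the post and not ClearOS or OpenVPN code. It builds a constructed scratch copy of clients.conf in a temp directory (never touching /etc/openvpn); the paths /etc/openvpn/clients.conf, /var/lib/openvpn/ipp.txt and port 1195 come from the answer, while the alternate pool file name ipp-alt.txt and the 10.9.0.0/24 subnet are assumed values. The clone also gets its own "server" subnet, which the answer does not mention: two server instances on one host cannot both claim the same tunnel address.

```shell
#!/bin/sh
# Added example, not from the ClearOS post nor from OpenVPN/ClearOS itself.
# Everything below runs against a constructed scratch config, not /etc/openvpn.

# "a.b.c.d" -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "addr/prefix" -> "<network as integer> <prefix length>"
net_of() {
    addr=${1%/*}; plen=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    echo "$(( $(ip2int "$addr") & mask )) $plen"
}

# Exit 0 when two IPv4 CIDR ranges overlap: masked to the shorter prefix,
# both networks are identical. Run it on the remote user's LAN against the
# tunnel subnet and against the LAN behind the server before picking a range.
subnet_overlaps() {
    set -- $(net_of "$1") $(net_of "$2")
    a=$1; ap=$2; b=$3; bp=$4
    p=$ap; [ "$bp" -lt "$p" ] && p=$bp
    mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Write a second server instance from SRC to DST: new port, its own
# ifconfig-pool-persist file and its own tunnel subnet, optionally pushing
# redirect-gateway so all client traffic goes through the tunnel.
# Usage: clone_openvpn_instance SRC DST PORT IPP "NET MASK" [redirect]
clone_openvpn_instance() {
    sed -e "s#^port .*#port $3#" \
        -e "s#^ifconfig-pool-persist .*#ifconfig-pool-persist $4 120#" \
        -e "s#^server .*#server $5#" \
        "$1" > "$2"
    [ "${6:-}" = redirect ] && printf 'push "redirect-gateway def1"\n' >> "$2"
    return 0
}

# Exit 0 if two server configs collide on port, pool file or tunnel subnet.
instance_conflicts() {
    for key in port ifconfig-pool-persist server; do
        a=$(grep "^$key " "$1" || true); b=$(grep "^$key " "$2" || true)
        [ "$a" = "$b" ] && return 0
    done
    return 1
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Constructed sample in the shape of ClearOS's clients.conf, not the real file.
cat > "$WORK/clients.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/lib/openvpn/ipp.txt 120
keepalive 10 120
EOF

# Backup tunnel on port 1195 (from the answer); pool file name and the
# 10.9.0.0/24 subnet are assumed choices. Remote users get the redirect.
clone_openvpn_instance "$WORK/clients.conf" "$WORK/clients-alt.conf" \
    1195 /var/lib/openvpn/ipp-alt.txt "10.9.0.0 255.255.255.0" redirect

# A remote site that grabbed the whole of 10.0.0.0/8 swallows the default tunnel.
if subnet_overlaps 10.0.0.0/8 10.8.0.0/24; then
    echo "10.0.0.0/8 at the client side overlaps the 10.8.0.0/24 tunnel: move the tunnel"
fi
instance_conflicts "$WORK/clients.conf" "$WORK/clients-alt.conf" \
    && echo "instances collide" || echo "instances are distinct"
```

After cloning, the remaining steps are exactly those in the answer: restart OpenVPN, open the new incoming port on the firewall, and hand the user a second .ovpn with the port changed.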