Posted: Tue Feb 27, 2024 11:10 Post subject: Openvpn conflicts when local & server networks have same
I have OpenVPN server running via DDWRT on a Netgear R6700v3.
The server subnet is 192.168.1.x with the router at 192.168.1.1
I access it using OpenVPN running both on Win11 and on my Pixel phone.
All is fine, EXCEPT when the remote local subnet is also 192.168.1.x with the local router at 192.168.1.1 (same as on the OpenVPN server network)
In that case, it works fine on my Pixel phone but on Win11, I am seemingly getting dns conflicts.
Specifically,
-When I try to access my server router (192.168.1.1), I get the local router on 192.168.1.1 (though I can connect to addresses on my server's 192.168.1.x subnet)
-Presumably as a result, WAN DNS doesn't work -- i.e., I can't ping a WAN ip-name (though I can ping it by IP address.)
I tried adding the client option `block-outside-dns`, but that didn't help.
So, how do I get OpenVPN to work when the local client subnet has the same IP address as the remote server?
It is strange though that it works on Android but not on Windows...
Note I followed the DD-WRT OpenVPN guide.
For reference, on the server side, I added the following to `Additional Configuration`:
Code:
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN mydomain"
push "dhcp-option ADAPTER_DOMAIN_SUFFIX mydomain"
server 10.10.10.0 255.255.255.0 nopool
ifconfig-pool 10.10.10.1 10.10.10.100
For the client, I use:
Code:
client
dev tun
remote myfullyqualifieddomain 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4 #Verbosity
float
tun-mtu 1400 #Lowered default can be commented to let OpenVPN decide
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
Joined: 18 Mar 2014 Posts: 13281 Location: Netherlands
Posted: Tue Feb 27, 2024 11:22 Post subject:
From the first page of the OpenVPN Server setup guide:
Quote:
Note:
1. If you use the default TUN setup, which is a routed solution, the server's subnet, the OpenVPN subnet (10.8.0.0) and the client's subnet must all be different!
2. Testing can only be done from outside, e.g. with your phone or laptop on cellular data or from a friend's/neighbour's internet.
That is why it usually is a good idea to use something different than 192.168.1.1 for the router on which you place your OpenVPN (or WG) server.
From the first page of the OpenVPN Server setup guide:
Quote:
Note:
1. If you use the default TUN setup, which is a routed solution, the server's subnet, the OpenVPN subnet (10.8.0.0) and the client's subnet must all be different!
2. Testing can only be done from outside, e.g. with your phone or laptop on cellular data or from a friend's/neighbour's internet.
That is why it usually is a good idea to use something different than 192.168.1.1 for the router on which you place your OpenVPN (or WG) server.
Ahhh. Thanks for the reference!
Granted 192.168.1.x may not be the greatest choice since it is so common, but unless you have a static WAN IP address, how do you guarantee that the #1 above will be true?
Also, changing away from 192.168.1.x for my server network would not be easy since there are so many static addresses and routines that depend on it that have built up over the years.
Is there any solution that would work in Win11?
After all, everything seems to work fine on my Android Pixel running on the same 192.168.1.x client network so it clearly is possible on some architectures...
Note both Win11 and Android Pixel are running OpenVPN 3.4.x with the same profile.
In partial answer to my own question, possibly it works on Android because when the VPN is alive, `ifconfig` shows no IPv4 network other than the 10.10.10.xxx VPN network assignment (i.e., the original 192.168.1.xxx client LAN assignment is no longer present).
In contrast, on Win11, `ifconfig` shows both a 10.10.10.xxx VPN network assignment as well as the original 192.168.1.xxx client LAN assignment, thus allowing for a routing conflict, since it appears that the client LAN routing is preferred to the VPN routing.
If that is true, is there any way to get OpenVPN on Win11 to ignore/shut down the original client LAN 192.168.1.xxx network assignment so long as the VPN connection is alive?
Perhaps one can change the routing priority so that the VPN is looked up first?
Note adding `block-outside-dns` didn't help...
Last edited by puterboy2 on Tue Feb 27, 2024 12:18; edited 1 time in total
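One way to confirm the overlap described in the post before blaming DNS, written as an added example (not code from this thread, from DD-WRT or from OpenVPN): it parses the routes and DNS server that a client logs from the server's PUSH_REPLY and checks them against the client's own on-link prefix. The PUSH_REPLY line, the client address 192.168.1.37 and the pushed `route 192.168.1.0 255.255.255.0` are constructed for the example (the server config quoted above does not show a `route` push, so that line is an assumption); the pushed DNS server mirrors the `dhcp-option DNS 192.168.1.1` in the thread.

```python
"""Detect address-space collisions between a VPN client's local LAN and what the
OpenVPN server pushes.  Added example for this thread; all input is constructed."""
import ipaddress
import re

# Constructed sample of the line an OpenVPN client logs after PUSH_REPLY.
# The route and DNS server mirror the server LAN in the thread; the tunnel
# address 10.10.10.6 is invented to sit inside the thread's 10.10.10.0/24 pool.
SAMPLE_PUSH_REPLY = (
    "PUSH: Received control message: 'PUSH_REPLY,"
    "route 192.168.1.0 255.255.255.0,"
    "dhcp-option DNS 192.168.1.1,"
    "dhcp-option DOMAIN mydomain,"
    "ifconfig 10.10.10.6 255.255.255.0'"
)
# Constructed: the Win11 laptop's Wi-Fi/Ethernet address on the remote LAN.
SAMPLE_LOCAL_PREFIXES = ["192.168.1.37/24"]


def parse_push_reply(line):
    """Return (routes, dns_servers, tunnel_prefix) parsed from a PUSH_REPLY log line."""
    m = re.search(r"PUSH_REPLY,(.*)'", line)
    if not m:
        raise ValueError("no PUSH_REPLY found in line")
    routes, dns, tunnel = [], [], None
    for opt in m.group(1).split(","):
        parts = opt.split()
        if not parts:
            continue
        if parts[0] == "route" and len(parts) >= 3:
            # "route <network> <netmask>": ip_network accepts the dotted netmask form
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[:2] == ["dhcp-option", "DNS"] and len(parts) >= 3:
            dns.append(ipaddress.ip_address(parts[2]))
        elif parts[0] == "ifconfig" and len(parts) >= 3:
            # "ifconfig <tunnel address> <netmask>" (subnet topology)
            tunnel = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    return routes, dns, tunnel


def find_conflicts(local_prefixes, routes, dns_servers, tunnel):
    """List every pushed route, DNS server or tunnel prefix that collides with a
    local on-link prefix.  An empty list means the three subnets are distinct,
    which is the condition the setup guide quoted above requires."""
    local = [ipaddress.ip_network(p, strict=False) for p in local_prefixes]
    findings = []
    for lan in local:
        for r in routes:
            if lan.overlaps(r):
                findings.append(f"route {r} overlaps local on-link prefix {lan}")
        if tunnel is not None and lan.overlaps(tunnel):
            findings.append(f"tunnel prefix {tunnel} overlaps local on-link prefix {lan}")
        for d in dns_servers:
            if d in lan:
                # This is the symptom in the thread: the pushed resolver address is
                # also the local router, so queries never leave the local LAN.
                findings.append(
                    f"pushed DNS server {d} lies inside local prefix {lan}; "
                    "queries will reach the local router, not the remote one")
    return findings


def check_sample():
    """Run the check over the constructed sample and return the findings."""
    routes, dns, tunnel = parse_push_reply(SAMPLE_PUSH_REPLY)
    return find_conflicts(SAMPLE_LOCAL_PREFIXES, routes, dns, tunnel)


if __name__ == "__main__":
    for f in check_sample() or ["no conflicts"]:
        print(f)
```

On a real Windows client the local prefixes come from `Get-NetIPAddress -AddressFamily IPv4` (address plus PrefixLength) and the PUSH_REPLY line from the OpenVPN client log at `verb 4`; the check reports two collisions for the sample (the pushed route and the pushed DNS server) and none once the client LAN is, say, 192.168.2.0/24, which is the situation the setup guide asks for.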
I seem to be able to fix the problem by manually running the following on the client after launching the VPN:
This solves both of the problems outlined in my original post.
So,
1. Is this a valid solution? Or will it have other potentially deleterious effects beyond making it impossible to access the local LAN?
2. Is there any way to do this within OpenVPN?