All times are UTC




 Post subject: Getting wrong remote LAN subnet (i.e. Green subnet)
Posted: 01.12.2009 03:49
DES

Joined: 30.11.2009 17:24
Posts: 3
We have been running IPCop 1.4.21 with Zerina for OpenVPN access and Tunnelblick on the client side successfully for some time.

We recently changed the subnet on the local LAN (Green interface) to be 192.168.64.0 to avoid conflicts when using OpenVPN with public WIFI points set up with subnet 192.168.1.0 (which is what we had on our local LAN before). All machines on Green interface changed numbers and we are successfully communicating out from the LAN and can reach inside and outside from the IPCop machine (Green, Red, Blue, Orange interfaces).

But when running Tunnelblick to access the LAN on the Green interface we get the following warning:
Code:
2009-12-01 08:48:55 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]

The local LAN being the WIFI access point we are using on the outside and remote VPN should be our local LAN.

We can see that the VPN tunnel is set up correctly in the Zerina interface, which marks a particular tunnel connection with a particular certificate "Open". In the OpenVPN Connection statistics we can see that some amount of data is transferred, about 8KB.

IPCop and all the client machines have been restarted.

But we get the wrong IP subnet on the Green interface when trying to connect now from the outside.

Where does the 192.168.1.0 subnet setting come from for our Green interface when we have changed it to 192.168.64.0?

Are there settings for Zerina which are not changed automatically when changing the IP on the Green interface? Like a config file or something.

Full connect log from Tunnelblick is below.


 Post subject: Re: Getting wrong remote LAN subnet (i.e. Green subnet)
Posted: 01.12.2009 03:49
DES

Joined: 30.11.2009 17:24
Posts: 3
Code:
2009-12-01 08:48:42 Tunnelblick 3 (3.0b18 build 576); OpenVPN 2 (2.1_rc19)
2009-12-01 08:48:46 SUCCESS: pid=2089
2009-12-01 08:48:46 SUCCESS: real-time state notification set to ON
2009-12-01 08:48:46 SUCCESS: real-time log notification set to ON
2009-12-01 08:48:46 OpenVPN 2.1_rc19 i386-apple-darwin9.8.0 [SSL] [LZO2] [PKCS11] built on Sep 23 2009
2009-12-01 08:48:46 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2009-12-01 08:48:46  waiting...
2009-12-01 08:48:46 MANAGEMENT: Client connected from 127.0.0.1:1337
2009-12-01 08:48:46 MANAGEMENT: CMD 'pid'
2009-12-01 08:48:46 MANAGEMENT: CMD 'state on'
2009-12-01 08:48:46 MANAGEMENT: CMD 'log on all'
2009-12-01 08:48:46 END
2009-12-01 08:48:46 MANAGEMENT: CMD 'hold release'
2009-12-01 08:48:46 SUCCESS: hold release succeeded
2009-12-01 08:48:46 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2009-12-01 08:48:46 WARNING: file 'Thomas.p12' is group or others accessible
2009-12-01 08:48:46 LZO compression initialized
2009-12-01 08:48:46  you should also set --tun-mtu 1500 (currently it is 1400)
2009-12-01 08:48:46 Control Channel MTU parms [ L:1442 D:138 EF:38 EB:0 ET:0 EL:0 ]
2009-12-01 08:48:46 Data Channel MTU parms [ L:1442 D:1442 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2009-12-01 08:48:46 Local Options hash (VER=V4): 'a6ae7d69'
2009-12-01 08:48:46 Expected Remote Options hash (VER=V4): '006a55ce'
2009-12-01 08:48:46  or --up-delay
2009-12-01 08:48:46 Socket Buffers: R=[42080->65536] S=[9216->65536]
2009-12-01 08:48:46 UDPv4 link local: [undef]
2009-12-01 08:48:46 UDPv4 link remote: XX.233.XX.42:1194
2009-12-01 08:48:46
2009-12-01 08:48:47
2009-12-01 08:48:47  sid=eadfe373 4ed7a2be
2009-12-01 08:48:49  /C=SE/O=Our_Company/OU=Our_Office/CN=Our_Company_CA/emailAddress=me@myemail.com
2009-12-01 08:48:49 VERIFY OK: nsCertType=SERVER
2009-12-01 08:48:49  /C=SE/O=Our_Company/OU=Our_Place/CN=mailgate.ourdomain.com
2009-12-01 08:48:53 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2009-12-01 08:48:53 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2009-12-01 08:48:53 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2009-12-01 08:48:53 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2009-12-01 08:48:53  1024 bit RSA
2009-12-01 08:48:53 [mailgate.ourdomain.com] Peer Connection Initiated with XX.233.XX.42:1194
2009-12-01 08:48:54
2009-12-01 08:48:54 SENT CONTROL [mailgate.ourdomain.com]: 'PUSH_REQUEST' (status=1)
2009-12-01 08:48:55 ifconfig 10.189.241.6 10.189.241.5'
2009-12-01 08:48:55 OPTIONS IMPORT: timers and/or timeouts modified
2009-12-01 08:48:55 OPTIONS IMPORT: --ifconfig/up options modified
2009-12-01 08:48:55 OPTIONS IMPORT: route options modified
2009-12-01 08:48:55 ROUTE default_gateway=192.168.1.1
2009-12-01 08:48:55 TUN/TAP device /dev/tun0 opened
2009-12-01 08:48:55
2009-12-01 08:48:55 /sbin/ifconfig tun0 delete
2009-12-01 08:48:55 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2009-12-01 08:48:55 /sbin/ifconfig tun0 10.189.241.6 10.189.241.5 mtu 1400 netmask 255.255.255.255 up
2009-12-01 08:48:55 /Applications/More Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh tun0 1400 1442 10.189.241.6 10.189.241.5 init
2009-12-01 08:48:55
2009-12-01 08:48:55 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
2009-12-01 08:48:55 /sbin/route add -net 192.168.1.0 10.189.241.5 255.255.255.0
2009-12-01 08:48:55 /sbin/route add -net 10.189.241.1 10.189.241.5 255.255.255.255
2009-12-01 08:48:55 GID set to nobody
2009-12-01 08:48:55 UID set to nobody
2009-12-01 08:48:55 Initialization Sequence Completed
2009-12-01 08:48:55 XX.233.XX.42



Slightly edited the external IP addresses and domain names.


 Post subject: Re: Getting wrong remote LAN subnet (i.e. Green subnet)
Posted: 06.12.2009 11:35
DES

Joined: 30.11.2009 17:24
Posts: 3
We have set back the IP subnet to default on the "home" network and changed the subnet on the "away" network through double NAT to avoid some other issues we came across. So this is not solved; we would dearly like to know why this is not working as expected.


 Post subject: Re: Getting wrong remote LAN subnet (i.e. Green subnet)
Posted: 20.12.2009 00:42
openvpn.eu Admin

Joined: 23.01.2006 08:05
Posts: 3321
Location: near Vienna
Hello

I'm not familiar with Zerina but OpenVPN uses a config file which would contain a line like:
Code:
push "route 192.168.1.0 255.255.255.0"

I would guess that Zerina creates this file when you configure the VPN and doesn't change it if you change IP configurations on the host.

So try to find the config file (I think it's somewhere in /var, if I remember well) and change the line. Afterwards restart the VPN service.
Alternatively you can delete and recreate the VPN profile. But I think the first idea is the better one.

_________________
regards,
note
Please take a look at our rules. Visit our wiki!
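
The check suggested in the reply above, as an added example that is not part of the thread and not Zerina or IPCop code: it parses an OpenVPN server config for active `push "route ..."` lines and compares them with the current Green network and the client's local LAN. The sample config is constructed (only the pushed route and the 10.189.241.x tunnel range come from the thread); the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of an OpenVPN server config that still pushes the old
# Green subnet; the tunnel network matches the 10.189.241.x addresses in the log.
SAMPLE_SERVER_CONF = """\
dev tun
proto udp
port 1194
server 10.189.241.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
# push "route 192.168.5.0 255.255.255.0"
keepalive 10 60
"""

# Active (uncommented) push "route <network> [netmask]" lines only;
# "route-gateway" and "redirect-gateway" are deliberately not matched.
PUSH_ROUTE = re.compile(r'^\s*push\s+"route\s+([\d.]+)(?:\s+([\d.]+))?[^"]*"')


def pushed_routes(conf_text):
    """Return [(line_number, IPv4Network)] for each active pushed route."""
    routes = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = PUSH_ROUTE.match(line)
        if m:
            mask = m.group(2) or "255.255.255.255"  # OpenVPN's default route netmask
            net = ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False)
            routes.append((lineno, net))
    return routes


def audit(conf_text, green_net, client_lan=None):
    """Compare pushed routes with the current Green network and a client LAN."""
    green = ipaddress.ip_network(green_net)
    lan = ipaddress.ip_network(client_lan) if client_lan else None
    routes = pushed_routes(conf_text)
    findings = []
    if all(net != green for _, net in routes):
        findings.append(f"missing: no pushed route for Green network {green}")
    for lineno, net in routes:
        if net != green:
            findings.append(f"review: line {lineno} pushes {net}, not {green}")
        if lan is not None and net.overlaps(lan):
            findings.append(f"conflict: line {lineno} {net} overlaps client LAN {lan}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_CONF, "192.168.64.0/24", "192.168.1.0/24"):
        print(finding)
```

A "review" finding is not necessarily an error, since a server may legitimately push routes for networks other than Green.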

