OpenVPN Client in ASUS causes IP/routing conflict


quarantinho

Hey guys,

I've been working on this problem for ages and can't seem to find a solution:

My dad has set up a VPN and has provided me with an openVPN cfg file. Loading it into the OpenVPN client from my PC works absolutely fine - no issues whatsoever.

However, I would like my entire connection to be routed via the VPN, meaning that I would like to run it "through my router" (if that makes any sense). My setup looks like this: Cable Modem -> Router via WAN (ASUS RT-N66U) -> PC (Ethernet).

The various devices are assigned to the following IP addresses:
Cable Modem: 192.168.1.1
ASUS Router: 192.168.2.1

After following the steps described in various tutorials, I have come to this:

[Screenshot: !.JPG]


Hovering the exclamation mark reveals an "IP/routing conflict" meaning that I can't access the VPN via the router.

I have no idea what I'm doing wrong at this point, my setup and configuration method is basically the same as described in the ASUS FAQ (Link). I have already tried the method of connecting the ASUS via Ethernet and putting both devices into the same net, however that caused another problem where the VPN was just endlessly stuck in "connecting":

[Screenshot: stuck.JPG]


So what's the correct method and what's causing the problem? I'm sure I'm doing all sorts of things wrong, but I'm really out of ideas.

Any help is greatly appreciated.
 
What's the IP and subnet on the remote network being assigned via the VPN? Is your dad also trying to hand out 192.168.1.0/24 addresses?
 
I'm not sure but I don't think so. Can't ask him right now as he's at work. Any way I can check this from my side?

Here's what "ipconfig" gives out as a result when connected via the openVPN client from my PC vs when not connected. Does this shed some light on the IP mess?

[Screenshot: ipconfig.JPG]


As you can see, I've set up the local network like this to test if the issue appears with different configurations as well:

Modem: 192.168.99.1
Router: 192.168.100.100

Still getting the same issue though ...
 
Looks like 10.8.0.6 is getting assigned, so that's not anywhere near the same network, but if I recall correctly, Linux assigns a 10.8 network to itself for tunneling, I'm not sure if that's the issue on the router though.
 
So any idea what it could be instead and if there's a way to run some tests via client side trying to fix these issues? Can I force my router to take a certain IP instead of what's being assigned?
 
Ok, I'll ask him to do that. Meanwhile: Do you have any clue why everything works fine from my PC but the router refuses to act the same way? Does it have to do with my router being assigned a WAN IP by the cable modem and my PC being assigned a LAN IP via the router or is that nonsense?
 
So I've managed to find a solution for my router to enable the VPN by adding
Code:
pull-filter ignore "route 0.0.0.0 0.0.0.0"
into the .ovpn config. This did solve the issue in the sense that the router interface is now displaying the VPN as "connected", BUT now it doesn't seem to pass through the connection to my PC - when checking for my IP, I'm identified with my "normal" IP so to speak.

So now my router is connected to my Dad's VPN, but my PC isn't? Am I getting this right? Any way to resolve the new issue? Probably some settings in the ASUS interface that need to be changed.
 
Did anyone ever find a solution for this? I have two identical ASUS GT-AXE11000 routers in two cities. I used to be able to use OpenVPN to link 2 of the older ASUS routers. However, when I do the same thing on these routers (enable servers, download config files, then load them into each router as the clients), I get a routing issue... I get a message in the VPN Fusion client that says: "IP/Routing conflict: Please change your router LAN subnet"

If I change the router LAN subnet from 192.168.2.x to some other subnet (i.e. 192.168.3.x), I still get the same issue.

It seems like the OpenVPN network creates a new subnet starting with 10.8.x.x or something. I don't think this used to occur on my old set of routers running older firmware and OpenVPN. Ideas?

I've tried with both PPTP (which is insecure and not preferred) as well as with OpenVPN. As soon as I enable the connection, I lose internet access on my computer, so I guess the routing tables get messed up. Please ELIM5...

[Screenshot: 2021-10-19_2-50-45.png]


I also did some research and found this link:


Seems like "VPN Fusion" (which is the client) "doesn't set up routes...." Is there a way I can do this manually?
 
When using a routed (tun) OpenVPN client and server, there are three (3) networks involved; the local IP network of the client (e.g., 192.168.2.0/24), the remote IP network of the server (e.g., 192.168.3.0/24), and the tunnel itself (typically 10.8.0.0/24, but it could be anything that doesn't conflict w/ either the local or remote IP networks).

If you have all your ducks in a row in this regard, there should be NO ip conflicts. However, sometimes that's NOT the case. A common mistake is to have both the local and remote IP networks be the same or overlap. And when that happens, any reference to the remote network remains local, and is NOT routed over the VPN (and which is why some firmware will report the conflict, to warn you). That's why it's strongly recommended that anyone offering an OpenVPN server use a more obscure network than the all-too-common 192.168.0.0/24 and 192.168.1.0/24 (e.g., 172.16.99.0/24). There's just less chance of some OpenVPN client having the same IP network (although you can never rule out the possibility completely).

It's also possible the two networks *appear* to be different, but they actually overlap due to the netmask. Granted, this is rare since most home users use the /24 netmask by default. But sometimes users need more hosts, so they change (as in lower) the netmask to make that possible (e.g., /23). At first blush, it might appear (for example) that 192.168.2.0/23 and 192.168.3.0/24 are NOT in conflict, but they actually are because they overlap! The second network is a subnet of (i.e., lies within the range of) the first network. It's very easy to miss this subtle difference in the netmasks.

All that said, it doesn't matter if the local and remote networks are in conflict provided the OpenVPN server is NOT pushing its own network to the OpenVPN client, but just the network on the tunnel. That happens all the time w/ commercial OpenVPN providers. You don't have a clue if their local network conflicts w/ your own, since they never push it, and have no intention of providing access to it, only the internet. But in the case of a friend/relative offering their own OpenVPN server, in all likelihood they *are* pushing their own local network to the OpenVPN client, in an effort to offer access to it, and possibly the internet as well.

In the case of the OP, he was kind of on the right track w/ the following directive.

Code:
pull-filter ignore "route 0.0.0.0 0.0.0.0"

Had the ignored route been that of the remote network specifically (e.g., 192.168.1.0 255.255.255.255), it would probably have prevented the IP conflict, although the remote network would have remained inaccessible. But as written, it actually prevented *all* routing across the VPN by ignoring any and all push'd routes by the server.

It's also possible there are other routes on the client side that have nothing to do w/ the immediate networks of the OpenVPN connection, that are in conflict. Perhaps from another concurrently active OpenVPN client.

Frankly, it would have been much nicer if the VPN Fusion firmware told you *specifically* about the conflict (obviously it knows the details) rather than simply state there is one, leaving YOU to determine the specifics. The answer might reside within the OpenVPN logs. Or getting the specifics about network configuration from both sides by using the following commands on the two routers while they're connected.

Code:
ifconfig
ip route
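
The netmask overlap described in the reply above can be checked mechanically. This is an added example, not part of the original thread: it compares the directly connected networks in `ip route` output against the routes an OpenVPN server pushes. The sample routing table, the pushed routes and the `tun` interface prefix are constructed assumptions.

```python
import ipaddress

# Constructed sample: `ip route` output from the client router (not from the thread).
IP_ROUTE_OUTPUT = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
192.168.2.0/23 dev br0 proto kernel scope link src 192.168.2.1
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.6
"""

# Constructed sample: routes the server pushes, in OpenVPN "route <net> <mask>" form.
PUSHED_ROUTES = ["route 192.168.3.0 255.255.255.0", "route 172.16.99.0 255.255.255.0"]


def parse_ip_route(text):
    """Return (network, device) for each directly connected prefix in `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default" or "via" in fields:
            continue  # gateway routes are not local networks
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." or other non-prefix lines
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        routes.append((net, dev))
    return routes


def parse_pushed(directive):
    """Turn 'route 192.168.3.0 255.255.255.0' into an IPv4Network."""
    _, net, mask = directive.split()
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def find_conflicts(ip_route_text, pushed, tunnel_prefix="tun"):
    """List (pushed_net, local_net, dev) where a pushed route overlaps a local network."""
    conflicts = []
    for directive in pushed:
        remote = parse_pushed(directive)
        for local, dev in parse_ip_route(ip_route_text):
            if dev.startswith(tunnel_prefix):
                continue  # assumption: tun* is the VPN tunnel itself, not a LAN
            if remote.overlaps(local):
                conflicts.append((remote, local, dev))
    return conflicts
```

With the sample data, `find_conflicts(IP_ROUTE_OUTPUT, PUSHED_ROUTES)` reports only the pushed 192.168.3.0/24, which falls inside the local 192.168.2.0/23 on `br0`.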
 
