OpenVPN server causing IP conflicts Asus RT-AC68U

[bennyInEire]

Hi hey all. I have the openVPN server running and works fine most of the time. My only issue is trying to control what IP address the VPN server allocates out. I'm finding sometimes I am getting IP conflicts when somebody logs on. I have my DHCP pool set from .20 to .100. But when I go to DHCP settings I get this warning "* In conflict with the VPN server settings:10.x.x.50-55" Is there I way to set the VPN settings to assign from .15 to .20

 

[ColinTaylor]

What VPN interface type are you using, TUN?

TUN is a routed connection so the VPN and your LAN need to be on different subnets. It is not sufficient to just try and use different IP addresses.

What is your LAN IP address and subnet mask. Same question for your VPN server.

 

[bennyInEire]

Interface is TUN
VPN subnet is 10.8.0.0/255.255.255.0
Lan = 10.11.12.0/255.255.255.0

 

[ColinTaylor]

Interface is TUN
VPN subnet is 10.8.0.0/255.255.255.0
Lan = 10.11.12.0/255.255.255.0

That looks correct. Double check the netmasks.

But when I go to DHCP settings I get this warning "* In conflict with the VPN server settings:10.x.x.50-55"

Where are you seeing this message? On the LAN > DHCP Server page?

What is the actual IP address range shown? 10.8.0.50-55, 10.11.12.50-55?

 

[bennyInEire]

Yep on LAN > DHCP Server page , IP Address range is 10.11.12.50-55

 

[ColinTaylor]

What firmware version are you using?

If you SSH into the router and issue these commands I think you'll see the problem.

nvram show | grep vpn | grep r1
nvram show | grep vpn | grep r2

 

[bennyInEire]

Firmware version is 3.0.0.4.384_21045
I ran those commands, please find output

Grep r1

xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# nvram show | grep vpn | grep r1
size: 58139 bytes (7397 left)
vpn_server1_nm=255.255.255.0
vpn_server1_local=10.8.0.1
vpn_server1_hmac=-1
vpn_crt_server1_client_crt=
vpn_crt_server1_crl=
vpn_server2_r1=192.168.1.50
vpn_crt_server1_crt=
vpn_server1_errno=0
vpn_server1_rgw=0
vpn_server1_poll=0
vpn_server1_reneg=-1
vpn_server1_r1=192.168.1.50
vpn_server1_r2=192.168.1.55
vpn_server1_pdns=0
vpn_server1_if=tun
vpn_server1_custom=
vpn_server1_remote=10.8.0.2
vpn_server1_comp=adaptive
vpn_server_r1=192.168.1.50
vpn_server1_ccd_val=
vpn_server1_clientlist=< I HAVE REMOVED THESE VALEUS, THEY WERE USER NAMES
vpn_crt_server1_client_key=
vpn_crt_server1_ca_key=
vpn_server1_tls_keysize=0
vpn_crt_server1_key=
vpn_server1_firewall=auto
vpn_server1_ccd=0
vpn_crt_server1_ca=
vpn_server1_sn=10.8.0.0
vpn_server1_digest=SHA1
vpn_server1_c2c=1
vpn_server1_state=2
vpn_server1_plan=1
vpn_server1_crypt=tls
vpn_server1_ccd_excl=0
vpn_crt_server1_dh=
vpn_server1_proto=udp
vpn_crt_server1_static=
vpn_server1_igncrt=0
vpn_server1_dhcp=1
vpn_server1_cipher=default
vpn_server1_port=1194
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root# debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
debug2: client_check_window_change: changed
debug2: channel 0: request window-change confirm 0
debug3: send packet: type 98
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root#

Grep 2

size: 58139 bytes (7397 left)
vpn_crt_server2_key=
vpn_server2_ccd=0
vpn_crt_server2_static=
vpn_server2_igncrt=0
vpn_server2_c2c=0
vpn_server2_cipher=default
vpn_server2_plan=1
vpn_server2_r1=192.168.1.50
vpn_server2_r2=192.168.1.55
vpn_server1_r2=192.168.1.55
vpn_server2_if=tun
vpn_server2_state=
vpn_server2_crypt=tls
vpn_server_r2=192.168.1.55
vpn_server2_dhcp=1
vpn_server2_port=1194
vpn_crt_server2_client_crt=
vpn_crt_server2_ca=
vpn_server2_hmac=-1
vpn_server2_sn=10.8.0.0
vpn_server2_proto=udp
vpn_server2_custom=
vpn_server2_remote=10.8.0.2
vpn_server2_firewall=auto
vpn_crt_server2_crl=
vpn_crt_server2_crt=
vpn_crt_server2_dh=
vpn_server2_rgw=0
vpn_server2_ccd_val=
vpn_server2_poll=0
vpn_crt_server2_ca_key=
vpn_server2_ccd_excl=0
vpn_server2_local=10.8.0.1
vpn_server2_pdns=0
vpn_crt_server2_client_key=
vpn_server2_comp=adaptive
vpn_server2_errno=
vpn_server2_nm=255.255.255.0
vpn_server2_reneg=-1
xxxxxx(username I have removed)@RT-AC68U:/tmp/home/root#

 

[ColinTaylor]

OK that's good, it's the same as my router. Although I'm not sure where all those "debug" lines came from, looks like you accidentally pasted them (right-mouse-click in PuTTY ).

Anyway you could try this but I don't know if it will work or whether they'll stick:

nvram set vpn_server_r1="10.11.12.15"
nvram set vpn_server_r2="10.11.12.20"
nvram set vpn_server1_r1="10.11.12.15"
nvram set vpn_server1_r2="10.11.12.20"
nvram set vpn_server2_r1="10.11.12.15"
nvram set vpn_server2_r2="10.11.12.20"
nvram commit
reboot

 

[bennyInEire]

Thanks,
Yep I probably did right click alright

I will update to the latest firmware first this evening.
I will then try to set as you've shown above tomorrow morning.

What command can I run again to check if they "stick" ?

 

[ColinTaylor]

After the reboot issue this command:

nvram show | grep vpn | grep -E "_r1|_r2" | sort

 

[ColinTaylor]

I will update to the latest firmware first this evening.

Thinking about (and testing) this a bit more... this makes no sense.

With a TUN connection you don't get an IP address assigned from the LAN DHCP pool, you get one from the VPN range. Which in your case would be 10.8.0.x.

You only get addresses from your LAN DHCP with a TAP connection. So if you change your VPN server to TAP and then set "Allocate from DHCP" to "No" you will see those IP addresses we're trying to change. So there's actually no need to do it through SSH, you can change them in the GUI (and then switch back to TUN).

But the point is, with a TUN interface those values should be ignored. So maybe it's actually a bug in the firmware. Maybe updating the firmware will fix it.

 

[bennyInEire]

Yep the thought had crossed my mind about the different subnets but I have no idea about how these interact/or not with each other. I guess I will do the firmware upgrade first and see how it goes. I'll let you know.

Whats confusing me is the warning I'm getting in the LAN DHCP

Thanks for your help