Which routes to push in my OpenVPN config for clients to access server's local network?
Solution 1:
As @Hauke Laging has mentioned, you can map another subnet/IP (that is less often used by home routers) to 192.168.1.0/24 or 192.168.1.1. For example:
push "route 10.0.9.0 255.255.255.0"
push "client-nat dnat 192.168.1.0 255.255.255.0 10.0.9.0"
or
push "route 10.11.12.13"
push "client-nat dnat 192.168.1.1 255.255.255.255 10.11.12.13"
Then you can access the 192.168.1.0/24 (or 192.168.1.1) the server is connected to as 10.0.9.0/24 (or 10.11.12.13) on the VPN client.
This can be done with DNAT or NETMAP in iptables as well. Assuming by "accessing the router" you mean its web UI, you may even just DNAT, say, $server_vpn_ip:80 to 192.168.1.1:80, if the former isn't occupied already.
(Note: assuming the server has already been doing IP forwarding and masquerading.)
Solution 2:
They are telling you not to use 192.168.1.1/24 because almost all home routers use that subnet by default. Just change it to 192.168.2.0/24 - that should cure your problem.
Solution 3:
Avoid commonly used private networks in VPN subnets
This concerns both the subnets assigned to the VPN clients on the remote side and all the networks that need to be accessed using the VPN. If there is a local network the client is directly connected to and it has an overlapping subnet, it takes precedence.
I've listed some subnets you should avoid in an answer from 2017:
Techspot has A List of Common Default Router IP Addresses that helps with this. Usually home routers use /24 subnets. Nowadays mobile phones are often used for sharing a network connection, so we must take these ranges into account, too. According to the list we can deduce we should avoid:
- 192.168.0.0/19 - most of the routers seem to use some of these, above 192.168.31.255.
- 10.0.0.0/24 is also widely used, and Apple uses 10.0.1.0/24.
- 192.168.100.0/24 is used by Motorola, ZTE, Huawei and Thomson.
- Motorola uses (in addition) 192.168.62.0/24 and 192.168.102.0/24.
- 192.168.123.0/24 is used by LevelOne, Repotec, Sitecom and U.S. Robotics (less common)
- Some D-Links have 10.1.1.0/24 and 10.90.90.0/24.
OpenVPN recommendations and defaults
OpenVPN has published an article on Numbering private subnets:
While addresses from these netblocks should normally be used in VPN configurations, it’s important to select addresses that minimize the probability of IP address or subnet conflicts. The types of conflicts that need to be avoided are:
- conflicts from different sites on the VPN using the same LAN subnet numbering, or
- remote access connections from sites which are using private subnets which conflict with your VPN subnets.
The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely. The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (for example 10.66.77.0/24).
For the client subnets, OpenVPN defaults to 10.8.0.0/24. From Topology in OpenVPN:
Subnet topology is the current recommended topology; it is not the default as of OpenVPN 2.3 for reasons of backwards-compatibility with 2.0.9-era configs. It is safe and recommended to use subnet topology when no old/outdated clients exist that are running OpenVPN 2.0.9 under Windows.
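A small checker that ties Solution 1 and Solution 3 together, as an added example that is not part of any of the answers above: it parses the `server`, `push "route ..."` and `push "client-nat ..."` lines of an OpenVPN server config and warns when the VPN subnet or any network the client will route to overlaps the common home subnets listed in Solution 3 (the avoid list, the sample config and the regexes are constructed here; only IPv4 is handled).

```python
import ipaddress
import re

# Home/mobile subnets listed in Solution 3 (constructed from that list).
AVOID = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/19", "10.0.0.0/24", "10.0.1.0/24", "192.168.100.0/24",
    "192.168.62.0/24", "192.168.102.0/24", "192.168.123.0/24",
    "10.1.1.0/24", "10.90.90.0/24")]

SERVER_RE = re.compile(r'^server\s+(\S+)\s+(\S+)')
ROUTE_RE = re.compile(r'^push\s+"route\s+([^\s"]+)(?:\s+([^\s"]+))?')
CNAT_RE = re.compile(r'^push\s+"client-nat\s+(?:snat|dnat)\s+[^\s"]+\s+([^\s"]+)\s+([^\s"]+)')


def parse_config(text):
    """Return (vpn_subnet, networks) from an OpenVPN server config.
    networks = pushed routes plus the alias of each pushed client-nat rule,
    i.e. what the client will actually route to. A route with no netmask
    is a host route (/32), as in OpenVPN."""
    vpn, nets = None, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if m := SERVER_RE.match(line):
            vpn = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := ROUTE_RE.match(line):
            nets.append(ipaddress.ip_network(
                f"{m[1]}/{m[2] or '255.255.255.255'}", strict=False))
        elif m := CNAT_RE.match(line):
            nets.append(ipaddress.ip_network(f"{m[2]}/{m[1]}", strict=False))
    return vpn, nets


def check_config(text):
    """List subnets that collide with common home networks or the VPN subnet."""
    vpn, nets = parse_config(text)
    warnings = []
    for net in ([vpn] if vpn else []) + nets:
        for bad in AVOID:
            if net.overlaps(bad):
                warnings.append(f"{net} overlaps common home subnet {bad}")
        if vpn and net != vpn and net.overlaps(vpn):
            warnings.append(f"{net} overlaps the VPN client subnet {vpn}")
    return warnings


# Constructed sample: Solution 1's client-nat mapping (clean) plus a plain
# route straight into 192.168.1.0/24, which the checker flags.
SAMPLE = """server 10.8.0.0 255.255.255.0
push "route 10.0.9.0 255.255.255.0"
push "client-nat dnat 192.168.1.0 255.255.255.0 10.0.9.0"
push "route 192.168.1.0 255.255.255.0"
"""

WARNINGS = check_config(SAMPLE)  # -> ['192.168.1.0/24 overlaps common home subnet 192.168.0.0/19']
```

Only the alias side of a client-nat rule is checked, because that is the address the client sees; the LAN side (192.168.1.0/24) is expected to be a common home subnet, which is exactly why it is being remapped.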