## I have a little glitch in my OpenVPN configuration.

One of the subjects which I have written about before, is that I host a VPN, which uses the OpenVPN protocol, and that I have used my own, hand-written configuration files for it.

There are certain ways in which this VPN is atypical, in its configuration. For example, what most system administrators will do, is assign a range of IP addresses on their virtual LAN, which do not overlap anywhere with the IP address range on their physical LAN. OTOH, what I have done is to use the configuration lines:


ifconfig 192.168.2.129 255.255.255.128
ifconfig-pool 192.168.2.130 192.168.2.254 255.255.255.0
push "route-gateway 192.168.2.129 255.255.255.0"

In my thoughts, I was assigning the IP address range from 192.168.2.129 through 192.168.2.254 to the VPN. But whenever my OpenVPN server starts or restarts it does so with a warning, that this IP address range overlaps with the existing IP addresses of my physical LAN, which go from 192.168.2.0 through 192.168.2.255 .

This is how I made a little mistake: My configuration unwittingly also included IP address 192.168.2.255 in the range, which will be routed as belonging to the VPN. And this is due to the first line above, which simply has 255.255.255.128 as its subnet mask.

This can cause the following problem. As part of my physical LAN, address 192.168.2.255 sometimes serves a purpose. It is the UDP Broadcast address of my router, and can be used by clients to find all the connected LAN clients.

Probably because I have done this, the command ‘nmblookup‘ will not work on my machine ‘Phoenix’, which is also my server (as I discovered for the first time last evening). But beyond that, this could be why setting this server to act as a WINS server creates a failure in the configuration of my LAN. This may not really be due to any intolerance on the part of my Windows 7 machine ‘Mithral’, of a Linux box acting as a WINS server.

Also, the command ‘nmblookup‘ works fine on both the other Linux machines on my LAN: On ‘Klystron’ and on ‘Walnut’.

If I was determined to make my configuration better, I could try tweaking this OpenVPN configuration, let us say with a subnet mask of 255.255.255.192 instead of with 255.255.255.128 . Of course, I would then also have to reduce the number of possible, available connections to my VPN accordingly, let us say so:


ifconfig 192.168.2.129 255.255.255.192
ifconfig-pool 192.168.2.130 192.168.2.191 255.255.255.0
push "route-gateway 192.168.2.129 255.255.255.0"



In other words, I can create a 6-bit subnet, the addresses of which are prepended by the bits ’10’. However, it was incorrect of me to have a 7-bit subnet, which was simply prepended by the high bit ‘1’, because unfortunately, doing so also masks the UDP Broadcast Address of the router.

For the moment, not being able to use the ‘nmblookup‘ command on ‘Phoenix’ has not had significant consequences for me, and one main reason might be the fact that in general, Linux avoids using NetBIOS. Also, the graphical browser I use, does not seem to depend 100% on this command, or on the local machine being the WINS server, in order to work.

So this error has little urgency for me, and also did not impede my use of the computers.

Dirk

(Edit : ) Minutes after writing this posting, I have applied the change in configuration as described. With great joy, I find that my ‘nmblookup‘ command works fine now.

Now, this error should not strike people as serious, because it was only according to the LAN, as seen by one client (‘Phoenix’) that this address belonged, incorrectly, to the VPN. However, sometimes routers have been programmed in their firmware to offer as an extended feature, to reflect whatever IP address assignments are reported by one client. If mine is such a router, then of course, this one IP address would have been spotted as a conflict, and overridden by the router, so that the other machines on my LAN, continued to see the correct mapping.

## I do not own my own router.

One thing which exists in a big way in Canada, is that ISP subscribers own their own router. But as it happens, my router is owned by Bell and rented to me. The official reason for this, is the fact that my router also provides me with Bell Fibe TV, which contrarily to the naming, is in fact provided over IP via DSL twisted-pair wires.

This paid-for TV content is DRM, so that it is hard to imagine that any other computer enthusiasts have managed to set up their own router, and to receive Fibe TV anyway.

But this also means that I do not have the access to flash my own router. Bell can flash the router when they see a need, but I cannot. And this also means that I cannot obtain full control over this router.

Readers might think that this is an odd situation, for a person who sets up a Web-server, and an OpenVPN-server, at his home IP address. But by using IP-tables in my Linux configuration, I have been able to do precisely that. In particular, the OpenVPN-server requires an ‘IP Masquerade’ to work. But as of my last test, it does work.

But because I am a person who ‘sometimes thinks suspiciously’, I have also had ideas, about what other consequences might arise, from the router being under the control of somebody else. One thing which may happen, is that this router, which displays no options or information regarding IPv6, may get confused and start dropping clients, over repeated requests for IPv6 addresses.

The Web-interface of this router is a dumbed-down interface, which I can access, but which for my benefit, does not give me deep control over the settings. One thing which remains true however, is that in Canada, there is next to no real use of IPv6 from the side of ISPs.

Now, I have set up an IPv6 gateway, which allows my site to be fetched by way of IPv6 if this is desired. But I have also set up my ‘ip6tables‘ in such a way that any request my Server makes for an IPv6 address, gets routed to this gateway, and not to my physical Ethernet connection. It is only logical. So ‘ping6‘ works gloriously on the Server, but not on my laptop. When I do a ‘ping6‘ on my server-box, I also get to see a graphical display in my ‘gkrellm‘ monitor widget, of activity going out over my ‘teredo‘ virtual NIC, not over my real NIC.

And so I have a somewhat lopsided configuration at home, but one which does what I want it to do.

Dirk