## I have a little glitch in my OpenVPN configuration.

One of the subjects which I have written about before, is that I host a VPN, which uses the OpenVPN protocol, and that I have used my own, hand-written configuration files for it.

There are certain ways in which this VPN is atypical, in its configuration. For example, what most system administrators will do, is assign a range of IP addresses on their virtual LAN, which do not overlap anywhere with the IP address range on their physical LAN. OTOH, what I have done is to use the configuration lines:


ifconfig 192.168.2.129 255.255.255.128
ifconfig-pool 192.168.2.130 192.168.2.254 255.255.255.0
push "route-gateway 192.168.2.129 255.255.255.0"

In my thoughts, I was assigning the IP address range from 192.168.2.129 through 192.168.2.254 to the VPN. But whenever my OpenVPN server starts or restarts it does so with a warning, that this IP address range overlaps with the existing IP addresses of my physical LAN, which go from 192.168.2.0 through 192.168.2.255 .

This is how I made a little mistake: My configuration unwittingly also included IP address 192.168.2.255 in the range, which will be routed as belonging to the VPN. And this is due to the first line above, which simply has 255.255.255.128 as its subnet mask.

This can cause the following problem. As part of my physical LAN, address 192.168.2.255 sometimes serves a purpose. It is the UDP Broadcast address of my router, and can be used by clients to find all the connected LAN clients.

Probably because I have done this, the command ‘nmblookup‘ will not work on my machine ‘Phoenix’, which is also my server (as I discovered for the first time last evening). But beyond that, this could be why setting this server to act as a WINS server creates a failure in the configuration of my LAN. This may not really be due to any intolerance on the part of my Windows 7 machine ‘Mithral’, of a Linux box acting as a WINS server.

Also, the command ‘nmblookup‘ works fine on both the other Linux machines on my LAN: On ‘Klystron’ and on ‘Walnut’.

If I was determined to make my configuration better, I could try tweaking this OpenVPN configuration, let us say with a subnet mask of 255.255.255.192 instead of with 255.255.255.128 . Of course, I would then also have to reduce the number of possible, available connections to my VPN accordingly, let us say so:


ifconfig 192.168.2.129 255.255.255.192
ifconfig-pool 192.168.2.130 192.168.2.191 255.255.255.0
push "route-gateway 192.168.2.129 255.255.255.0"



In other words, I can create a 6-bit subnet, the addresses of which are prepended by the bits ’10’. However, it was incorrect of me to have a 7-bit subnet, which was simply prepended by the high bit ‘1’, because unfortunately, doing so also masks the UDP Broadcast Address of the router.

For the moment, not being able to use the ‘nmblookup‘ command on ‘Phoenix’ has not had significant consequences for me, and one main reason might be the fact that in general, Linux avoids using NetBIOS. Also, the graphical browser I use, does not seem to depend 100% on this command, or on the local machine being the WINS server, in order to work.

So this error has little urgency for me, and also did not impede my use of the computers.

Dirk

(Edit : ) Minutes after writing this posting, I have applied the change in configuration as described. With great joy, I find that my ‘nmblookup‘ command works fine now.

Now, this error should not strike people as serious, because it was only according to the LAN, as seen by one client (‘Phoenix’) that this address belonged, incorrectly, to the VPN. However, sometimes routers have been programmed in their firmware to offer as an extended feature, to reflect whatever IP address assignments are reported by one client. If mine is such a router, then of course, this one IP address would have been spotted as a conflict, and overridden by the router, so that the other machines on my LAN, continued to see the correct mapping.

## My router may have been flashed.

One of the ironies of my LAN is, I am hosting a Web-site from it, but I do not even own my present router. Mine is a router owned by my ISP, and which provides me with proprietary TV as well.

This means that my ISP has the right to perform a firmware update on the router, which can also be called ‘flashing the router’.

I suspect that this may have happened, around Wednesday Morning, November 9.

My main reason for suspecting this, was a subtle change in the way my router manages my LAN.

According to This Earlier Posting, I previously needed to set my router as the WINS server as well.

To explain in lay-terms what this means, I need to mention that the local IP addresses which computers have on a LAN do exist, in addition to which Windows has introduced its own way of giving the local computers names. Linux can mimic how this works, using its ‘Samba’ software suite, but also tries to avoid ‘NetBIOS’ (naming) as much as possible, outside of Samba network browsing, or ‘copying-and-pasting of files, between computers on a LAN’.

Just like domain-names need to be resolved into IP addresses on the Internet, which is the WAN to this LAN – the Wide-Area Network – on the Local Area Network, computer-names also need to be resolved into IP addresses, before the computers can actually ‘talk to each other graphically’. Traditionally, Windows offered its whimsical mechanism for doing so, which was named NetBIOS, by which any and every computer could act as the WINS server – thus offering its repository of LAN locations to the WINS clients, but alternatively, there could also exist one dedicated WINS server.

What I had grown used to, was that on my LAN, the router would insist that it be my WINS server, thus ‘not trusting’ any of my Linux boxes to do so in some way. I therefore had to defer to this service, as provided by the router.

I had previously set my ‘/etc/samba/smb.conf‘ to

   wins support = no

dns proxy = yes

Well as of Wednesday, the LAN had suddenly ‘looked different’ according to client-browsers. Each computer had suddenly remained aware only of its own identity, with no Workgroup of other computers to network with.

This was all happening, while my connection to the WAN still seemed secure and operative.

Long story short, I think that my ISP may have performed the Firmware Update, and that according to the new firmware version, the router was suddenly not willing to provide this service anymore. And so what I felt I had to do next, was change these settings back to

   wins support = no

dns proxy = no

Now that I have done so, each computer can ‘see’ my whole Workgroup again – which was apparently not feasible according to earlier experiences.

Further, for laypeople I might want to emphasize, that it is not just a frivolous exercise of mine, to give each computer a name. If they did not have names, then according to the screen-shot below, I would also not be able to tell them apart, since they all have the same icon anyway:

Now I suppose that an inquiring mind might ask, “Since Linux can imitate Windows, why does Dirk not just set ‘wins support = yes‘ as well?” My answer to this hypothetical question would be, that

• According to common sense, this option will just make the current machine available, as a potential WINS Server, but
• In my practical experience, the LAN will interpret this as more of an imperative gesture, of a kind that will actually cause a feud to break out between the machines.

In my experience, if I even set one of my Linux machines to do this, all the other Linux machines will refer to its repository of (4) LAN names, the others becoming clients, but the Windows 7 machine named ‘Mithral’ will refuse to have it. In this case, Mithral will insist that it must be the WINS Server, and not some Linux box. And then, further logic-testing of which machines can see which, will reveal that in practice, I must leave this option switched off, if there is also to be any Windows machine to share the LAN with.

Dirk