The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.

ovipn1
OpenVpn Newbie
Posts: 2
Joined: Thu Jan 13, 2022 1:53 pm

The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.

Post by ovipn1 » Thu Jan 13, 2022 2:10 pm

Hello, community:

I've been running a Linux router with host-to-LAN OpenVPN for quite a few years, without issues, but now my client had to rebuild their machine, and they lost their config and PEM files. I've sent them a backup of the initial setup and re-exported their PEMs, but they are having a problem:

client log

Thu Jan 13 12:12:12 2022 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Sep 26 2017
Thu Jan 13 12:12:12 2022 Windows version 5.1 (Windows XP) 32bit
Thu Jan 13 12:12:12 2022 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Thu Jan 13 12:12:12 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25347
Thu Jan 13 12:12:12 2022 Need hold release from management interface, waiting...
Thu Jan 13 12:12:12 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25347
Thu Jan 13 12:12:12 2022 MANAGEMENT: CMD 'state on'
Thu Jan 13 12:12:12 2022 MANAGEMENT: CMD 'log all on'
Thu Jan 13 12:12:12 2022 MANAGEMENT: CMD 'hold off'
Thu Jan 13 12:12:12 2022 MANAGEMENT: CMD 'hold release'
Thu Jan 13 12:12:31 2022 MANAGEMENT: CMD 'username "Auth" "vpnuser0"'
Thu Jan 13 12:12:31 2022 MANAGEMENT: CMD 'password [...]'
Thu Jan 13 12:12:31 2022 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 13 12:12:32 2022 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Jan 13 12:12:32 2022 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:1194 [nonblock]
Thu Jan 13 12:12:32 2022 MANAGEMENT: >STATE:1642065152,TCP_CONNECT,,,
Thu Jan 13 12:12:33 2022 TCP connection established with [AF_INET]xx.xx.xx.xx:1194
Thu Jan 13 12:12:33 2022 TCPv4_CLIENT link local: [undef]
Thu Jan 13 12:12:33 2022 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:1194
Thu Jan 13 12:12:33 2022 MANAGEMENT: >STATE:1642065153,WAIT,,,
Thu Jan 13 12:12:33 2022 MANAGEMENT: >STATE:1642065153,AUTH,,,
Thu Jan 13 12:12:33 2022 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=dc7d9a9f 7fb294cf
Thu Jan 13 12:12:33 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jan 13 12:12:36 2022 VERIFY OK: depth=1, C=IT, O=Zeroshell.net, OU=Example, CN=ZeroShell Example CA, emailAddress=Fulvio.Ricciardi@zeroshell.net
Thu Jan 13 12:12:36 2022 VERIFY OK: depth=0, OU=Hosts, CN=router.xxxxxxx.xx
Thu Jan 13 12:12:38 2022 WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Thu Jan 13 12:12:38 2022 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1576'
Thu Jan 13 12:12:38 2022 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Thu Jan 13 12:12:38 2022 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 13 12:12:38 2022 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Jan 13 12:12:38 2022 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 13 12:12:38 2022 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 13 12:12:38 2022 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Jan 13 12:12:38 2022 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 13 12:12:38 2022 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Jan 13 12:12:38 2022 [router.xxxxxxx.xx] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Thu Jan 13 12:12:39 2022 MANAGEMENT: >STATE:1642065159,GET_CONFIG,,,
Thu Jan 13 12:12:40 2022 SENT CONTROL [router.xxxxxxx.xx]: 'PUSH_REQUEST' (status=1)
Thu Jan 13 12:12:41 2022 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.250.254,,dhcp-option DNS 192.168.250.254,route remote_host 255.255.255.255 net_gateway 1,route 10.10.10.2 255.255.255.255,ping 5,ping-restart 60,ifconfig 192.168.250.50 255.255.255.0'
Thu Jan 13 12:12:41 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 13 12:12:41 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 13 12:12:41 2022 OPTIONS IMPORT: route options modified
Thu Jan 13 12:12:41 2022 OPTIONS IMPORT: route-related options modified
Thu Jan 13 12:12:41 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 13 12:12:41 2022 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Thu Jan 13 12:12:41 2022 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=2 HWADDR=00:0c:29:d1:7c:c9
Thu Jan 13 12:12:41 2022 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jan 13 12:12:41 2022 MANAGEMENT: >STATE:1642065161,ASSIGN_IP,,192.168.250.50,
Thu Jan 13 12:12:41 2022 MANAGEMENT: Client disconnected
Thu Jan 13 12:12:41 2022 There is a problem in your selection of --ifconfig endpoints [local=192.168.250.50, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
Thu Jan 13 12:12:41 2022 Exiting due to fatal error


Here is the config:
client conf

remote xx.xx.xx.xx 1194
proto tcp

auth-user-pass

ca CA.pem

cert client.pem
key client.pem

comp-lzo
verb 3
mute 20
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun


The VPN on the server side uses the IP range 192.168.250.50 - 192.168.250.55, netmask 255.255.255.0, GW 192.168.250.254.

What am I doing wrong with this client's config, this time?

Thank you!
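As an added example (not the poster's code and not OpenVPN's own source), the following Python models the TAP-Win32 endpoint rule behind the fatal error in the log above and applies it to the pushed ifconfig: the server pushes a tap/subnet-style `ifconfig 192.168.250.50 255.255.255.0`, and a `--dev tun` client on the TAP-Win32 driver treats the second argument as the remote endpoint, which is not in the same /30. The rule modelled here (both endpoints in one 255.255.255.252 block, neither the first nor the last address of that block) is taken from what `openvpn --show-valid-subnets` documents and is an assumption about the implementation, not quoted from it.

```python
import ipaddress
import re

# Constructed sample: the PUSH_REPLY line from the client log in the post above.
PUSH_REPLY_LINE = (
    "Thu Jan 13 12:12:41 2022 PUSH: Received control message: 'PUSH_REPLY,"
    "route-gateway 192.168.250.254,,dhcp-option DNS 192.168.250.254,"
    "route remote_host 255.255.255.255 net_gateway 1,route 10.10.10.2 255.255.255.255,"
    "ping 5,ping-restart 60,ifconfig 192.168.250.50 255.255.255.0'"
)

def pushed_ifconfig(log_line):
    """Return (first, second) arguments of the ifconfig option in a PUSH_REPLY log line."""
    m = re.search(r"PUSH_REPLY,(.*)'", log_line)
    if not m:
        return None
    for opt in m.group(1).split(","):
        parts = opt.split()
        if len(parts) == 3 and parts[0] == "ifconfig":
            return parts[1], parts[2]
    return None

def looks_like_netmask(addr):
    """True for a contiguous-ones mask such as 255.255.255.0 (what the log's
    'looks more like a netmask' warning is about)."""
    n = int(ipaddress.IPv4Address(addr))
    inv = (~n) & 0xFFFFFFFF
    return n != 0 and (inv & (inv + 1)) == 0

def check_tap_win32_endpoints(local, remote):
    """Model (assumed) of the --dev tun rule on TAP-Win32: both endpoints in the
    same /30 and neither the first nor the last address of it. None means valid."""
    l = int(ipaddress.IPv4Address(local))
    r = int(ipaddress.IPv4Address(remote))
    if l == r:
        return "must be different"
    if (l & ~3) != (r & ~3):
        return "must exist within the same 255.255.255.252 subnet"
    if (l & 3) in (0, 3) or (r & 3) in (0, 3):
        return "cannot use the first or last address within a 255.255.255.252 subnet"
    return None

def diagnose(log_line):
    """Reproduce the verdict a tun client on TAP-Win32 would reach for the pushed ifconfig."""
    got = pushed_ifconfig(log_line)
    if got is None:
        return "no ifconfig pushed"
    local, second = got
    err = check_tap_win32_endpoints(local, second)
    if err is None:
        return f"ok: {local} <-> {second} is a valid tun endpoint pair"
    hint = " (second argument is a netmask: tap-style ifconfig pushed to a tun client)" if looks_like_netmask(second) else ""
    return f"fatal: endpoints [local={local}, remote={second}] {err}{hint}"
```

Running `diagnose(PUSH_REPLY_LINE)` reproduces the failure in the log; a pair such as `10.7.0.5`/`10.7.0.6` passes, while `10.7.0.4`/`10.7.0.5` is rejected for using the first address of its /30.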

ovipn1
OpenVpn Newbie
Posts: 2
Joined: Thu Jan 13, 2022 1:53 pm

Re: The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.

Post by ovipn1 » Fri Jan 14, 2022 4:56 pm

Replaced TUN with TAP and it worked.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.

Post by TinCanTech » Fri Jan 14, 2022 5:10 pm

That is not possible.
