OpenVPN Support Forum

Hi,

I have set up OpenVPN server under Debian. When Windows user tries to log in, he gets an error:

Tue Aug X XX:XX:56 201X There is a problem in your selection of --ifconfig endpoints [local=10.10.5.24, remote=10.10.5.1]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.

Here is the server's config file:

port 443
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh4096.pem
tls-auth /etc/openvpn/keys/ta.key 0
crl-verify /etc/openvpn/keys/crl.pem
server 10.10.5.0 255.255.255.0
persist-key
persist-tun
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 10.10.5.0 255.255.255.0"
push "route-gateway 10.10.5.1"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
persist-key
persist-tun
mtu-disc maybe
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd
comp-lzo yes
push "comp-lzo yes"
keepalive 10 120
verb 1
status /var/log/openvpn/status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log


Here is the OVPN client file for Windows client. User is running OpenVPN as admin:

client
dev tun
remote XX.XXX.XXX.XXX 443
proto tcp
mute-replay-warnings
ca ca.crt
cert user.crt
key user.key
tls-auth ta.key 1
remote-cert-tls server
persist-key
persist-tun
comp-lzo
ping 10
ping-restart 60
verb 0
route-method exe
route-delay

Any idea what could be wrong? It works under Linux, Android and Mac OS perfectly.

The original error message you got explains the problem:

The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.

Since the address you're pushing (must be coming from your ccd file, although you ddin't post that) is not within a /30 subnet, you cannot use it with Windows clients using the net30 topology, which is the default.

The reason this works on non-Windows is because even in net30 topology the addressing is configured as a traditional Point-to-Point (PtP) interface; Windows has no notion of this concept, and the TAP driver fakes it by using an entire /30 and only using the center-two usable IPs on the fake "subnet."

You have a couple choices, the easiest of which is to switch to using the "subnet" topology by adding: to your server config, which will also push this topology to clients. This requires that you push addresses with an IP and subnet, not a PtP pairing of IPs, which looks like this: The other option is to change the address pair you push to Windows clients to be within a /30, for which you can see all available pairs as indicated in the error message with: Additionally, when using any form of static address assignment, you should explicitly limit your `ifconfig-pool` to exclude the range you are using for such static assignment. If you don't, it's possible the normal "lowest free address" assignment by the server for connecting clients will pass out the same IP you attempt to set statically for a given client, and this causes issues. Use of ipp can make this harder to figure out as well since it's not "truly static" but just a "recommendation" to the server to use the last IP the client had, if it's available.

Thus I'd recommend that you look at the manpage and expand your `server` configuration option and reduce the size of your `ifconfig-pool` to a range excluding addresses you wish to statically push.

OK, here is my CCD file:
cat /etc/openvpn/ccd/userx
ifconfig-push 10.10.5.24 10.10.5.1

And ipp.txt looks like:
...
...
userx,10.10.5.24
...

OK, my question is... if I just put topology subnet into server config, will it work with the current setup?

BTW, command openvpn --show-valid-subnets gives an error:

Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: show-valid-subnets (2.2.1)
Use --help for more information.

Is this command working only in Windows?