
I have an OpenVPN server set up on a Netgear wireless router (192.168.8.1). The Netgear router is set up behind another router (192.168.7.1) that is connected to the internet. I've added a port forwarding rule to the internet-facing router that forwards the VPN port to the Netgear router.

I try to start the OpenVPN client with:

sudo openvpn --config "client2.conf"

But I get an error message regarding the routes.

Sun Sep 30 10:58:42 2018 us=603862 /sbin/ip route add 192.168.8.1/24 via 192.168.8.1 Error: Invalid prefix for given prefix length

Do I need to specify another route? If that is the case, how do I specify the route?

My client2.conf looks like this:

client
dev tap
proto udp
remote [MY_EXTERNAL_IP] [MY_VPN_PORT]
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5

Settings for the Netgear router.

[two screenshots of the Netgear router settings, not reproduced here]

Settings for the internet facing router.

[screenshot of the internet-facing router settings, not reproduced here]

  • What is your main LAN address range/prefix, what is your Netgear LAN address range, and what is your VPN address range? And why did you add this route to begin with? Commented Sep 30, 2018 at 11:31
  • The main LAN DHCP range starts at 192.168.7.50 and ends at 192.168.7.254. I'm not sure what the range is for the VPN. The Netgear router doesn't give any options for this.
    – g3blv
    Commented Sep 30, 2018 at 12:10
  • Does it give any options or information about the actual network (subnet), not just the DHCP range? For both the VPN and the LAN, that is. Commented Sep 30, 2018 at 12:19
  • I added the setting to the original post.
    – g3blv
    Commented Sep 30, 2018 at 12:27

1 Answer


192.168.8.1/24

Your OpenVPN server is sending a nonsensical route – it specifies that the route is for a 24-bit prefix, but the address has bits set beyond that limit (in fact it appears to be a full 32-bit host address).

You're getting an error message because these parameters contradict each other. A valid destination would have been either 192.168.8.1/32 for a single host, or 192.168.8.0/24 for the entire network.

192.168.8.1/24 via 192.168.8.1

Additionally, it's a cyclical route that goes through itself; i.e. "in order to reach 192.168.8.1 you must first go to 192.168.8.1". (Ever heard the term catch-22?)

There are situations where this is valid – it would be acceptable in tun-mode OpenVPN connections (point to point links) if an interface were specified as well, as the gateway would be ignored then, but in this example an interface isn't specified, and the VPN is tap-mode anyway.

It would also be valid if the system already had an on-link route for 192.168.8.1/32 specifically, but it's unknown whether it does in your situation.

But in normal situations, a route's gateway is not part of the same route's destination. Depending on what you really wanted, a more likely route would be 192.168.8.0/24 via 192.168.7.1 or the opposite 192.168.7.0/24 via 192.168.8.1 (I have to guess here).

Do I need to specify another route?

Depends on what you want to route and where... And assuming that you've added this route manually in the first place. If it comes from Netgear's firmware, your best option might be to ignore it (or try a firmware upgrade).

  • If you want VPN clients to be able to reach devices in the main LAN, the route that the Netgear's VPN server needs to distribute is 192.168.7.0/24 via 192.168.8.1.

    (Note that routes distributed to clients are not the same thing as routes that the Netgear router itself uses.)
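The two checks the answer applies by hand (host bits set beyond the prefix length, and a gateway that lies inside its own destination), as an added Python example that is not part of the original answer. The log lines it audits are constructed to mirror the one in the question; the second and third routes are hypothetical corrected forms for comparison.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the OpenVPN log line in the question.
# Lines 2 and 3 are hypothetical corrected routes, not from the original post.
SAMPLE_LOG = """\
Sun Sep 30 10:58:42 2018 us=603862 /sbin/ip route add 192.168.8.1/24 via 192.168.8.1 Error: Invalid prefix for given prefix length
Sun Sep 30 10:58:43 2018 us=603900 /sbin/ip route add 192.168.7.0/24 via 192.168.8.1
Sun Sep 30 10:58:44 2018 us=604000 /sbin/ip route add 192.168.8.1/32 via 192.168.8.1 dev tun0
"""

# Matches 'ip route add DST via GW [dev DEV]' wherever it appears in a line.
ROUTE_RE = re.compile(r"ip route add (?P<dst>\S+) via (?P<gw>\S+)(?: dev (?P<dev>\S+))?")


def check_route(dst: str, gw: str, dev: Optional[str] = None) -> List[str]:
    """Return the problems with one 'ip route add DST via GW [dev DEV]'."""
    problems = []
    try:
        # strict=True rejects a prefix with host bits set, exactly as the kernel does
        net = ipaddress.ip_network(dst, strict=True)
    except ValueError:
        iface = ipaddress.ip_interface(dst)
        problems.append(
            f"{dst}: host bits set beyond /{iface.network.prefixlen}; "
            f"use {iface.ip}/32 for a host or {iface.network} for the subnet"
        )
        net = iface.network
    # A gateway inside the destination is a route through itself; it is only
    # acceptable on a point-to-point device, where the gateway is ignored.
    if ipaddress.ip_address(gw) in net and dev is None:
        problems.append(f"{dst} via {gw}: gateway lies inside the destination")
    return problems


def audit_log(text: str) -> Dict[str, List[str]]:
    """Run check_route over every 'ip route add' line in an OpenVPN log."""
    findings = {}
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            key = f"{m.group('dst')} via {m.group('gw')}"
            findings[key] = check_route(m.group("dst"), m.group("gw"), m.group("dev"))
    return findings


if __name__ == "__main__":
    for route, problems in audit_log(SAMPLE_LOG).items():
        print(route, "->", problems or ["ok"])
```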
