  1. #1
    Untanglit
    Join Date
    Jan 2010
    Posts
    22

    Default VPN IP address range

    Our internal network started with Small Business Server handling DHCP with a range of 192.168.1.xxx. The issue is when I enable OpenVPN, users connect just fine but most standard home networks have the same address range by default. Now, I only have basic VPN knowledge, so bear with me. There's obviously a big mess when remote users VPN in.

    What is a good address range/subnet to change our small business server so that we don't conflict when home users connect???

    It seems easier to change our internal range rather than have all remote/home users change their defaults in their routers.

  2. #2
    Untangle Ninja proactivens's Avatar
    Join Date
    Sep 2008
    Location
    Greensburg, Pa
    Posts
    2,328

    Default

    The default OpenVPN address pool is 172.16.0.x, so you will not have any problems.

    If you manually set the OpenVPN client address pool, you want to use a non-routable network (a network that is not currently in use).

    Most people will make it 172.16.100.x or something like that.

    When a user installs the OpenVPN client on their computer, it creates a TAP interface (virtual Ethernet interface) that gets its IP address assigned to it via the OpenVPN server during the authentication / negotiation phase of establishing the connection. This way, whenever the user's computer is sending traffic across the VPN, it is not coming from their LAN or WAN IP, it is coming from their TAP interface IP.

  3. #3
    Untanglit
    Join Date
    Jan 2010
    Posts
    22

    Default

    Well, here's the situation I had. I set up OpenVPN with default settings. When a remote user connected, the main LAN network remained up internally but lost all outside traffic to and from WAN. Why would this happen?

  4. #4
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    2,989

    Default

    Let's reset this here.

    If your remote LAN (let's call this the home subnet) has the same IP range as the local subnet (let's call this the office subnet) then yes, you will not be able to communicate with devices in the office subnet from the home subnet. The home PC will think that everything in the office subnet is actually closer. This includes your office DNS server, which is what the home PC is trying to use, so that's why the "internet" seems to be down.

    The OpenVPN pool does nothing to alleviate this problem.

    Yes, you are correct: if you don't have a lot of servers, changing the office subnet range is often easier than having home users change their router settings ("It has settings?" is the most common response to that request).

    I would recommend anything like: 192.168.x.0/24 where x is not 0, 1 or 100. You should be safe.

    Also, 10/8 has lots of choices. Like 10.10.10.0/24 or: 10.11.12.0/24.
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.
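
The route shadowing described in post #4, as an added example that is not part of the original thread: a simplified model of route selection on a remote PC (longest prefix wins, lower metric breaks ties). The metrics, the `172.16.0.0/24` pool mask and the DNS address `192.168.1.10` are constructed for illustration.

```python
import ipaddress

# Home ranges the thread says to avoid (192.168.x.0/24 with x = 0, 1, 100).
HOME_DEFAULTS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.100.0/24"]

def home_client_routes(home_lan, office_lan, vpn_pool):
    """Constructed routing table of a home PC with the tunnel up.

    Each entry is (prefix, interface, metric); metrics are assumed values.
    """
    return [
        ("0.0.0.0/0", "lan", 20),   # default route via the home router
        (home_lan, "lan", 0),       # directly connected home LAN
        (vpn_pool, "tap", 0),       # VPN address pool on the TAP interface
        (office_lan, "tap", 30),    # office subnet pushed by the VPN server
    ]

def pick_route(routes, dst):
    """Return the route used for dst: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(matches,
               key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]))

def conflicts(office_lan, home_lans=HOME_DEFAULTS):
    """List the home ranges that overlap a candidate office subnet."""
    office = ipaddress.ip_network(office_lan)
    return [h for h in home_lans if office.overlaps(ipaddress.ip_network(h))]

if __name__ == "__main__":
    pool = "172.16.0.0/24"
    # Office and home both on 192.168.1.0/24: the office DNS server is
    # looked for on the home LAN, whatever the VPN pool is.
    before = home_client_routes("192.168.1.0/24", "192.168.1.0/24", pool)
    print("office DNS 192.168.1.10 ->", pick_route(before, "192.168.1.10")[1])

    # Office renumbered to 10.11.12.0/24: the same lookup uses the tunnel.
    after = home_client_routes("192.168.1.0/24", "10.11.12.0/24", pool)
    print("office DNS 10.11.12.10  ->", pick_route(after, "10.11.12.10")[1])

    for candidate in ("192.168.1.0/24", "10.11.12.0/24"):
        print(candidate, "overlaps:", conflicts(candidate))
```
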

  5. #5
    Untanglit
    Join Date
    Jan 2010
    Posts
    22

    Default

    mrunkel ... That's exactly what I was asking. Thanks for seeing through my cryptic post.

    Would you consider an address range of 192.168.x.0, other than x = 1, 2 or 100, to be a good "standard of practice" for the issue I'm having?
