Error: Invalid prefix for given prefix length

openvpn

I have an OpenVPN server on a Netgear wireless router (192.168.8.1). The Netgear router is set up behind another router (192.168.7.1) that is connected to the internet. I've added a port forwarding rule to the internet-facing router that forwards the VPN port to the Netgear router.

I try to start the OpenVPN client with:

sudo openvpn --config "client2.conf"

But I get an error message regarding the routes:

Sun Sep 30 10:58:42 2018 us=603862 /sbin/ip route add 192.168.8.1/24 via 192.168.8.1
Error: Invalid prefix for given prefix length

Do I need to specify another route? If so, how do I specify the route?

My client2.conf looks like this:

client
dev tap                     # layer-2 (bridged) mode; routes pushed by the server are applied with /sbin/ip
proto udp
remote [MY_EXTERNAL_IP] [MY_VPN_PORT]
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC          # CBC mode; AES-GCM is preferred where both ends support it
comp-lzo                    # deprecated since OpenVPN 2.5; compression with TLS enables VORACLE-style attacks
verb 5                      # verbose logging, which is what shows the failing "ip route add" line above

Settings for the Netgear router:

[Image: Netgear router OpenVPN server settings]
[Image: Netgear router OpenVPN server settings, continued]

Settings for the internet-facing router:

[Image: internet-facing router port forwarding settings]

Best Answer

192.168.8.1/24

Your OpenVPN server is sending a nonsensical route: it specifies that the route is for a 24-bit prefix, but the address has bits set beyond that limit (in fact it appears to be a full 32-bit host address).

You're getting an error message because these parameters contradict each other. A valid destination would have been either 192.168.8.1/32 for a single host, or 192.168.8.0/24 for the entire network.

192.168.8.1/24 via 192.168.8.1

Additionally, it's a cyclical route that goes through itself, i.e. "in order to reach 192.168.8.1 you must first go to 192.168.8.1". (Ever heard the term catch-22?)

There are situations where this is valid: it would be acceptable in tun-mode OpenVPN connections (point-to-point links) if an interface were specified as well, as the gateway would be ignored then, but in this example an interface isn't specified, and the VPN is tap-mode anyway.

It would also be valid if the system already had an on-link route for 192.168.8.1/32 specifically, but it's unknown whether it does in your situation.

But in normal situations, a route's gateway is not part of the same route's destination. Depending on what you really wanted, a more likely route would be 192.168.8.0/24 via 192.168.7.1 or the opposite 192.168.7.0/24 via 192.168.8.1 (I have to guess here).

Do I need to specify another route?

That depends on what you want to route and where... and it assumes that you added this route manually in the first place. If it comes from Netgear's firmware, your best option might be to ignore it (or try a firmware upgrade).

  • If you want VPN clients to be able to reach devices in the main LAN, the route that the Netgear's VPN server needs to distribute is 192.168.7.0/24 via 192.168.8.1.

    (Note that routes distributed to clients are not the same thing as routes that the Netgear router itself uses.)
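The two checks the answer walks through (host bits set beyond the prefix length, and a gateway that lies inside the route's own destination) can be reproduced offline. The following is an added example, not code from the question, the answer or OpenVPN; it parses the logged `/sbin/ip route add` command with a regular expression and then applies the same strict prefix validation that `ip route` applies, using Python's standard `ipaddress` module. The function names `parse_ip_route_add` and `check_route` are this example's own, and the log line fed to it is copied from the question.

```python
import re
from typing import Optional, Tuple

import ipaddress

# Matches the tail of an OpenVPN verb-5 log line such as
#   ".../sbin/ip route add 192.168.8.1/24 via 192.168.8.1"
# "via" and "dev" are optional, as they are on the ip(8) command line.
_ROUTE_ADD = re.compile(
    r"ip route add (?P<dst>\S+)(?: via (?P<via>\S+))?(?: dev (?P<dev>\S+))?"
)


def parse_ip_route_add(log_line: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Extract (destination, gateway, device) from a logged 'ip route add' command."""
    m = _ROUTE_ADD.search(log_line)
    if m is None:
        raise ValueError(f"no 'ip route add' command found in: {log_line!r}")
    return m.group("dst"), m.group("via"), m.group("dev")


def check_route(destination: str, gateway: Optional[str] = None) -> dict:
    """Validate a route the way 'ip route add DST via GW' does and explain any failure.

    Returns a dict with:
      valid_prefix                 False when DST has host bits set beyond its prefix length
      suggestions                  the /32 host route and the /N network route DST could have meant
      gateway_inside_destination   True when GW falls inside DST (a route that goes through itself)
    """
    findings = {
        "destination": destination,
        "gateway": gateway,
        "valid_prefix": True,
        "suggestions": [],
        "gateway_inside_destination": False,
    }
    try:
        # strict=True is the kernel's rule: host bits must be zero for the given prefix length.
        net = ipaddress.ip_network(destination, strict=True)
    except ValueError:
        # e.g. 192.168.8.1/24 -> "Invalid prefix for given prefix length" from ip(8)
        findings["valid_prefix"] = False
        iface = ipaddress.ip_interface(destination)   # lenient parse: address + prefix
        findings["suggestions"] = [
            f"{iface.ip}/{iface.network.max_prefixlen}",  # single host, e.g. 192.168.8.1/32
            str(iface.network),                           # whole network, e.g. 192.168.8.0/24
        ]
        net = iface.network
    if gateway is not None:
        # A gateway inside its own destination is only meaningful with an on-link /32
        # or a point-to-point 'dev'; otherwise the route cannot be installed sensibly.
        findings["gateway_inside_destination"] = ipaddress.ip_address(gateway) in net
    return findings


if __name__ == "__main__":
    # Log line copied from the question above.
    log = "Sun Sep 30 10:58:42 2018 us=603862 /sbin/ip route add 192.168.8.1/24 via 192.168.8.1"
    dst, via, dev = parse_ip_route_add(log)
    print(check_route(dst, via))
    # The route the answer suggests instead for reaching the main LAN from VPN clients:
    print(check_route("192.168.7.0/24", "192.168.8.1"))
```

Run against the question's log line, the first call reports `valid_prefix` False with suggestions `192.168.8.1/32` and `192.168.8.0/24`, and `gateway_inside_destination` True; the suggested `192.168.7.0/24 via 192.168.8.1` passes both checks. The same module can be pointed at a whole OpenVPN log to find every pushed route that would fail before the client is started.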
