How to change the subnet on the OpenVPN Ubuntu Linux server

Hi,

I can't comment on the site anymore, but I have a question on how to edit / change the subnet on the finished product.
The guide is from (https://www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/)
Is there a way to edit / change it without breaking the VPN server? As it has been live for a year now.

Hi @ADMN_Pixel85

You need to edit the server config file.

WARNING
The following editing requires a good understanding of networking concepts, including firewalls. Otherwise, I won't recommend doing it, as it will break the existing OpenVPN setup. You have been warned.

Changing the subnet on the OpenVPN Ubuntu server

You need to edit the /etc/openvpn/server/server.conf as the root user. For example:

sudo vim /etc/openvpn/server/server.conf

Then for IPv4:

server 10.8.0.0 255.255.255.0

For IPv6:

server-ipv6 fddd:1194:1194:1194::/64

Save and close the file.

Updating firewall rules

To view the current firewall rules:

sudo systemctl cat openvpn-iptables.service

Update the old SNAT rules by running the following (replace vim with the text editor you wish to use on the server):

export EDITOR=vim
sudo systemctl edit openvpn-iptables.service

Here is how the commented lines look:

[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 50.xxx.yyy.zzz
ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 50.xxx.yyy.zzz
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:yyyy::zzzz:aaaa:bbbb:ccc
ExecStart=/usr/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:yyyy::zzzz:aaaa:bbbb:ccc
ExecStop=/usr/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=/usr/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

Uncomment all lines and then update those firewall rules with the actual range set in server.conf.

Restarting the services

Then all you have to do is restart the services:

sudo systemctl daemon-reload
sudo systemctl restart openvpn-iptables.service
sudo systemctl restart openvpn-server@server.service

Or simply reboot the server:

sudo reboot

For example, I can replace the default subnet 10.8.0.0/24 with 172.16.0.0/24.
Edit the server.conf:
From:

server 10.8.0.0 255.255.255.0

To:

server 172.16.0.0 255.255.255.0

Then edit the firewall config:

sudo systemctl edit openvpn-iptables.service

Find all occurrences of the old subnet 10.8.0.0/24:

10.8.0.0/24

Replace with:

172.16.0.0/24

Here is how it will look:

[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/24 ! -d 172.16.0.0/24 -j SNAT --to 50.xxx.yyy.zzz
ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 172.16.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 172.16.0.0/24 ! -d 172.16.0.0/24 -j SNAT --to 50.xxx.yyy.zzz
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 172.16.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:xxxx::yyyy:zzzz:tttt:aaaa
ExecStart=/usr/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:xxxx::yyyy:zzzz:tttt:aaaa
ExecStop=/usr/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=/usr/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

Finally restart the server:

sudo reboot

Now your client subnet range has changed to:

Class B, Private Internet subnet

  • VPN server start Address: 172.16.0.1
  • Netmask: 255.255.255.0 = 24
  • Wildcard: 0.0.0.255
  • Network: 172.16.0.0/24
  • HostMin: 172.16.0.1
  • HostMax: 172.16.0.254
  • Broadcast: 172.16.0.255
  • Hosts/Net: 254
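Before restarting, it is worth confirming that the firewall unit and server.conf actually agree, because any rule still carrying the old subnet will keep being loaded. The script below is an added check, not part of the answer above or the linked guide: it reads the `server` directive, converts the netmask to a prefix length, and lists every IPv4 subnet the unit's iptables ExecStart lines still reference. It runs on constructed copies in a temp directory rather than the live /etc paths, which are assumed to have the layout shown above.

```shell
# Added example: cross-check the 'server' subnet in server.conf against the
# subnets referenced by openvpn-iptables.service (constructed sample files).

# Dotted netmask -> prefix length (255.255.255.0 -> 24, 255.255.248.0 -> 21)
mask_to_prefix() {
  echo "$1" | awk -F. '{ n = 0
    for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { n += o % 2; o = int(o / 2) } }
    print n }'
}

# CIDR of the 'server <net> <mask>' directive in an OpenVPN server.conf
openvpn_subnet() {
  line=$(awk '$1 == "server" && NF >= 3 { print $2, $3; exit }' "$1")
  [ -n "$line" ] || return 1
  echo "${line% *}/$(mask_to_prefix "${line#* }")"
}

# Every IPv4 CIDR used with -s/-d on iptables ExecStart lines of a unit file
unit_subnets() {
  grep -E '^ExecStart=.*/iptables ' "$1" \
    | grep -oE '(-s|-d) [0-9.]+/[0-9]+' | awk '{ print $2 }' | sort -u
}

# Exit 0 if the unit only references the server.conf subnet; otherwise print
# the stale or foreign subnets (rules left over from the old range) and exit 1.
check_consistency() {
  want=$(openvpn_subnet "$1") || { echo "no server directive in $1"; return 2; }
  stale=$(unit_subnets "$2" | grep -vxF "$want" || true)
  if [ -z "$stale" ]; then
    echo "ok: unit only references $want"
  else
    echo "mismatch: server.conf uses $want but the unit also references:"
    echo "$stale"
    return 1
  fi
}
# Constructed sample input: new subnet in server.conf, old rule left in the unit
tmp=$(mktemp -d)
printf 'port 1194\nproto udp\nserver 172.16.0.0 255.255.255.0\n' > "$tmp/server.conf"
cat > "$tmp/openvpn-iptables.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 50.xxx.yyy.zzz
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/24 ! -d 172.16.0.0/24 -j SNAT --to 50.xxx.yyy.zzz
ExecStart=/usr/sbin/iptables -I FORWARD -s 172.16.0.0/24 -j ACCEPT
EOF
grep -v '10\.8\.0\.0' "$tmp/openvpn-iptables.service" > "$tmp/fixed.service"
check_consistency "$tmp/server.conf" "$tmp/openvpn-iptables.service" || true  # reports 10.8.0.0/24
check_consistency "$tmp/server.conf" "$tmp/fixed.service"                     # ok
```

On a real server, point the two arguments at /etc/openvpn/server/server.conf and the output of `systemctl cat openvpn-iptables.service` saved to a file; a non-zero exit means an old-subnet rule is still in the unit.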

Thanks,

I will try it, so:
Step 1: Edit the server.conf
Step 2: Edit the iptables service

P.S.
Can I just copy the old iptables and paste into the new iptables and just change the IP and subnet, because basically everything is the same except for the subnet from /24 to /21?

Step 3: Reboot the server

Yes. You can copy and paste like that, or only the changes. It is up to you.


Nice, thanks so much. I have done as per your guide, but I was wondering: the iptables service now has 2 parts, 1 is the old one and the new one is in there as well (I have attached a screenshot for better understanding). My question is, will this affect the VPN?

I think you will have duplicate rules because it is using the ExecStart directive. What do you see when you run the following? Do you see duplicate NAT rules?

sudo iptables -t nat -v -L POSTROUTING -n

Say one for /24 and the other for /21. What you can do is delete the /24 rule first when you run:

sudo systemctl edit openvpn-iptables.service

So at the bottom, you could add (the -D removes the duplicate rule):

ExecStart=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 50.xxx.yyy.zzz

When I

I can see 2 sets of IP subnets.

When I use edit, I can't see the old rules.

So I can just remove them from here using this command, but how do I delete the old rules in openvpn-iptables.service?

Thanks in advance

Run this:

sudo systemctl edit openvpn-iptables.service

Then at the bottom you add the delete rule that matches your setup, like:

ExecStart=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 50.xxx.yyy.zzz

Say:

[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/24 ! -d 172.16.0.0/24 -j SNAT --to 50.xxx.yyy.zzz
ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 172.16.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 172.16.0.0/24 ! -d 172.16.0.0/24 -j SNAT --to 50.xxx.yyy.zzz
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 172.16.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:xxxx::yyyy:zzzz:tttt:aaaa
ExecStart=/usr/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:xxxx::yyyy:zzzz:tttt:aaaa
ExecStop=/usr/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=/usr/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
######################
### Delete rule goes here
######################
ExecStart=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 50.xxx.yyy.zzz
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

The override rule will delete the original rule. It is a mess, but it should work.

OK, thank you so much.
