Site2Site OpenVPN only works with /30 IPv4 Tunnel Network?

Upper Deck

@netblues said in Site2Site OpenVPN only works with /30 IPv4 Tunnel Network?:

And you have a normal /24 at the server tunnel network?

Yes. But using /24 still causes all sites to not be able to access each other.

Have you restarted openvpn service both ends after changes?

Thanks for reminding. The virtual address is normal after restarting.

Have you assigned an interface to the vpn server/client for better monitoring/management?

Yes. Everything looks ok.

bingo600

@upper-deck
Why not just create a /30 server for each site ?

I have 6 x Site to site (S2S) - /30 OVPN servers , and they give me no grief, and since they're "Point to point", all info can be given directly in the definitions.

I have no experience with /24 S2S , just use /24 for "Client Connects .. "dialin"

But since your desired "/24 Server" is a "one to many" i would expect you have to use Client Side Overrides (CSO) , in order to define the Site specific info , like routes etc ....

I absolutely prefer /30 , or more correctly Point-To-Point for (S2S).
And i "think" i get the advantage of having multiple servers , where each can run simultaneously on an available "CPU... Thread".
I have an idea (hope) that this would improve the "OpenVPN" is "locked to one Core" performance. Since several servers, each can use an available "Core" if needed.

Edit:
I have i5's or i3's with 4 "threads" , and 8GB Ram, so "multi OVPN server" resources is not an issue for me.

/Bingo

netblues

@bingo600 What you suggest is valid, however doesn't correct the mis- configuration issue of the op.

And certainly having 3 servers is more difficult to administer than one.

On the performance side, I would ditch openvpn altogether and opt for wireguard.

bingo600

@netblues said in Site2Site OpenVPN only works with /30 IPv4 Tunnel Network?:

@bingo600 What you suggest is valid, however doesn't correct the mis- configuration issue of the op.

I just commented on the /30 vs /24 S2S setup.

And certainly having 3 servers is more difficult to administer than one.

IMHO that's not correct, since you don't have to do the CSO's on a P2P /30.
I would say they're comparable in complexity.

On the performance side, I would ditch openvpn altogether and opt for wireguard.

I don't trust wireguard (yet) ...
OpenVPN is proved "easy and stable", and for my ISP BW 300Mb/s i have no problem "filling the line".

For squeezing the last drop out i'd go IPSEC.

/Bingo

Upper Deck

@netblues

I did some more tests. Under the premise of keeping other settings all the same, if the IPv4 Tunnel Network goes to /30, both the server and client networks are normal; as long as the IPv4 Tunnel Network is set to /24, the server and client will not be able to access each other. Except for the IPv4 Tunnel Network /24 /30 settings of the server-side and client-side, other configurations remain the same.

Also, I found a very interesting fact. When /30 is set, the Status page of OpenVPN displays server information. When /24 is set, the Status page displays the client connection information. Perhaps when the IPv4 Tunnel Network is set to /24, pfSense also thinks that the server-client VPN mode is used?

bingo600

@upper-deck said in Site2Site OpenVPN only works with /30 IPv4 Tunnel Network?:

Also, I found a very interesting fact. When /30 is set, the Status page of OpenVPN displays server information. When /24 is set, the Status page displays the client connection information. Perhaps when the IPv4 Tunnel Network is set to /24, pfSense also thinks that the server-client VPN mode is used?

Easy explained ...
When /30 is used pfSense knows it's a Point-to-Point.
And uses the info directly from the Server/Client definition.

/Bingo

Upper Deck

Still can't figure out why the /24 tunnel network doesn't work.

netblues

@upper-deck I thought it did from what you said

stephenw10

It's because when you set the server to use /24 topology you need to add client specific overrides for each client site with the remote subnets set. Doing so adds iroutes in OpenVPN so the daemon knows which subnets are at which clients. Note the 'Routing Table' button in the above screenshot for /24. That will display the iroutes and they must exist.
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html#create-client-specific-overrides

When you use /30 there can be only one client so the daemon assume all remote subnets are there.

Steve

Upper Deck

@stephenw10

Orz