OpenVPN server and client on different IPs
-
Hi,
I started using pfSense about a week ago and would like to move my OpenVPN clients from a standalone Linux machine to pfSense. On the Linux machine I'm using net30 topology, but that seems to be deprecated and subnet topology is recommended. I've never used subnet topology, so I have questions. Is it possible to have the OpenVPN server on one IP (Tunnel network 172.30.10.0/24, so the server gets 172.30.10.1) and a client on 172.30.20.10? I use "Client Specific Overrides" so I can set a static IP and push a route:
ifconfig-push 172.30.20.10 255.255.255.0;
push "route 172.40.15.0 255.255.255.0";
Client can connect and gets 172.30.20.10, but adding a route gives me an error:
2022-09-18 10:21:46 us=175360 net_addr_v4_add: 172.30.20.10/24 dev tun1
2022-09-18 10:21:46 us=176333 net_route_v4_add: 172.40.15.0/24 via 172.30.10.1 dev [NULL] table 0 metric -1
2022-09-18 10:21:46 us=176469 sitnl_send: rtnl: generic error (-101): Network is unreachable
Is it even possible to use topology subnet and have server and client on different subnets?
Best regards,
Kovi -
@kovica
The client's IP you state in the CSO must be inside of the tunnel network. -
@viragomann So there is no way they can be on different subnets? At least with the subnet topology.
-
@kovica
This is only possible with net30 topology. However, even with this the server has an IP within the client's subnet. What's the reason for wanting a different subnet on the client?
Routing works with subnet topology as well. -
@viragomann I have been running a standalone OpenVPN server on a Linux box for over 10 years. My coworkers and I got used to the IPs; this is the reason I want to use the same IPs on pfSense too.
This is how current OpenVPN server works:
server.conf:
local 172.20.11.4
proto udp
port 1194
dev tun0
comp-lzo
# server pool (net30 topology)
server 172.200.1.0 255.255.255.0
# kernel route for the statically assigned clients in the ccd files
route 172.200.2.0 255.255.255.0
push "route 172.20.11.0 255.255.255.0"
ca CA.crt
cert server.crt
key server.key
dh dh2048.pem
persist-key
persist-tun
persist-local-ip
persist-remote-ip
push "persist-key"
push "persist-tun"
keepalive 10 60
user vpn
group vpn
daemon
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3
management localhost 7505
# per-client ifconfig-push / push lives here; clients without a ccd file are rejected
client-config-dir ccd
ccd-exclusive
#client-to-client
And a client's ccd looks like:
ifconfig-push 172.200.2.93 172.200.2.94
push "route 172.200.0.0 255.255.0.0"
-
@kovica
It's not pfSense, it's the OpenVPN project that intends to remove the net30 topology in future versions:
Topology in OpenVPN
Deprecation warning for --topology net30 on servers with IPv4 pools. The current pfSense, however, has version 2.5 inside, so net30 is still available.
But as far as I know, the CSO tunnel has to be part of the server's tunnel network. Anyway, I'm running a server with a /24 tunnel and net30 topology and I have a CSO with a /29 tunnel inside it to enable multiple connections for me.
-
@viragomann Yes, I know net30 is being deprecated by OpenVPN, not pfSense.
But otherwise thank you for clearing things up. I guess I'm stuck with net30 for now.
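As an added example (not part of the thread above, and not pfSense or OpenVPN project code), the following script encodes the two rules the thread turns on so a Client Specific Override can be checked before a client ever connects: under topology subnet the ifconfig-push address must lie inside the server's tunnel network, and a pushed route is installed "via" the server's tunnel IP, so that gateway must be on-link from the client's address/mask (the condition behind Kovi's "Network is unreachable"); under topology net30 an ifconfig-push local/remote pair is conventionally the two usable addresses of one /30 (x.x.x.[4n+1] and x.x.x.[4n+2]), which is what net30 allocates by itself and what Windows clients require. The addresses are taken from the posts above; the extra cases and the function names are my own.

```python
"""Sanity-check OpenVPN Client Specific Override (CSO) addressing.

Added example; the rules encoded here are the ones discussed in the thread,
the helper names are constructed for this illustration.
"""
from ipaddress import IPv4Address, IPv4Network


def in_tunnel_network(tunnel_net: str, client_ip: str) -> bool:
    """topology subnet: the CSO address must lie inside the server's tunnel network."""
    return IPv4Address(client_ip) in IPv4Network(tunnel_net, strict=False)


def gateway_on_link(client_ip: str, client_mask: str, gateway: str) -> bool:
    """A route 'via <gateway>' can only be installed if the gateway is reachable
    directly from the client's own interface address and netmask."""
    link = IPv4Network(f"{client_ip}/{client_mask}", strict=False)
    return IPv4Address(gateway) in link


def valid_net30_pair(local: str, remote: str) -> bool:
    """topology net30: local and remote must be the two host addresses of one /30."""
    a, b = IPv4Address(local), IPv4Address(remote)
    block = IPv4Network(f"{a}/30", strict=False)
    hosts = set(block.hosts())  # the two middle addresses; excludes network/broadcast
    return a != b and a in hosts and b in hosts


def check_subnet_cso(tunnel_net: str, server_ip: str, client_ip: str,
                     client_mask: str, pushed_routes: list[str]) -> list[str]:
    """Return the problems found in a subnet-topology CSO (empty list = consistent)."""
    problems = []
    if not in_tunnel_network(tunnel_net, client_ip):
        problems.append(f"ifconfig-push {client_ip}: outside tunnel network {tunnel_net}")
    if pushed_routes and not gateway_on_link(client_ip, client_mask, server_ip):
        # The client kernel is asked to add <route> via <server_ip>, but <server_ip>
        # is not on-link from <client_ip>/<client_mask>: "Network is unreachable".
        for net in pushed_routes:
            problems.append(
                f'push "route {net}": gateway {server_ip} not on-link '
                f"from {client_ip}/{client_mask}"
            )
    return problems


if __name__ == "__main__":
    # Kovi's subnet-topology attempt from the thread
    for p in check_subnet_cso("172.30.10.0/24", "172.30.10.1",
                              "172.30.20.10", "255.255.255.0",
                              ["172.40.15.0/24"]):
        print("PROBLEM:", p)
    # Kovi's working net30 ccd entry
    print("net30 pair 93/94 valid:", valid_net30_pair("172.200.2.93", "172.200.2.94"))
```

Run against the values from the thread, the subnet-topology CSO reports two problems (address outside 172.30.10.0/24, and 172.30.10.1 not on-link from 172.30.20.10/24), while the net30 pair 172.200.2.93/172.200.2.94 passes because both sit in 172.200.2.92/30.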