Is OpenVPN S2S /30 topology not recommended anymore ??
-
Edit: It is the NET30 Topology that will be deprecated in OpenVPN 2.6
See
https://community.openvpn.net/openvpn/ticket/1288
and
https://patchwork.openvpn.net/project/openvpn2/patch/20200620180532.15738-1-gert@greenie.muc.de/#2289
TLDR:
Think I saw someone post that OpenVPN /30 topology was not recommended anymore. I'm using that for all my Site to Site VPNs, and would like to know if that is correct?
Why would they deprecate /30 Topology ?
It's a "Clean" solution, and avoids the hassle of CSO's
/Bingo
-
@bingo600
I prefer a /30 tunnel network for a site-to-site as well. The setup seems more clear and reliable to me.
The docs don't say you should not configure it this way: OpenVPN Site-to-Site Configuration Example with SSL/TLS.
Check out the first note.
-
Something is mentioned here.
https://community.openvpn.net/openvpn/wiki/Topology
It seems to be for "clients", not site2site, and the net30 seems to be some old weird thing for M$ clients.
I think (hope) someone saw that, and misunderstood.
Edit:
Wuutt: - They are removing net30 in 2.6
https://community.openvpn.net/openvpn/ticket/1288
Now I'm getting worried ....
Are we using subnet with a /30, or are we (behind the curtains) specifying net30 when using a /30 in pfSense?
/Bingo
-
https://forum.netgate.com/topic/92430/heads-up-openvpn-topology-default-changed-to-subnet-was-net30
.
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
-
@bingo600
Yes, for an access server the subnet topology is recommended now.
Some old clients are not compatible with subnet topology, however, so the default setting was /30 in previous pfSense versions.
-
So this is just for Servers with IPv4 Pools (aka not S2S)
https://community.openvpn.net/openvpn/ticket/1288
and
https://patchwork.openvpn.net/project/openvpn2/patch/20200620180532.15738-1-gert@greenie.muc.de/#2289
I have this selected on my S2S servers
-
@bingo600 said in Is OpenVPN S2S /30 topology not recommended anymore ??:
https://community.openvpn.net/openvpn/ticket/1288
Good to know. One of my access servers still uses /30 topology.
I have this selected on my S2S servers
I simply use a /30 tunnel network in my s2s servers. So the topo setting is superfluous with that.
-
@viragomann said in Is OpenVPN S2S /30 topology not recommended anymore ??:
I simply use a /30 tunnel network in my s2s servers. So the topo setting is superfluous with that.
And you still have the /30 "benefit", as not having to do CSO's
I also have /30 tunnel network on my S2S both Client + Server
-
@bingo600
Yes, with a /30 tunnel there is only one client possible. Hence you don't need a CSO.
-
@viragomann
I'll try to set topology SUBNET tomorrow on my central server and test-fwall (client) S2S peer
Thanx
-
@bingo600
If the server uses a /30 tunnel this won't change anything. But yeah, it would be compatible with the next OpenVPN versions.
-
I changed all my S2S Server & Clients from:
Topology: NET30 --> Topology: Subnet
Remember to do it on the "Remote client first", then on the "Server".
Since I already used a /30 as the Tunnel interface, this was all I had to do.
I experienced a brief OpenVPN outage, while the Server & Client restarted/reconnected ...
Outage 1..2 minutes.
/Bingo