Is OpenVPN S2S /30 topology not recommended anymore ??

viragomann

@bingo600
I prefer a /30 tunnel network for a site-to-site as well. The setup seems more clear and reliable to me.

The docs don't say you should not configure it this way: OpenVPN Site-to-Site Configuration Example with SSL/TLS.
Check out the first note.

bingo600

@viragomann

Something is mentioned here.
https://community.openvpn.net/openvpn/wiki/Topology

It seems to be for "clients" not site2site , and the net30 seems to some old weird thing , for M$ clients.

I think (hope) someone saw that, and misunderstood.

Edit:
Wuutt: - They are removing net30 in 2.6
https://community.openvpn.net/openvpn/ticket/1288

Now i'm getting worried ....

Are we using subnet with a /30 , or are we (behind the curtains) specifying net30 , when using a /30 in pfSense ?

/Bingo

Pippin

https://forum.netgate.com/topic/92430/heads-up-openvpn-topology-default-changed-to-subnet-was-net30
.
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

viragomann

@bingo600
Yes, for an access server the subnet topology is recommended now.

Some old clients are not compatible with subnet topology, however, so the default setting was /30 in previous pfSense versions.

bingo600

@viragomann

So this is just for Servers with IPv4 Pools (aka not S2S)
https://community.openvpn.net/openvpn/ticket/1288

and

https://patchwork.openvpn.net/project/openvpn2/patch/20200620180532.15738-1-gert@greenie.muc.de/#2289

I have this selected on my S2S servers

viragomann

@bingo600 said in Is OpenVPN S2S /30 topology not recommended anymore ??:

https://community.openvpn.net/openvpn/ticket/1288

Good to know. One of my access servers still uses /30 topology.

I have this selected on my S2S servers

I simply use a /30 tunnel network in my s2s servers. So the topo settings is superfluous with that.

bingo600

@viragomann said in Is OpenVPN S2S /30 topology not recommended anymore ??:

I simply use a /30 tunnel network in my s2s servers. So the topo settings is superfluous with that.

And you still have the /30 "benefit" , as not having to do CSO's

I also have /30 tunnel network on my S2S both Client + Server

viragomann

@bingo600
Yes, with a /30 tunnel there is only one client possible. Hence you don't need a CSO.

bingo600

@viragomann
I'll try to set topology SUBNET tomorrow on my central server and test-fwall (client) S2S peer

Thanx

viragomann

@bingo600
If the server uses a /30 tunnel this won't change anything. But yeah, it would be compatible with the next OpenVPN versions.

bingo600

I changed all my S2S Server & Clients from:
Toplogy : NET30 --> Topology: Subnet
Remember to do it on the "Remote client first" , then on the "Server".

Since i already used a /30 as the Tunnel interface, this was all i had to do.

I experienced a brief OpenVPN outage, while the Server & Client restarted/reconnected ...
Outage 1..2 minutes.

/Bingo