Netgate Discussion Forum
    Openvpn site to site error

      UnderCover

      I am following the pfSense book to set up an OpenVPN site-to-site.

      It is extremely helpful and full of details!!!  THANK YOU!!

      Quick note though: on page 321 it says to use address pool 172.31.55.0/30.

      When I use this address on the server I get the error

      openvpn[22148]: Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower

      If I change it to 172.31.55.0/29

      Also....

      On the client side, if you configure a shared key, an interface IP is required before it will let you save the configuration.

      It starts up perfectly (I am using a PKI infrastructure instead of a shared key).

      GruensFroeschli

        A /30 will only work if you set up this with a shared key.
        For site-to-site you should use a shared key.
        Yes you will have to set an interface IP, because with a shared key no routes/IPs/DHCP-settings/anything will be pushed from the server.
        The configuration is only what you put into the config file.

        The reason why a /30 with a PKI won't work:
        In a PKI you have the x.1 IP for the server.
        Every time a client connects a new dynamic /30 subnet is added to the virtual interface.
        So
        x.0/30 initial IP of the Server.
        x.4/30 first client (x.5 server, x.6 client)
        x.8/30 second client (x.9 server, x.10 client)
        etc.
        This ensures that the clients can talk only with the server and not with each other directly.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
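To make the allocation described above concrete, here is an added Python example (my own code, not from this thread, OpenVPN or pfSense) that models OpenVPN's default net30 hand-out with the standard library's ipaddress module: the pool's first /30 holds the server's x.1, each client then gets its own /30 (x.4/30 with x.5 server side and x.6 client side, and so on), and the "/29 or lower" rule from the error in the first post falls out of that. It also shows why a /30 is fine in static (shared) key mode, where there is exactly one peer and both tunnel addresses are written into the configs rather than drawn from a pool. Function names are mine; the example pools are constructed from the thread.

```python
import ipaddress

# OpenVPN refuses "--server <pool>" on a tun interface unless the pool is a
# /29 or larger. In the default "topology net30" every client is handed its
# own /30, and the pool's first /30 is reserved for the server itself, so a
# /30 pool has no client slots at all.
MIN_SERVER_PREFIXLEN = 29


def check_server_pool(pool: str) -> ipaddress.IPv4Network:
    """Apply OpenVPN's size rule for --server; return the network or raise."""
    net = ipaddress.ip_network(pool, strict=True)
    if net.prefixlen > MIN_SERVER_PREFIXLEN:
        raise ValueError(
            "Options error: --server directive when used with --dev tun must "
            f"define a subnet of 255.255.255.248 (/29) or lower, got /{net.prefixlen}"
        )
    return net


def net30_allocations(pool: str, clients: int) -> dict:
    """Model the net30 hand-out: server gets x.1, then one /30 per client.

    Inside each client block .1 is the server-side endpoint and .2 the client's;
    clients only ever share a /30 with the server, never with each other.
    """
    net = check_server_pool(pool)
    blocks = list(net.subnets(new_prefix=30))
    free = blocks[1:]                      # block 0 (x.0/30) belongs to the server
    if clients > len(free):
        raise ValueError(f"{pool} has room for only {len(free)} net30 clients")
    return {
        "server": str(blocks[0][1]),       # x.1
        "clients": [
            {"subnet": str(b), "server_end": str(b[1]), "client_end": str(b[2])}
            for b in free[:clients]
        ],
    }


def shared_key_endpoints(pool: str) -> tuple:
    """Static-key site-to-site mode: a /30 is enough, because there is exactly
    one peer and the two tunnel addresses are configured on each side
    (OpenVPN's ifconfig option) instead of being pushed from a server pool."""
    net = ipaddress.ip_network(pool, strict=True)
    if net.prefixlen != 30:
        raise ValueError("a shared-key point-to-point tunnel uses a /30")
    return str(net[1]), str(net[2])


if __name__ == "__main__":
    # Constructed inputs taken from the thread: the book's /30 and the working /29.
    for pool in ("172.31.55.0/30", "172.31.55.0/29"):
        try:
            print(pool, "->", net30_allocations(pool, clients=1))
        except ValueError as err:
            print(pool, "->", err)
    print("shared key on /30 ->", shared_key_endpoints("172.31.55.0/30"))
```

Running it prints the same rejection for 172.31.55.0/30 that the first post hit, and for 172.31.55.0/29 shows the server at 172.31.55.1 with the single client slot 172.31.55.4/30 (172.31.55.5 server side, 172.31.55.6 client side); a /29 therefore holds exactly one PKI client, which is worth knowing before picking a pool for a site-to-site that may later grow.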

          UnderCover

          Thanks a lot for the response!

          That makes perfect sense!

            UnderCover

            Also note

            following the book's example for site-to-site VPN with a shared key there is one step missing

            on the client side interface IP must be set: 172.31.55.0/30

            the configuration file for the OpenVPN client will not let you save anything until an interface IP is set, on top of what the book mentions

              jimp Rebel Alliance Developer Netgate

              @UnderCover:

              Also note

              following the book's example for site-to-site VPN with a shared key there is one step missing

              on the client side interface IP must be set: 172.31.55.0/30

              the configuration file for the OpenVPN client will not let you save anything until an interface IP is set, on top of what the book mentions

              Thanks for catching that. We'll check into it and update the errata page if need be.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.