Netgate Discussion Forum

    OpenVPN subnet topology routes

jmcentire

When using topology subnet on a site-to-site SSL VPN with a 192.168.250.0/26 subnet, this is what the routing table shows:

      Destination            Gateway              Netif
      192.168.250.0/26       192.168.250.1        ovpns3
      192.168.250.1          link#17              lo0
      192.168.250.1/32       ovpns3               ovpns3
      192.168.250.2          link#17              ovpns3


I have 4 sites connected to this VPN (.2, .3, .4, .5), but only .2 is listed in the routing table, which leads me to a few questions.

1. Why does the subnet (192.168.250.0/26) have a gateway of 192.168.250.1 instead of being directly connected?

2. Why does .2 have an entry, and why don't the other sites (.3, .4, .5) also have entries?

The reason I'm looking into this is that I'm trying to get OSPF working with a subnet topology. It does work (full state) with the first neighbor (.2), but it can't get past exchange with the others because quagga shows .3, .4, .5, etc. as "network unreachable".

jimp (Rebel Alliance Developer, Netgate)

        Looks like you're still on tun mode. For it to show the way you are asking, it has to be on tap mode.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

jmcentire

I've tried messing with tap, but I can't get it to work. Since I want to route over the VPN, how would I need to set it up?

jimp (Rebel Alliance Developer, Netgate)

            If you want multiple sites to use the same OpenVPN server with OSPF, you must use tap. tun cannot work, even with topology subnet.

            Either that or use shared key servers/clients, one per remote location.

jmcentire

              Can you give me any tips on setting up tap with an intermediate "tunnel" network for ospf neighbors to talk?

jimp (Rebel Alliance Developer, Netgate)

Use tap mode and put in a tunnel network subnet (e.g. x.x.x.0/24). Nothing magical about tap mode configs for this. The rest of the settings are identical to a topology subnet config.

jmcentire

That's what I tried. The server works, but the clients all fail at ifconfig. Is there anything I need to change on the client side besides switching to tap?

jimp (Rebel Alliance Developer, Netgate)

                    If it's SSL/TLS with tap the clients should need practically nothing in their config. Just tap mode, server IP address, CA/cert selected, match the compression settings. Leave the tunnel network and network boxes and such empty.

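The setup jimp describes in the replies above, written out as plain OpenVPN and quagga directives. This is an added example; it is not part of the thread and not the configuration pfSense generates. It shows the tun/topology subnet server from the first post beside the tap-mode server and the minimal tap client, plus the ospfd.conf fragments for both ends. The tunnel subnet 192.168.250.0/26 is taken from the thread; the interface names (ovpns3 on the server, ovpnc1 on a client), the server hostname vpn.example.net, the certificate paths, the router IDs, the client LAN 10.3.0.0/24 and the OSPF area are assumptions and must be adjusted to the installation.

```conf
# ===== Server, alternative A: tun mode with "topology subnet" (the first post) =====
# OpenVPN brings ovpns3 up as a point-to-point interface whose far end is the
# first pool address (.2). The kernel therefore lists only .2 as an attached
# host, and OSPF sees a link with exactly one neighbour.
dev tun
topology subnet
server 192.168.250.0 255.255.255.192        # tunnel network from the thread (/26)
proto udp
port 1194
ca       /var/etc/openvpn/server3/ca        # assumed paths
cert     /var/etc/openvpn/server3/cert
key      /var/etc/openvpn/server3/key
dh       /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server3/tls-auth 0
# compression deliberately left off; if enabled here it must also be enabled on every client

# ===== Server, alternative B: tap mode (jimp's recommendation) =====
# Only the device type changes. tap gives a broadcast-capable interface, so the
# server's OSPF hellos to 224.0.0.5 reach every client. client-to-client makes
# OpenVPN flood a client's broadcast/multicast frames to the other clients as
# well; without it a spoke's hellos are delivered to the server side only.
dev tap
server 192.168.250.0 255.255.255.192        # tunnel network; server takes .1, clients get .2 upward
client-to-client
proto udp
port 1194
ca       /var/etc/openvpn/server3/ca
cert     /var/etc/openvpn/server3/cert
key      /var/etc/openvpn/server3/key
dh       /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server3/tls-auth 0

# ===== Client, tap mode: mode, server address, CA/cert, matching compression =====
# No ifconfig and no tunnel network on the client; its address comes from the
# server's pool, which is why the boxes on the client side stay empty.
client
dev tap
proto udp
remote vpn.example.net 1194                 # assumed server address
ca       /var/etc/openvpn/client1/ca
cert     /var/etc/openvpn/client1/cert
key      /var/etc/openvpn/client1/key
tls-auth /var/etc/openvpn/client1/tls-auth 1
remote-cert-tls server                      # refuse a client certificate posing as the server
# compression left off to match the server

# ===== ospfd.conf on the server (tap interface ovpns3) =====
interface ovpns3
 ip ospf network broadcast                  # the default for tap; stated to document the intent
router ospf
 ospf router-id 192.168.250.1
 network 192.168.250.0/26 area 0.0.0.0      # the tunnel network carries the adjacencies

# ===== ospfd.conf on a client (tap interface ovpnc1, site LAN 10.3.0.0/24 assumed) =====
interface ovpnc1
 ip ospf network broadcast
router ospf
 ospf router-id 192.168.250.3
 network 192.168.250.0/26 area 0.0.0.0
 network 10.3.0.0/24 area 0.0.0.0          # advertise the site's LAN to the hub
```

Alternatives A and B are mutually exclusive server configurations; keep only one. Router IDs must be unique per router, and the quagga network statement for the tunnel must cover the whole pool so that every spoke's interface joins the same area. After a spoke connects, its address should appear in the server's OSPF neighbour list rather than only in the OpenVPN status, which is the check that distinguishes the tap setup from the tun one in the first post.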
jmcentire

Thanks for your help. It seems the client didn't like being converted to tap; I recreated a new client config with the exact same data and it worked.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.