Netgate Discussion Forum

    Topology - separate subnets for Windows clients

    4 Posts 2 Posters 856 Views
      snow

      Hi guys,

      As described in the following article, I created some CSC overrides to separate specific users for different access:

      https://openvpn.net/index.php/open-source/documentation/howto.html#policy

      For example:

      The server is running in network 10.0.1.0, and the CSC override entry provides an address within 10.0.2.0 network for one of the users.
      On Windows clients (in my case Windows 10, with OpenVPN client 2.4.2-I601 and TAP 9.21.2), this is running properly, but only when using "net30" topology.

      I already tried in the CSC settings the option "ifconfig-push 10.0.2.5 255.255.255.0" with "subnet" topology, instead of "ifconfig-push 10.0.2.5 10.0.2.6" with "net30" topology.
      But with "subnet" topology it's not working on my Windows clients.

      As described in the following article, it should be possible, but in this case the client is in the same subnet as the server:

      https://community.openvpn.net/openvpn/wiki/Topology

      Would it also be possible to get this running properly with "subnet" topology and if the Windows clients are located in a different subnet than the server?

      EDIT:

      I'm running on pfSense 2.3.4.

      Thanks,
      snow
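
Added example, not part of the original posts and not pfSense or OpenVPN code: a small Python lint for the two `ifconfig-push` forms quoted in the post above, checking that the second argument matches the server topology. The function names are hypothetical and the server tunnel network is assumed to be 10.0.1.0/24 (the post gives no netmask); the note about an address outside the tunnel network is informational only.

```python
import ipaddress

def is_netmask(text):
    """True if text is a contiguous IPv4 netmask such as 255.255.255.0."""
    try:
        inv = int(ipaddress.IPv4Address(text)) ^ 0xFFFFFFFF
    except ValueError:
        return False
    return inv != 0xFFFFFFFF and (inv & (inv + 1)) == 0

def lint_ifconfig_push(line, topology, tunnel_net):
    """Check one CSC 'ifconfig-push' line against the server topology.
    Returns (errors, notes); both are lists of strings."""
    errors, notes = [], []
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return ["expected: ifconfig-push <address> <peer-or-netmask>"], notes
    try:
        local = ipaddress.IPv4Address(parts[1])
    except ValueError:
        return [f"invalid client address: {parts[1]}"], notes
    second = parts[2]
    if topology == "net30":
        # net30: the second argument is the server-side endpoint. For Windows
        # clients both addresses must be the two hosts of a single /30.
        block = ipaddress.IPv4Network(f"{local}/30", strict=False)
        pair = {str(h) for h in block.hosts()}
        if {str(local), second} != pair:
            errors.append(f"net30 needs both hosts of {block}: {sorted(pair)}")
    elif topology == "subnet":
        # subnet: the second argument is a netmask, not a peer address.
        if not is_netmask(second):
            errors.append(f"subnet needs a netmask, got {second}")
    else:
        errors.append(f"unknown topology: {topology}")
    # Informational: the pushed address lies outside the server's tunnel network.
    if local not in ipaddress.IPv4Network(tunnel_net):
        notes.append(f"{local} is outside tunnel network {tunnel_net}")
    return errors, notes

if __name__ == "__main__":
    TUNNEL = "10.0.1.0/24"  # assumption: the post only says "network 10.0.1.0"
    samples = [  # the two forms quoted in the post, plus one mismatched use
        ("net30", "ifconfig-push 10.0.2.5 10.0.2.6"),
        ("subnet", "ifconfig-push 10.0.2.5 255.255.255.0"),
        ("subnet", "ifconfig-push 10.0.2.5 10.0.2.6"),
    ]
    for topo, line in samples:
        print(topo, "|", line, "->", lint_ifconfig_push(line, topo, TUNNEL))
```
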

        Pippin

        You can create an OpenVPN instance for each group.

        OVPN-1 - 10.8.1.0/24 - Group-1
        OVPN-2 - 10.8.2.0/24 - Group-2
        …..
        etc.

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

          snow

          @Pippin:

          You can create an OpenVPN instance for each group.

          OVPN-1 - 10.8.1.0/24 - Group-1
          OVPN-2 - 10.8.2.0/24 - Group-2
          …..
          etc.

          If I understand correctly, you need a different WAN IP, or a different Port/Proto for each instance.
          But I would like to use only one WAN IP and Port/Proto.

            Pippin

            One WAN IP is sufficient.

            OVPN-1 UDP or TCP listening on port 1194
            OVPN-2 UDP or TCP listening on port 1294

            So, only the port needs to be different.

            Using one OVPN instance, I don't know if it is possible on pfSense.


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.