Netgate Discussion Forum

    Assigning clients tunnel IP a subnet of the server tunnel net

    OpenVPN
    3 Posts 2 Posters 2.4k Views
    P_Gineste

      Hello everyone,

      I'm faced with an issue of the client immediately quitting after contacting the server when I set up my configuration.

      What I try to achieve
      The idea is to have a defined Subnet where machines can all talk together going through the central server.
      But I would like to achieve it while assigning specific IPs to the machines based on which region they are from, and some others in accordance with our address plan.
      All clients and servers are pfSense machines and there should only be one server.

      global subnet (OpenVPN server tunnel): 10.128.16.0/20
      Central server IP : 10.128.16.1
      Client 1 subnet : 10.128.17.0/28
      C1 machine 1 : 10.128.17.1
      C1 m2 : 10.128.17.2
      Client 2 subnet : 10.128.17.16/28
      C2 m1 : 10.128.17.17 ... etc.

      The configuration so far
      Server

      Preshared key in an openvpn static key
      Server mode : P2P (Shared Key)
      IPV4 Tunnel Network : 10.128.16.0/20
      IPV4 Remote Networks : 10.128.0.0/20,10.128.16.0/20 (well, clients need to access all the super-subnet)
      Disable IPv6 : ON
      Verbosity Level 5

      PoC machine

      Server mode : P2P (Shared Key)
      IPV4 Tunnel Network : 10.128.17.0/28
      IPV4 Remote Networks : 10.128.0.0/20,10.128.16.0/20 (well, clients need to access all the super-subnet)
      Disable IPv6 : ON
      Verbosity Level 5

      P.S. : I tried ifconfig-push 10.128.17.2 10.128.16.1 but I get

      Options error: option 'ifconfig-push' cannot be used in this context (/var/etc/openvpn/client2.conf)

      The logs

      Jun 17 16:43:54 openvpn 804 LZO compression initialized
      Jun 17 16:43:54 openvpn 804 Socket Buffers: R=[42080->42080] S=[57344->57344]
      Jun 17 16:43:54 openvpn 804 ROUTE_GATEWAY 192.168.1.1
      Jun 17 16:43:54 openvpn 804 TUN/TAP device ovpnc2 exists previously, keep at program end
      Jun 17 16:43:54 openvpn 804 TUN/TAP device /dev/tun2 opened
      Jun 17 16:43:54 openvpn 804 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Jun 17 16:43:54 openvpn 804 /sbin/ifconfig ovpnc2 10.128.16.2 10.128.16.1 mtu 1500 netmask 255.255.255.255 up
      Jun 17 16:43:54 openvpn 804 /usr/local/sbin/ovpn-linkup ovpnc2 1500 1573 10.128.16.2 10.128.16.1 init
      Jun 17 16:43:54 openvpn 804 /sbin/route add -net 10.128.0.0 10.128.16.1 255.255.240.0
      Jun 17 16:43:54 openvpn 804 /sbin/route add -net 10.128.16.0 10.128.16.1 255.255.255.0
      Jun 17 16:43:54 openvpn 804 Data Channel MTU parms [ L:1573 D:1450 EF:73 EB:143 ET:0 EL:3 AF:3/1 ]
      Jun 17 16:43:54 openvpn 804 Local Options String: 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,ifconfig 10.128.16.1 10.128.16.2,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
      Jun 17 16:43:54 openvpn 804 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,ifconfig 10.128.16.2 10.128.16.1,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
      Jun 17 16:43:54 openvpn 804 Local Options hash (VER=V4): '2de2c0a7'
      Jun 17 16:43:54 openvpn 804 Expected Remote Options hash (VER=V4): '8fec03ae'
      Jun 17 16:43:54 openvpn 804 UDPv4 link local (bound): [AF_INET]192.168.1.143
      Jun 17 16:43:54 openvpn 804 UDPv4 link remote: [AF_INET]84.39.44.121:1194
      Jun 17 16:43:59 openvpn 16909 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jun 17 16:43:59 openvpn 16909 MANAGEMENT: CMD 'state 1'
      Jun 17 16:43:59 openvpn 16909 MANAGEMENT: CMD 'status 2'
      Jun 17 16:43:59 openvpn 16909 MANAGEMENT: Client disconnected
      Jun 17 16:43:59 openvpn 804 MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
      Jun 17 16:43:59 openvpn 804 MANAGEMENT: CMD 'state 1'
      Jun 17 16:43:59 openvpn 804 MANAGEMENT: Client disconnected

      Thank you for reading, if you have any idea what I should do/use, please tell me.

      divsys

        Without super tight analysis of all your network ranges, it appears you have some potential issues with overlap of tunnel addresses and LAN routing.
        That's guaranteed to cause you issues.

        I get that you'd like to try and categorize different connecting clients to separate their regions, but how many are you expecting?
        If it's more than 200 clients then a /20 range is well more than enough.  If it's less than 50, a /24 is plenty.

        In addition, it's been my experience that keeping the tunnel subnets completely different from the possible LAN ranges is a very good thing.  In your case, I'd suggest something like 10.10.128.0/24 for your tunnels and then the LANs can use what you need in the 10.128.x.x ranges.

        The other thing to consider is to do this using PKI rather than shared key.  It will mean a little more planning as to how many certificates you need to create, but it's well worth it IMHO in terms of the better (and simpler) control of routing you get.  In a general PKI site-site setup you don't need to worry about "routing" tunnels, they're only used by OpenVPN. Once they're up, you can ignore the tunnels and define routes for your LAN subnets making things much easier to troubleshoot.

        Just my $.02

        -jfp

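As an added check (not code from the thread or from pfSense), the script below applies the overlap warning in the reply above to the address plan posted in the question, using Python's ipaddress module. The 10.10.128.0/24 value is the alternative the reply suggests; the 10.128.16.2 address is the one the client's ifconfig line in the posted log actually received.

```python
# Added example: test an OpenVPN address plan for the overlap problems the
# reply warns about. All addresses are taken from the thread.
from ipaddress import ip_address, ip_network

SERVER_TUNNEL = ip_network("10.128.16.0/20")      # server "IPv4 Tunnel Network"
CLIENT_TUNNEL = ip_network("10.128.17.0/28")      # PoC machine tunnel network
REMOTE_NETS = [ip_network("10.128.0.0/20"),       # "IPv4 Remote Networks"
               ip_network("10.128.16.0/20")]
SUGGESTED_TUNNEL = ip_network("10.10.128.0/24")   # divsys's suggestion


def check_plan(server_tunnel, client_tunnel, remote_nets):
    """Return the routing conflicts in a P2P tunnel plan.

    remote_overlaps: remote (LAN) networks that overlap the tunnel network,
                     so a LAN route and the tunnel route compete for the
                     same addresses.
    client_inside_server: the client's tunnel network is carved out of the
                     server's, i.e. both ends describe the same link with
                     different prefixes.
    """
    remote_overlaps = [str(n) for n in remote_nets if server_tunnel.overlaps(n)]
    return {
        "remote_overlaps": remote_overlaps,
        "client_inside_server": client_tunnel.subnet_of(server_tunnel),
    }


def tunnel_for(addr, candidates):
    """Return the configured tunnel networks that contain `addr`,
    e.g. the address the ifconfig line in the log assigned."""
    a = ip_address(addr)
    return [str(n) for n in candidates if a in n]


if __name__ == "__main__":
    print("posted plan:", check_plan(SERVER_TUNNEL, CLIENT_TUNNEL, REMOTE_NETS))
    print("suggested plan:", check_plan(SUGGESTED_TUNNEL, CLIENT_TUNNEL, REMOTE_NETS))
    # The log shows ifconfig ovpnc2 10.128.16.2 10.128.16.1: which net is that in?
    print("10.128.16.2 is in:", tunnel_for("10.128.16.2", [SERVER_TUNNEL, CLIENT_TUNNEL]))
```

With the posted values the server tunnel net is listed as its own remote network and the client /28 sits inside the server /20, while the suggested 10.10.128.0/24 clears both remote networks.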
        P_Gineste

          Hello,

          First thank you for responding, it's a tricky subject and I appreciate all the help I can get.
          Now onto the topic:

          First of all, the OpenVPN tunnel is not only a site-to-site server but a remote access one too (meaning sometimes I only want to connect to the OVPN IP, not the private subnets this machine has access to).

          The tunnels are on a /20 but the LANs are on another, so no risk of collision. Our network planning has been made to be a little future proof, hence the /20.

          On the PKI, good idea but no, maintaining it properly would cost more of my time than I can allocate to it, automating the renewal of a shared key is no big deal.

          I was looking for a list of advanced options I can give to OpenVPN to assign a specific client-side tunnel IP belonging to the /20 in accordance with our naming scheme without letting the OpenVPN server choose it.
