Assigning clients tunnel IP a subnet of the server tunnel net



  • Hello everyone,

    I'm faced with an issue of the client immediately quitting after contacting the server when I set up my configuration.

    What I'm trying to achieve
    The idea is to have a defined subnet where machines can all talk together going through the central server.
    But I would like to achieve it while assigning specific IPs to the machines based on which region they are from, and some others in accordance with our address plan.
    All clients and servers are pfSense machines and there should only be one server.

    Global subnet (OpenVPN server tunnel): 10.128.16.0/20
    Central server IP: 10.128.16.1
    Client 1 subnet: 10.128.17.0/28
    C1 machine 1: 10.128.17.1
    C1 m2: 10.128.17.2
    Client 2 subnet: 10.128.17.16/28
    C2 m1: 10.128.17.17 ... etc.

    The configuration so far
    Server

    Preshared key in an OpenVPN static key
    Server mode: P2P (Shared Key)
    IPv4 Tunnel Network: 10.128.16.0/20
    IPv4 Remote Networks: 10.128.0.0/20, 10.128.16.0/20 (well, clients need to access all of the super-subnet)
    Disable IPv6: ON
    Verbosity Level: 5

    PoC machine

    Server mode: P2P (Shared Key)
    IPv4 Tunnel Network: 10.128.17.0/28
    IPv4 Remote Networks: 10.128.0.0/20, 10.128.16.0/20 (well, clients need to access all of the super-subnet)
    Disable IPv6: ON
    Verbosity Level: 5

    P.S.: I tried ifconfig-push 10.128.17.2 10.128.16.1 but I get

    Options error: option 'ifconfig-push' cannot be used in this context (/var/etc/openvpn/client2.conf)

    The logs

    Jun 17 16:43:54 openvpn 804 LZO compression initialized
    Jun 17 16:43:54 openvpn 804 Socket Buffers: R=[42080->42080] S=[57344->57344]
    Jun 17 16:43:54 openvpn 804 ROUTE_GATEWAY 192.168.1.1
    Jun 17 16:43:54 openvpn 804 TUN/TAP device ovpnc2 exists previously, keep at program end
    Jun 17 16:43:54 openvpn 804 TUN/TAP device /dev/tun2 opened
    Jun 17 16:43:54 openvpn 804 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jun 17 16:43:54 openvpn 804 /sbin/ifconfig ovpnc2 10.128.16.2 10.128.16.1 mtu 1500 netmask 255.255.255.255 up
    Jun 17 16:43:54 openvpn 804 /usr/local/sbin/ovpn-linkup ovpnc2 1500 1573 10.128.16.2 10.128.16.1 init
    Jun 17 16:43:54 openvpn 804 /sbin/route add -net 10.128.0.0 10.128.16.1 255.255.240.0
    Jun 17 16:43:54 openvpn 804 /sbin/route add -net 10.128.16.0 10.128.16.1 255.255.255.0
    Jun 17 16:43:54 openvpn 804 Data Channel MTU parms [ L:1573 D:1450 EF:73 EB:143 ET:0 EL:3 AF:3/1 ]
    Jun 17 16:43:54 openvpn 804 Local Options String: 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,ifconfig 10.128.16.1 10.128.16.2,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
    Jun 17 16:43:54 openvpn 804 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,ifconfig 10.128.16.2 10.128.16.1,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
    Jun 17 16:43:54 openvpn 804 Local Options hash (VER=V4): '2de2c0a7'
    Jun 17 16:43:54 openvpn 804 Expected Remote Options hash (VER=V4): '8fec03ae'
    Jun 17 16:43:54 openvpn 804 UDPv4 link local (bound): [AF_INET]192.168.1.143
    Jun 17 16:43:54 openvpn 804 UDPv4 link remote: [AF_INET]84.39.44.121:1194
    Jun 17 16:43:59 openvpn 16909 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jun 17 16:43:59 openvpn 16909 MANAGEMENT: CMD 'state 1'
    Jun 17 16:43:59 openvpn 16909 MANAGEMENT: CMD 'status 2'
    Jun 17 16:43:59 openvpn 16909 MANAGEMENT: Client disconnected
    Jun 17 16:43:59 openvpn 804 MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 17 16:43:59 openvpn 804 MANAGEMENT: CMD 'state 1'
    Jun 17 16:43:59 openvpn 804 MANAGEMENT: Client disconnected

    Thank you for reading. If you have any idea what I should do/use, please tell me.



  • Without super tight analysis of all your network ranges, it appears you have some potential issues with overlap of tunnel addresses and LAN routing.
    That's guaranteed to cause you issues.

    I get that you'd like to try and categorize different connecting clients to separate their regions, but how many are you expecting?
    If it's more than 200 clients then a /20 range is well more than enough.  If it's less than 50, a /24 is plenty.

    In addition, it's been my experience that keeping the tunnel subnets completely different from the possible LAN ranges is a very good thing.  In your case, I'd suggest something like 10.10.128.0/24 for your tunnels and then the LANs can use what you need in the 10.128.x.x ranges.

    The other thing to consider is to do this using PKI rather than shared key.  It will mean a little more planning as to how many certificates you need to create, but it's well worth it IMHO in terms of the better (and simpler) control of routing you get.  In a general PKI site-site setup you don't need to worry about "routing" tunnels, they're only used by OpenVPN. Once they're up, you can ignore the tunnels and define routes for your LAN subnets making things much easier to troubleshoot.

    Just my $.02
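The overlap concern in the reply above can be checked mechanically before touching any pfSense box. The following is an added example written for this thread (it is not pfSense or OpenVPN code): it takes the values the first post states (server tunnel 10.128.16.0/20, remote networks 10.128.0.0/20 and 10.128.16.0/20, client blocks carved as /28s) and reports where a tunnel network overlaps a routed remote network, where a client block falls outside the server tunnel, and where client blocks collide with each other. The region block 10.128.17.0/24, from which the /28 client blocks are carved, is an assumption made for the example.

```python
"""Sanity-check an OpenVPN tunnel/remote-network address plan for overlaps.

Added example for this thread; not pfSense or OpenVPN code. Input values are
constructed from the plan stated in the first post.
"""
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

# Constructed from the first post's configuration.
SERVER_TUNNEL = ip_network("10.128.16.0/20")
REMOTE_NETWORKS = [ip_network("10.128.0.0/20"), ip_network("10.128.16.0/20")]
# Assumption for this example: region 1's client blocks are carved from this /24.
REGION_BLOCK = ip_network("10.128.17.0/24")
# The reply's suggested tunnel range, used to show a clean plan for comparison.
SUGGESTED_TUNNEL = ip_network("10.10.128.0/24")


def carve_blocks(region: IPv4Network, prefix: int = 28) -> List[IPv4Network]:
    """Split a region block into fixed-size client blocks (/28 in the thread)."""
    return list(region.subnets(new_prefix=prefix))


def client_tunnel_ips(block: IPv4Network) -> List[str]:
    """Usable tunnel addresses inside one client block, lowest first."""
    return [str(host) for host in block.hosts()]


def check_plan(tunnel: IPv4Network, clients: List[IPv4Network],
               remote_networks: List[IPv4Network]) -> List[Tuple[str, str, str]]:
    """Return (finding, a, b) triples; an empty list means no overlap was found."""
    findings: List[Tuple[str, str, str]] = []
    # A tunnel range that is also pushed as a "remote network" is routed twice:
    # once by the tunnel interface, once by the static route OpenVPN adds.
    for remote in remote_networks:
        if tunnel.overlaps(remote):
            findings.append(("tunnel_overlaps_remote", str(tunnel), str(remote)))
    # Client blocks must sit inside the server's tunnel range to be reachable via it.
    for client in clients:
        if not client.subnet_of(tunnel):
            findings.append(("client_outside_tunnel", str(client), str(tunnel)))
    # Two clients sharing addresses would shadow each other on the server.
    for i, a in enumerate(clients):
        for b in clients[i + 1:]:
            if a.overlaps(b):
                findings.append(("client_overlap", str(a), str(b)))
    return findings


def thread_plan_findings() -> List[Tuple[str, str, str]]:
    """Run the check over the plan as posted (first two client blocks)."""
    return check_plan(SERVER_TUNNEL, carve_blocks(REGION_BLOCK)[:2], REMOTE_NETWORKS)


def suggested_plan_findings() -> List[Tuple[str, str, str]]:
    """Run the check with tunnels moved to the reply's suggested 10.10.128.0/24."""
    clients = carve_blocks(SUGGESTED_TUNNEL)[:2]
    return check_plan(SUGGESTED_TUNNEL, clients, REMOTE_NETWORKS)


if __name__ == "__main__":
    blocks = carve_blocks(REGION_BLOCK)[:2]
    for n, block in enumerate(blocks, start=1):
        print(f"Client {n} block {block}: first hosts {client_tunnel_ips(block)[:2]}")
    print("Plan as posted:", thread_plan_findings() or "no overlap found")
    print("Tunnels on 10.10.128.0/24:", suggested_plan_findings() or "no overlap found")
```

Run it as a script to see the two reports side by side; on the plan as posted the only finding is that the server tunnel 10.128.16.0/20 is also listed as a remote network, which is exactly the double-routing the reply warns about, while the client /28s themselves sit cleanly inside the /20.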



  • Hello,

    First, thank you for responding; it's a tricky subject and I appreciate all the help I can get.
    Now on to the topic:

    First of all, the OpenVPN tunnel is not only a site-to-site server but a remote access one too (meaning sometimes I only want to connect to the OVPN IP, not the private subnets this machine has access to).

    The tunnels are on a /20 but the LANs are on another, so no risk of collision. Our network planning has been made to be a little future-proof, hence the /20.

    On the PKI: good idea, but no; maintaining it properly would cost more of my time than I can allocate to it, and automating the renewal of a shared key is no big deal.

    I was looking for a list of advanced options I can give to OpenVPN to assign a specific client-side tunnel IP belonging to the /20 in accordance with our naming scheme, without letting the OpenVPN server choose it.