OpenVPN subnet topology routes
-
When using topology subnet on a site to site SSL vpn with a 192.168.250.0/26 subnet, this is what the routing table shows:
Destination          Gateway          Netif
192.168.250.0/26     192.168.250.1    ovpns3
192.168.250.1        link#17          lo0
192.168.250.1/32     ovpns3           ovpns3
192.168.250.2        link#17          ovpns3
I have 4 sites connected to this vpn (.2, .3, .4, .5) but only .2 is listed in the routing table, which leads me to a few questions.
**1. Why does the subnet (192.168.250.0/26) have a gateway of 192.168.250.1 instead of being directly connected?**
**2. Why does .2 have an entry and why don't the other sites (.3, .4, .5) also have entries?**
The reason I'm looking into this is that I'm trying to get OSPF working with a subnet topology, which does work (Full state) with the first neighbor (.2), but can't get past Exchange with the others because quagga shows .3, .4, .5, etc. as "network unreachable".
-
Looks like you're still on tun mode. For it to show the way you are asking, it has to be on tap mode.
-
I've tried messing with tap, but I can't get it to work. Since I want to route over the vpn how would I need to set it up?
-
If you want multiple sites to use the same OpenVPN server with OSPF, you must use tap. tun cannot work, even with topology subnet.
Either that or use shared key servers/clients, one per remote location.
-
Can you give me any tips on setting up tap with an intermediate "tunnel" network for ospf neighbors to talk?
-
Use tap mode, put in a tunnel network subnet (e.g. x.x.x.0/24). Nothing magical about tap mode configs for this. The rest of the settings are identical to a topology subnet config.
-
That's what I tried: the server works, but the clients all fail at ifconfig. Anything I need to change on the client side besides switching to tap?
-
If it's SSL/TLS with tap the clients should need practically nothing in their config. Just tap mode, server IP address, CA/cert selected, match the compression settings. Leave the tunnel network and network boxes and such empty.
-
Thanks for your help. It seems the client didn't like being converted to tap; I recreated a new client config with the exact same data and it worked.
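The hub-and-spoke tap-mode setup the replies above describe, written out as plain OpenVPN configuration files. This is an added example, not configuration posted in the thread; on pfSense the GUI generates the equivalent directives. The tunnel network is the thread's 192.168.250.0/26; the hostname hub.example.net, the certificate file names, the UDP port and the keepalive timers are assumptions.

```conf
# ---------- hub (server) side: tap mode, SSL/TLS ----------
dev tap
proto udp
port 1194                      # assumed port
ca ca.crt                      # assumed file names
cert hub.crt
key hub.key
dh dh2048.pem

# "Tunnel network" box: one /26 shared by the hub and every site.
# In tap mode this expands to ifconfig 192.168.250.1 on the hub plus
# an ifconfig-pool that hands .2 .. .62 to the sites as they connect.
server 192.168.250.0 255.255.255.192

# Relay frames between sites through the hub, so that OSPF hellos
# (multicast to 224.0.0.5) from one site reach the others and the
# segment behaves like one broadcast LAN instead of a hub-only view.
client-to-client

# Compression must match on both ends (see the reply above).
comp-lzo
keepalive 10 60                # assumed timers
persist-key
persist-tun

# ---------- remote site (client) side ----------
# Tunnel network / local network boxes stay empty: the address
# comes from the hub's pool, which is why a leftover ifconfig
# from a converted tun config makes the client fail at ifconfig.
client
dev tap
proto udp
remote hub.example.net 1194    # assumed hub address
ca ca.crt
cert site2.crt                 # assumed file names
key site2.key
remote-cert-tls server         # only accept a cert with the server EKU
comp-lzo
persist-key
persist-tun
```

With this layout the hub's routing table shows 192.168.250.0/26 as directly attached to the tap interface rather than reachable via a .1 gateway, which is the point-to-multipoint picture the original tun/topology subnet table showed. Because client-to-client turns the hub into a layer-2 relay, every site can reach every other site across the tunnel segment, so the OpenVPN interface firewall rules are the place to restrict which site-to-site traffic is actually allowed.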