Why is /30 not allowed for OpenVPN server tunnel subnet?



  • If I only need 2 client IP addresses why is /30 not allowed?  If I try to set /30 the service won't start and I get the following in the log:

    Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower


  • Rebel Alliance Developer Netgate

    Because you can't use directives that require --server when it's in peer-to-peer mode (/30) with SSL/TLS.

    What exact choices did you make in the GUI? If you chose Remote Access SSL/TLS, change it to Peer-to-Peer SSL/TLS instead.



  • @jimp:

    Because you can't use directives that require --server when it's in peer-to-peer mode (/30) with SSL/TLS.

    What exact choices did you make in the GUI? If you chose Remote Access SSL/TLS, change it to Peer-to-Peer SSL/TLS instead.

    Yes it's set to Remote Access SSL/TLS.  What does changing it to Peer-to-Peer affect?


  • Rebel Alliance Developer Netgate

    It changes the visible options and some backend behavior to allow a peer-to-peer style configuration.

    You shouldn't use "Remote Access" modes for site-to-site VPNs; that's what the peer-to-peer modes are for.



  • @jimp:

    It changes the visible options and some backend behavior to allow a peer-to-peer style configuration.

    You shouldn't use "Remote Access" modes for site-to-site VPNs; that's what the peer-to-peer modes are for.

    This isn't a site-to-site VPN.  I have one of those configured as Peer-to-Peer, but this is for my wife's and my mobile devices to be able to VPN into my home network.


  • Rebel Alliance Developer Netgate

    A /30 makes no sense for remote access. OpenVPN's internal behavior changes significantly when using a /30 tunnel network; it's intended only for site-to-site VPNs.

    When using a /30 the server cannot push settings and it has several other limitations.



  • @jimp:

    A /30 makes no sense for remote access. OpenVPN's internal behavior changes significantly when using a /30 tunnel network; it's intended only for site-to-site VPNs.

    When using a /30 the server cannot push settings and it has several other limitations.

    Understood.  Thanks for the clarification.  I'll just use a /29.
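The sizing rule behind the whole thread, worked through in code. This is an added example written for this page; it is not pfSense or OpenVPN code, and it is not taken from any of the posts above. It models the `--server` expansion the OpenVPN manual documents: on a /24 with `topology net30` the client pool is 10.8.0.4 to 10.8.0.251 (a /30 per client), and with `topology subnet` it is 10.8.0.2 to 10.8.0.253 (one address per client). Anything smaller than /29 is rejected with the same message the original poster saw. The handling of the trailing /30 on a /29 under `net30` is an assumption and is marked as such in the code; the function and variable names are mine.

```python
"""Tunnel-network sizing for an OpenVPN remote-access (tls-server) instance.

Added example, not from the forum thread, pfSense or OpenVPN itself.
Models the address-pool expansion the OpenVPN manual documents for
--server on a /24: topology net30 -> ifconfig-pool 10.8.0.4 10.8.0.251
(a /30 per client), topology subnet -> ifconfig-pool 10.8.0.2 10.8.0.253
(one address per client).
"""
import ipaddress

# --server with --dev tun refuses any prefix longer than /29 (i.e. /30, /31, /32).
MAX_TUN_PREFIX = 29


def check_server_subnet(network: str) -> ipaddress.IPv4Network:
    """Return the network, or raise with the error OpenVPN itself logs."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen > MAX_TUN_PREFIX:
        raise ValueError(
            "--server directive when used with --dev tun must define a subnet "
            f"of 255.255.255.248 (/29) or lower; got /{net.prefixlen}"
        )
    return net


def is_valid_server_subnet(network: str) -> bool:
    """True if --server would accept this tunnel network with --dev tun."""
    try:
        check_server_subnet(network)
        return True
    except ValueError:
        return False


def client_pool(network: str, topology: str = "subnet"):
    """Return (first pool address, last pool address, client capacity)."""
    net = check_server_subnet(network)
    first = int(net.network_address)
    last = int(net.broadcast_address)
    if topology == "subnet":
        # Server takes .1; pool runs from .2 up to broadcast-2, one IP per client.
        start, end, per_client = first + 2, last - 2, 1
    elif topology == "net30":
        # Server uses the first /30 (.1/.2); clients get a /30 each from .4 on.
        # The manual's /24 expansion ends the pool at broadcast-4 (.251).
        # ASSUMPTION: on a /29 the trailing /30 is not reserved, otherwise the
        # pool (.4-.3) would be empty and --server would be unusable there.
        start = first + 4
        end = last if net.prefixlen == 29 else last - 4
        per_client = 4
    else:
        raise ValueError("topology must be 'subnet' or 'net30'")
    capacity = max(0, (end - start + 1) // per_client)
    return ipaddress.ip_address(start), ipaddress.ip_address(end), capacity


def smallest_prefix(needed_clients: int, topology: str = "subnet") -> int:
    """Longest prefix (smallest tunnel network) that still fits the clients."""
    for prefix in range(MAX_TUN_PREFIX, 7, -1):
        if client_pool(f"10.8.0.0/{prefix}", topology)[2] >= needed_clients:
            return prefix
    raise ValueError("no tunnel network fits that many clients")


def server_lines(network: str, topology: str = "subnet"):
    """The server-side directives for the chosen tunnel network."""
    net = check_server_subnet(network)
    return [f"server {net.network_address} {net.netmask}", f"topology {topology}"]


if __name__ == "__main__":
    # The poster's case: two mobile clients, /30 refused, so what is the minimum?
    for net_str in ("10.8.0.0/30", "10.8.0.0/29", "10.8.0.0/24"):
        if not is_valid_server_subnet(net_str):
            print(f"{net_str}: rejected by --server (needs peer-to-peer/ifconfig mode)")
            continue
        for topo in ("subnet", "net30"):
            start, end, cap = client_pool(net_str, topo)
            print(f"{net_str} {topo:6}: pool {start}-{end}, {cap} client(s)")
    for topo in ("subnet", "net30"):
        print(f"2 clients with topology {topo}: /{smallest_prefix(2, topo)}")
    print("\n".join(server_lines("10.8.0.0/29", "subnet")))
```

Running it shows why the answer in the thread is "just use a /29": under `topology subnet` a /29 serves four clients, which covers the two devices in question, whereas under the older `net30` topology a /29 serves a single client and two clients already need a /28. Either way a /30 is refused outright, because a /30 is the point-to-point case where OpenVPN uses `ifconfig` rather than `--server` and has no address pool to push from.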

