OpenVPN Server connecting to Clients only in Static Key or SSL/TLS /30 Mode?


  • LAYER 8 Rebel Alliance

    Hi,

    @jimp mentioned in one of his great OpenVPN hangouts that Servers can be Clients.
I think this could perfectly fit in a Multi-WAN/Failover Scenario and I want to test around a bit with it. My Problem is... all my 50 Sites are connected in Subnet Style. Jim said this is only possible in SSL/TLS /30 mode.
    The point is I don't get why it should not be possible in subnet style mode... maybe someone can explain this a bit? Or is there any workaround to get it running in Subnet Style?

    Thanks!

    -Rico


  • Rebel Alliance Developer Netgate

    With subnet style you have one server and many clients. If that one server is also a client, which "server" does it connect to? It can't connect to every other location as a single client, it can only be one client.

    With SSL/TLS /30 and shared key it's always 1:1 client:server, so you can easily determine where to connect since it's only one other peer.


  • LAYER 8 Rebel Alliance

    Thank you very much for the quick answer.
    In my Setup I have one separate OpenVPN Server Instance for each Site (mainly to get the load a bit balanced over multiple Cores), so it should be possible?
Generally speaking I got your point, but I'm still wondering, because in /30 mode I could also fit 63 Clients in one Instance and would have the same problem then?

    Thanks again!

    -Rico


  • Rebel Alliance Developer Netgate

    net30 mode is NOT the same as using a /30 tunnel network. Completely different worlds.

    net30 has a large tunnel network for multiple clients and each client is allocated a /30 inside the large tunnel network.

    /30 tunnel network is special as it works like shared key -- only one single client for one single server.


  • LAYER 8 Rebel Alliance

    Got it.
    But in my case with all the separate Instances it should be working? Because of the 1:1 Server/Client relationship?

    -Rico


  • Rebel Alliance Developer Netgate

    If each site truly has one client going to one server and never multiple clients per server, then it should work so long as you change your tunnel networks to /30 networks first.


  • LAYER 8 Rebel Alliance

    So for example I change 10.10.93.0/24 to 10.10.93.0/30 for Site A on the Server Side (IPv4 Tunnel Network) and let it fly?
    Any other downside when doing that?

    -Rico


  • Rebel Alliance Developer Netgate

As long as each pair has its own distinct tunnel network that would be fine. You will need to put the same tunnel network on both sides, and routes. /30 tunnel network mode cannot push settings from the server to the client, so both must be configured fully.


  • LAYER 8 Rebel Alliance

    Thanks again for your quick help.
    All my confusion was about thinking /30 = net30 😌
    Keep up your good work, I like the hangouts very much.

    -Rico


  • LAYER 8 Rebel Alliance

    I do not need to have any iroutes (Client Specific Overrides) defined on the Server, because with the /30 tunnel network it already got a 1:1 relationship, right?

    -Rico


  • Rebel Alliance Developer Netgate

    No, iroutes are not needed in that mode.
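As an added worked example (not code from this thread, from pfSense or from OpenVPN), the script below uses Python's ipaddress module to lay out the three addressing modes distinguished above: a flat subnet, net30 with one /30 carved out per client, and a true /30 tunnel network that fits exactly one peer and therefore needs neither pushed settings nor iroutes. It also checks that a set of per-site /30 tunnel networks do not overlap; the site names and tunnel networks are constructed for the example.

```python
import ipaddress

def plan_tunnel(cidr, topology):
    """Describe how OpenVPN hands out addresses in a tunnel network.

    topology: "p2p"    - a /30 tunnel network (one server, one client),
              "net30"  - each client gets its own /30 carved from the pool,
              "subnet" - one flat network, one address per client.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if topology == "p2p":
        if net.prefixlen != 30:
            raise ValueError("peer-to-peer mode needs exactly a /30 tunnel network")
        server, client = net.hosts()  # a /30 has exactly two usable addresses
        # one peer on each end: nothing to push, nothing to iroute
        return {"server": server, "clients": [client], "max_clients": 1,
                "server_pushes": False, "iroute_for_client_lan": False}
    if topology == "net30":
        blocks = list(net.subnets(new_prefix=30))
        server_block, client_blocks = blocks[0], blocks[1:]
        # the server keeps the first /30; each client is the second usable
        # address of its own /30 (e.g. .6 with .5 as its endpoint)
        clients = [list(b.hosts())[1] for b in client_blocks]
        return {"server": list(server_block.hosts())[0], "clients": clients,
                "max_clients": len(client_blocks),
                "server_pushes": True, "iroute_for_client_lan": True}
    if topology == "subnet":
        server, *clients = net.hosts()  # server takes the first address
        return {"server": server, "clients": clients, "max_clients": len(clients),
                "server_pushes": True, "iroute_for_client_lan": True}
    raise ValueError(f"unknown topology {topology!r}")

def overlapping_tunnels(site_tunnels):
    """Return (site, site) pairs whose tunnel networks overlap.

    Every server/client pair needs its own distinct tunnel network, so any
    overlap reported here is a configuration error.
    """
    items = sorted(site_tunnels.items())
    nets = [(site, ipaddress.ip_network(c, strict=True)) for site, c in items]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

if __name__ == "__main__":
    for topo, cidr in (("subnet", "10.10.93.0/24"), ("net30", "10.10.93.0/24"),
                       ("p2p", "10.10.93.0/30")):
        plan = plan_tunnel(cidr, topo)
        print(topo, cidr, "server", plan["server"], "max clients", plan["max_clients"])
    # constructed site list: site C accidentally reuses part of site A's old /24 pool
    print(overlapping_tunnels({"A": "10.10.93.0/30", "B": "10.10.93.4/30",
                               "C": "10.10.93.0/24"}))
```

Running it shows why a /24 in net30 mode holds 63 clients while the same /24 in subnet mode holds 253, and why a /30 holds exactly one.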

