OpenVPN Server connecting to Clients only in Static Key or SSL/TLS /30 Mode?
-
Hi,
@jimp mentioned in one of his great OpenVPN hangouts that Servers can be Clients.
I think this could perfectly fit in a Multi-WAN/Failover scenario and I want to test around a bit with it. My problem is that all my 50 sites are connected in Subnet Style. Jim said this is only possible in SSL/TLS /30 mode.
The point is I don't get why it should not be possible in Subnet Style mode... maybe someone can explain this a bit? Or is there any workaround to get it running in Subnet Style? Thanks!
-Rico
-
With subnet style you have one server and many clients. If that one server is also a client, which "server" does it connect to? It can't connect to every other location as a single client, it can only be one client.
With SSL/TLS /30 and shared key it's always 1:1 client:server, so you can easily determine where to connect since it's only one other peer.
-
Thank you very much for the quick answer.
In my setup I have one separate OpenVPN server instance for each site (mainly to get the load a bit balanced over multiple cores), so it should be possible?
Generally speaking I got your point, but I'm still wondering, because in /30 mode I could also fit 63 clients in one instance and would then have the same problem? Thanks again!
-Rico
-
net30 mode is NOT the same as using a /30 tunnel network. Completely different worlds.
net30 has a large tunnel network for multiple clients and each client is allocated a /30 inside the large tunnel network.
/30 tunnel network is special as it works like shared key -- only one single client for one single server.
-
Got it.
But in my case, with all the separate instances, it should be working? Because of the 1:1 server/client relationship?
-Rico
-
If each site truly has one client going to one server and never multiple clients per server, then it should work so long as you change your tunnel networks to /30 networks first.
-
So for example I change 10.10.93.0/24 to 10.10.93.0/30 for Site A on the server side (IPv4 Tunnel Network) and let it fly?
Any other downside when doing that?
-Rico
-
As long as each pair has their own distinct tunnel network that would be fine. You will need to put the same tunnel network on both sides, and routes. /30 tunnel network mode cannot push settings from the server to the client so both must be configured fully.
-
Thanks again for your quick help.
All my confusion was about thinking /30 = net30.
Keep up your good work, I like the hangouts very much.
-Rico
-
I do not need to have any iroutes (Client Specific Overrides) defined on the Server, because with the /30 tunnel network it already got a 1:1 relationship, right?
-Rico
-
No, iroutes are not needed in that mode.
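To make the difference between the two modes concrete, here is an added illustration (not configuration from the thread, from pfSense, or from the OpenVPN project): raw OpenVPN config for one site pair in peer-to-peer SSL/TLS mode over the 10.10.93.0/30 tunnel network named above, followed by the equivalent "subnet style" server instance for contrast. The LAN subnets 192.168.1.0/24 (Site A) and 192.168.2.0/24 (Site B), the hostname siteA.example.net, and all certificate/key file names are assumptions made for the example. In the /30 case nothing is pushed and there is no iroute: both ends carry their own `ifconfig` and `route` lines, which is why both sides must be fully configured, and why swapping the `remote` line to the other peer is all it takes for either side to act as the "client".

```conf
# ---------- siteA.conf : Site A end of the /30 pair (tls-server) ----------
# Peer-to-peer TLS: no "server" or "mode server" directive, so exactly one peer.
dev tun
proto udp4
port 1194
tls-server
# /30 tunnel network 10.10.93.0/30: this end is .1, the peer is .2.
# Both sides state the pair explicitly; nothing is allocated or pushed.
ifconfig 10.10.93.1 10.10.93.2
ca   ca.crt          # assumed file names
cert siteA.crt
key  siteA.key
dh   dh.pem
tls-auth ta.key 0
# Static-key alternative to the five TLS lines above (title of the thread):
#   secret static.key 0
# Reach Site B's LAN through the tunnel (assumed subnet). No iroute needed:
# with a single peer the kernel route alone identifies where packets go.
route 192.168.2.0 255.255.255.0
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun

# ---------- siteB.conf : Site B end of the /30 pair (tls-client) ----------
dev tun
proto udp4
remote siteA.example.net 1194   # assumed hostname
tls-client
remote-cert-tls server
# Mirror image of the ifconfig on Site A. Without this the tunnel has no
# address, because a /30 peer cannot receive it from the other side.
ifconfig 10.10.93.2 10.10.93.1
ca   ca.crt
cert siteB.crt
key  siteB.key
tls-auth ta.key 1
#   secret static.key 1        # static-key alternative
# Reach Site A's LAN; the route must be configured here, it is not pushed.
route 192.168.1.0 255.255.255.0
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun

# ---------- for contrast: the existing "subnet style" server instance ----------
# "server" puts OpenVPN in multi-client mode. The server hands each client an
# address out of 10.10.93.0/24 and pushes routes, so clients need far less
# config, but the instance can only ever be one side of a 1:many relationship.
#
# dev tun
# proto udp4
# port 1194
# server 10.10.93.0 255.255.255.0
# topology subnet                 # "subnet style" in pfSense terms
# push "route 192.168.1.0 255.255.255.0"
# route 192.168.2.0 255.255.255.0
# client-config-dir ccd
# # ccd/siteB (Client Specific Override) must map the LAN to this client,
# # because with many clients the kernel route alone is not enough:
# #   iroute 192.168.2.0 255.255.255.0
```

The two `route` directives are the only part that gets tedious with 50 pairs: every site pair needs its own distinct /30 and its own pair of routes, and a typo on one side is not corrected by a push from the other. Checking that each pair's `ifconfig` lines are exact mirrors and that each `route` names the far side's LAN is the first thing to verify when a converted pair comes up but traffic does not flow.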