Netgate Discussion Forum

OpenVPN Server connecting to Clients only in Static Key or SSL/TLS /30 Mode?

Rico, LAYER 8 Rebel Alliance, Sep 19, 2018, 9:46 AM

Hi,

@jimp mentioned in one of his great OpenVPN hangouts that servers can be clients.
I think this could perfectly fit in a Multi-WAN/failover scenario and I want to test around a bit with it. My problem is... all my 50 sites are connected in subnet style. Jim said this is only possible in SSL/TLS /30 mode.
The point is I don't get why it should not be possible in subnet style mode... maybe someone can explain this a bit? Or is there any workaround to get it running in subnet style?

Thanks!

-Rico
jimp, Rebel Alliance Developer Netgate, Sep 19, 2018, 12:25 PM

With subnet style you have one server and many clients. If that one server is also a client, which "server" does it connect to? It can't connect to every other location as a single client, it can only be one client.

With SSL/TLS /30 and shared key it's always 1:1 client:server, so you can easily determine where to connect since it's only one other peer.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
Rico, LAYER 8 Rebel Alliance, Sep 19, 2018, 12:56 PM

Thank you very much for the quick answer.
In my setup I have one separate OpenVPN server instance for each site (mainly to get the load a bit balanced over multiple cores), so it should be possible?
Generally speaking I got your point, but I am still wondering, because in /30 mode I could also fit 63 clients in one instance and would have the same problem then?

Thanks again!

-Rico
jimp, Rebel Alliance Developer Netgate, Sep 19, 2018, 12:58 PM

net30 mode is NOT the same as using a /30 tunnel network. Completely different worlds.

net30 has a large tunnel network for multiple clients and each client is allocated a /30 inside the large tunnel network.

/30 tunnel network is special as it works like shared key -- only one single client for one single server.
Rico, LAYER 8 Rebel Alliance, Sep 19, 2018, 1:02 PM

Got it.
But in my case, with all the separate instances, it should be working? Because of the 1:1 server/client relationship?

-Rico
jimp, Rebel Alliance Developer Netgate, Sep 19, 2018, 1:03 PM

If each site truly has one client going to one server and never multiple clients per server, then it should work so long as you change your tunnel networks to /30 networks first.
Rico, LAYER 8 Rebel Alliance, Sep 19, 2018, 1:07 PM

So for example I change 10.10.93.0/24 to 10.10.93.0/30 for Site A on the server side (IPv4 Tunnel Network) and let it fly?
Any other downside when doing that?

-Rico
jimp, Rebel Alliance Developer Netgate, Sep 19, 2018, 1:31 PM

As long as each pair has their own distinct tunnel network that would be fine. You will need to put the same tunnel network on both sides, and routes. /30 tunnel network mode cannot push settings from the server to the client so both must be configured fully.
Rico, LAYER 8 Rebel Alliance, Sep 19, 2018, 2:58 PM

Thanks again for your quick help.
All my confusion was about thinking /30 = net30 😌
Keep up your good work, I like the hangouts very much.

-Rico
Rico, LAYER 8 Rebel Alliance, Sep 20, 2018, 10:02 AM (last edited by Rico Sep 20, 2018, 12:27 PM)

I do not need to have any iroutes (Client Specific Overrides) defined on the server, because with the /30 tunnel network it already has a 1:1 relationship, right?

-Rico
jimp, Rebel Alliance Developer Netgate, Sep 20, 2018, 12:22 PM

No, iroutes are not needed in that mode.
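As an added illustration (not code from this thread, from pfSense or from OpenVPN itself), the distinction jimp draws, worked out with Python's ipaddress module: net30 carves one /30 per client out of a larger tunnel network (which is why a /24 fits the 63 clients Rico mentions), whereas a /30 tunnel network holds exactly one server and one client, so both sides carry mirrored ifconfig and route lines and no iroute. The LAN prefixes and the three-directive layout are assumptions for illustration; pfSense generates its own configuration.

```python
import ipaddress


def p2p_endpoints(tunnel_net):
    """A /30 tunnel network (peer-to-peer SSL/TLS mode) has exactly two usable
    addresses: the server takes the first, the single client the second."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"{tunnel_net} is not a /30: peer-to-peer mode fits one client only")
    server, client = net.hosts()
    return str(server), str(client)


def net30_allocations(tunnel_net):
    """net30 topology: one larger tunnel network from which every client is
    allocated its own /30. The first /30 is the server's own, so a /24 leaves
    room for 63 clients (the case Rico confused with a /30 tunnel network)."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    blocks = list(net.subnets(new_prefix=30))
    server_ip, _server_peer = blocks[0].hosts()
    clients = []
    for blk in blocks[1:]:
        peer, client_ip = blk.hosts()  # client uses the 2nd host, points at the 1st
        clients.append((str(client_ip), str(peer)))
    return str(server_ip), clients


def p2p_configs(tunnel_net, server_lan, client_lan):
    """Both sides of a /30 tunnel must be configured fully, since nothing is
    pushed in that mode: mirrored ifconfig lines plus a static route to the
    LAN behind the other peer. No iroute is needed: there is only one peer."""
    server_ip, client_ip = p2p_endpoints(tunnel_net)
    s_lan = ipaddress.ip_network(server_lan, strict=True)
    c_lan = ipaddress.ip_network(client_lan, strict=True)
    server_cfg = ["tls-server",
                  f"ifconfig {server_ip} {client_ip}",
                  f"route {c_lan.network_address} {c_lan.netmask}"]
    client_cfg = ["tls-client",
                  f"ifconfig {client_ip} {server_ip}",
                  f"route {s_lan.network_address} {s_lan.netmask}"]
    return server_cfg, client_cfg


if __name__ == "__main__":
    # Site A from the thread: the /24 the server handed out versus the /30 it becomes.
    # The two LAN prefixes are constructed sample values.
    srv, clients = net30_allocations("10.10.93.0/24")
    print(f"net30 in 10.10.93.0/24: server {srv}, room for {len(clients)} clients")
    for side in p2p_configs("10.10.93.0/30", "192.168.1.0/24", "192.168.93.0/24"):
        print("\n".join(side), "\n")
```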