Netgate Discussion Forum

OpenVPN Server connecting to Clients only in Static Key or SSL/TLS /30 Mode?

  • J
    jimp Rebel Alliance Developer Netgate
    last edited by Sep 19, 2018, 12:25 PM

    With subnet style you have one server and many clients. If that one server is also a client, which "server" does it connect to? It can't connect to every other location as a single client, it can only be one client.

    With SSL/TLS /30 and shared key it's always 1:1 client:server, so you can easily determine where to connect since it's only one other peer.

    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

    Need help fast? Netgate Global Support!

    Do not Chat/PM for help!

    • R
      Rico LAYER 8 Rebel Alliance
      last edited by Sep 19, 2018, 12:56 PM

      Thank you very much for the quick answer.
      In my Setup I have one separate OpenVPN Server Instance for each Site (mainly to get the load a bit balanced over multiple Cores), so it should be possible?
      Generally speaking I got your point, but still wondering because in /30 mode I could also fit 63 Clients in one Instance and would have the same problem then?

      Thanks again!

      -Rico

      • J
        jimp Rebel Alliance Developer Netgate
        last edited by Sep 19, 2018, 12:58 PM

        net30 mode is NOT the same as using a /30 tunnel network. Completely different worlds.

        net30 has a large tunnel network for multiple clients and each client is allocated a /30 inside the large tunnel network.

        /30 tunnel network is special as it works like shared key -- only one single client for one single server.

        • R
          Rico LAYER 8 Rebel Alliance
          last edited by Sep 19, 2018, 1:02 PM

          Got it.
          But in my case with all the separate Instances it should be working? Because of the 1:1 Server/Client relationship?

          -Rico

          • J
            jimp Rebel Alliance Developer Netgate
            last edited by Sep 19, 2018, 1:03 PM

            If each site truly has one client going to one server and never multiple clients per server, then it should work so long as you change your tunnel networks to /30 networks first.

            • R
              Rico LAYER 8 Rebel Alliance
              last edited by Sep 19, 2018, 1:07 PM

              So for example I change 10.10.93.0/24 to 10.10.93.0/30 for Site A on the Server Side (IPv4 Tunnel Network) and let it fly?
              Any other downside when doing that?

              -Rico

              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Sep 19, 2018, 1:31 PM

                As long as each pair has their own distinct tunnel network that would be fine. You will need to put the same tunnel network on both sides, and routes. /30 tunnel network mode cannot push settings from the server to the client so both must be configured fully.

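A check for the rules given in the reply above (a distinct /30 tunnel network per pair, the same network on both sides, routes set on both sides because nothing is pushed), as an added example that is not part of the thread or of pfSense. The plan layout, site names and every address except Site A's 10.10.93.0/30 are constructed.

```python
import ipaddress

# Constructed sample plan: one entry per site pair, as configured on each side.
# Only Site A's 10.10.93.0/30 comes from the thread; the rest is made up.
PLAN = {
    "site-a": {"server": {"tunnel": "10.10.93.0/30", "routes": ["192.168.10.0/24"]},
               "client": {"tunnel": "10.10.93.0/30", "routes": ["192.168.1.0/24"]}},
    # Server side still carries the old /24, client already changed.
    "site-b": {"server": {"tunnel": "10.10.94.0/24", "routes": ["192.168.20.0/24"]},
               "client": {"tunnel": "10.10.94.0/30", "routes": ["192.168.1.0/24"]}},
    # Reuses Site A's tunnel network and has no routes on the client.
    "site-c": {"server": {"tunnel": "10.10.93.0/30", "routes": ["192.168.30.0/24"]},
               "client": {"tunnel": "10.10.93.0/30", "routes": []}},
}


def check_plan(plan):
    """Return (site, problem) tuples for every rule a pair violates."""
    problems, seen = [], []
    for site, pair in plan.items():
        srv = ipaddress.ip_network(pair["server"]["tunnel"])
        cli = ipaddress.ip_network(pair["client"]["tunnel"])
        if srv != cli:
            problems.append((site, "tunnel network differs between the two sides"))
        for side, net in (("server", srv), ("client", cli)):
            if net.prefixlen != 30:
                problems.append((site, f"{side} tunnel network {net} is not a /30"))
            if not pair[side]["routes"]:
                # Nothing is pushed in this mode, so each side needs its own routes.
                problems.append((site, f"{side} side has no routes configured"))
        for other, net in seen:
            if srv.overlaps(net) or cli.overlaps(net):
                problems.append((site, f"tunnel network overlaps the one used by {other}"))
        seen.append((site, srv))
    return problems


def endpoints(tunnel):
    """The two usable addresses of a /30, one for each end of the tunnel."""
    first, second = ipaddress.ip_network(tunnel).hosts()
    return str(first), str(second)


if __name__ == "__main__":
    for site, problem in check_plan(PLAN):
        print(f"{site}: {problem}")
    print("site-a endpoints:", endpoints("10.10.93.0/30"))
```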
                • R
                  Rico LAYER 8 Rebel Alliance
                  last edited by Sep 19, 2018, 2:58 PM

                  Thanks again for your quick help.
                  All my confusion was about thinking /30 = net30 😌
                  Keep up your good work, I like the hangouts very much.

                  -Rico

                  • R
                    Rico LAYER 8 Rebel Alliance
                    last edited by Rico Sep 20, 2018, 12:27 PM Sep 20, 2018, 10:02 AM

                    I do not need to have any iroutes (Client Specific Overrides) defined on the Server, because with the /30 tunnel network it already got a 1:1 relationship, right?

                    -Rico

                    • J
                      jimp Rebel Alliance Developer Netgate
                      last edited by Sep 20, 2018, 12:22 PM

                      No, iroutes are not needed in that mode.
