Single Multi-Purpose OpenVPN Instance Example in Documentation



  • I have been reviewing this article in the Netgate Documentation, "Configuring a Single Multi-Purpose OpenVPN Instance", and I just wanted to clarify my understanding. I am a bit confused with the various address ranges quoted. Referring to the example:

    1. Is this scenario a "Remote Access (Roadwarrior)" type configuration, or rather a Site-to-Site type configuration?

    2. If the former, can one access the internal network(s) at the Client end behind the OVPN Client?

    3. "... IPv4 Tunnel Network as something similar to 10.33.249.0/2." and "This means that all connections will get an address from a global pool." I presume that the "global pool" is in fact the tunnel network, therefore the OVPN Server would be assigned the first address in the range (10.33.249.1) and each connecting OVPN remote Client would be assigned a unique tunnel address in sequence from the range, separated from the other Clients by 4 (being the characteristics of a /30 network)?

    4. "Pick a subnet such as 10.33.250.0/24 which is not in use. This will be broken up into /30 mini subnets - one per client." I presume that these are in fact the "Local Networks" assigned at the OVPN Server end for each Client? So if I have 50 Clients, I'll end up with 50 LANs at the OVPN Server router, one for each remote OVPN Client site?

    5. I get confused in the "Client specific override" section where it again talks about the Tunnel Network but with a different network address (10.33.127.0) which is different from the "10.33.249.0" network address discussed earlier for the tunnel. I can understand the /30 vs /24 concept but there's only one tunnel to each Client so why are two different address ranges mentioned in the example? Is this just another example of an appropriate tunnel network address in respect of "route aggregation"?

    I appreciate the inclusion of the example, but I'm a bit of a "visual person", so a diagram (such as included with the Remote Access and Site-to-Site examples) showing the server and, say, two Clients and depicting the various address assignments would be helpful.


  • Rebel Alliance Developer Netgate

    That doc is quite a bit out of date. I'm not sure I'd recommend following it.

    1. It looks like it's for two different types of RA -- some general purpose users and some static assignments for clients with different access.
    2. There is nothing in there about iroutes or remote networks in the overrides, so it could not reach subnets behind clients.
    3. It depends if you're using net30 mode or the new subnet mode (which is now default). In net30 mode, yes, it would carve out /30 networks for each connecting client.
    4. These routes are all internal to openvpn, you'd not see anything about these in the actual routing table or in the OS interfaces, but internal to openvpn, yes it would see 50 separate /30 networks.
    5. The network in the override is what that specific client will pull an address from. It's just an example, but it needs to be different from the one in the main settings.

    As I said, though, that whole design is suspect given modern capabilities of OpenVPN, what most people need, and best security practices. For example, if you have users with two different levels of access, the best practice is not to isolate them with static addresses but to have two completely different VPN instances.
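As an added illustration of the net30 vs subnet-mode allocation and the override-pool rule described in the answer above (this is not code from the Netgate docs or from the OpenVPN project), the Python below models both topologies on the thread's example networks; the function names are my own and the 50-client count comes from question 4.

```python
"""Model OpenVPN server-pool allocation: legacy net30 topology vs subnet topology,
plus a disjointness check for a client-specific override pool."""
import ipaddress
from typing import List, Tuple


def net30_allocation(pool: str, clients: int) -> Tuple[str, str, List[Tuple[int, str, str]]]:
    """net30 topology: the pool is carved into /30s.

    The server takes the first /30 (.1 local, .2 as its peer); client N gets the
    (N+1)th /30, using its higher usable address, the lower one being its
    point-to-point peer. Returns (server_ip, server_peer, assignments) where each
    assignment is (client_number, client_ip, client_peer).
    """
    net = ipaddress.ip_network(pool, strict=True)
    thirties = list(net.subnets(new_prefix=30))
    if clients > len(thirties) - 1:
        raise ValueError(f"{pool} fits only {len(thirties) - 1} net30 clients")
    server_ip, server_peer = thirties[0][1], thirties[0][2]
    assignments = [(n, str(thirties[n][2]), str(thirties[n][1]))
                   for n in range(1, clients + 1)]
    return str(server_ip), str(server_peer), assignments


def subnet_allocation(pool: str, clients: int) -> Tuple[str, List[str]]:
    """subnet topology (the current default): the server is the first usable
    address and each client draws one consecutive address after it."""
    hosts = list(ipaddress.ip_network(pool, strict=True).hosts())
    if clients > len(hosts) - 1:
        raise ValueError(f"{pool} fits only {len(hosts) - 1} subnet-mode clients")
    return str(hosts[0]), [str(h) for h in hosts[1:clients + 1]]


def override_pool_ok(main_pool: str, override_pool: str) -> bool:
    """A client-specific override network must not overlap the main tunnel pool,
    or the override and the global pool can hand out clashing addresses.
    Returns True when the two ranges are disjoint."""
    return not ipaddress.ip_network(main_pool).overlaps(ipaddress.ip_network(override_pool))


if __name__ == "__main__":
    # Pools taken from the thread's example; 50 clients as in question 4.
    srv, peer, assigned = net30_allocation("10.33.249.0/24", 50)
    print(f"net30: server {srv} (peer {peer}); client 1 -> {assigned[0][1]}, "
          f"client 50 -> {assigned[-1][1]}")
    srv, addrs = subnet_allocation("10.33.249.0/24", 50)
    print(f"subnet: server {srv}; clients {addrs[0]} .. {addrs[-1]}")
    print("override 10.33.127.0/24 disjoint from main pool:",
          override_pool_ok("10.33.249.0/24", "10.33.127.0/24"))
    print("override carved from the main pool rejected:",
          not override_pool_ok("10.33.249.0/24", "10.33.249.128/30"))
```

Note that, as the answer says, these /30s exist only inside the OpenVPN process; nothing of them appears in the OS routing table.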



  • Thank you for the response, all of which makes sense. I must do some reading on iroutes.

    The examples would benefit from the inclusion of a "last edited" date, as it's not evident otherwise just how current they are.