Netgate Discussion Forum

OpenVPN TUN Reserves Multiple Gateways?

6 Posts 2 Posters 610 Views
blabs, Oct 16, 2018, 10:09 PM (last edited Oct 16, 2018, 10:15 PM)

I have 6 OpenVPN TUN servers set up on our "pfSense OpenVPN hub" machine connecting multiple sites and clients, pfSense version 2.4.4. I need to define static IPs for many of the VPN clients as some are servers. I noticed that when an OpenVPN server is first created and no clients have connected, the gateway IP (for example) is 10.10.22.1. Once a client connects for the first time, the gateway for that OpenVPN server changes to 10.10.22.2 and stays like that even if the server is restarted. The interface for that OpenVPN server still shows as 10.10.22.1. Is this normal behavior? I have configured an interface assignment for each OpenVPN server to make managing firewall rules easier.

What is even more odd to me, I have one of our sites set up on the 10.10.22.0/24 network, the gateway shows as 10.10.22.2, I have statically assigned 10.10.22.2 to the client (using ifconfig-push in the client override), and everything works; traffic flows/routes fine in both directions. I have that particular client set up as its own gateway with static routes to networks behind it as well, so two 10.10.22.2 gateways show up on the pfSense dashboard. If I try to edit the static client 10.10.22.2 gateway while the server is running, it gives me an error stating that a gateway already exists with that IP (meaning it is conflicting with the dynamically created 10.10.22.2 gateway).

Are the first two IPs (x.x.x.1 and x.x.x.2) always reserved for use by the server in a TUN configuration? If I shell into pfSense I do see that the directive "ifconfig 10.10.22.1 10.10.22.2" is in the /var/etc/openvpn/server3.conf file. I have scoured the internet for hours trying to find documentation about how this actually works internally with no success.

blabs, Oct 19, 2018, 9:53 PM

Anybody?

jimp (Rebel Alliance Developer, Netgate), Oct 22, 2018, 8:32 PM

The .1 address is on the interface itself. The .2 address is used by OpenVPN to nudge traffic across the VPN as needed. OpenVPN doesn't use the routing table internally, it uses iroutes to tell what traffic to send to which clients.

It doesn't matter what pfSense sees as the gateway for the VPN as long as it's some destination inside the VPN, so it uses .2 for that.

You shouldn't have anything like additional gateways or static routes set up in pfSense for the VPN, that will never work properly/reliably. Use OpenVPN's own settings for any routing you need. In some cases you might be able to use a routing protocol (for example, OSPF requires tap mode).

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

blabs, Oct 23, 2018, 1:55 PM

My next question is, should I NOT be assigning .2 as a static IP to a client? Should I start static clients at .3?

I have additional routes/gateways set up to reach networks that are off a gateway behind the VPNs and not on the same subnet along with the proper route/iroute in OpenVPN itself.

jimp (Rebel Alliance Developer, Netgate), Oct 23, 2018, 2:00 PM

In theory, it shouldn't matter that much.

That said, since OpenVPN will start randomly assigning from the start of the pool, putting static assignments at the start of the subnet is a poor practice anyhow. If the client is offline, a connecting client without an override assignment would land there.


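A check that follows from jimp's two answers above (the .1/.2 pair belongs to the server, networks behind a client are routed with OpenVPN's own iroute rather than pfSense gateways, and static assignments should stay out of the dynamic pool), added here as an example; it is not code from the thread, from pfSense or from Netgate. It reads server-config and client-override text in OpenVPN's own directive syntax and reports three pitfalls: a static address colliding with the server's "ifconfig LOCAL REMOTE" pair, a static address inside "ifconfig-pool", and an iroute with no matching server-side "route" (OpenVPN needs both, since iroute only tells OpenVPN which client owns the network and the route tells the kernel to send it into the tunnel). The "ifconfig LOCAL REMOTE" form mirrors the line blabs quoted from server3.conf; every address, pool bound and override file below is constructed for illustration and is not taken from the poster's configuration.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or Netgate.
# Audits an OpenVPN client-specific override (ccd text) against the server
# config text for three pitfalls raised in the discussion above:
#   1. CONFLICT: the static ifconfig-push address is one of the two addresses
#      the server claims in "ifconfig LOCAL REMOTE" (.1 on the interface,
#      .2 the far endpoint pfSense then shows as the VPN gateway);
#   2. IN_POOL: the static address lies inside "ifconfig-pool START END",
#      where a client without an override can land while the static one is off;
#   3. MISSING_ROUTE: an iroute has no matching server-side "route", which
#      OpenVPN requires before the kernel hands that network to the tunnel.
# All configs and addresses below are constructed for illustration.

ip2int() {
    # Dotted quad to integer so addresses can be range-compared.
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

in_range() {
    # in_range ADDR START END -> success when START <= ADDR <= END
    x=$(ip2int "$1"); s=$(ip2int "$2"); e=$(ip2int "$3")
    [ "$x" -ge "$s" ] && [ "$x" -le "$e" ]
}

ccd_findings() {
    # ccd_findings SERVER_CONF_TEXT CCD_TEXT -> one finding per line
    srv=$1; ccd=$2

    # Server-side pair from "ifconfig LOCAL REMOTE" (the form quoted from
    # server3.conf in the thread).
    set -- $(printf '%s\n' "$srv" | awk '$1 == "ifconfig" { print $2, $3 }')
    srv_local=$1; srv_remote=$2

    # Dynamic pool bounds from "ifconfig-pool START END".
    set -- $(printf '%s\n' "$srv" | awk '$1 == "ifconfig-pool" { print $2, $3 }')
    pool_start=$1; pool_end=$2

    # The client's static address is the first argument of ifconfig-push.
    client_ip=$(printf '%s\n' "$ccd" | awk '$1 == "ifconfig-push" { print $2; exit }')
    if [ -n "$client_ip" ]; then
        if [ "$client_ip" = "$srv_local" ] || [ "$client_ip" = "$srv_remote" ]; then
            echo "CONFLICT $client_ip is a server-side address"
        elif [ -n "$pool_start" ] && in_range "$client_ip" "$pool_start" "$pool_end"; then
            echo "IN_POOL $client_ip is inside $pool_start-$pool_end"
        fi
    fi

    # Each iroute in the override needs a server "route NET MASK" as well.
    printf '%s\n' "$ccd" | awk '$1 == "iroute" { print $2, $3 }' |
    while read -r net mask; do
        if ! printf '%s\n' "$srv" | awk -v n="$net" -v m="$mask" \
                '$1 == "route" && $2 == n && $3 == m { found = 1 } END { exit !found }'; then
            echo "MISSING_ROUTE $net $mask has iroute but no server route"
        fi
    done
}

check_ccd() {
    # Wrapper that prints OK when there are no findings.
    out=$(ccd_findings "$1" "$2")
    if [ -z "$out" ]; then echo OK; else printf '%s\n' "$out"; fi
}

# Constructed server config in the shape blabs described for server3.conf.
SERVER_CONF='dev tun
ifconfig 10.10.22.1 10.10.22.2
ifconfig-pool 10.10.22.4 10.10.22.251
route 192.168.50.0 255.255.255.0
route 192.168.70.0 255.255.255.0'

# Site A: the override from the thread, pinned to the server's .2 endpoint.
CCD_SITE_A='ifconfig-push 10.10.22.2 10.10.22.1
iroute 192.168.50.0 255.255.255.0'

# Site B: static address inside the pool, and a LAN with no server route.
CCD_SITE_B='ifconfig-push 10.10.22.6 10.10.22.5
iroute 192.168.60.0 255.255.255.0'

# Site C: static at the top of the subnet, above the pool, route present.
CCD_SITE_C='ifconfig-push 10.10.22.254 10.10.22.253
iroute 192.168.70.0 255.255.255.0'

for site in A B C; do
    eval "ccd=\$CCD_SITE_$site"
    echo "site $site:"
    check_ccd "$SERVER_CONF" "$ccd" | sed 's/^/  /'
done
```

Site A reproduces the situation in the thread (a client pinned to the server's own .2 endpoint), site B shows the two problems jimp warns about in a more typical deployment, and site C is the layout the second answer suggests: statics placed where the pool cannot reach them, with both the iroute and the server route present. To run it against a real pfSense box, read the server config and override files from /var/etc/openvpn and the client-specific override directory instead of the constructed strings.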
blabs, Oct 23, 2018, 2:13 PM (last edited Oct 23, 2018, 2:36 PM)

In this case, there will never be any dynamic clients. All of the clients will be cloud servers/sites that require a static IP. I just wanted to cover all bases in case there is a situation in the future that would require dynamic clients on this particular OpenVPN server instance.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.