Netgate Discussion Forum

    OpenVPN Gateway

    • GilG
      Gil Rebel Alliance

      I have multiple OpenVPN servers running some P2P, some RA.
      The Gateways for all of the Peer to Peer servers report to be offline, even though everything functions correctly.
      (I create Interfaces for each OpenVPN server and firewall them as needed)

      As I understand it, an OVPN Server with a Tunnel network of 10.20.10.0/24 should create a gateway of 10.20.10.1, but the Gateway reports as being 10.20.10.2 - and says it's offline.
      The Routing table shows that 10.20.10.2 is the Gateway for all of the "IPv4 Remote network(s)" that I listed within the OVPN P2P Server.

      I can browse to 10.20.10.1 and my server Web page is present, as expected.
      Why do the Gateways do this for Peer to Peer Servers?

      (Remote Access servers appear to be fine)

      11 cheers for binary

      • V
        viragomann

        Use a /30 tunnel for P2P as recommended. So the server will get the first usable IP of it and the client the second and the gateway will be shown as online. ☺

        • GilG
          Gil Rebel Alliance

          @viragomann said in OpenVPN Gateway:

          Use a /30 tunnel for P2P as recommended

          The reason I have selected the Subnet option is for routing.
          I have multiple P2P clients connecting on each OpenVPN server.
          I use CSOs for each P2P client to assign specific Tunnel IPs within the OpenVPN Tunnel range, and also to assign their respective IPv4 Remote Network/s.
          e.g.:
          Router 5:
            Tunnel IP: 10.20.10.5
            Remote IP: 10.10.5.254
          Router 12:
            Tunnel IP: 10.20.10.12
            Remote IP: 10.10.12.254

          How can I achieve this using a /30 tunnel?

          11 cheers for binary

          • GilG
            Gil Rebel Alliance @Gil

            @viragomann I have tested an OpenVPN Server in /30 tunnel mode, and the routing is working fine.
            I note that:
            "with subnet topology, the VPN can have a maximum of 252 users but with net30, it can only have 63."

            This will work fine for me, even though the Virtual IPs all report as 10.20.10.2.

            11 cheers for binary
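
Where the quoted 63-client figure comes from, as an added example that is not part of any poster's reply. It assumes OpenVPN's default net30 pool layout (the tunnel network is cut into /30 blocks, the first block belongs to the server, and in every block offset 1 is the server-side endpoint and offset 2 the client-side endpoint); the function names are hypothetical, while 10.20.10.0/24 and the two CSO tunnel IPs come from the thread.

```python
import ipaddress

# Role of each of the four addresses inside one net30 /30 block (assumed layout).
ROLES = ("network address", "server-side endpoint",
         "client-side endpoint", "broadcast address")


def net30_blocks(tunnel_network):
    """Return the /30 blocks that net30 carves out of the tunnel network."""
    return list(ipaddress.ip_network(tunnel_network).subnets(new_prefix=30))


def client_capacity(tunnel_network):
    """Clients that fit: one /30 per client, minus the server's own block."""
    return len(net30_blocks(tunnel_network)) - 1


def client_pair(tunnel_network, slot):
    """(client tunnel IP, gateway IP) for client slot 1..capacity."""
    if not 1 <= slot <= client_capacity(tunnel_network):
        raise ValueError("no such client slot in this tunnel network")
    base = net30_blocks(tunnel_network)[slot].network_address
    return str(base + 2), str(base + 1)


def role_in_net30(tunnel_network, address):
    """Locate an address: (block index, block, role inside that block)."""
    addr = ipaddress.ip_address(address)
    for index, block in enumerate(net30_blocks(tunnel_network)):
        if addr in block:
            offset = int(addr) - int(block.network_address)
            return index, str(block), ROLES[offset]
    raise ValueError("address is outside the tunnel network")


if __name__ == "__main__":
    net = "10.20.10.0/24"
    print("client slots:", client_capacity(net))
    print("first client (tunnel IP, gateway):", client_pair(net, 1))
    # Tunnel IPs from the CSO list in the thread, checked against net30 blocks.
    for ip in ("10.20.10.2", "10.20.10.5", "10.20.10.12"):
        print(ip, "->", role_in_net30(net, ip))
```

Run against the thread's addresses, it shows that 10.20.10.5 and 10.20.10.12 do not sit on client-side offsets of a net30 block, so CSO tunnel IPs chosen for subnet topology need re-picking if the server is switched to net30.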

            • GilG
              Gil Rebel Alliance

              Okay, I think I understand the /30, after a bit more reading.
              But - Tell me please;

              I assume that the server dictates the Tunnel Network Topography, so why is there a setting for this in the client OpenVPN config? It doesn't seem to matter?

              11 cheers for binary

              • V
                viragomann

                Yes, the tunnel network is controlled by the server. I don't know what you can do with the tunnel box in the client settings.
                However, in a CSO you can assign a specific tunnel subnet to a client. As far as I know, this also may be outside of the server tunnel network. Maybe the specific client's gateway responds if you set it up this way.

                • GilG
                  Gil Rebel Alliance

                  I still find it a little odd that the Gateway reporting is broken when you use a single IP tunnel network on P2P. Particularly given /30 networks are targeted at older versions of OpenVPN.
                  Not necessarily the fault of pfSense, it seems it is the way OpenVPN works.
                  Thanks @viragomann

                  11 cheers for binary

                  • GilG
                    Gil Rebel Alliance

                    Shouldn't the Gateway at least reply when you "monitor ip" for the OVPN Servers' tunnel address?

                    GatewaysStatus.jpg

                    11 cheers for binary

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.