    Unable setup IPv4 Tunnel Network /30

    OpenVPN
    • M
      M0L50N last edited by

      Hi,

      I created a P2P tunnel and it works like a charm!!!

To fine tune it, I want to restrict my tunnel to only 2 IP addresses: 1 for my OpenVPN server and one for the remote. In Tunnel settings of my OpenVPN server, if I put 192.168.254.252/30 for the IPv4 Tunnel Network, I'm unable to restart that server. If I put back 192.168.254.0/24, everything restarts and works.

Concurrent connections is set to 1.
In client settings, Topology is set to "Subnet -- One IP address per client in a common subnet".
I don't want to use the topology "net30" because some push functions or client specific override options can't work with that, and I think that's an old technology!

      Someone got an idea?!

      Thanks!

      bingo600 1 Reply Last reply Reply Quote 0
      • bingo600
        bingo600 @M0L50N last edited by

        @m0l50n

Why would you restrict it?
You could just control who can login.

To restrict, I'd do a Client Specific Override and give the allowed client a specific IP.
Then on the OpenVPN interface I would only allow that IP.

        /Bingo

        1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by

          I believe a /29 is the smallest you can use.

          If you try and set a /30, you get this error

          Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower

          JKnott 1 Reply Last reply Reply Quote 0
          • Pippin
            Pippin last edited by

            Yes correct.

            Topology subnet:
            Number of addresses in network - 4 = number of clients
            So /29 is the smallest.

            johnpoz 1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator @Pippin last edited by

              That is what I take from the error yes.. I just changed mine to .248/29 and it does come up.

              But I am with @bingo600 here, not understanding the need for not just using a /24

              The only reason I could see having to use smaller would be if you were limited to what range of IPs you could use and you had to break up say a single /24 for multiple different tunnels.

              You can limit the number of concurrent connections you can have, the users have to auth. And you can set specific overrides for clients to get a specific IP, which you could then use to filter their traffic. That specific IP doesn't really care if the netblock comes from a /29 or a /20, etc

But from that error, it seems there is some openvpn limitation for /29 being the smallest - maybe something to make sure you can use a net30 setting for sure?

              You prob could take that question up on the openvpn forums. A quick google didn't find me any info - but I didn't look real hard ;)

              bingo600 Pippin 2 Replies Last reply Reply Quote 0
              • bingo600
                bingo600 @johnpoz last edited by

                @johnpoz
Couldn't it be that OVPN sees a /30 as P2P only,
and won't allow it as a RoadWarrior setup?

                1 Reply Last reply Reply Quote 2
                • JKnott
                  JKnott @johnpoz last edited by

                  @johnpoz said in Unable setup IPv4 Tunnel Network /30:

                  I believe a /29 is the smallest you can use.

Actually, a /31 should be the smallest. It has been used for years, though some operating systems choke on that. If there's a /29 requirement with OpenVPN, then it's an issue with it. For any point to point connection, you need 2 addresses. A /31 can provide that. The /30 requirement came from thinking network and broadcast addresses were also needed. Why would you need broadcasts on a connection with only 2 addresses?

                  johnpoz 1 Reply Last reply Reply Quote 0
                  • johnpoz
                    johnpoz LAYER 8 Global Moderator @JKnott last edited by johnpoz

Yes dude, the thread is talking about OpenVPN server settings.. Not anything to do with normal networking masks. How would a /29 being the smallest you can use in a network make any sense?

And yes, it's an OpenVPN thing - nothing to do with pfSense at all.

@bingo600 yeah, you're prob right about the p2p thing..

                    1 Reply Last reply Reply Quote 0
                    • Pippin
                      Pippin @johnpoz last edited by

@johnpoz said in Unable setup IPv4 Tunnel Network /30:

But from that error, it seems there is some openvpn limitation for /29 being the smallest - maybe something to make sure you can use a net30 setting for sure?

This is for any tunnel subnet, f.e. /24:
.0 = network
.1 = server address
.254 = dhcp
.255 = broadcast
Those four addresses cannot be used for clients.
One can confirm this in the server log, f.e. /24:

IFCONFIG POOL IPv4: base=10.8.0.2 size=252

                      The deprecated /30 topology is from the past when Windows could not handle the subnet topology.

                      1 Reply Last reply Reply Quote 0
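A small model of the pool arithmetic Pippin describes, added here as an example and not code from the thread or from OpenVPN itself: four addresses of every tunnel network are reserved (network, server, the second-highest address, broadcast) and the quoted error refuses anything smaller than a /29. It reproduces the "base=10.8.0.2 size=252" log line for a /24, shows that the /29 johnpoz switched to leaves room for exactly four clients, and that the original poster's /30 is rejected. The reserved-address rule and the /29 floor are taken from the posts above, not from OpenVPN's source.

```python
import ipaddress

# Addresses the thread says OpenVPN keeps back in every "topology subnet"
# tunnel network: network, server (.1), second-highest address, broadcast.
RESERVED_ADDRESSES = 4

# Longest prefix accepted by --server with --dev tun, per the error message
# quoted above ("255.255.255.248 (/29) or lower"). Assumption: modelled as
# a plain prefix-length check.
MAX_PREFIXLEN = 29


def ifconfig_pool(tunnel_network: str) -> tuple[str, int]:
    """Return (pool base, pool size) for a --server tunnel network, mirroring
    the 'IFCONFIG POOL IPv4: base=... size=...' server log line.
    Raises ValueError for networks smaller than a /29, like the Options error."""
    net = ipaddress.ip_network(tunnel_network, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 tunnel networks only")
    if net.prefixlen > MAX_PREFIXLEN:
        raise ValueError(
            "--server directive when used with --dev tun must define a "
            "subnet of 255.255.255.248 (/29) or lower"
        )
    first = net.network_address + 2      # .0 is the network, .1 the server
    last = net.broadcast_address - 2     # broadcast and the address below it
    size = int(last) - int(first) + 1    # == num_addresses - RESERVED_ADDRESSES
    return str(first), size


def max_clients(tunnel_network: str) -> int:
    """Clients that can hold an address at once in this tunnel network."""
    return ifconfig_pool(tunnel_network)[1]


def check_tunnel_networks(networks: list[str]) -> dict[str, str]:
    """Report each candidate as 'N clients' or 'rejected: <reason>'."""
    report = {}
    for n in networks:
        try:
            report[n] = f"{max_clients(n)} clients"
        except ValueError as exc:
            report[n] = f"rejected: {exc}"
    return report


if __name__ == "__main__":
    # Constructed candidates taken from the thread: OP's /30, johnpoz's /29, the /24.
    for net, verdict in check_tunnel_networks(
        ["192.168.254.252/30", "192.168.254.248/29", "192.168.254.0/24"]
    ).items():
        print(f"{net:22} {verdict}")
```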