Netgate Discussion Forum

Unable setup IPv4 Tunnel Network /30

OpenVPN
9 Posts 5 Posters 914 Views
    M0L50N
    last edited by Dec 31, 2020, 3:11 PM

    Hi,

    I created a P2P tunnel and it works like a charm!!!

    To fine tune it, I want to restrict my tunnel to only 2 IP addresses: 1 for my OpenVPN server and one for the remote. In Tunnel settings of my OpenVPN server, if I put 192.168.254.252/30 for the IPv4 Tunnel Network, I'm unable to restart that server. If I put back 192.168.254.0/24, everything restarts and works.

    Concurrent connections is set to 1.
    Client settings: Topology is set to "Subnet -- One IP address per client in a common subnet".
    I don't want to use the topology "net30" because some push functions or client specific override options can't work with that, and I think that's an old technology!

    Someone got an idea?!

    Thanks!

      bingo600 @M0L50N
      last edited by Dec 31, 2020, 3:29 PM

      @m0l50n

      Why would you restrict it?
      You could just control who can log in.

      To restrict, I'd do a Client Specific Override and give the allowed client a specific IP.
      Then on the OpenVPN interface I would only allow that IP.

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

        johnpoz LAYER 8 Global Moderator
        last edited by Dec 31, 2020, 3:36 PM

        I believe a /29 is the smallest you can use.

        If you try to set a /30, you get this error:

        Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Pippin
          last edited by Dec 31, 2020, 3:47 PM

          Yes, correct.

          Topology subnet:
          Number of addresses in network - 4 = number of clients
          So /29 is the smallest.

          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
          Halton Arp

            johnpoz LAYER 8 Global Moderator @Pippin
            last edited by Dec 31, 2020, 4:03 PM

            That is what I take from the error, yes. I just changed mine to .248/29 and it does come up.

            But I am with @bingo600 here, not understanding the need for not just using a /24.

            The only reason I could see having to use smaller would be if you were limited to what range of IPs you could use and you had to break up say a single /24 for multiple different tunnels.

            You can limit the number of concurrent connections you can have, and the users have to auth. And you can set specific overrides for clients to get a specific IP, which you could then use to filter their traffic. That specific IP doesn't really care if the netblock comes from a /29 or a /20, etc.

            But from that error, it seems there is some OpenVPN limitation for /29 being the smallest - maybe something to make sure you can use a net30 setting for sure?

            You prob could take that question up on the openvpn forums. A quick google didn't find me any info - but I didn't look real hard ;)

              bingo600 @johnpoz
              last edited by Dec 31, 2020, 4:14 PM

              @johnpoz
              Couldn't it be that OVPN sees a /30 as P2P only,
              and won't allow it as a RoadWarrior setup?

                JKnott @johnpoz
                last edited by Dec 31, 2020, 4:27 PM

                @johnpoz said in Unable setup IPv4 Tunnel Network /30:

                I believe a /29 is the smallest you can use.

                Actually, a /31 should be the smallest. It has been used for years, though some operating systems choke on that. If there's a /29 requirement with OpenVPN, then it's an issue with it. For any point to point connection, you need 2 addresses. A /31 can provide that. The /30 requirement came from thinking network and broadcast addresses were also needed. Why would you need broadcasts on a connection with only 2 addresses?

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                  johnpoz LAYER 8 Global Moderator @JKnott
                  last edited by johnpoz Dec 31, 2020, 6:39 PM

                  Yes dude, the thread is talking about OpenVPN server settings, not anything to do with normal networking masks. How would a /29 being the smallest you can use in a network make any sense?

                  And yes, it's an OpenVPN thing - nothing to do with pfSense at all.

                  @bingo600 yeah, you're prob right about the P2P thing.

                    Pippin @johnpoz
                    last edited by Jan 2, 2021, 5:07 PM

                    @johnpoz said in Unable setup IPv4 Tunnel Network /30:

                    But from that error, it seems there is some OpenVPN limitation for /29 being the smallest - maybe something to make sure you can use a net30 setting for sure?

                    This is for any tunnel subnet, e.g. /24:
                    .0 = network
                    .1 = server address
                    .254 = dhcp
                    .255 = broadcast
                    Those four addresses cannot be used for clients.
                    One can confirm this in the server log, e.g. /24:

                    IFCONFIG POOL IPv4: base=10.8.0.2 size=252

                    The deprecated /30 topology is from the past when Windows could not handle the subnet topology.

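A worked example, added here and not from any poster or from OpenVPN's source: a small Python script that models the pool arithmetic Pippin describes for topology subnet (network address, server address, last host and broadcast reserved; everything in between handed to clients), applies the /29 floor from the error johnpoz quoted, and then checks a Client Specific Override address against that pool, which is the approach bingo600 and johnpoz suggest for restricting the tunnel to one client. The reservation rule, the /29 limit and the `IFCONFIG POOL IPv4` log format are taken from the posts above; the function names and the `RESERVED_ADDRESSES` constant are my own, and the script is a model of the described behaviour rather than OpenVPN's actual code.

```python
"""Model of the OpenVPN 'topology subnet' client pool described in this thread.

Added example, not from any poster or from OpenVPN's source. It assumes the
rule Pippin gives: in a tunnel network the network address, the server
address (first host), the last host address and the broadcast address are
reserved, and every address in between is handed out to clients.
"""
import ipaddress
from dataclasses import dataclass

# OpenVPN refuses a --dev tun server on anything smaller than a /29 (the
# error johnpoz quoted); a /29 minus the four reserved addresses = 4 clients.
MAX_TUNNEL_PREFIX = 29
RESERVED_ADDRESSES = 4  # network, server, last host (dhcp), broadcast


@dataclass(frozen=True)
class TunnelPlan:
    network: ipaddress.IPv4Network
    server: ipaddress.IPv4Address     # first host, .1 in a /24
    pool_base: ipaddress.IPv4Address  # first client address, .2 in a /24
    pool_size: int                    # number of addresses handed to clients

    @property
    def pool_last(self) -> ipaddress.IPv4Address:
        """Last address handed to a client (.253 in a /24)."""
        return self.pool_base + (self.pool_size - 1)

    def log_line(self) -> str:
        """The pool line the server log prints, in the format quoted above."""
        return f"IFCONFIG POOL IPv4: base={self.pool_base} size={self.pool_size}"


def plan_tunnel(tunnel_network: str) -> TunnelPlan:
    """Compute the client pool for an IPv4 Tunnel Network given in CIDR form.

    Raises ValueError when host bits are set in the network part and when
    the prefix is longer than /29, mirroring the server's refusal to start.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.version != 4:
        raise ValueError("this model only covers the IPv4 Tunnel Network")
    if net.prefixlen > MAX_TUNNEL_PREFIX:
        raise ValueError(
            f"{net}: --server directive when used with --dev tun must define "
            f"a subnet of 255.255.255.248 (/{MAX_TUNNEL_PREFIX}) or lower"
        )
    return TunnelPlan(
        network=net,
        server=net.network_address + 1,
        pool_base=net.network_address + 2,
        pool_size=net.num_addresses - RESERVED_ADDRESSES,
    )


def static_client_ok(tunnel_network: str, client_ip: str) -> bool:
    """Is client_ip usable for a Client Specific Override in this tunnel?

    It must fall inside the pool: not the network, server, last host or
    broadcast address, and not outside the tunnel network altogether.
    """
    plan = plan_tunnel(tunnel_network)
    ip = ipaddress.ip_address(client_ip)
    return ip.version == 4 and plan.pool_base <= ip <= plan.pool_last


if __name__ == "__main__":
    # The three networks from the thread: the working /24, the /29 johnpoz
    # switched to, and the /30 that would not start.
    for cidr in ("192.168.254.0/24", "192.168.254.248/29", "192.168.254.252/30"):
        try:
            plan = plan_tunnel(cidr)
            print(f"{cidr}: server={plan.server} {plan.log_line()}")
        except ValueError as err:
            print(f"{cidr}: refused: {err}")
```

Running it shows the /24 yielding base .2 with size 252 (the log line Pippin quoted), the /29 yielding a pool of four addresses .250 to .253 with the server on .249, and the /30 refused outright; `static_client_ok` then tells you whether the address you plan to pin in a Client Specific Override (and filter on at the firewall) is one the pool could actually hand out.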