Unable setup IPv4 Tunnel Network /30


  • Hi,

    I created a P2P tunnel and it works like a charm!!!

    To fine tune it, I want to restrict my tunnel to only 2 IP addresses: one for my OpenVPN server and one for the remote. In the Tunnel settings of my OpenVPN server, if I put 192.168.254.252/30 for the IPv4 Tunnel Network, I'm unable to restart that server. If I put back 192.168.254.0/24, everything restarts and works.

    Concurrent connections is set to 1
    client settings Topology is set to "Subnet -- One IP address per client in a common subnet"
    I don't want to use the topology "net30" because some push functions or client specific override options can't work with it, and I think that's an old technology!

    Someone got an idea?!

    Thanks!


  • @m0l50n

    Why would you restrict it?
    You could just control who can log in.

    To restrict it, I'd do a Client Specific Override and give the allowed client a specific IP.
    Then on the OpenVPN interface I would only allow that IP.

    /Bingo

  • LAYER 8 Global Moderator

    I believe a /29 is the smallest you can use.

    If you try and set a /30, you get this error

    Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower


  • Yes, correct.

    Topology subnet:
    Number of addresses in network - 4 = number of clients
    So /29 is the smallest.

  • LAYER 8 Global Moderator

    That is what I take from the error, yes.. I just changed mine to .248/29 and it does come up.

    But I am with @bingo600 here, not understanding the need for not just using a /24.

    The only reason I could see having to use smaller would be if you were limited to what range of IPs you could use and you had to break up say a single /24 for multiple different tunnels.

    You can limit the number of concurrent connections you can have, and the users have to auth. And you can set specific overrides for clients to get a specific IP, which you could then use to filter their traffic. That specific IP doesn't really care if the netblock comes from a /29 or a /20, etc.

    But from that error, it seems there is some OpenVPN limitation for /29 being the smallest - maybe something to make sure you can use a net30 setting for sure?

    You prob could take that question up on the OpenVPN forums. A quick Google didn't find me any info - but I didn't look real hard ;)


  • @johnpoz
    Couldn't it be that OVPN sees a /30 as P2P only,
    and won't allow it as a RoadWarrior setup?


  • @johnpoz said in Unable setup IPv4 Tunnel Network /30:

    I believe a /29 is the smallest you can use.

    Actually, a /31 should be the smallest. It has been used for years, though some operating systems choke on that. If there's a /29 requirement with OpenVPN, then it's an issue with it. For any point-to-point connection, you need 2 addresses. A /31 can provide that. The /30 requirement came from thinking network and broadcast addresses were also needed. Why would you need broadcasts on a connection with only 2 addresses?

  • LAYER 8 Global Moderator

    Yes dude, the thread is talking about OpenVPN server settings.. Not anything to do with normal networking masks. How would a /29 being the smallest you can use in a network make any sense?

    And yes, it's an OpenVPN thing - nothing to do with pfSense at all.

    @bingo600 yeah, you're prob right about the p2p thing..


  • @johnpoz said in Unable setup IPv4 Tunnel Network /30:

    But from that error, is seems there is some openvpn limitation for /29 being the smallest - maybe something to make sure you can use a net30 setting for sure?

    This is for any tunnel subnet, e.g. /24:
    .0 = network
    .1 = server address
    .254 = dhcp
    .255 = broadcast
    Those four addresses cannot be used for clients.
    One can confirm this in the server log, e.g. for /24:

    IFCONFIG POOL IPv4: base=10.8.0.2 size=252
    

    The deprecated /30 topology is from the past when Windows could not handle the subnet topology.
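As an added illustration (not part of the thread and not OpenVPN's own code), the address layout the post above describes, modeled in Python: it reproduces the `IFCONFIG POOL IPv4: base=10.8.0.2 size=252` log line for a /24, shows that a /29 leaves exactly 4 client addresses, and rejects a /30 the way the quoted "/29 or lower" error does. The /29 cutoff and the network/server/reserved/broadcast layout are taken from the thread; everything else is an assumption of this model.

```python
# Constructed model of how OpenVPN carves a client pool out of a
# "topology subnet" tunnel network (added example, not OpenVPN source).
import ipaddress

# From the quoted error: the tunnel network must be /29 "or lower"
# (i.e. a /29 or a larger network), otherwise the server refuses to start.
MAX_PREFIXLEN_FOR_TUN = 29


def subnet_topology_pool(tunnel_network: str):
    """Return (server_ip, pool_base, pool_end, pool_size) for topology subnet.

    Layout listed in the thread, shown for a /24:
      .0     network address
      .1     server address
      .2 ..  client pool (what the log calls "base")
      .254   reserved (the poster calls it dhcp)
      .255   broadcast
    So the pool holds (addresses in network - 4) clients.  For a /30 that
    would be 0 (base .254, end .253), which is why OpenVPN rejects it.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.prefixlen > MAX_PREFIXLEN_FOR_TUN:
        raise ValueError(
            f"{net} is smaller than /{MAX_PREFIXLEN_FOR_TUN}: "
            "no addresses would be left for clients"
        )
    server = net.network_address + 1
    base = net.network_address + 2
    end = net.broadcast_address - 2      # .254 and .255 are not handed out
    size = int(end) - int(base) + 1
    return str(server), str(base), str(end), size


def pool_log_line(tunnel_network: str) -> str:
    """Rebuild the 'IFCONFIG POOL IPv4' line the server log prints."""
    _, base, _, size = subnet_topology_pool(tunnel_network)
    return f"IFCONFIG POOL IPv4: base={base} size={size}"


if __name__ == "__main__":
    # The three networks discussed in the thread.
    for cidr in ("10.8.0.0/24", "192.168.254.248/29", "192.168.254.252/30"):
        try:
            print(cidr, "->", pool_log_line(cidr))
        except ValueError as exc:
            print(cidr, "->", exc)
```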