Openvpn site to site error



  • I am following the pfsense book to setup an openvpn site-to-site

    it is extremely helpful with full of details!!!  THANK YOU!!

    quick note though, on page 321 it says to use address pool: 172.31.55.0/30

    when i use this address on the server i get the error

    openvpn[22148]: Options error: –server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower

    if i change it to 172.31.55.0/29

    also....

    on the client side, if you configure a shared key, an interface ip is required before it will let you save the configuration

    it starts up perfectly ( am using a pki infrastructure instead of shared key )



  • A /30 will only work if you set up this with a shared key.
    For site-to-site you should use a shared key.
    Yes you will have to set an interface IP, because with a shared key no routes/IPs/DHCP-settings/anything will be pushed from the server.
    The configuration is only what you put into the config file.

    The reason why a /30 with a PKI won't work:
    In a PKI you have the x.1 IP for the server.
    Every time a client connects a new dynamic /30 subnet is added to the virtual interface.
    So
    x.0/30 initial IP of the Server.
    x.4/30 first client (x.5 server, x.6 client)
    x.8/30 second client (x.9 server, x.10 client)
    etc.
    This ensures that the clients can talk only with the server and not with each other directly.



  • thanks a lot for the response!

    that makes perfect sense!



  • also note

    following the books example for site-to-site vpn with a shared key ther eis one step missing

    on the client side interface ip must be set: 172.31.55.0/30

    the configuration file for openvpn client will not let you save anything until an interace ip is set on top of what the book mentions


  • Rebel Alliance Developer Netgate

    @UnderCover:

    also note

    following the books example for site-to-site vpn with a shared key ther eis one step missing

    on the client side interface ip must be set: 172.31.55.0/30

    the configuration file for openvpn client will not let you save anything until an interace ip is set on top of what the book mentions

    Thanks for catching that. We'll check into it and update the errata page if need be.


Log in to reply