Need Clarity on IPv4 Tunnel Network Configuration for Peer-Peer Shared Key



  • If I am setting up a single peer-peer shared-key network with one server and two clients, should I specify the same exact subnet and mask value for the "IPv4 Tunnel Network" parameter in the OpenVPN configurations for the server and the two clients?  IOW does the OpenVPN process dynamically allocate p2p endpoint IP addresses for the OpenVPN tunnels or do I have to do this manually (statically)?  Is there an example somewhere?

    The reason I ask this is because looking at the routing tables, all of the remote and local subnets I also specify in the OpenVPN configuration for the server and the clients (for subnets on the lan side of each server and client) appear to have the same OpenVPN tunnel next hops (the OpenVPN next-hops do not vary by client like I would expect).



  • OK, answered my own question.  For peer-peer shared key you need one OpenVPN process on the central server for each client.  What a resource nightmare if the number of sites becomes large.  Was thinking it worked like PKI.



  • … so the answer to your question is/was?  This is exactly the issue I'm trying to figure out now.

    site 1 Server (IPv4 Local Network): 192.168.59.0/30
    IPv4 Tunnel Network: 192.168.50.0/31 <-- (this could be anything, really, as long as it's not a publicly routable network and not the same network as "IPv4 Local Network" and "IPv4 Remote Network" (?) )
    site 2 Client (IPv4 Remote Network): 192.168.58.0/24

    Is that the basic setup?



  • site 1 Server (IPv4 Local Network): 192.168.59.0/30

    Surprised your local LAN would be "/30" - perhaps you mean 192.168.59.0/24 ?

    IPv4 Tunnel Network: 192.168.50.0/31

    You need to use "/30" mask - that gives 4 IP addresses, top and bottom unused, OpenVPN gives .1 to server and .2 to client.

    Every peer-to-peer tunnel network server-client pair must use a different subnet.
    The local LAN at every office must use a different subnet.
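As an added worked example (not from this thread, and not pfSense's or OpenVPN's own code), the script below turns the rules in the last two replies into a checkable plan: one OpenVPN server process per client, one /30 tunnel network per server/client pair with .1 on the server and .2 on the client, and no overlap between any tunnel network and any site LAN. The hub LAN, the two spoke sites and their tunnel networks are constructed sample values, and the `ifconfig`/`route` lines it emits are the plain OpenVPN directives behind the "IPv4 Tunnel Network" and "Local/Remote Network" fields.

```python
"""Plan and sanity-check OpenVPN peer-to-peer shared-key tunnels (added example)."""
import ipaddress
from itertools import combinations

# Constructed plan: a hub with one server process per remote client.
HUB_LAN = "192.168.59.0/24"
SITES = {
    # remote LAN behind each client -> tunnel network for that server/client pair
    "site2": {"remote_lan": "192.168.58.0/24", "tunnel": "192.168.50.0/30"},
    "site3": {"remote_lan": "192.168.57.0/24", "tunnel": "192.168.50.4/30"},
}


def tunnel_endpoints(tunnel_cidr):
    """Return (server_ip, client_ip) for a /30 tunnel network.

    A /30 holds four addresses: network, .1, .2, broadcast.  Peer-to-peer
    OpenVPN uses the two usable hosts, the first for the server and the
    second for the client.  Anything other than an IPv4 /30 is rejected.
    """
    net = ipaddress.ip_network(tunnel_cidr, strict=True)
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{tunnel_cidr}: tunnel network must be an IPv4 /30, got /{net.prefixlen}")
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[1])


def check_plan(hub_lan, sites):
    """Return a list of problems with the plan (empty list means it is consistent).

    Checks: every tunnel network is a valid /30, and no two networks in the
    plan (hub LAN, site LANs, tunnel networks) overlap each other.
    """
    problems = []
    nets = {"hub LAN": ipaddress.ip_network(hub_lan, strict=True)}
    for name, cfg in sites.items():
        nets[f"{name} LAN"] = ipaddress.ip_network(cfg["remote_lan"], strict=True)
        try:
            tunnel_endpoints(cfg["tunnel"])
            nets[f"{name} tunnel"] = ipaddress.ip_network(cfg["tunnel"], strict=True)
        except ValueError as exc:
            problems.append(str(exc))
    # Pairwise overlap check covers "different subnet per pair" and "different LAN per office".
    for (label_a, net_a), (label_b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{label_a} {net_a} overlaps {label_b} {net_b}")
    return problems


def _route_line(cidr):
    net = ipaddress.ip_network(cidr, strict=True)
    return f"route {net.network_address} {net.netmask}"


def pair_configs(hub_lan, sites):
    """Per-pair directives: each client gets its own server process and its own /30."""
    configs = {}
    for name, cfg in sites.items():
        server_ip, client_ip = tunnel_endpoints(cfg["tunnel"])
        configs[name] = {
            "server": {"ifconfig": f"ifconfig {server_ip} {client_ip}",
                       "route": _route_line(cfg["remote_lan"])},   # reach the remote LAN
            "client": {"ifconfig": f"ifconfig {client_ip} {server_ip}",
                       "route": _route_line(hub_lan)},             # reach the hub LAN
        }
    return configs


if __name__ == "__main__":
    for problem in check_plan(HUB_LAN, SITES) or ["plan is consistent"]:
        print(problem)
    for site, cfg in pair_configs(HUB_LAN, SITES).items():
        print(site, cfg)
```

Running it on the constructed plan reports no problems and prints one server/client directive pair per site; swapping a tunnel to a /31, reusing the same /30 for two sites, or carving the tunnel out of a site's LAN range each produces a named problem line.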