Can the inet address assigned to P-t-P tun interface be used for a client inet address if the server runs out of all addresses within a subnet?

linux routing openvpn tun

Solution 1:

Your OpenVPN server seems to be setup using the topology net30. This topology is required for compatibility with really old clients running on older versions of Windows.

This topology basically takes the that /24 subnet you assigned to the VPN and breaks it up into 64 subnets with 30 bit masks. Meaning you can have at most 63 connected clients.

In the net30, the 00 (binary bits), and 11 addresses are unused, the 01 address is assigned to the PTP connect on the server and the 10 address is used on the client.

So given the 10.8.0.6,client1,... client. the subnet is 10.8.0.4. The broadcast address is 10.8.0.7. The address that belongs to the OpenVPN server is 10.8.0.5 (though you won't actually see it assigned on the server), and the address assigned to the client is 10.8.0.6.

$ ipcalc 10.8.0.4/30

Address:   10.8.0.4             00001010.00001000.00000000.000001 00
Netmask:   255.255.255.252 = 30 11111111.11111111.11111111.111111 00
Wildcard:  0.0.0.3              00000000.00000000.00000000.000000 11
=>
Network:   10.8.0.4/30          00001010.00001000.00000000.000001 00
HostMin:   10.8.0.5             00001010.00001000.00000000.000001 01
HostMax:   10.8.0.6             00001010.00001000.00000000.000001 10
Broadcast: 10.8.0.7             00001010.00001000.00000000.000001 11

These days you would be far better off switching your server to use topology subnet. This option tells OpenVPN 10.8.0.0/24 as one single subnet and not to break it up into a bunch of smaller subnets. Each client will only consume 1 address from the potential ~253 available in the subnet instead of basically 4, which happens with the net30.

  • https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

topology mode

Configure virtual addressing topology when running in --dev tun mode. This directive has no meaning in --dev tap mode, which always uses a subnet topology. If you set this directive on the server, the --server and --server-bridge directives will automatically push your chosen topology setting to clients as well. This directive can also be manually pushed to clients. Like the --dev directive, this directive must always be compatible between client and server.

mode can be one of:

net30 -- Use a point-to-point topology, by allocating one /30 subnet per client. This is designed to allow point-to-point semantics when some or all of the connecting clients might be Windows systems. This is the default on OpenVPN 2.0.

subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode allocates a single IP address per connecting client and works on Windows as well. Only available when server and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the --topology directive code. When used on Windows, requires version 8.2 or higher of the TAP-Win32 driver. When used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a remote endpoint IP address.

Related

HP Proliant DL 380 G7 Over Temp issue - doesn't boot
Automatically provisioning a Windows Server at OVH
How to use nginx to proxy to a host requiring NTLM authentication?
Why is port 587 preferred over port 465 in SMTP?
How can I get docker build to overwrite a file?
How to enable debug logging for GRE?
Corrupted index cache file in Dovecot
Update sudoers file in multiple servers with a bash script
How do I delete/remove a SUSE 10.3 user?
How can I set up my own VPN service that looks like in another country?
Grafana behind AWS ALB
Share gcp external load balancer across multiple projects