Can the inet address assigned to P-t-P tun interface be used for a client inet address if the server runs out of all addresses within a subnet?
Solution 1:
Your OpenVPN server seems to be setup using the topology net30. This topology is required for compatibility with really old clients running on older versions of Windows.
This topology basically takes the that /24
subnet you assigned to the VPN and breaks it up into 64 subnets with 30 bit masks. Meaning you can have at most 63 connected clients.
In the net30, the 00
(binary bits), and 11
addresses are unused, the 01
address is assigned to the PTP connect on the server and the 10
address is used on the client.
So given the 10.8.0.6,client1,...
client. the subnet is 10.8.0.4
. The broadcast address is 10.8.0.7
. The address that belongs to the OpenVPN server is 10.8.0.5
(though you won't actually see it assigned on the server), and the address assigned to the client is 10.8.0.6
.
$ ipcalc 10.8.0.4/30
Address: 10.8.0.4 00001010.00001000.00000000.000001 00
Netmask: 255.255.255.252 = 30 11111111.11111111.11111111.111111 00
Wildcard: 0.0.0.3 00000000.00000000.00000000.000000 11
=>
Network: 10.8.0.4/30 00001010.00001000.00000000.000001 00
HostMin: 10.8.0.5 00001010.00001000.00000000.000001 01
HostMax: 10.8.0.6 00001010.00001000.00000000.000001 10
Broadcast: 10.8.0.7 00001010.00001000.00000000.000001 11
These days you would be far better off switching your server to use topology subnet
. This option tells OpenVPN 10.8.0.0/24
as one single subnet and not to break it up into a bunch of smaller subnets. Each client will only consume 1 address from the potential ~253 available in the subnet instead of basically 4, which happens with the net30.
- https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
topology mode
Configure virtual addressing topology when running in --dev tun mode. This directive has no meaning in --dev tap mode, which always uses a subnet topology. If you set this directive on the server, the --server and --server-bridge directives will automatically push your chosen topology setting to clients as well. This directive can also be manually pushed to clients. Like the --dev directive, this directive must always be compatible between client and server.
mode can be one of:
net30 -- Use a point-to-point topology, by allocating one /30 subnet per client. This is designed to allow point-to-point semantics when some or all of the connecting clients might be Windows systems. This is the default on OpenVPN 2.0.
subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode allocates a single IP address per connecting client and works on Windows as well. Only available when server and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the --topology directive code. When used on Windows, requires version 8.2 or higher of the TAP-Win32 driver. When used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a remote endpoint IP address.