Increasing number of clients past 63

Posted: Wed Dec 13, 2017 2:38 pm
by maxburn
I'm using a pretty basic config, almost exactly what is talked about in the HOWTO article. If I'm reading this right I am limited to 63 clients max according to the table in this section of the HOWTO, correct? https://openvpn.net/index.php/open-sour ... tml#policy

How would I edit config files to allow for more clients? I am allowing client to client traffic. I have Ubiquiti routers connecting back to a windows server. The HOWTO file suggests that the windows tap driver might be a limiting factor here?


My CCD files look like this now

client1

iroute 10.105.101.0 255.255.255.0
ifconfig-push 10.8.0.5 10.8.0.6
client2

iroute 10.105.102.0 255.255.255.0
ifconfig-push 10.8.0.9 10.8.0.10
client3 and so on etc.

iroute 10.105.103.0 255.255.255.0
ifconfig-push 10.8.0.13 10.8.0.14
Server file

port 1194
proto tcp-server
dev tun
ca "path"
cert "path"
key "path"
dh "path"
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

# with this server always grabs 10.8.0.1
server 10.8.0.0 255.255.255.0

# read this to see what clients are connected
# Windows requires double \\ here to path
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"

# OpenVPN log goes to C:\Program Files\OpenVPN\log\* whatever this ovpn file is named
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# telnet management interface, disable for normal use, use server cmd on server?
;management localhost 10020

# ovpn server pushes config info to clients from files in ccd dir. 
# Matches are based on CN in connecting key, so CN in key must match file name exactly. 
# Static VPN addressing and Client LAN routing is controlled in these files.
# client configuration directory (home is config dir, so rel path ok here)
client-config-dir ccd

# Allow LAN routing between clients
client-to-client
# Push routes to connecting clients, they need to know about all other LANs
push "route 10.105.101.0 255.255.255.0"
push "route 10.105.102.0 255.255.255.0"
push "route 10.105.103.0 255.255.255.0"
push "route 10.105.104.0 255.255.255.0"
push "route 10.105.105.0 255.255.255.0"
push "route 10.105.106.0 255.255.255.0"
push "route 10.105.107.0 255.255.255.0"
# Allow the server to route traffic to client LANs
route 10.105.101.0 255.255.255.0
route 10.105.102.0 255.255.255.0
route 10.105.103.0 255.255.255.0
route 10.105.104.0 255.255.255.0
route 10.105.105.0 255.255.255.0
route 10.105.106.0 255.255.255.0
route 10.105.107.0 255.255.255.0

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth "path" 0 # This file is secret

Edit: seems the oconf= button is broken.

Re: Increasing number of clients past 63

Posted: Wed Dec 13, 2017 2:44 pm
by Pippin

Re: Increasing number of clients past 63

Posted: Wed Dec 13, 2017 8:11 pm
by maxburn
OK so I'm assuming that the "old" "net30" is still the default in current versions and that's what I'm using as I haven't specified "--topology ~" in the config file, correct?

Without disturbing anything else are these valid configs? I'm not sure I have my head wrapped around this yet.
Server (edited, removing quotes and --)

topology subnet
push topology subnet
ifconfig 10.8.0.1 255.255.0.0
push route-gateway 10.8.0.1
#ifconfig-pool 10.8.0.2 10.8.10.199 255.255.0.0
First CCD file

iroute 10.105.101.0 255.255.255.0
ifconfig-push 10.8.0.3 255.255.0.0
Second

iroute 10.105.102.0 255.255.255.0
ifconfig-push 10.8.0.4 255.255.0.0
I would then have higher numbers looking like this

iroute 10.105.199.0 255.255.255.0
ifconfig-push 10.8.0.201 255.255.0.0
higher

iroute 10.106.101.0 255.255.255.0
ifconfig-push 10.8.1.3 255.255.0.0

Re: Increasing number of clients past 63

Posted: Wed Dec 13, 2017 9:12 pm
by Pippin
Remove -- from the directives and remove ifconfig-pool-persist from server config since you use ccd.
A /24 can house 252 clients, do you really need a /16?
If you have that many clients then it may be better to start more OpenVPN instances... but I have no experience with that.

Re: Increasing number of clients past 63

Posted: Wed Dec 13, 2017 9:27 pm
by maxburn
Pippin wrote:
Wed Dec 13, 2017 9:12 pm
Remove -- from the directives and remove ifconfig-pool-persist from server config since you use ccd.
I must have been editing while you were replying, I realized that later. Also remarked out the pool, that was the one you meant?
Pippin wrote:
Wed Dec 13, 2017 9:12 pm
A /24 can house 252 clients, you really need a /16?
Highly likely not. It would even be rare for me to exceed the limits of net30, but not improbable, so that's why I'm exploring.
Pippin wrote:
Wed Dec 13, 2017 9:12 pm
If have so many clients then maybe better start more OpenVPN instances...but I have no experience with that.
Anything that level I'd likely reach out to our consultants.

Re: Increasing number of clients past 63

Posted: Thu Dec 14, 2017 2:05 pm
by maxburn
Edit: worked through the config file errors and wound up with this config. It starts, runs and client routers connect. Next problem is I can't reach any LAN devices from the VPN server (required). I can reach the routers through their VPN IP though. Not seeing any route warnings or errors in the logs.

Server

# leave port alone, for harris hosting we are directing external 
# ports 10000-10009 external to 1194 for each server internal
port 1194
# OpenVPN server can only listen to one port/protocol at a time. Choose. 
;proto udp
proto tcp-server
# TCP is a Connection-Oriented protocol .. 
# There is no requirement for --explicit-exit-notify as the TCP protocol handles the 
# connection state. If TCP specified above comment next line out.
;explicit-exit-notify 1
dev tun
ca "windows path"
cert "windows path"
key "windows path"
dh "windows path"
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

# this changes from net30 topology to a regular subnet for VPN IPs
mode server
tls-server
topology "subnet"
push "topology subnet"
ifconfig 10.8.0.253 255.255.255.0  # this is the server VPN IP. Note: the DHCP server is on 10.8.0.254.
route-gateway 10.8.0.253
push "route-gateway 10.8.0.253"
ifconfig-pool 10.8.0.220 10.8.0.250 255.255.255.0 # usable for road warriors


# read this to see what clients are connected
# Windows requires double \\ here to path
status "windows path"


# OpenVPN log goes to C:\Program Files\OpenVPN\log\* whatever this ovpn file is named
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# telnet management interface, disable for normal use, use server cmd on server?
;management localhost 10020

# ovpn server pushes config info to clients from files in ccd dir. 
# Matches are based on CN in connecting key, so CN in key must match file name exactly. 
# Static VPN addressing and Client LAN routing is controlled in these files.
# client configuration directory (home is config dir, so rel path ok here)
client-config-dir ccd

# Allow LAN routing between clients
client-to-client
# Push routes to connecting clients, they need to know about all other LANs
push "route 10.105.101.0 255.255.255.0"
push "route 10.105.102.0 255.255.255.0"
push "route 10.105.103.0 255.255.255.0"
push "route 10.105.104.0 255.255.255.0"
push "route 10.105.105.0 255.255.255.0"
push "route 10.105.106.0 255.255.255.0"
push "route 10.105.107.0 255.255.255.0"
# Allow the server to route traffic to client LANs
route 10.105.101.0 255.255.255.0
route 10.105.102.0 255.255.255.0
route 10.105.103.0 255.255.255.0
route 10.105.104.0 255.255.255.0
route 10.105.105.0 255.255.255.0
route 10.105.106.0 255.255.255.0
route 10.105.107.0 255.255.255.0

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth "windows path" 0 # This file is secret
CCD1

iroute 10.105.101.0 255.255.255.0
ifconfig-push 10.8.0.1 255.255.255.0
CCD2 and so on

iroute 10.105.102.0 255.255.255.0
ifconfig-push 10.8.0.2 255.255.255.0

Re: Increasing number of clients past 63

Posted: Thu Dec 14, 2017 3:16 pm
by TinCanTech

Re: Increasing number of clients past 63

Posted: Thu Dec 14, 2017 3:29 pm
by maxburn
TinCanTech wrote:
Thu Dec 14, 2017 3:16 pm
Please see https://openvpn.net/index.php/open-sour ... html#scope
Please be more specific? I've followed that section and it was working with the net30 configuration. You can see my iroute, route, client-to-client settings in those config files. The local LAN subnets aren't changing so I don't see any changes necessary in those config file options?
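As an added example (not posted by anyone in this thread), a small Python check that explains the 63-client limit from the first post and cross-checks CCD files against the server config the way the later posts do: it computes net30 capacity for a pool, verifies that each ifconfig-push pair is one of the /30 endpoint pairs the HOWTO requires for the Windows TAP driver, and flags any iroute that has no matching route on the server. The server config and CCD contents are constructed samples embedded inline; client3 is deliberately broken.

```python
import ipaddress

# Constructed sample in the style of the thread: trimmed net30 server config plus CCD files.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
route 10.105.101.0 255.255.255.0
route 10.105.102.0 255.255.255.0
"""
CCD = {
    "client1": "iroute 10.105.101.0 255.255.255.0\nifconfig-push 10.8.0.5 10.8.0.6",
    "client2": "iroute 10.105.102.0 255.255.255.0\nifconfig-push 10.8.0.9 10.8.0.10",
    "client3": "iroute 10.105.103.0 255.255.255.0\nifconfig-push 10.8.0.12 10.8.0.13",
}

def directives(text):
    """Yield (name, args) for each non-comment line of an OpenVPN config."""
    for line in text.splitlines():
        line = line.split("#")[0].split(";")[0].strip()
        if line:
            name, *args = line.replace('"', "").split()
            yield name, args

def net30_capacity(network):
    """net30 gives every client its own /30 and the server takes the first one."""
    return ipaddress.ip_network(network).num_addresses // 4 - 1

def valid_net30_pair(local, remote, network):
    """Windows TAP needs the .1/.2, .5/.6, ... endpoints of a /30 (HOWTO table)."""
    net = ipaddress.ip_network(network)
    l, r = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    if l not in net or r not in net:
        return False
    blk = ipaddress.ip_network(f"{l}/30", strict=False)
    # blk[0] == net[0] would be the server's own /30, so it is not a client pair
    return (l, r) == (blk[1], blk[2]) and blk[0] != net[0]

def check_ccd(server_conf, ccd):
    """Cross-check CCD files against the server config; return a list of problems."""
    conf = list(directives(server_conf))
    net = next(ipaddress.ip_network(f"{a[0]}/{a[1]}") for n, a in conf if n == "server")
    routes = {ipaddress.ip_network(f"{a[0]}/{a[1]}") for n, a in conf if n == "route"}
    problems = []
    if len(ccd) > net30_capacity(net):
        problems.append(f"{len(ccd)} CCD files exceed net30 capacity {net30_capacity(net)}")
    for cn, text in ccd.items():
        for name, args in directives(text):
            if name == "iroute" and ipaddress.ip_network(f"{args[0]}/{args[1]}") not in routes:
                problems.append(f"{cn}: iroute {args[0]} has no matching 'route' on the server")
            if name == "ifconfig-push" and not valid_net30_pair(args[0], args[1], net):
                problems.append(f"{cn}: ifconfig-push {args[0]} {args[1]} is not a valid net30 pair")
    return problems
```

Running check_ccd(SERVER_CONF, CCD) reports both client3 defects; net30_capacity("10.8.0.0/24") returns 63, which is the limit the HOWTO table gives for a /24.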