OpenVPN Topology Subnet Configuration Migration

Akito
OpenVpn Newbie
Posts: 17
Joined: Thu Mar 28, 2019 12:31 am

OpenVPN Topology Subnet Configuration Migration

Post by Akito » Mon Feb 14, 2022 7:29 pm

viewtopic.php?f=6&t=33728&p=104949#p104949

As seen above, I migrated for the most part from the now deprecated `net30` to the new default `subnet` network topology.

So far, migration is almost complete. There is only one thing left, regarding the routes created when the client starts up and connects.

You can get the client and server config from above. The difference in the server config is now that `push "route 10.35.0.0 255.255.255.0"` is commented out and the `topology subnet` option is added.

Due to the topology change, the custom client configuration had to be changed, as well.

ifconfig-push 10.190.0.12 255.255.255.252

Now the issue looks like this. When the client starts up and connects, the routing table on the client looks like this:

default via 10.35.0.1 dev eth0
10.35.0.0/24 via 10.190.0.12 dev tun0
10.35.0.0/16 via 10.35.0.1 dev eth0
10.190.0.0/16 via 10.190.0.12 dev tun0

But it needs to look like this:

default via 10.35.0.1 dev eth0
10.35.0.0/24 dev eth0 proto kernel scope link src 10.35.0.195
10.35.0.0/16 via 10.35.0.1 dev eth0
10.190.0.0/16 via 10.190.0.12 dev tun0

`10.35.0.195` being the client's native IP address (`eth0`).
`10.190.0.12` being the client's VPN IP address (`tun0`).

I am not sure what configuration I have to change to make the routes appear correct, even after the client has started up and connected. I am not sure which routes are pushed, where from, and where to.
It would be nice if I could be pointed in the direction of where I need to adjust the configuration to make the routes appear correctly, as shown above.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Topology Subnet Configuration Migration

Post by TinCanTech » Mon Feb 14, 2022 7:53 pm

Akito wrote (Mon Feb 14, 2022 7:29 pm):
    ifconfig-push 10.190.0.12 255.255.255.252

You have misunderstood how --topology works.

You must replace all your net30 configuration with a subnet configuration.

If your server is:

server 10.190.0.0 255.255.0.0

Then your client CCD file is:

ifconfig-push 10.190.0.12 255.255.0.0

It may be possible to customise that, if you have a deep understanding of IP address space and routing.
But then you have to pull all the OpenVPN code apart to manually do all the things that macros like --server do for you.

Akito
OpenVpn Newbie
Posts: 17
Joined: Thu Mar 28, 2019 12:31 am

Re: OpenVPN Topology Subnet Configuration Migration

Post by Akito » Mon Feb 14, 2022 10:06 pm

TinCanTech wrote (Mon Feb 14, 2022 7:53 pm):
    Akito wrote (Mon Feb 14, 2022 7:29 pm):
        ifconfig-push 10.190.0.12 255.255.255.252

    You have misunderstood how --topology works.

    You must replace all your net30 configuration with a subnet configuration.

You have misunderstood how my configuration works.

It was

ifconfig-push 10.190.0.12 10.190.0.12

As in `IP` to `Remote IP`.

Then I changed to `subnet`, which means I changed the `Remote IP` part to the mask, as required by the `subnet` topology.

The whole purpose of the custom client configuration is that I require each client to have its own static IP. I don't want them to have a range of IPs available, but only the single IP I want them to have.
The reason why I gave more than a single one is that apparently 4 is the minimum in this case.

Source:
https://serverfault.com/a/867558/405521

There is no point in my scenario to have a custom client config in the first place, if it does not assign a static IP, which never changes across reconnects, etc.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Topology Subnet Configuration Migration

Post by TinCanTech » Mon Feb 14, 2022 10:27 pm

Akito wrote (Mon Feb 14, 2022 10:06 pm):
    You have misunderstood how my configuration works.

No I have not, because I know why your configuration does not work.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: OpenVPN Topology Subnet Configuration Migration

Post by Pippin » Mon Feb 14, 2022 11:14 pm

Akito,

The configuration for topology subnet is different.
In the client-specific file (ccd file) you specify the client tun address with the same netmask stated in the directive --server.
An example is already given in the previous and this topic.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

Akito
OpenVpn Newbie
Posts: 17
Joined: Thu Mar 28, 2019 12:31 am

Re: OpenVPN Topology Subnet Configuration Migration

Post by Akito » Tue Feb 15, 2022 12:28 pm

Pippin wrote (Mon Feb 14, 2022 11:14 pm):
    In the client specific file (ccd file) you specify the client tun address with the same netmask stated in the directive --server.

Then there is no point in using the CCD file in the first place, except that it actually provides the static IP that is written in the CCD file with a generous netmask. The IPs need to be static -- that's the whole reason this particular CCD file exists in the first place...

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: OpenVPN Topology Subnet Configuration Migration

Post by Pippin » Tue Feb 15, 2022 1:14 pm

Hi,

Have you actually tried it?
What makes you think the netmask determines which IP the client gets?

The tunnel IP is static, given by
ifconfig-push 10.190.0.12 255.255.0.0
You can kind of see --ifconfig-push as a DHCP reservation based on MAC address.
The difference is that in OpenVPN's case it is based on the client's common name in its certificate (instead of the MAC address).

--topology subnet takes one IP (/32) from the tunnel net (whether with or without ccd).
It works like normal networking.

--topology net30 takes four (/30) IPs from the tunnel net.
It was once invented as a workaround for how Windows handled networking, but has been obsolete for some time now.
Best is to forget about net30...
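As an added example that is not part of this thread or of OpenVPN's own code, here is a small Python checker that applies the rule TinCanTech and Pippin describe: under topology subnet the ifconfig-push netmask must equal the --server netmask (one /32 per client), while under net30 the second argument is a peer address in the same /30 (four IPs per client). The config strings are constructed from values quoted in the thread; the function names are my own.

```python
import ipaddress

# Constructed samples from values quoted in the thread: TinCanTech's server line, Akito's CCD variants.
SERVER_CONF = "server 10.190.0.0 255.255.0.0\ntopology subnet\n"
CCD_NET30 = "ifconfig-push 10.190.0.12 10.190.0.12"      # old remote-IP form
CCD_MIXED = "ifconfig-push 10.190.0.12 255.255.255.252"  # /30 mask under subnet
CCD_OK = "ifconfig-push 10.190.0.12 255.255.0.0"         # mask matches --server

def parse_server(conf):
    """Return (tunnel network, topology) from a minimal server config."""
    net, topology = None, None
    for parts in (line.split() for line in conf.splitlines()):
        if len(parts) == 3 and parts[0] == "server":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif len(parts) == 2 and parts[0] == "topology":
            topology = parts[1]
    return net, topology

def is_netmask(text):
    """True only for a contiguous dotted netmask such as 255.255.0.0."""
    try:
        host_bits = ~int(ipaddress.IPv4Address(text)) & 0xFFFFFFFF
    except ValueError:
        return False
    return host_bits & (host_bits + 1) == 0

def check_ccd(ccd_line, server_net, topology):
    """Return the problems found; an empty list means the CCD line is consistent."""
    if topology not in ("subnet", "net30"):
        return ["topology must be set to subnet or net30 in the server config"]
    parts = ccd_line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return ["expected: ifconfig-push <address> <netmask or peer>"]
    addr, second = ipaddress.ip_address(parts[1]), parts[2]
    problems = []
    if addr not in server_net:
        problems.append(f"{addr} is outside the tunnel network {server_net}")
    if topology == "subnet":
        # One /32 per client: the mask must be exactly the --server netmask.
        if not is_netmask(second):
            problems.append(f"{second} is a peer address (net30 style); subnet needs netmask {server_net.netmask}")
        elif ipaddress.ip_address(second) != server_net.netmask:
            problems.append(f"netmask {second} does not match server netmask {server_net.netmask}")
    else:
        # One /30 per client: address and peer must sit in the same /30 block.
        if is_netmask(second):
            problems.append("net30 needs a peer address, not a netmask")
        elif ipaddress.ip_network(f"{addr}/30", strict=False) != ipaddress.ip_network(f"{second}/30", strict=False):
            problems.append(f"{addr} and {second} are not in the same /30")
    return problems
```

Running `check_ccd` on the three CCD strings against `SERVER_CONF` flags the first two and accepts only the one whose mask matches the server netmask.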
