OpenVPN seems to push wrong subnet mask to clients

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN seems to push wrong subnet mask to clients

Post by janjust » Mon Oct 17, 2011 7:21 am

For the record:
"net30 topology is more secure than subnet, to isolate different clients access each other."
is NOT true. 'topology subnet' is just as secure as 'topology net30'. Some things work a bit differently but it's just as easy to isolate clients in either mode.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: OpenVPN seems to push wrong subnet mask to clients

Post by Mimiko » Mon Oct 17, 2011 7:42 am

I see topology subnet as a switch, and topology net30 as a hub.

Holmes.Sherlock
OpenVPN User
Posts: 40
Joined: Wed Jul 06, 2011 4:51 am

Re: OpenVPN seems to push wrong subnet mask to clients

Post by Holmes.Sherlock » Mon Oct 17, 2011 7:45 am

@ Mimiko & janjust
Can you give me a clear comparison of both the topologies?

Holmes.Sherlock
OpenVPN User
Posts: 40
Joined: Wed Jul 06, 2011 4:51 am

Re: OpenVPN seems to push wrong subnet mask to clients

Post by Holmes.Sherlock » Mon Oct 17, 2011 8:26 am

Let me ask you one more question. From the diagram posted above, what you can see is that I'm creating one more OpenVPN subnet 10.172.0.0/24 on the server along with the already present subnet 10.100.0.0/24. The latter is also an OpenVPN network, but I don't have access to its server. The client config file has been provided, which, on connection, is supposed to provide that 10.100.0.0/24 subnet to the connecting client. The OpenVPN server box is allocated 10.100.0.2 (basically there is also an OpenVPN client process running in the server box). What I need to do is to give out IPs to the connecting client from this IP pool, i.e. 10.100.0.0/24. I was thinking of IP aliasing. Is there any easier way to achieve the same?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN seems to push wrong subnet mask to clients

Post by janjust » Mon Oct 17, 2011 9:40 am

"Can you give me a clear comparison of both the topologies?"
topology net30 is the default mode; each client is assigned a miniature /30 network containing 4 IP addresses:
10.8.0.64 network address (not used, but required)
10.8.0.65 virtual endpoint address (needed, but not pingable)
10.8.0.66 client VPN IP address
10.8.0.67 net30 broadcast address (not used, but required)

The IP address of the client is always X.Y.Z.(4*n+2), netmask 255.255.255.252, where "n" is 1,2,3,4 etc

topology subnet assigns a single IP address to each client, with netmask 255.255.255.0; it closely resembles 'dev tap' mode but there are fundamental differences.
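
The net30 layout described in the post above, worked through as an added example (not code from the thread or from OpenVPN). The function names and the 10.8.0.0/24 pool are assumptions chosen to match the addresses in the post; it maps any address seen in a log or firewall rule to its net30 role and derives the client address for a given "n".

```python
import ipaddress

# Roles of the four addresses in each client's /30, in the order given in the post.
ROLES = ("network address", "virtual endpoint", "client VPN IP", "net30 broadcast")


def role_of(addr):
    """Return the net30 role of an address, based on its offset inside its /30."""
    return ROLES[int(ipaddress.ip_address(addr)) & 3]


def net30_block(addr):
    """Return {role: address} for the /30 block that contains addr."""
    block = ipaddress.ip_network(f"{addr}/30", strict=False)
    # Iterating a network yields all four addresses, including network/broadcast.
    return dict(zip(ROLES, block))


def client_ip(pool, n):
    """Client address X.Y.Z.(4*n+2) for n = 1, 2, 3, ... as stated in the post."""
    net = ipaddress.ip_network(pool)
    if n < 1:
        raise ValueError("n starts at 1")
    ip = net.network_address + 4 * n + 2
    if ip not in net:
        raise ValueError(f"pool {net} has no /30 block for n={n}")
    return ip


def max_clients(pool):
    """Number of usable values of n in the pool (n = 0 is excluded, per the post)."""
    return ipaddress.ip_network(pool).num_addresses // 4 - 1


if __name__ == "__main__":
    pool = "10.8.0.0/24"  # assumed pool, matching the 10.8.0.x addresses in the post
    for role, ip in net30_block(client_ip(pool, 16)).items():
        print(f"{ip}  {role}")
    print("role of 10.8.0.65:", role_of("10.8.0.65"))
    print("clients that fit in", pool, "under net30:", max_clients(pool))
```
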
