topology subnet



kovica
OpenVpn Newbie
Posts: 13
Joined: Tue Nov 13, 2012 12:31 am

topology subnet

Post by kovica » Fri Sep 16, 2022 2:24 pm

Hi,
I have problems configuring topology subnet in a way that server and client have different IPs.
server.conf:


dev ovpns3
verb 1
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local XXX.XXX.XXX.XXX
engine rdrand
tls-server
server 172.30.10.0 255.255.255.0
client-config-dir /var/etc/openvpn/server3/csc
ifconfig 172.30.10.1 172.30.10.2
lport 1196
management /var/etc/openvpn/server3/sock unix
capath /var/etc/openvpn/server3/ca
cert /var/etc/openvpn/server3/cert
key /var/etc/openvpn/server3/key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server3/tls-auth 0
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
persist-remote-ip
float
topology subnet
explicit-exit-notify 1
inactive 300
client.conf:


dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote XXX.XXX.XXX.XXX 1196 udp4
nobind
remote-cert-tls server
explicit-exit-notify
verb 4
Server also pushes stuff to client:


ifconfig-push 172.30.20.10 255.255.255.0
push "route 172.20.11.0 255.255.0.0"
Client can connect to server, but setting that route gives:


2022-09-16 16:19:15 us=228587 net_addr_v4_add: 172.30.20.10/24 dev tun1
2022-09-16 16:19:15 us=228922 net_route_v4_add: 172.20.11.0/16 via 172.30.10.1 dev [NULL] table 0 metric -1
2022-09-16 16:19:15 us=228976 sitnl_send: rtnl: generic error (-22): Invalid argument
2022-09-16 16:19:15 us=229033 ERROR: Linux route add command failed
PUSH on the client side looks like this:


PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.30.10.1,topology subnet,ping 10,ping-restart 60,route 172.20.11.0 255.255.0.0,ifconfig 172.30.20.10 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Is it even possible to have server on IP 172.30.10.1 and client on IP 172.30.20.10? If yes, how? Using topology subnet.

Best regards,
Kovi

Pippin
Forum Team
Posts: 1200
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: topology subnet

Post by Pippin » Fri Sep 16, 2022 5:12 pm

Hi,

You are using pfSense; you will probably have more success on the Netgate forums, also because it uses a WebGUI:
https://forum.netgate.com/
https://docs.netgate.com/pfsense/en/lat ... index.html

> Is it even possible to have server on IP 172.30.10.1 and client on IP 172.30.20.10? If yes, how? Using topology subnet.
They must have an IP in the same tunnel subnet, so no.

These two might help understand:
https://community.openvpn.net/openvpn/w ... acketsFlow
https://community.openvpn.net/openvpn/w ... gConflicts
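The constraint Pippin describes can be checked before a client ever connects. The script below is an added example written for this thread; it is not part of OpenVPN, pfSense or the poster's setup. It parses a constructed server.conf and some hypothetical client-config-dir entries modelled on the snippets above, and reports two things visible in the thread: an `ifconfig-push` address outside the `server` subnet (so the pushed `route-gateway` is not on-link for the client), and a pushed route such as `route 172.20.11.0 255.255.0.0` whose network address has host bits set, which Linux refuses with EINVAL independently of the gateway. For `topology net30` it applies only the necessary condition that both endpoints share one /30 inside the pool; OpenVPN's own net30 rules are stricter than that.

```python
import ipaddress

# Constructed sample inputs modelled on the thread's snippets (not the poster's real files).
SERVER_CONF = """\
server 172.30.10.0 255.255.255.0
topology subnet
push "route 172.20.11.0 255.255.0.0"
"""

# Hypothetical client-config-dir entries; the first mirrors the failing push from the thread.
CCD = {
    "kovi-laptop": "ifconfig-push 172.30.20.10 255.255.255.0",
    "other-host": "ifconfig-push 172.30.10.50 255.255.255.0",
}


def parse_server_conf(conf):
    """Return (tunnel_network, topology, [(route_net, route_mask), ...]) from server.conf text."""
    net, topology, routes = None, "net30", []   # net30 is OpenVPN's default topology
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].replace('"', "").split()
        if not parts:
            continue
        if parts[0] == "server" and len(parts) >= 3:
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "topology" and len(parts) == 2:
            topology = parts[1]
        elif parts[:2] == ["push", "route"] and len(parts) >= 4:
            routes.append((parts[2], parts[3]))
    if net is None:
        raise ValueError("server.conf has no 'server' directive")
    return net, topology, routes


def check_ifconfig_push(net, topology, ccd_line):
    """Return (ok, reason) for one ccd 'ifconfig-push' line against the tunnel network."""
    parts = ccd_line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return False, f"cannot parse {ccd_line!r}"
    client_ip = ipaddress.IPv4Address(parts[1])
    gateway = net.network_address + 1   # the server's tunnel IP, pushed as route-gateway
    if topology == "subnet":
        # Second argument is a netmask: the client must sit in the server's tunnel subnet,
        # otherwise the pushed route-gateway is not on-link and every pushed route fails.
        if client_ip not in net:
            return False, (f"{client_ip} is outside tunnel subnet {net}; "
                           f"route-gateway {gateway} would be unreachable")
        client_net = ipaddress.IPv4Network(f"{client_ip}/{parts[2]}", strict=False)
        if client_net != net:
            return False, f"netmask {parts[2]} does not match tunnel subnet {net}"
        return True, f"{client_ip} is inside {net}; gateway {gateway} is on-link"
    # net30: second argument is the peer endpoint; both must lie in one /30 inside the pool
    # (a necessary condition only; OpenVPN's net30 pairing rules are stricter).
    peer_ip = ipaddress.IPv4Address(parts[2])
    pair = ipaddress.IPv4Network(f"{client_ip}/30", strict=False)
    if client_ip not in net or peer_ip not in net or peer_ip not in pair:
        return False, f"{client_ip} and {peer_ip} do not form a /30 pair inside {net}"
    return True, f"{client_ip} and {peer_ip} form a /30 pair inside {net}"


def check_pushed_route(route_net, route_mask):
    """Flag a pushed route whose network has host bits set (Linux refuses it with EINVAL)."""
    try:
        ipaddress.IPv4Network(f"{route_net}/{route_mask}", strict=True)
    except ValueError:
        canonical = ipaddress.IPv4Network(f"{route_net}/{route_mask}", strict=False)
        return False, f"{route_net} {route_mask} has host bits set; did you mean {canonical}?"
    return True, f"{route_net} {route_mask} is a valid network address"


def audit(conf, ccd):
    """Run every check and return a list of (subject, ok, reason) tuples."""
    net, topology, routes = parse_server_conf(conf)
    results = [(name, *check_ifconfig_push(net, topology, line)) for name, line in ccd.items()]
    results += [(f"route {r} {m}", *check_pushed_route(r, m)) for r, m in routes]
    return results


if __name__ == "__main__":
    for subject, ok, reason in audit(SERVER_CONF, CCD):
        print(f"{'OK  ' if ok else 'FAIL'} {subject}: {reason}")
```

Run as-is it reports FAIL for `kovi-laptop` (172.30.20.10 is outside 172.30.10.0/24), OK for `other-host`, and FAIL for the pushed route because 172.20.11.0 with mask 255.255.0.0 is not a network address. Pointing the script at real files means reading `server.conf` and each file under `client-config-dir` into the same two inputs.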

kovica
OpenVpn Newbie
Posts: 13
Joined: Tue Nov 13, 2012 12:31 am

Re: topology subnet

Post by kovica » Tue Sep 20, 2022 9:00 pm

Hi,
sorry for the late reply, but thank you for clearing things up. So I guess I'm stuck with net30 for now.
