ifconfig question

wjhildreth
OpenVpn Newbie
Posts: 4
Joined: Thu Jan 13, 2011 10:43 pm

ifconfig question

Post by wjhildreth » Sun Jan 16, 2011 7:15 pm

Hello all,

When the server specifies in the server.conf file the following:

dev tun0
ifconfig 172.16.16.1 172.16.16.2
// I understand that this sets the server's interface to 172.16.16.1 and the client's to 172.16.16.2
push "route 172.16.16.1"
// I understand that this tells the client to route 172.16.16.1 /32 to its assigned interface 172.16.16.2
route 172.16.16.0 255.255.255.0
// And this tells the server to route the network to 172.16.16.1

I know that this assigns 172.16.16.1 to the server and 172.16.16.2 to the client, but when the server uses a client config file and does this:

ifconfig-push 172.16.16.5 172.16.16.6

are the IP addresses just replaced with the new ones? If so, how does it affect the above push "route 172.16.16.1": does it route to 172.16.16.2, or does it route to 172.16.16.5, the new address of the client? Or is the ifconfig command in the server conf file replaced with the ifconfig-push directive in the client file?

Can someone please clear up the fog for me?

Regards,

Joe

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: ifconfig question

Post by krzee » Thu Jan 27, 2011 11:06 am

you should really see --server in the manual
it basically replaces a ton of what you are manually doing.
"I know that this assigns 172.16.16.1 to the server and 172.16.16.2 to the client"
not true in dev tun by default
by default openvpn uses topology net30 http://openvpn.net/index.php/open-sourc ... ml#slash30

wjhildreth
OpenVpn Newbie
Posts: 4
Joined: Thu Jan 13, 2011 10:43 pm

Re: ifconfig question

Post by wjhildreth » Thu Jan 27, 2011 7:03 pm

krzee,

Thanks for getting back to me. I took your suggestion and read the --server option in the man page and read the FAQ entitled "ifconfig-pool" option use a /30 subnet (4 private IP addresses per client) when used in TUN mode?

I have been running Untangle with its implementation of OpenVPN for the last couple of years with no issues, but decided I really wanted to learn how things worked so I can offer some support to a few friends of mine. Most of my study has been based on the config files that I have found on the server and a client. I will post the config files below. Maybe the implementation that they are using isn't as clean as it could be, but it gives me a starting point.

The Server Config

mode server
ca data/ca.cert
cert data/server.crt
key data/server.key
dh data/dh.pem
client-config-dir ccd
keepalive 10 120
cipher AES-128-CBC
user nobody
group nogroup
ccd-exclusive
tls-server
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 1
mute 20
management 127.0.0.1 1195
port 1194
dev tun0
ifconfig 172.16.16.1 172.16.16.2
push "route 172.16.16.1"
route 172.16.16.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
max-clients 500


My client config file on the server has

ifconfig-push 172.16.16.5 172.16.16.6


The config file on the client has

client
proto udp
resolv-retry 20
keepalive 10 120
cipher AES-128-CBC
nobind
mute-replay-warnings
ns-cert-type server
comp-lzo
verb 2
persist-key
persist-tun
verb 1
tls-exit
dev tun0
cert untangle-vpn/three-rivers-hospital-joe_hildreth.crt

key untangle-vpn/three-rivers-hospital-joe_hildreth.key

ca untangle-vpn/three-rivers-hospital-ca.crt

remote xxx.xxx.xxx.xxx 1194



//End of config files.

With the above does it make my question any more clear? Does the assignment not even take place or is it replaced with the directive in the client file on the server?

Regards,

Joe

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: ifconfig question

Post by krzee » Thu Feb 03, 2011 5:12 am

Here are my changes:
note, with topology subnet they will not each be on their own /30, the server will use .2 .3 .4

The Server Config

mode server
ca data/ca.cert
cert data/server.crt
key data/server.key
dh data/dh.pem
client-config-dir ccd
keepalive 10 120
cipher AES-128-CBC
user nobody
group nogroup
ccd-exclusive
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 1
mute 20
management 127.0.0.1 1195
port 1194
dev tun
server 172.16.16.0 255.255.255.0
topology subnet
push "route 192.168.2.0 255.255.255.0"
max-clients 500

Now that you are using topology subnet, static IPs look different

ifconfig-push 172.16.16.5 255.255.255.0
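
An added example (not from the thread and not OpenVPN's own code): a small Python check of a ccd ifconfig-push line against the two forms discussed above, an address pair inside one /30 under net30 and an address plus netmask under topology subnet. The function name and the sample lines are constructed for illustration, and it assumes the server owns the first address of the range, as with the `ifconfig 172.16.16.1 172.16.16.2` and `server 172.16.16.0 255.255.255.0` lines in the thread.

```python
import ipaddress

def check_ifconfig_push(line, server_directive, topology):
    """Return a list of problems (empty list = OK) for one ccd ifconfig-push line."""
    # server_directive has the form "server <network> <netmask>"
    _, net_addr, net_mask = server_directive.split()
    net = ipaddress.ip_network(f"{net_addr}/{net_mask}")
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return ["expected: ifconfig-push <address> <peer-or-netmask>"]
    try:
        local = ipaddress.IPv4Address(parts[1])
        second = ipaddress.IPv4Address(parts[2])
    except ValueError as exc:
        return [f"not an IPv4 address: {exc}"]
    problems = []
    if local not in net:
        problems.append(f"{local} is outside {net}")
    if topology == "subnet":
        # Second argument is the netmask of the whole VPN subnet.
        if second != net.netmask:
            problems.append(f"second argument should be netmask {net.netmask}")
        if local in (net.network_address, net.broadcast_address):
            problems.append(f"{local} is the network or broadcast address")
        if local == net.network_address + 1:
            problems.append(f"{local} is the server's own address")
    elif topology == "net30":
        # Second argument is the peer endpoint; both must share one /30.
        block = ipaddress.ip_network(f"{local}/30", strict=False)
        if {local, second} != set(block.hosts()):
            problems.append(f"{local} and {second} are not the two usable hosts of {block}")
        if block.network_address == net.network_address:
            problems.append(f"{block} is the /30 the server itself uses")
    else:
        problems.append(f"unknown topology {topology!r}")
    return problems

if __name__ == "__main__":
    server = "server 172.16.16.0 255.255.255.0"
    samples = [  # constructed sample lines, based on the values in the thread
        ("ifconfig-push 172.16.16.5 172.16.16.6", "net30"),
        ("ifconfig-push 172.16.16.5 255.255.255.0", "subnet"),
        ("ifconfig-push 172.16.16.5 172.16.16.6", "subnet"),
        ("ifconfig-push 172.16.16.1 172.16.16.2", "net30"),
    ]
    for line, topo in samples:
        print(topo, line, "->", check_ifconfig_push(line, server, topo) or "OK")
```

A net30-style line left in the ccd directory after switching to topology subnet is reported by the third sample, which is the mismatch the last post warns about.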
