OpenVPN Support Forum

Hi there

I have setup a openvpn server on a remote server configured to allow clients to access each other's subnet.

Basic scenario like this:

Server: 192.168.120.0/24
Client1: 192.168.0.0/24
Client2: 10.78.20.0/24

I want client2 connect to the server and be able to access 192.168.0.0/24. I have added the following to server.conf:
in client1's ccd: I got this set up working fine. client2 can reach 192.168.0.0/24 and other devices in 192.168.0.0/24 can reach client2.

Then I wanted to configure static IP addresses for the clients. So I added ifconfig-push to the ccds. From that point client2 can't reach client1's subnet anymore, nor the server can.

I noticed that the samples in server.conf had the IP addresses swapped for ifconfig-push but it doesn't matter which way I put it they simply don't work. Remove ifconfig-push and everything worked as expected.

Can anyone think of any explanations?

what values did you use for the 'ifconfig-push' ?
If you're not using 'topology subnet' (which I guess you are not using) then you MUST push addresses from valid /30 network blocks. Each client is assigned a /30 network, which for the ifconfig-push means that

* for the first client you use 'ifconfig-push 192.168.120.6 192.168.120.5'
* for the second client you use 'ifconfig-push 192.168.120.10 192.168.120.9'
* for the third client you use 'ifconfig-push 192.168.120.14 192.168.120.13'

(i.e. +4 every time).

I am using the default which is net30. And I am doing /30 according to your example.

Would topology subnet be any good to try?

pick any valid /30 network which is different from what is assigned automatically, but which is still part of the original 'server x.x.x.x' range. Try and reconnect the client; post the relevant part of the server log file, esp the part where it is PUSHing out the configuration to the client. The .22 address should be mentioned there.

PUSH_REPLY,route 192.168.0.0 255.255.255.0 default 30,route 192.168.120.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.120.22 192.168.120.21

so the right info is pushed to the client - if the client does not use this new IP address then there's something weird going on at the client (is it configured to accept DHCP?).

The client is using the specified address.

The only difference is that if I use ifconfig-push then I can't reach other client's LAN subnet.

aha , now I get it...
can you try replacing

route 192.168.0.0 255.255.255.0 default 30

with 'default' is not a special keyword; also, after client1 has connected, what does the routing table look like (on client1) ?

Hm... I have tried that before. Basically I think I have RTFM and tried lots of different combinations. The issue is just if I use ifconfig-push then clients can't see each other's LAN. Actually nor the server can. But if I just let the server assign IPs to clients everything work as expected.

I have decided to live with dynamic IPs for now. I am just wondering if it is a known issue and have a solution.

I will go back and re-visit this if I have time later.

Thanks for your help though.

I have decided to live with dynamic IPs for now. I am just wondering if it is a known issue and have a solution.

it is not a known issue - I've just replicated your setup (without the "route 192.168.0.0 255.255.255.0 default 30") and it works fine : from one client I can ping hosts on the LAN behind another client, even though both clients are assigned static IPs using 'ifconfig-push' .

did you add 'client-to-client' on the server config ? or are you using other means to forward traffic between clients?

I do have client-to-client in the config.

hi there,

can you post both client/server configs?

Michael.