Hi Eike,
see comments/answers inline below
On 04/03/22 11:35, Eike Lohmann wrote:
> Hi,
> since 2006 we have been using openvpn in topology net30, use all rfc1918
> networks and configure the openvpn server process like this:
> ifconfig 172.16.0.1 172.16.0.2
> topology net30
> and clients like this:
> ifconfig-push 10.0.1.22 10.0.1.21
> topology net30
> ifconfig-push 172.21.5.222 172.21.5.221
> topology net30
> Routes into the server and routes, push commands to the client are set
> by an external process.
> Connected to our platform are all operating systems with a wide
> variety of openvpn versions.
> Now net30 is deprecated and subnet will be the recommended way in future.
> What about p2p? In the past Arne wrote: "Currently P2P mode of
> OpenVPN is one of the few places that cannot negotiate modern OpenVPN
> features." Will it be safe to use it in future or is it the next
> deprecated topology?
"deprecated" means it will be removed in a future version of OpenVPN
> subnet vs p2p from my point of view:
> - With topology subnet I always see that subnet as a route set on
> client side. Can I bypass this behavior?
nope, not really: the OS needs a route to the OpenVPN server tun
adapter. Even in p2p mode I see this
10.200.0.1 via 10.200.0.5 dev tun0 proto static metric 50
10.200.0.5 dev tun0 proto kernel scope link src 10.200.0.6 metric 50
i.e. there is a separate (/32) route to the VPN server address.
Admittedly, you could try to set a direct route, then remove any /(30-)
routes but this will need to be done manually on each client and I would
not guarantee that it will work for all operating systems (Android? iOS?)
There was an attempt from David in 2016.
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/95da6b6cd15d574
> - Windows can't do p2p or is it the TAP driver for windows?
the windows tap driver can do p2p like it has done in the past; I am not
sure about the newer wintun driver - that one might not be able to do p2p
> Is it possible to use both topologies on one openvpn server process?
AFAIK this is not possible with the current release
> Is it possible to use small subnet topologies /31 and push the first
> IP from that net as route-gw? Is this possible with windows?
> Thank you in advance for any hint in this!
what is the problem with the subnet route on the client side anyways? it
is not as if the VPN clients can contact each other, provided you do not
set up routing and/or client-to-client.
If your network security depends on this route not being visible on your
VPN clients then your network security is broken - all a rogue client
needs to do is the appropriate 'route add ....' and {s}he would get
that route that you so desperately want to hide.
HTH,
JJK
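The migration the thread circles around, moving client-config-dir (ccd) entries from the deprecated net30 form to topology subnet, as an added example that is not part of the original mail or of the OpenVPN project's own code. It assumes a constructed ccd entry modelled on the pairs Eike posted and a hypothetical server pool of 10.0.1.0/24; the pairing rule it checks (in net30 the client end is the address with addr mod 4 == 2 and the server end the one just below it) and the subnet form `ifconfig-push <client-ip> <netmask>` are the documented OpenVPN semantics. It refuses malformed legacy pairs and clients outside the pool rather than carrying them over silently.

```python
import ipaddress

# Constructed sample ccd entry in the net30 form shown in the thread:
# "ifconfig-push <client-end> <server-end>" plus the topology line.
CCD_NET30 = """\
ifconfig-push 10.0.1.22 10.0.1.21
topology net30
push "route 192.168.100.0 255.255.255.0"
"""


def net30_block(client_ip, peer_ip):
    """Validate a net30 endpoint pair and return its /30.

    In net30 every client consumes a /30: the client end is the address
    with (addr mod 4) == 2 and the server end is the one just below it
    with (addr mod 4) == 1 (e.g. 10.0.1.22 / 10.0.1.21).  Anything else
    is a misconfigured pair, so it raises ValueError rather than being
    silently carried over into the new topology.
    """
    client = ipaddress.IPv4Address(client_ip)
    peer = ipaddress.IPv4Address(peer_ip)
    if int(client) % 4 != 2 or int(peer) != int(client) - 1:
        raise ValueError(f"{client_ip} {peer_ip} is not a valid net30 pair")
    # peer - 1 is the aligned /30 network address, so strict mode is fine.
    return ipaddress.IPv4Network((int(peer) - 1, 30))


def is_net30_pair(client_ip, peer_ip):
    """Boolean wrapper around net30_block for quick checks."""
    try:
        net30_block(client_ip, peer_ip)
        return True
    except ValueError:
        return False


def net30_to_subnet(ccd_text, pool):
    """Rewrite one ccd entry from topology net30 to topology subnet.

    pool is the server's VPN subnet (assumed here: 10.0.1.0/24 for the
    sample).  In subnet topology ifconfig-push takes the client address
    and the pool netmask, and the client must actually lie inside the
    pool.  Lines other than ifconfig-push/topology pass through untouched.
    """
    net = ipaddress.IPv4Network(pool)
    out = []
    for line in ccd_text.splitlines():
        parts = line.split()
        if parts[:1] == ["topology"]:
            # topology is a server-wide setting (one process cannot mix
            # net30 and subnet), so every entry must end up saying the same.
            out.append("topology subnet")
        elif parts[:1] == ["ifconfig-push"] and len(parts) == 3:
            client_ip, peer_ip = parts[1], parts[2]
            net30_block(client_ip, peer_ip)  # refuse bad legacy pairs
            if ipaddress.IPv4Address(client_ip) not in net:
                raise ValueError(f"{client_ip} is outside pool {pool}")
            out.append(f"ifconfig-push {client_ip} {net.netmask}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(net30_to_subnet(CCD_NET30, "10.0.1.0/24"), end="")
```

Because a single server process cannot mix topologies, the conversion has to be applied to every ccd entry of that process in one go. Note that the converted client still receives a route for the whole pool, which is exactly the behaviour asked about above; as the reply points out, that route is not a security boundary either way, since any client can add it by hand.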
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users