Hi Jan,
thank you for your reply.
I will also comment inline below and describe what we do with OpenVPN.
We are connecting devices (e.g. mobile routers with SIM) via OpenVPN (in
tun mode only) for our customers and create "VPNs" on our platform.
On our "shared" platform all devices from our customers connect to the
same group of connected/routed OpenVPN servers.
After a connection is done, we add routing for that device and provide
firewall rules.
In many cases our customers have a "control server" and a lot of mobile
routers connected to our platform.
While the mobile routers have only one LAN behind them with few devices, the
"control servers" are inside the customer's network.
Therefore we just want to push small network ranges to the "control
servers" to avoid any conflict. The subnet topology does not match what
we want to achieve.
From the network point of view the p2p topology is the best, but most
of the "control servers" are Windows and do not support p2p.
Right now we use net30 for all products. If this will be deprecated or
less supported (e.g. crypto) in future we need to prepare for it.
We need to migrate many thousands of connections to subnet and/or p2p
topologies.
On 04.03.22 at 13:06, Jan Just Keijser wrote:
Hi Eike,
see comments/answers inline below
On 04/03/22 11:35, Eike Lohmann wrote:
Hi,
since 2006 we have been using OpenVPN in topology net30, use all RFC 1918
networks and configure the OpenVPN server process like this:
ifconfig 172.16.0.1 172.16.0.2
topology net30
and clients like this:
ifconfig-push 10.0.1.22 10.0.1.21
topology net30
ifconfig-push 172.21.5.222 172.21.5.221
topology net30
Routes into the server and routes, push commands to the client are
set by an external process.
Connected to our platform are all operating systems with a wide
variety of OpenVPN versions.
Now net30 is deprecated and subnet will be the recommended way in
future.
What about p2p? In the past Arne wrote: "Currently P2P mode of
OpenVPN is one of the few places that cannot negotiate modern OpenVPN
features." Will it be safe to use it in future or is it the next
deprecated topology?
"deprecated" means it will be removed in a future version of OpenVPN
subnet vs p2p from my point of view:
- With topology subnet I always see that subnet as a route set on the
client side. Can I bypass this behavior?
nope, not really: the OS needs a route to the OpenVPN server tun
adapter. Even in p2p mode I see this
10.200.0.1 via 10.200.0.5 dev tun0 proto static metric 50
10.200.0.5 dev tun0 proto kernel scope link src 10.200.0.6 metric 50
i.e. there is a separate (/32) route to the VPN server address.
Admittedly, you could try to set a direct route, then remove any
/(30-) routes but this will need to be done manually on each client
and I would not guarantee that it will work for all operating systems
(Android? iOS?)
There was an attempt from David in 2016.
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/95da6b6cd15d574
- Windows can't do p2p or is it the TAP driver for windows?
the Windows TAP driver can do p2p like it has done in the past; I am
not sure about the newer wintun driver - that one might not be able to
do p2p
Is it possible to use both topologies on one openvpn server process?
AFAIK this is not possible with the current release
Is it possible to use small subnet topologies /31 and push the first
IP from that net as route-gw? Is this possible with windows?
Thank you in advance for any hint in this!
what is the problem with the subnet route on the client side anyways?
I hope I could describe it above.
it is not as if the VPN clients can contact each other, provided you
do not set up routing and/or client-to-client.
If your network security depends on this route not being visible on
your VPN clients then your network security is broken - all a rogue
client needs to do is the appropriate 'route add ....' and {s}he
would get that route that you so desperately want to hide.
Nope, we try not to do security by obscurity. :-)
Regards, Eike
HTH,
JJK
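As an added illustration of the net30-to-subnet/p2p migration Eike describes (example code added here, not from the thread or from OpenVPN itself): a small Python helper that checks that a net30 "ifconfig-push" line really is a /30 client/endpoint pair, rewrites it for topology subnet or p2p, and shows the connected route the client OS will hold under each topology. The netmask 255.255.255.0 is an assumption; the server tun address 172.16.0.1 and the client addresses are the ones quoted in the thread.

```python
import ipaddress
import re

PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)\s*$")


def parse_net30_push(line):
    """Return (client_ip, endpoint_ip) from a net30 ifconfig-push line.

    net30 gives every client its own /30: network, server-side endpoint (+1),
    client (+2), broadcast (+3). A pair that does not sit in that position
    of a /30 block is rejected rather than silently converted.
    """
    m = PUSH_RE.match(line)
    if not m:
        raise ValueError("not an ifconfig-push line: %r" % line)
    client = ipaddress.IPv4Address(m.group(1))
    endpoint = ipaddress.IPv4Address(m.group(2))
    base = ipaddress.IPv4Network("%s/30" % client, strict=False).network_address
    if client != base + 2 or endpoint != base + 1:
        raise ValueError("%s %s is not a net30 client/endpoint pair" % (client, endpoint))
    return client, endpoint


def to_subnet(line, netmask):
    """Same client address expressed for topology subnet (address + netmask)."""
    client, _ = parse_net30_push(line)
    return "ifconfig-push %s %s" % (client, netmask)


def to_p2p(line, server_tun_ip):
    """Same client address expressed for topology p2p (address + remote endpoint)."""
    client, _ = parse_net30_push(line)
    return "ifconfig-push %s %s" % (client, server_tun_ip)


def link_route(line, topology, netmask=None, server_tun_ip=None):
    """Connected route the client OS holds for the tun link under each topology.

    net30: its own /30; subnet: the whole pool (the route Eike wants to avoid);
    p2p: only a host route to the remote endpoint, as in Jan's 'ip route' output.
    """
    client, _ = parse_net30_push(line)
    if topology == "net30":
        return str(ipaddress.IPv4Network("%s/30" % client, strict=False))
    if topology == "subnet":
        return str(ipaddress.IPv4Network("%s/%s" % (client, netmask), strict=False))
    if topology == "p2p":
        return "%s/32" % ipaddress.IPv4Address(server_tun_ip)
    raise ValueError("unknown topology %r" % topology)
```

Running every existing client line through parse_net30_push before rewriting it catches hand-edited entries whose addresses are not a proper /30 pair, which would otherwise be carried over unnoticed into the new topology.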
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users