Hi Eike,

On 08/03/22 10:48, Eike Lohmann wrote:
> Hi Jan,
> 
> thank you for your reply.
> 
> I will also comment inline below and describe what we do with OpenVPN.
> 
> We are connecting devices (e.g. mobile routers with a SIM) via OpenVPN (in tun mode only) for our customers and create "VPNs" on our platform.
> 
> On our "shared" platform, all devices from our customers connect to the same group of connected/routed OpenVPN servers.
> 
> After a connection is made, we add routing for that device and provide firewall rules.
> 
> In many cases our customers have a "control server" and a lot of mobile routers connected to our platform.
> 
> While the mobile routers have only one LAN behind them with few devices, the "control servers" are inside the customer's network.
> 
> Therefore we just want to push small network ranges to the "control servers" to avoid any conflict. The subnet topology does not match what we want to achieve.

This config seems to do what you want **on Linux** for a single client:

server config:

################
proto udp
port 1194
dev tun

server 10.222.0.0 255.255.255.0

dh       /etc/openvpn/dh2048.pem
ca       /etc/openvpn/ca.crt
cert     /etc/openvpn/server.crt
key      /etc/openvpn/server.key

cipher aes-256-cbc
auth   sha256

persist-key
persist-tun
keepalive 10 60

topology subnet

user  nobody
# use "group nogroup" on some distros
group nobody

client-config-dir /etc/openvpn/mini
ccd-exclusive

################

and then
  # cat /etc/openvpn/mini/client1
  ifconfig-push 10.222.0.100 255.255.255.254
  push "route 10.222.0.1 255.255.255.255 10.222.0.100"

i.e. the client certificate name is "client1", and it gets pushed the IP 10.222.0.100/31.

The extra route is needed to ensure that the client can reach the VPN gateway. You will need to test it on Windows, of course.

Most likely it will be very cumbersome to maintain lots of CCD files this way, but you can also use a client-connect script to write out the above lines.

As an alternative, why not switch to using IPv6 exclusively for the VPN? Then you can pick your own IPv6 address range and not bother with IPv4 clashes at all.

HTH,

JJK
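A minimal client-connect script of the kind mentioned above, added here as an illustration and not part of the thread or of OpenVPN itself: it writes the same two per-client lines as the CCD file, keyed on the client's certificate CN, so no CCD files have to be maintained by hand. The allocation table (client1 → .100, client2 → .102) and the 10.222.0.0/24 range are constructed for the example; in production the table would come from the platform's database.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenVPN client-connect script.
# OpenVPN invokes it as   client-connect /path/to/this/script
# with the path of a temporary config file as $1 and the client's
# certificate CN in $common_name (both part of OpenVPN's script interface).
# Whatever we write into $1 is pushed to that client; a non-zero exit
# rejects the connection, which mirrors the effect of ccd-exclusive.
#
# Assumptions (constructed for this example): VPN range 10.222.0.0/24,
# server on 10.222.0.1, each client gets a /31 whose 4th octet is even.

VPN_NET_PREFIX="10.222.0"
VPN_GATEWAY="10.222.0.1"

# Hypothetical allocation table: CN -> even 4th octet of the client's /31.
client_octet() {
    case "$1" in
        client1) echo 100 ;;
        client2) echo 102 ;;
        *)       return 1 ;;   # unknown CN: refuse the connection
    esac
}

# Print the two lines to push for a CN; returns 1 for an unknown CN.
# (POSIX sh has no "local", so octet/ip are plain variables.)
ccd_lines() {
    octet=$(client_octet "$1") || return 1
    ip="${VPN_NET_PREFIX}.${octet}"
    # /31 on the client side, exactly as in the hand-written CCD file
    printf 'ifconfig-push %s 255.255.255.254\n' "$ip"
    # host route so the client can still reach the VPN gateway
    printf 'push "route %s 255.255.255.255 %s"\n' "$VPN_GATEWAY" "$ip"
}

# Entry point when run by OpenVPN; does nothing when sourced for testing.
if [ -n "$common_name" ] && [ -n "$1" ]; then
    ccd_lines "$common_name" > "$1" || exit 1
fi
```

Like the CCD approach, this only assigns addresses; the routing and firewall rules the platform adds after connect are still needed, and the pushed /31 behaviour should be verified on Windows clients.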



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
