Hi Jan,
your suggestion works perfectly with Linux!
(And yes, we are slowly moving towards ipv6. :-) )
I do:
mode server
ifconfig 10.0.0.1 255.255.255.255
push "topology subnet"
and then from ccd:
ifconfig-push 192.168.1.67 255.255.255.254
push "route 10.0.0.1 255.255.255.255 192.168.1.67"
and even a client on .66 works and can e.g. ping .67
ifconfig-push 192.168.1.66 255.255.255.254
push "route 10.0.0.1 255.255.255.255 192.168.1.66"
But Windows gives me headaches: on a freshly installed Win10 Professional
with openvpn 2.5.4 and tap 9.24 I get:
Wed Apr 06 09:33:20 2022 C:\Windows\system32\route.exe ADD 10.0.0.1 MASK
255.255.255.255 192.168.1.67
Wed Apr 06 09:33:20 2022 Warning: route gateway is not reachable on any
active network adapters: 192.168.1.67
Wed Apr 06 09:33:20 2022 Route addition via service failed
On another Win10 Professional (installed a long time ago and tested a lot
with various openvpn versions) with openvpn 2.5.4 and tap 9.24 I get:
2022-04-01 11:51:14 us=845369 Set TAP-Windows TUN subnet mode
network/local/netmask = 192.168.1.66/192.168.1.67/255.255.255.254
[SUCCEEDED]
2022-04-01 11:51:14 us=845369 Notified TAP-Windows driver to set a DHCP
IP/netmask of 192.168.1.67/255.255.255.254 on interface
{762859F0-B58D-4A48-8B7E-A63B0ED5D1ED} [DHCP-serv: 192.168.1.66,
lease-time: 31536000]
2022-04-01 11:51:14 us=845369 DHCP option string: 0f076d64 65782e64
6506082e 10d8c92e 10dcc9
2022-04-01 11:51:14 us=845369 Successful ARP Flush on interface [22]
{762859F0-B58D-4A48-8B7E-A63B0ED5D1ED}
2022-04-01 11:51:14 us=860941 do_ifconfig, ipv4=1, ipv6=0
2022-04-01 11:51:14 us=860941 MANAGEMENT:
>STATE:1648806674,ASSIGN_IP,,192.168.1.67,,,,
2022-04-01 11:51:14 us=860941 IPv4 MTU set to 1500 on interface 22 using
service
2022-04-01 11:51:20 us=45978 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0
u/d=down
2022-04-01 11:51:20 us=45978 Route: Waiting for TUN/TAP interface to
come up...
2022-04-01 11:51:26 us=254106 TEST ROUTES: 0/0 succeeded len=-1 ret=0
a=0 u/d=down
2022-04-01 11:51:26 us=254106 MANAGEMENT: >STATE:1648806686,ADD_ROUTES,,,,,,
2022-04-01 11:51:26 us=254106 C:\WINDOWS\system32\route.exe ADD
10.0.0.1 MASK 255.255.255.255 192.168.1.67
2022-04-01 11:51:26 us=254106 Route addition via service succeeded
...
TAP-Windows Adapter V9
Index = 22
GUID = {762859F0-B58D-4A48-8B7E-A63B0ED5D1ED}
IP = 0.0.0.0/0.0.0.0
MAC = 00:ff:76:28:59:f0
GATEWAY = 0.0.0.0/255.255.255.255
DHCP SERV = 0.0.0.0/255.255.255.255
DHCP LEASE OBTAINED = 2022-04-01 11:51:26
DHCP LEASE EXPIRES = 2022-04-01 11:51:26
DNS SERV =
...
2022-04-01 11:51:26 us=401216 Initialization Sequence Completed With
Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
2022-04-01 11:51:26 us=401216 MANAGEMENT:
>STATE:1648806686,CONNECTED,ERROR,192.168.1.67,46.16.220.221,1195,,
In this case the connection stays in state "yellow" and does not work.
On the fresh installation I changed many things to reproduce this behaviour:
- start GUI with and without admin rights
- enable/disable Firewall
- changed several tap interface settings
Without success.
Do you have any hints on that for me?
Would full logs help?
Thanks in advance, Eike.
On 08.03.22 at 23:00, Jan Just Keijser wrote:
Hi Eike,
On 08/03/22 10:48, Eike Lohmann wrote:
Hi Jan,
thank you for your reply.
I will comment also inline below and will describe what we do with
openvpn.
We are connecting devices (e.g. mobile router with sim) via openvpn
(in tun mode only) for our customers and create "vpns" on our platform.
On our "shared" platform all devices from our customers connect to
the same group of connected/routed openvpn servers.
After a connection is done, we add routing for that device and
provide firewall rules.
In many cases our customers have a "control server" and a lot of
mobile routers connected to our platform.
While the mobile routers have only one LAN behind them with few devices,
the "control servers" are inside the customer's network.
Therefore we just want to push small network ranges to the "control
servers" to avoid any conflict. The subnet topology does not match
what we want to achieve.
this config seems to do what you want **on linux** for a single client:
server config:
################
proto udp
port 1194
dev tun
server 10.222.0.0 255.255.255.0
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
cipher aes-256-cbc
auth sha256
persist-key
persist-tun
keepalive 10 60
topology subnet
user nobody
group nobody # use "group nogroup" on some distros
client-config-dir /etc/openvpn/mini
ccd-exclusive
################
and then
# cat /etc/openvpn/mini/client1
ifconfig-push 10.222.0.100 255.255.255.254
push "route 10.222.0.1 255.255.255.255 10.222.0.100"
i.e. the client certificate name is "client1" and it gets pushed IP
10.222.0.100/31
The extra route is needed to ensure that the client can reach the VPN
gateway. You will need to test it on Windows, of course.
Most likely it will be very cumbersome to maintain lots of CCD files
this way, but you can also use a client-connect script to write out
the above lines.
As an alternative, why not switch to use IPv6 exclusively for the VPN
- then you can pick your own IPv6 address range and not bother with
IPv4 clashes at all.
HTH,
JJK
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
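JJK's reply above suggests generating the per-client CCD lines (the `/31` `ifconfig-push` plus the host route back to the VPN gateway) from a `client-connect` script instead of maintaining one CCD file per device. The script below is an added example written for this page; it is not code from the thread or from the OpenVPN project. It assumes a hypothetical assignment table embedded in the script (a real deployment would query the platform's database), a hypothetical install path `/etc/openvpn/mini-cc.sh`, and the server-side tun address `10.222.0.1` from JJK's `server 10.222.0.0 255.255.255.0` line. OpenVPN calls a `client-connect` script with the client's common name in `$common_name` and a temporary file path in `$1`; whatever the script writes to that file is read as if it were the client's CCD file, and a non-zero exit rejects the client, which preserves the effect of `ccd-exclusive` for unknown certificates.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN client-connect script that writes
# the same two lines JJK puts in /etc/openvpn/mini/client1, generated per client.
# Server config (hypothetical path, script-security 2 is required for scripts):
#   script-security 2
#   client-connect /etc/openvpn/mini-cc.sh
# OpenVPN sets $common_name and passes a temp file as $1; the file is treated
# exactly like a CCD file. Exit non-zero => client rejected (keeps ccd-exclusive
# semantics: no assignment, no connection).

# Hypothetical assignment table (common name -> /31 address), one "cn ip" per
# line. Stands in for the platform's database; constructed for this example.
ASSIGNMENTS='client1 10.222.0.100
client2 10.222.0.102
router-0815 192.168.1.67'

# Server-side tun address the client must still be able to reach (from
# "server 10.222.0.0 255.255.255.0" in JJK's config); overridable via env.
VPN_GATEWAY=${VPN_GATEWAY:-10.222.0.1}

# lookup_ip CN: print the address assigned to CN; return 1 if CN is unknown.
lookup_ip() {
    printf '%s\n' "$ASSIGNMENTS" |
        awk -v cn="$1" '$1 == cn { print $2; found = 1 } END { if (found) exit 0; exit 1 }'
}

# valid_ipv4 A.B.C.D: return 0 only for four numeric octets in 0..255.
# The table is trusted here, but validating before interpolating into a
# config line keeps a corrupted or attacker-influenced record from injecting
# extra directives (the written file is parsed like any OpenVPN config).
valid_ipv4() {
    printf '%s' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# ccd_lines CN: print the two CCD lines for CN, or return 1 if CN is unknown
# or its stored address is malformed.
ccd_lines() {
    ip=$(lookup_ip "$1") || return 1
    valid_ipv4 "$ip" || return 1
    # /31 on the client (RFC 3021 point-to-point style, netmask 255.255.255.254)
    printf 'ifconfig-push %s 255.255.255.254\n' "$ip"
    # host route to the VPN gateway via the client's own address, so the
    # gateway stays reachable although it is outside the pushed /31
    printf 'push "route %s 255.255.255.255 %s"\n' "$VPN_GATEWAY" "$ip"
}

# Entry point when OpenVPN runs the script: $common_name set, $1 = temp file.
# Guarded so that sourcing the file (e.g. for tests) does not execute it.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    if ! ccd_lines "$common_name" > "$1"; then
        echo "client-connect: no valid assignment for '$common_name'" >&2
        exit 1
    fi
fi
```

With the `router-0815` entry in the table this emits exactly the pair Eike uses (`ifconfig-push 192.168.1.67 255.255.255.254` and the route to `10.0.0.1` via `192.168.1.67` when `VPN_GATEWAY=10.0.0.1`). The script does nothing about the Windows route-addition failure Eike reports; it only removes the need to hand-maintain CCD files.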