Why does this allocation of client static IP in OpenVPN fail?

11,777

This problem is created because OpenVPN is trying to parse your ifconfig options as an IP followed by a subnet mask.

According to the man page:

--topology mode

...

subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode allocates a single IP address per connecting client and works on Windows as well. Only available when server and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the --topology directive code. When used on Windows, requires version 8.2 or higher of the TAP-Win32 driver. When used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a remote endpoint IP address.

This option exists in OpenVPN 2.1 or higher.

Note: Using --topology subnet changes the interpretation of the arguments of --ifconfig to mean "address netmask", no longer "local remote".

--ifconfig l rn

Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices in point-to-point mode, rn is the IP address of the remote VPN endpoint. For TAP devices, or TUN devices used with --topology subnet, rn is the subnet mask of the virtual network segment which is being created or connected to. For TUN devices, which facilitate virtual point-to-point IP connections (when used in --topology net30 or p2p mode), the proper usage of --ifconfig is to use two private IP addresses which are not a member of any existing subnet which is in use. The IP addresses may be consecutive and should have their order reversed on the remote peer. After the VPN is established, by pinging rn, you will be pinging across the VPN.

For TAP devices, which provide the....

Inside your server config, you set your topology to subnet, and then push it to the client using the server statement.

According to the above documentation, instead of pushing your ifconfig using a "local" and "remote" address, you need to add the following to "/etc/openvpn/ccd/W7LocalVM":

# with topology subnet the arguments are <address> <netmask>, not <local> <remote>
ifconfig-push 10.5.24.210 255.255.255.252
# push takes a single, quoted option string
push "route 10.5.24.210 255.255.255.252"
# ifconfig 10.5.24.209 255.255.255.252

The last line is probably not needed, but is left as an example of what ifconfig-push "should" do on the server side to make the connection work.

Author: Magnus
Updated on September 18, 2022
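The failure in the question is a parsing one: under topology subnet OpenVPN reads the second ifconfig-push argument as a netmask, so the server address 10.5.24.209 becomes a nonsense mask and the Windows client aborts with "offset is outside of --ifconfig subnet". The script below is an added example, not code from the original question or answer. It parses the topology and server directives of a server.conf and checks each ccd ifconfig-push against them: the pushed address must be a usable host in the pool and not one the server keeps for itself; under topology subnet the second argument must be a real netmask, and per the manual's definition of rn (the mask of the virtual network segment) it should equal the server's 255.255.255.240, which goes further than the /30 in the answer; under the default net30 topology the two arguments must be the usable pair of one /30. It also flags a push line whose option string is not quoted. The server.conf fragment and ccd contents embedded in it are constructed to mirror the question.

```python
"""Validate OpenVPN client-config-dir (ccd) entries against the server's pool
and topology.  Added example, not code from the original page: the file
contents below are constructed to mirror the question's server.conf and ccd."""
import ipaddress
import shlex
from typing import Dict, List, Optional

# Constructed: the topology- and pool-relevant lines of the question's server.conf.
SERVER_CONF_SUBNET = """\
dev tun
topology subnet
server 10.5.24.208 255.255.255.240   # usable hosts .209-.222
client-config-dir ccd
"""
SERVER_CONF_NET30 = SERVER_CONF_SUBNET.replace("topology subnet", "topology net30")

# Constructed ccd/<common-name> contents.
CCD = {
    "broken":    "ifconfig-push 10.5.24.210 10.5.24.209\n",      # the question's file
    "fixed":     "ifconfig-push 10.5.24.210 255.255.255.240\n",  # mask of the /28 segment
    "mask_30":   "ifconfig-push 10.5.24.210 255.255.255.252\n",  # mask narrower than the pool
    "unquoted":  "ifconfig-push 10.5.24.210 255.255.255.240\npush route 10.5.24.210 255.255.255.252\n",
    "net30_ok":  "ifconfig-push 10.5.24.214 10.5.24.213\n",      # second /30 of the pool
    "net30_bad": "ifconfig-push 10.5.24.214 10.5.24.215\n",      # .215 is that /30's broadcast
}


def parse_directives(text: str) -> Dict[str, List[List[str]]]:
    """Map directive -> list of argument lists, in file order.  shlex honours
    OpenVPN's quoting, so push "route a b" yields one argument."""
    out: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw
        for marker in ("#", ";"):                 # both start a comment in OpenVPN
            line = line.split(marker, 1)[0]
        parts = shlex.split(line)
        if parts:
            out.setdefault(parts[0], []).append(parts[1:])
    return out


def parse_netmask(s: str) -> Optional[ipaddress.IPv4Address]:
    """Dotted netmask -> IPv4Address, or None when s is not a contiguous mask
    (e.g. the peer address 10.5.24.209 from the question)."""
    try:
        return ipaddress.IPv4Network(f"0.0.0.0/{s}").netmask
    except ValueError:
        return None


def check_ccd(server_conf: str, ccd_text: str) -> List[str]:
    """Return the problems found in one ccd file; an empty list means it is
    consistent with the server's 'topology' and 'server' directives."""
    srv = parse_directives(server_conf)
    topology = srv.get("topology", [["net30"]])[0][0]   # OpenVPN's default is net30
    net, mask = srv["server"][0][:2]
    try:
        pool = ipaddress.IPv4Network(f"{net}/{mask}")    # strict: must be a network address
    except ValueError as e:
        return [f"server directive: {e}"]
    hosts = list(pool.hosts())
    # 'server' keeps the first host (subnet) or the first /30 pair (net30) for itself.
    reserved = set(hosts[:2]) if topology == "net30" else {hosts[0]}

    ccd = parse_directives(ccd_text)
    problems: List[str] = []
    for args in ccd.get("push", []):
        if len(args) != 1:
            problems.append('push takes one quoted option string, e.g. push "route 10.0.0.0 255.0.0.0"')
    if "ifconfig-push" not in ccd:
        return problems + ["no ifconfig-push directive"]
    args = ccd["ifconfig-push"][0]
    if len(args) < 2:
        return problems + ["ifconfig-push needs two arguments"]
    try:
        local = ipaddress.IPv4Address(args[0])
    except ValueError:
        return problems + [f"ifconfig-push: {args[0]!r} is not an IPv4 address"]
    if local not in hosts:
        problems.append(f"{local} is not a usable host address in pool {pool}")
    elif local in reserved:
        problems.append(f"{local} is used by the server itself")

    if topology == "subnet":
        pushed = parse_netmask(args[1])
        if pushed is None:
            problems.append(f"topology subnet: second argument {args[1]!r} must be a netmask, not a peer address")
        elif pushed != pool.netmask:
            problems.append(f"pushed netmask {pushed} differs from the server's {pool.netmask}")
    else:
        try:
            remote = ipaddress.IPv4Address(args[1])
        except ValueError:
            return problems + [f"topology {topology}: second argument {args[1]!r} must be the remote endpoint address"]
        if topology == "net30":
            pair = ipaddress.IPv4Network(f"{local}/30", strict=False)
            if remote == local or remote not in pair.hosts():
                problems.append(f"{local} and {remote} are not the two usable addresses of one /30 ({pair})")
    return problems


if __name__ == "__main__":
    for name, text in CCD.items():
        conf = SERVER_CONF_NET30 if name.startswith("net30") else SERVER_CONF_SUBNET
        print(f"{name:10s} -> {check_ccd(conf, text) or 'OK'}")
```

Run it with the real files (`check_ccd(open("server.conf").read(), open("ccd/W7LocalVM").read())`) before restarting the server; the broken entry from the question is reported as a netmask problem, and an unquoted `push route ...` line is caught as well, which OpenVPN itself would otherwise reject at startup.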

Comments

  • Magnus
    Magnus over 1 year

    I am running an OpenVPN server, and I want to assign a specific client a static IP.

    This is my server.conf. I think this configures the pool of virtual IPs to span from 10.5.24.209 to 10.5.24.223.

    port 443
    proto tcp
    dev tun
    sndbuf 0
    rcvbuf 0
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA512
    tls-auth ta.key 0
    topology subnet
    server 10.5.24.208 255.255.255.240
    #This netmask should span IPs .208-.223.
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 168.xx.xx.xx"
    keepalive 10 120
    cipher AES-256-CBC
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    crl-verify crl.pem
    client-to-client
    client-config-dir ccd
    

    This is the contents of /etc/openvpn/ccd/W7LocalVM, where W7LocalVM is the Common Name of my client. I don't quite understand what this directive does, but I think the first IP should be the desired static IP of my client, and the second IP should be the IP of my server.

    ifconfig-push 10.5.24.210 10.5.24.209
    

    However, when I try to connect my client with this server configuration, I get the following error:

    Mon Aug 07 14:07:34 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.5.24.208/10.5.24.210/10.5.24.209 [SUCCEEDED]
    Mon Aug 07 14:07:34 2017 MANAGEMENT: Client disconnected
    Mon Aug 07 14:07:34 2017 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet
    Mon Aug 07 14:07:34 2017 Exiting due to fatal error
    

    I thought the IP 10.5.24.210 would be within the subnet defined on the server side, and I don't understand why I'm getting this error. Could anyone help me out on this?

    • EJoshuaS - Stand with Ukraine
      EJoshuaS - Stand with Ukraine almost 7 years
      I'd suggest asking this on Server Fault instead; you could get more helpful feedback since that site is dedicated to server administration issues.
    • Magnus
      Magnus almost 7 years
      Ok. Thank you. Didn't know about that community. Should I repost, or is there some feature that lets me migrate the post?
    • EJoshuaS - Stand with Ukraine
      EJoshuaS - Stand with Ukraine almost 7 years
      You can flag for moderator intervention and ask them to migrate. (For a few sites, like Super User, the community can vote to migrate, but migration to that site has to be done by moderators).
  • Magnus
    Magnus over 6 years
    I wrote a comment here asking why you suggested allocating four IPs per client, but I was industrious enough to find the answer for that in the FAQ. Thank you for solving the riddle!
  • Akito
    Akito about 2 years
    @Magnus Which FAQ are you referring to? This one? community.openvpn.net/openvpn/wiki/…? Or another one?
  • Magnus
    Magnus about 2 years
    It's been a while @Akito, and I've forgotten which FAQ it was. I should have had the foresight to link it for future readers. However, I remember that each of the four IPs was required by OpenVPN in some fashion.
  • Akito
    Akito about 2 years
    @Magnus I see. It's alright. That already helps. Thank you!