
Addressing

This page discusses the concepts of addressing in OpenVPN.

Addressing Basics for Server/Client

Addressing in OpenVPN depends on the Topology in use. The 3 types of possible server/client addressing styles are explained in the Topology page and are:

  • subnet: The preferred topology for server/client setups
  • net30: The deprecated /30 subnet allocation (best to avoid this)
  • p2p: peer-to-peer addressed setups (non-Windows only; uses Point-To-Point, or PtP networking)

Note that with net30, non-Windows clients will configure addressing as PtP anyway; Windows uses the /30 as a virtual "network."

Addressing in p2p (non-server) mode

Another operating mode is when you don't run either side as a server, which is when both are using --mode p2p --topology p2p. In this case, each end sets its own addressing. The addresses chosen here are completely arbitrary and only define the local versus remote sides. The addresses do not even need to be adjacent; "any" 2 addresses can be used.

If you intend to create a server that multiple clients connect to, you cannot use this mode. Also note that Windows clients do not support this.

The Address Pool

In server mode, an addressing pool is commonly used; when used, clients that do not have server-side static addressing configured will be allocated an IP dynamically from this pool.

Static Address Assignment

It is possible to have the server allocate a static IP to a client based on its commonName. This is done with an --ifconfig-push command in either a ccd file or (as an advanced alternative) a --client-connect script.

It is important to note that defining static addressing with an address that is also in the pool will result in problematic behavior if that IP was already allocated to another client. For this reason it is critical to reduce your pool range and assign static addresses that are outside the defined pool.

This means you cannot use the --server directive with static addressing as it consumes the entire network for the pool; instead, expand the directive and reduce the pool range to avoid problems.
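The overlap described above can be checked before deployment. The following is an added example, not code from the OpenVPN project: the function names and the sample input (including the deliberately wrong client3 and client4 entries) are constructed here, and a bare `server` line is treated as pooling the whole network, as stated above.

```python
import ipaddress

# Constructed sample input modelled on this page's subnet/ccd example.
SERVER_CONF = """\
mode server
topology subnet
ifconfig 10.8.0.1 255.255.255.0
ifconfig-pool 10.8.0.2 10.8.0.199 255.255.255.0
"""
# commonName -> ccd file text; client3 and client4 are deliberately wrong.
CCD_FILES = {
    "client1": "ifconfig-push 10.8.0.201 255.255.255.0\n",
    "client2": "ifconfig-push 10.8.0.202 255.255.255.0\n",
    "client3": "ifconfig-push 10.8.0.50 255.255.255.0\n",
    "client4": "ifconfig-push 10.8.0.201 255.255.255.0\n",
}

def directive(text, name):
    """Return the arguments of the first `name` directive, or None."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0].lstrip("-") == name:
            return parts[1:]
    return None

def pool_range(server_conf):
    """Pool bounds; a bare `server` line is treated as pooling the whole network."""
    pool = directive(server_conf, "ifconfig-pool")
    if pool:
        return ipaddress.IPv4Address(pool[0]), ipaddress.IPv4Address(pool[1])
    net, mask = directive(server_conf, "server")
    network = ipaddress.IPv4Network(f"{net}/{mask}")
    return network[0], network[-1]

def audit_static_addresses(server_conf, ccd_files):
    """Return (commonName, ip, problem) for every unsafe static assignment."""
    lo, hi = pool_range(server_conf)
    findings, owner = [], {}
    for cn in sorted(ccd_files):
        args = directive(ccd_files[cn], "ifconfig-push")
        if not args:
            continue  # no static address: client draws from the pool
        ip = ipaddress.IPv4Address(args[0])
        if lo <= ip <= hi:
            findings.append((cn, str(ip), "inside pool"))
        if ip in owner:
            findings.append((cn, str(ip), "duplicate of " + owner[ip]))
        owner.setdefault(ip, cn)
    return findings
```
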

Examples

The examples below use 10.8.0.0/24 as the VPN network and include samples for both full-pool allocation, and a reduced allocation with static addressing for 2 clients called 'client1' and 'client2'.

Since the TLS setup is not the focus here, the --pkcs12 option is used in these examples; your setup will likely be different. Addressing is the important part of these examples. Also note that the --topology directive is often pushed, and is in these examples.

Examples for subnet topology

subnet Example with full pool

  • server config:
    --server 10.8.0.0 255.255.255.0
    --dev tun
    --topology subnet
    
    # TLS needs:
    --pkcs12 /vpn/server.p12
    --dh /vpn/dh.pem
    
  • client config:
    --client
    --dev tun
    
    # TLS needs:
    --pkcs12 /vpn/client.p12
    

subnet Example with static ccd

  • server config:
    --mode server
    --tls-server
    --dev tun
    --topology "subnet"
    --push "topology subnet"
    --ifconfig 10.8.0.1 255.255.255.0
    --push "route-gateway 10.8.0.1"
    --ifconfig-pool 10.8.0.2 10.8.0.199 255.255.255.0
    --client-config-dir /vpn/ccd-dir
    
    # TLS needs:
    --pkcs12 /vpn/server.p12
    --dh /vpn/dh.pem
    
  • server's /vpn/ccd-dir/client1 file:
    ifconfig-push 10.8.0.201 255.255.255.0
    
  • server's /vpn/ccd-dir/client2 file:
    ifconfig-push 10.8.0.202 255.255.255.0
    
  • client config:
    --client
    --dev tun
    
    # TLS needs:
    --pkcs12 /vpn/client.p12
    

Examples for net30 topology

Read the Topology page for more details on net30. In short, each client (and the server itself) is allocated a virtual /30 network for compatibility with very old Windows versions. Addressing pushed to Windows clients must use the center 2 IPs of this subnet.

Note that net30 is the default topology (as of OpenVPN 2.3) and need not be declared explicitly with --topology.
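The center-2-IPs rule can be checked mechanically, and the same arithmetic lists which /30 blocks remain available for static assignment. This is an added example, not part of the original page or of OpenVPN; the function names are hypothetical, and the (client, peer) ordering of the candidates follows the ccd files in the net30 example on this page.

```python
import ipaddress

def check_net30_push(line):
    """Validate one 'ifconfig-push LOCAL REMOTE' line for net30.

    Returns None when LOCAL and REMOTE are the two center addresses of
    the same /30, otherwise a message describing the problem.
    """
    _, local, remote = line.split()
    local = ipaddress.IPv4Address(local)
    remote = ipaddress.IPv4Address(remote)
    block = ipaddress.IPv4Network(f"{local}/30", strict=False)
    if {local, remote} != {block[1], block[2]}:
        return f"{local} {remote}: not the center pair of {block}"
    return None

def static_net30_candidates(network, pool_start, pool_end, server_ip):
    """List (client_ip, peer_ip) pairs from /30 blocks that lie wholly
    outside the pool range and do not contain the server address."""
    lo = ipaddress.IPv4Address(pool_start)
    hi = ipaddress.IPv4Address(pool_end)
    server = ipaddress.IPv4Address(server_ip)
    pairs = []
    for block in ipaddress.IPv4Network(network).subnets(new_prefix=30):
        overlaps_pool = block[0] <= hi and block[-1] >= lo
        if not overlaps_pool and server not in block:
            pairs.append((str(block[2]), str(block[1])))
    return pairs

if __name__ == "__main__":
    # Constructed input: one valid net30 line and one subnet-style line.
    for line in ("ifconfig-push 10.8.0.202 10.8.0.201",
                 "ifconfig-push 10.8.0.201 255.255.255.0"):
        print(line, "->", check_net30_push(line) or "ok")
    print(static_net30_candidates("10.8.0.0/24", "10.8.0.4",
                                  "10.8.0.199", "10.8.0.1")[:2])
```
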

net30 Example with full pool

  • server config:
    --server 10.8.0.0 255.255.255.0
    --dev tun
    
    # TLS needs:
    --pkcs12 /vpn/server.p12
    --dh /vpn/dh.pem
    
  • client config:
    --client
    --dev tun
    
    # TLS needs:
    --pkcs12 /vpn/client.p12
    

net30 Example with static ccd

  • server config:
    --mode server
    --tls-server
    --dev tun
    --ifconfig 10.8.0.1 10.8.0.2
    --push "route-gateway 10.8.0.1"
    --ifconfig-pool 10.8.0.4 10.8.0.199 255.255.255.0
    --client-config-dir /vpn/ccd-dir
    
    # TLS needs:
    --pkcs12 /vpn/server.p12
    --dh /vpn/dh.pem
    
  • server's /vpn/ccd-dir/client1 file:
    ifconfig-push 10.8.0.202 10.8.0.201
    
  • server's /vpn/ccd-dir/client2 file:
    ifconfig-push 10.8.0.206 10.8.0.205
    
  • client config:
    --client
    --dev tun
    
    # TLS needs:
    --pkcs12 /vpn/client.p12
    

Examples for p2p topology

This topology is only valid when none of your clients are Windows. The benefit is that you can use the entire network range. This can be beneficial when using smaller networks, such as a /29, /30, or even a /31 (normally unusable on "traditional" Ethernet-style networks.)

An advanced example is also shown at the end where you can use 100% of a given network for client IPs since PtP addressing does not have to be contiguous.

All these examples push the assigned IPs from the server, so they use a single client config common to all examples:

Common client config for p2p examples

  • client config:
    --client
    --dev tun
    
    # TLS needs:
    --pkcs12 /vpn/client.p12
    

Using a /24

In this example, we assign the following addressing:

  • VPN server: 10.8.0.0
  • client1: 10.8.0.1
  • client2: 10.8.0.2
  • dynamic IPs assigned to other clients: 10.8.0.100 - 10.8.0.199
  • (The IP 10.8.0.255 is used as a common peering IP and is not routable)
  • server config:
    --mode server
    --tls-server
    --dev tun
    --topology "p2p"
    --push "topology p2p"
    --ifconfig 10.8.0.0 10.8.0.255
    --push "route-gateway 10.8.0.0"
    --ifconfig-pool 10.8.0.100 10.8.0.199
    --client-config-dir /vpn/ccd-dir
    
    # TLS needs:
    --pkcs12 /vpn/server.p12
    --dh /vpn/dh.pem
    
  • server's /vpn/ccd-dir/client1 file:
    ifconfig-push 10.8.0.1 10.8.0.0
    
  • server's /vpn/ccd-dir/client2 file:
    ifconfig-push 10.8.0.2 10.8.0.0
    

Advanced example: utilizing a /30

In this example, we assign the following addressing, assigning 4 clients out of the network 203.0.113.252/30. The VPN server uses RFC1918 locally, and a matching RFC1918 is used by clients as the peering address.

  • VPN server: 192.168.222.0 (peering with 192.168.222.1)
  • client1: 203.0.113.252
  • client2: 203.0.113.253
  • client3: 203.0.113.254
  • client4: 203.0.113.255
  • server config:
    --mode server
    --tls-server
    --dev tun
    --topology "p2p"
    --push "topology p2p"
    --ifconfig 192.168.222.0 192.168.222.1
    --push "route-gateway 192.168.222.0"
    --client-config-dir /vpn/ccd-dir
    
    # TLS needs:
    --pkcs12 /vpn/server.p12
    --dh /vpn/dh.pem
    
  • server's /vpn/ccd-dir/client1 file:
    ifconfig-push 203.0.113.252 192.168.222.0
    
  • server's /vpn/ccd-dir/client2 file:
    ifconfig-push 203.0.113.253 192.168.222.0
    
  • server's /vpn/ccd-dir/client3 file:
    ifconfig-push 203.0.113.254 192.168.222.0
    
  • server's /vpn/ccd-dir/client4 file:
    ifconfig-push 203.0.113.255 192.168.222.0
    
Last modified on 06/04/14 22:18:57