Addressing
This page discusses the concepts of addressing in OpenVPN.
Addressing Basics
Addressing in OpenVPN depends on the Topology in use. The 3 types of possible addressing styles are explained in the Topology page and are:
- subnet: The preferred topology for server/client setups
- net30: The deprecated /30 subnet allocation (best to avoid this)
- p2p: Used by non-server, peer-to-peer setups (non-Windows only; uses Point-To-Point, or PtP networking)
Note that with net30, non-Windows clients will configure addressing as PtP anyway; Windows uses the /30 as a virtual "network."
The Address Pool
In server mode, an addressing pool is commonly used; when used, clients that do not have server-side static addressing configured will be allocated an IP dynamically from this pool.
It is important to note that defining static addressing with an address that is also in the pool will result in problematic behavior if that IP was already allocated to another client. For this reason it is critical to reduce your pool range and assign static addresses that are outside the defined pool.
This means you cannot use the --server directive with static addressing as it consumes the entire network for the pool; instead, expand the directive and reduce the pool range.
Examples
The examples below use 10.8.0.0/24 as the VPN network and include samples for both full-pool allocation, and a reduced allocation with static addressing for 2 clients called 'client1' and 'client2'.
Since the TLS setup is not the focus here, the --pkcs12 directive is used here; your setup will likely be different. Addressing is the important part of these examples. Also note that the --topology directive is often pushed, and is in these examples.
Examples for subnet topology
subnet Example with full pool
- server config:
      --server 10.8.0.0 255.255.255.0
      --dev tun
      --topology subnet
      # TLS needs:
      --pkcs12 /vpn/server.p12
      --dh /vpn/dh.pem
- client config:
      --client
      --dev tun
      # TLS needs:
      --pkcs12 /vpn/client.p12
subnet Example with static ccd
- server config:
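      # Expanded form of --server, with the pool reduced to .2-.199
      --mode server
      --tls-server
      --dev tun
      --topology subnet
      --push "topology subnet"             # --server pushes this; the expanded form must do it itself
      --ifconfig 10.8.0.1 255.255.255.0
      --push "route-gateway 10.8.0.1"
      --ifconfig-pool 10.8.0.2 10.8.0.199 255.255.255.0
      --client-config-dir /vpn/ccd-dir     # full option name; holds the per-client files below
      # TLS needs:
      --pkcs12 /vpn/server.p12
      --dh /vpn/dh.pem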
- server's /vpn/ccd-dir/client1 file:
      ifconfig-push 10.8.0.201 255.255.255.0
- server's /vpn/ccd-dir/client2 file:
      ifconfig-push 10.8.0.202 255.255.255.0
- client config:
      --client
      --dev tun
      # TLS needs:
      --pkcs12 /vpn/client.p12
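A pre-deployment check for the overlap described under The Address Pool, run against both the reduced-pool and the full-pool server configs. This is an added example, not part of the original page or the OpenVPN project; the function names, the inline sample input and the choice to treat --server as pooling every host address in the network are assumptions made here.

```python
import ipaddress
import shlex

def directives(text):
    """Return token lists per directive line; '#' comments and leading '--' dropped."""
    rows = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            rows.append([tokens[0].lstrip("-")] + tokens[1:])
    return rows

def audit_static(server_conf, ccd):
    """Return (client, address, problem) tuples for unsafe ifconfig-push entries."""
    server = pool = None
    for d in directives(server_conf):
        if d[0] == "ifconfig":            # expanded form: server address + netmask
            server = ipaddress.ip_interface(f"{d[1]}/{d[2]}")
        elif d[0] == "ifconfig-pool":     # expanded form: explicit pool range
            pool = (ipaddress.ip_address(d[1]), ipaddress.ip_address(d[2]))
        elif d[0] == "server":            # assumption: helper pools every host address
            net = ipaddress.ip_network(f"{d[1]}/{d[2]}")
            server = ipaddress.ip_interface(f"{net[1]}/{net.prefixlen}")
            pool = (net[1], net[-2])
    findings, seen = [], {}
    for client, text in sorted(ccd.items()):
        for d in directives(text):
            if d[0] != "ifconfig-push":
                continue
            addr = ipaddress.ip_address(d[1])
            if server and addr not in server.network:
                findings.append((client, str(addr), "outside VPN network"))
            if server and addr == server.ip:
                findings.append((client, str(addr), "same as server address"))
            if pool and pool[0] <= addr <= pool[1]:
                findings.append((client, str(addr), "inside dynamic pool"))
            if addr in seen:
                findings.append((client, str(addr), f"duplicate of {seen[addr]}"))
            seen.setdefault(addr, client)
    return findings

# Constructed sample input based on the page's 10.8.0.0/24 examples.
REDUCED_POOL = ("--mode server\n--ifconfig 10.8.0.1 255.255.255.0\n"
                "--ifconfig-pool 10.8.0.2 10.8.0.199 255.255.255.0\n")
FULL_POOL = "--server 10.8.0.0 255.255.255.0  # helper directive"
CCD = {"client1": "ifconfig-push 10.8.0.201 255.255.255.0",
       "client2": "ifconfig-push 10.8.0.150 255.255.255.0"}  # client2 is deliberately wrong

if __name__ == "__main__":
    print(*audit_static(REDUCED_POOL, CCD), sep="\n")
```

With the reduced pool only client2 is flagged; with the full-pool config every static address is flagged, which is why the page expands --server before assigning static addresses.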