wiki:Concepts-Addressing

Version 2 (modified by JoshC, 10 years ago)

fix ccd directive

Addressing

This page discusses the concepts of addressing in OpenVPN.

Addressing Basics

Addressing in OpenVPN depends on the Topology in use. The 3 types of possible addressing styles are explained in the Topology page and are:

subnet
The preferred topology for server/client setups
net30
The deprecated /30 subnet allocation (best to avoid this)
p2p
Used by non-server, peer-to-peer setups (non-Windows only; uses Point-To-Point, or PtP networking)

Note that with net30, non-Windows clients will configure addressing as PtP anyway; Windows uses the /30 as a virtual "network."

The Address Pool

In server mode, an addressing pool is commonly used; when used, clients that do not have server-side static addressing configured will be allocated an IP dynamically from this pool.

It is important to note that defining static addressing with an address that is also in the pool will result in problematic behavior if that IP was already allocated to another client. For this reason it is critical to reduce your pool range and assign static addresses that are outside the defined pool.

This means you cannot use the --server directive with static addressing as it consumes the entire network for the pool; instead, expand the directive and reduce the pool range.

Examples

The examples below use 10.8.0.0/24 as the VPN network and include samples for both full-pool allocation and a reduced pool with static addressing for 2 clients, called 'client1' and 'client2'.

Since the TLS setup is not the focus here, the --pkcs12 directive is used for it; your setup will likely be different. Addressing is the important part of these examples. Also note that the --topology directive is often pushed to clients, as it is in these examples.

Examples for subnet topology

subnet Example with full pool

  • server config:
    --server 10.8.0.0 255.255.255.0
    --dev tun
    --topology subnet
    
    # TLS needs:
    --pkcs12 /vpn/server.p12
    --dh /vpn/dh.pem
    
  • client config:
    --client
    --dev tun
    
    # TLS needs:
    --pkcs12 /vpn/client.p12
    

subnet Example with static ccd

  • server config (the expanded form of --server, with a reduced pool):
    --mode server
    --tls-server
    --dev tun
    --topology subnet
    --push "topology subnet"
    --ifconfig 10.8.0.1 255.255.255.0
    --push "route-gateway 10.8.0.1"
    --ifconfig-pool 10.8.0.2 10.8.0.199 255.255.255.0
    --client-config-dir /vpn/ccd-dir
    
    # TLS needs:
    --pkcs12 /vpn/server.p12
    --dh /vpn/dh.pem
    
  • server's /vpn/ccd-dir/client1 file:
    ifconfig-push 10.8.0.201 255.255.255.0
    
  • server's /vpn/ccd-dir/client2 file:
    ifconfig-push 10.8.0.202 255.255.255.0
    
  • client config:
    --client
    --dev tun
    
    # TLS needs:
    --pkcs12 /vpn/client.p12
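As an added example that is not part of the original page or of OpenVPN itself, the following Python check applies the rule from "The Address Pool" section to the static-ccd example above: it parses the server's ifconfig and ifconfig-pool lines and each ccd file's ifconfig-push, and reports any static address that lands inside the dynamic pool, duplicates the server or another client, or falls outside the VPN network. The server config text and ccd entries are constructed inline; a third client, 'client3', is added deliberately to show a pool collision.

```python
import ipaddress
import shlex
# Constructed server config (added example, not OpenVPN's own code), after the
# page's "subnet Example with static ccd"; mode/tls/dev/TLS lines are omitted.
SERVER_CONF = """
topology subnet
ifconfig 10.8.0.1 255.255.255.0
push "route-gateway 10.8.0.1"
ifconfig-pool 10.8.0.2 10.8.0.199 255.255.255.0
client-config-dir /vpn/ccd-dir
"""

# Constructed ccd files; client3 is deliberately placed inside the pool.
CCD_FILES = {
    "client1": "ifconfig-push 10.8.0.201 255.255.255.0",
    "client2": "ifconfig-push 10.8.0.202 255.255.255.0",
    "client3": "ifconfig-push 10.8.0.50 255.255.255.0",
}

def parse_directives(text):
    """Map each directive to its argument list (first occurrence wins)."""
    out = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # strips '#' comments
        if parts and parts[0] not in out:
            out[parts[0]] = parts[1:]
    return out

def check_static_addresses(server_conf, ccd_files):
    """Return [(client, address, reason)] for every unsafe ifconfig-push."""
    conf = parse_directives(server_conf)
    server_ip, netmask = conf["ifconfig"]
    network = ipaddress.ip_network(f"{server_ip}/{netmask}", strict=False)
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in conf["ifconfig-pool"][:2])
    seen, problems = {}, []
    for name, text in ccd_files.items():
        args = parse_directives(text).get("ifconfig-push")
        if not args:
            continue  # no static address: this client draws from the pool
        addr = ipaddress.ip_address(args[0])
        if addr not in network:
            problems.append((name, str(addr), "outside VPN network"))
        elif addr == ipaddress.ip_address(server_ip):
            problems.append((name, str(addr), "is the server address"))
        elif pool_lo <= addr <= pool_hi:
            problems.append((name, str(addr), "inside dynamic pool"))
        elif addr in seen:
            problems.append((name, str(addr), f"duplicate of {seen[addr]}"))
        seen.setdefault(addr, name)
    return problems
```

Run against a real deployment by reading the server config and the files in the client-config-dir into the same two structures; an empty result means every static address is safely outside the pool.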