I have an OpenVPN server with an inet address 10.8.0.1 serving the subnet 10.8.0.0/24. I have two clients connected to this server and the status log (/etc/openvpn/openvpn-status.log) reads as follows:
OpenVPN CLIENT LIST
Updated,Wed Aug 9 15:56:38 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,10.0.0.177:54810,4648,4853,Wed Aug 9 15:56:28 2017
client2,10.0.0.224:53999,4731,4935,Wed Aug 9 15:56:16 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,10.0.0.177:54810,Wed Aug 9 15:56:28 2017
10.8.0.10,client2,10.0.0.224:53999,Wed Aug 9 15:56:16 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
Now, on client 2 when I run (ifconfig) I get the following for the tun interface:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.10 P-t-P:10.8.0.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
The P-t-P inet address reads 10.8.0.9. Where is this interface present in the subnet? Is it in the client or the server? Traceroute on this interface from the client gives me the following:
traceroute to 10.8.0.9 (10.8.0.9), 64 hops max
1 10.8.0.1 0.348ms 0.210ms 0.163ms
2 * * *
3 * * *
4 * * *
5 * ^C
Now, if this is like a dummy inet address, can this inet address be used for a client by the OpenVPN server if it runs out of addresses in case it reaches a limit of 254 VPN clients?
Thanks in advance!
Best Answer
Your OpenVPN server seems to be set up using the topology net30. This topology is required for compatibility with really old clients running on older versions of Windows.

This topology basically takes the /24 subnet you assigned to the VPN and breaks it up into 64 subnets with 30 bit masks, meaning you can have at most 63 connected clients. In net30, the 00 and 11 addresses (binary bits) are unused, the 01 address is assigned to the PTP connection on the server and the 10 address is used on the client.

So given the 10.8.0.6,client1,... client, the subnet is 10.8.0.4. The broadcast address is 10.8.0.7. The address that belongs to the OpenVPN server is 10.8.0.5 (though you won't actually see it assigned on the server), and the address assigned to the client is 10.8.0.6.

These days you would be far better off switching your server to use topology subnet. This option tells OpenVPN to treat 10.8.0.0/24 as one single subnet and not to break it up into a bunch of smaller subnets. Each client will only consume 1 address from the potential ~253 available in the subnet instead of basically 4, which happens with net30.
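As an added example (not part of the question or the answer above), the following script parses the ROUTING TABLE from the quoted status log and works out the net30 arithmetic the answer describes for each client: the /30 block, the server's P-t-P endpoint (10.8.0.9 for client2, matching the ifconfig output), and the client capacity of the pool under net30 versus topology subnet. The function names are my own; the sample log is the one from the question.

```python
import ipaddress

# Constructed from the status log quoted in the question above.
STATUS_LOG = """OpenVPN CLIENT LIST
Updated,Wed Aug 9 15:56:38 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,10.0.0.177:54810,4648,4853,Wed Aug 9 15:56:28 2017
client2,10.0.0.224:53999,4731,4935,Wed Aug 9 15:56:16 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,10.0.0.177:54810,Wed Aug 9 15:56:28 2017
10.8.0.10,client2,10.0.0.224:53999,Wed Aug 9 15:56:16 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def routing_table(log):
    """Return {common_name: virtual_address} from the ROUTING TABLE section."""
    entries, in_table = {}, False
    for line in log.splitlines():
        if line == "ROUTING TABLE":
            in_table = True
        elif line == "GLOBAL STATS":
            break
        elif in_table and not line.startswith("Virtual Address"):
            vaddr, cn, *_ = line.split(",")
            entries[cn] = vaddr
    return entries

def net30_block(client_addr):
    """Map a client's virtual address to its /30: (network, server end, client, broadcast)."""
    net = ipaddress.ip_network(f"{client_addr}/30", strict=False)
    network, server_end, client, broadcast = (str(a) for a in net)
    if client != client_addr:  # in net30 the client always holds the '10' address
        raise ValueError(f"{client_addr} is not a net30 client address")
    return network, server_end, client, broadcast

def client_capacity(pool, topology):
    """Clients a pool can serve; the server keeps one address for itself."""
    n = ipaddress.ip_network(pool).num_addresses
    if topology == "net30":
        return n // 4 - 1      # 64 blocks of four, the first one holds the server
    if topology == "subnet":
        return n - 3           # drop network, broadcast and the server's address
    raise ValueError(topology)

for cn, vaddr in routing_table(STATUS_LOG).items():
    print(cn, vaddr, "->", net30_block(vaddr))
```

The second element of each tuple is the address that shows up as P-t-P on the client's tun interface, which is why traceroute to it only ever reaches the server.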