Openvpn – Why does this allocation of client static IP in OpenVPN fail

ipopenvpnsubnet

I am running an OpenVPN server, and I want to assign a specific client a static IP.

This is my server.conf. I think this configures the pool of virtual IPs to span from 10.5.24.209 to 10.5.24.223.

port 443
proto tcp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.5.24.208 255.255.255.240
#This netmask should span IPs .208-.223.
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 168.xx.xx.xx"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
client-to-client
client-config-dir ccd

This is the contents of /etc/openvpn/ccd/W7LocalVM, where W7LocalVM is the Common Name of my client. I don't quite understand what this directive does, but I think the first IP should be the desired static IP of my client, and the second IP should be the IP of my server.

ifconfig-push 10.5.24.210 10.5.24.209

However, when I try to connect my client with this server configuration, I get the following error:

Mon Aug 07 14:07:34 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.5.24.208/10.5.24.210/10.5.24.209 [SUCCEEDED]
Mon Aug 07 14:07:34 2017 MANAGEMENT: Client disconnected
Mon Aug 07 14:07:34 2017 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet
Mon Aug 07 14:07:34 2017 Exiting due to fatal error

I thought the IP 10.5.24.210 would be within the subnet defined on the server side, and I don't understand why I'm getting this error. Could anyone help me out on this?

Best Answer

This problem is created because openvpn is trying to parse your ifconfig options as an ip followed by an subnet mask.

According to the man page:

--topology mode

...

subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode allocates a single IP address per connecting client and works on Windows as well. Only available when server and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the --topology directive code. When used on Windows, requires version 8.2 or higher of the TAP-Win32 driver. When used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a remote endpoint IP address.

This option exists in OpenVPN 2.1 or higher.

Note: Using --topology subnet changes the interpretation of the arguments of --ifconfig to mean "address netmask", no longer "local remote".

--ifconfig l rn

Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices in point-to-point mode, rn is the IP address of the remote VPN endpoint. For TAP devices, or TUN devices used with --topology subnet, rn is the subnet mask of the virtual network segment which is being created or connected to. For TUN devices, which facilitate virtual point-to-point IP connections (when used in --topology net30 or p2p mode), the proper usage of --ifconfig is to use two private IP addresses which are not a member of any existing subnet which is in use. The IP addresses may be consecutive and should have their order reversed on the remote peer. After the VPN is established, by pinging rn, you will be pinging across the VPN.

For TAP devices, which provide the....

Inside you server code, you set your topology to subnet, and then push it to the client using the server statement.

According to the above documentation, instead of pushing your ifconfig using "local", "remote" address, you need to add the following to "/etc/openvpn/ccd/W7LocalVM":

ifconfig-push 10.5.24.210 255.255.255.252
push route 10.5.24.210 255.255.255.252
# ifconfig 10.5.24.209 255.255.255.252

The last line is probably not needed, but is left as an example what ifconfig-push "should" do on the server side to make the connection work.

Related Solutions

OpenVPN connection from within 2nd subnet in office

As it said, add a float option to the client config and try again.

--float

Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.

Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.

Linux – openvpn multiple instances route issue

You are basically trying to set two default gateway. Even if you could add both routes, only one of them would work correctly.

You probably should remove the push "redirect-gateway def1 bypass-dhcp" from the server, and simply set up a route on the client side for which ever VPN should be the default.

Best Answer

Related Solutions

OpenVPN connection from within 2nd subnet in office

Linux – openvpn multiple instances route issue

Related Topic