
I have two clients that need to connect to one OpenVPN server. Is it possible to use the same gateway for both clients in the ifconfig parameter?

Client A config file
[...]
ifconfig 10.0.0.2 10.0.0.1

Client B config file
[...]
ifconfig 10.0.0.3 10.0.0.1

The situation on the server is the following:

tun0
inet 10.10.0.1 destination 10.10.0.2

tun1
inet 10.10.0.1 destination 10.10.0.3

Now all is working fine, but might it give some problems as time goes on?

I was told to use different gateways like this:

Client A config file
[...]
ifconfig 10.0.0.2 10.0.0.1

Client B config file
[...]
ifconfig 10.0.1.2 10.0.1.1

But I thought different gateways are needed just for routing purposes: if I want to add a route and forward my traffic on a specific tun interface, I indeed need different gateways, or the server does not know which one to send the packets to. But if I don't need a specific route, can I use my first configuration?

Thank you

Theodor

Typically, a point-to-point interface, such as tun0 or any other tunnel-like interface, needs a local address only for tunnel management purposes or for identifying a particular tunnel.

Think about a tunnel interface as a remote attached endpoint. This interface has two ends - you and the other end. In general, there's no need to use any addresses on interfaces like this when only the two connected parties are involved in data exchange - you can just send a packet over this interface and it will be delivered to the other end; there is no other way for it to go.

Things get a little more complicated if some third party needs to be able to reach your remote attached endpoint. To get to this endpoint they'll need a remote address as a packet destination. The remote side, conversely, uses your local address in order to identify its version of the other end when it needs to, i.e. it installs a default route to it; however, it could use the tunnel interface itself as the route destination without even knowing your local address, and it would still work.

So unless you need to identify your tunnel interface by its local endpoint (i.e. to use it as a source address for certain dynamic routing protocol scenarios over the tunnel), you could use any address you wish as the local address on the tunnel - it doesn't even need to be on the same subnet as the remote address.

Peter Zhabin
  • Thank you! So if I got it right, the local address of my interface, e.g. 10.0.0.1, is needed by my client just to send packets to my OpenVPN server; once the packets reach my server, my server will send the packets to the internet hiding my IP address and then send them back to my client (I use OpenVPN with a POSTROUTING masquerade iptables rule just to hide my client IP address). So if I have two clients connected to my OpenVPN server and they are independent from each other, and my purpose is only to hide their IP addresses without using any routing protocol, I can specify the same gateway (10.0.0.1) for both. – Theodor Jun 19 '22 at 22:32
  • Yes, that's exactly it. – Peter Zhabin Jun 21 '22 at 11:39
  • Ok, thank you very much. I was struggling with it because I was told that multiple interfaces can't have the same IP address (and that's true as well; it might cause collisions or other issues), so I was wondering how it could work, since "ifconfig" on my OpenVPN server gives the following: tun0 (windows machine) inet 10.0.0.1 netmask 255.255.255.255 destination 10.0.0.2; tun1 (linux machine) inet 10.0.0.1 netmask 255.255.255.255 destination 10.0.0.3 – Theodor Jun 21 '22 at 11:59

It is possible and correct. The gateway parameter defines the configuration on the client which is used to send data to the VPN, so that routing can be defined as usual in IP. Once the packet is sent to the OpenVPN process, it takes care of its routing (until it leaves some other OpenVPN process).

In particular, you define:

ifconfig 10.10.0.3 10.10.0.1

The only result of this command is as if you ran the following commands on the client:

ip address add 10.10.0.3 dev tun0
ip route add 10.10.0.1 dev tun0

That's all. Other clients, a server, external systems — nobody else knows about this client configuration.

The only place where the gateway is used is to write routes towards the VPN like this:

ip route add 192.168.0.0/24 via 10.10.0.1

e.g. to set this network to be accessible through the VPN. For instance, the route to the VPN server and to other clients is done like this. Of course, if you have several clients, you may use the same gateway address on them (and you do this naturally, for example, for neighbour computers in the same LAN).

The same thing is applicable to a server as well. For example, I run several VPNs on a single machine (one is via UDP, the other is via TCP on port 443 with the port-share option — to be able to sneak through firewalls that block usual ports but allow 443 and even check if there is a webserver). Those servers both have the same local address configured, and differ by remote (that makes it possible to choose which VPN I route a packet through).

Now about problems that you'll encounter. With full-blown Linux OpenVPN there are no problems, of course. If you are going to use "OpenVPN Client", be it the Linux, Windows, iOS/iPadOS/macOS or Android client, it depends on which topology you set. In net30 topology they will reject such a configuration as invalid. In this case, the client address and its remote should belong to the same /30 subnet.

Nikita Kipriyanov
  • Thank you! Then if I use a Windows host machine and a VMware Linux in bridged mode, and on the Windows I set 10.0.0.2 as IP address and 10.0.0.1 as the gateway, then on the Linux I set 10.0.0.3 as IP address and 10.0.0.1 as the gateway, and my purpose is only to send packets over the VPN to hide the public IP address of both the Windows and Linux machine, I should not encounter any problem, right? On the server the ifconfig command shows (tun0 10.0.0.2 via 10.0.0.1 (Windows), tun1 10.0.0.3 via 10.0.0.1 (Linux)). It's working fine, but I just had the doubt that having two 10.0.0.1 on different interfaces could be bad – Theodor Jun 20 '22 at 11:30
  • You overthink the problem. The "hiding" has nothing to do with this at all. It is all defined on the server through which you are going to route packets (usually the VPN server). If you do NAT there, IP addresses of clients will be hidden. – Nikita Kipriyanov Jun 20 '22 at 12:24
  • Ok, thank you, it's all clearer now. So having this conf `Client A conf file remote dev tun ifconfig 10.0.0.2 10.0.0.1 redirect-gateway autolocal dhcp-option DNS 8.8.8.8 secret secret.txt` `Server A conf file dev tun ifconfig 10.0.0.1 10.0.0.2 secret static.key` `Client B conf file remote dev tun ifconfig 10.0.0.3 10.0.0.1 redirect-gateway autolocal dhcp-option DNS 8.8.8.8 secret secret.txt` `Server B conf file dev tun ifconfig 10.0.0.1 10.0.0.3 secret static.key`, it's a correct configuration and I shouldn't get any problems using it. – Theodor Jun 20 '22 at 14:24
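As an added example (not from the thread or from OpenVPN itself), the following Python checks the static-key pairs discussed above the way the second answer describes them: it emits the `ip` commands an `ifconfig LOCAL REMOTE` line amounts to, applies the net30 rule (local and remote in the same /30), verifies that each client/server pair mirrors its addresses, and lists gateway addresses shared by several clients (which is harmless per both answers). The config texts are constructed samples; `CLIENT_BAD` is a deliberately wrong pair.

```python
import ipaddress
import re

# Constructed sample configs (not from the thread); they mirror the static-key
# pairs listed in the last comment, plus one deliberately bad pair.
CLIENT_A = "dev tun\nifconfig 10.0.0.2 10.0.0.1\nsecret static.key\n"
SERVER_A = "dev tun\nifconfig 10.0.0.1 10.0.0.2\nsecret static.key\n"
CLIENT_B = "dev tun\nifconfig 10.0.0.3 10.0.0.1\nsecret static.key\n"
SERVER_B = "dev tun\nifconfig 10.0.0.1 10.0.0.3\nsecret static.key\n"
CLIENT_BAD = "dev tun\nifconfig 10.0.0.6 10.0.0.1\nsecret static.key\n"

IFCONFIG_RE = re.compile(r"^\s*ifconfig\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)

def parse_ifconfig(config_text):
    """Return (local, remote) from the ifconfig directive of a p2p config."""
    m = IFCONFIG_RE.search(config_text)
    if not m:
        raise ValueError("no ifconfig directive found")
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))

def equivalent_ip_commands(config_text, dev="tun0"):
    """What the directive amounts to on the client, per the second answer."""
    local, remote = parse_ifconfig(config_text)
    return [f"ip address add {local} dev {dev}", f"ip route add {remote} dev {dev}"]

def same_slash30(config_text):
    """net30 rule from the answer: local and remote must share one /30."""
    local, remote = parse_ifconfig(config_text)
    return remote in ipaddress.IPv4Network(f"{local}/30", strict=False)

def mirrors(client_text, server_text):
    """A static-key pair is consistent when each side's local is the other's remote."""
    c_local, c_remote = parse_ifconfig(client_text)
    s_local, s_remote = parse_ifconfig(server_text)
    return c_local == s_remote and c_remote == s_local

def shared_gateways(*client_texts):
    """Remote (gateway) addresses used by more than one client; allowed per the answers."""
    remotes = [parse_ifconfig(t)[1] for t in client_texts]
    return sorted({str(r) for r in remotes if remotes.count(r) > 1})

if __name__ == "__main__":
    for name, cfg in (("A", CLIENT_A), ("B", CLIENT_B), ("bad", CLIENT_BAD)):
        print(name, equivalent_ip_commands(cfg), "net30 ok:", same_slash30(cfg))
    print("A mirrors server A:", mirrors(CLIENT_A, SERVER_A))
    print("B mirrors server A:", mirrors(CLIENT_B, SERVER_A))
    print("gateways shared by clients:", shared_gateways(CLIENT_A, CLIENT_B))
```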