
I am configuring my OpenVPN server and my idea was to make different subnets for different needs. My main subnet for unprivileged DHCP users is 10.110.131.0/24. On the server it is configured this way: `server 10.110.131.0 255.255.255.0`

Then I made some additional subnets for my privileged static-IP users, like: 10.110.128.0/24, 10.110.129.0/24, 10.110.130.0/24

I added routing to the server.conf:
`route 10.110.128.0 255.255.255.0`
`route 10.110.129.0 255.255.255.0`
`route 10.110.130.0 255.255.255.0`

But the actual problem is that I don't know how to configure Windows users. For example, when I use a mobile phone it connects without any problems and the only thing I provide in the ccd config is: `ifconfig-push 10.110.129.10 255.255.255.0`

But when using a Windows laptop with the same ccd config it starts to give errors like:
`Route: Waiting for TUN/TAP interface to come up...`
`Warning: route gateway is not reachable on any active network adapters: 10.110.131.1`

So it can't find the VPN gateway, which is 10.110.131.1.

Then I change the ccd config to: `ifconfig-push 10.110.128.10 255.255.252.0`, which fixes my problem, but I don't like this approach and would like to provide my Windows clients my gateway in the config. I can't find a way to do this; I tried route and iroute but neither of them works.

So any ideas?

Dave M
  • Do you actually have the IP address `10.110.131.1` bound to your tunnel interface on your OpenVPN server? – Anubioz Feb 10 '19 at 14:02
  • Not sure what you meant, but I think yes, because tun0 interface operates on 10.110.131.1 – R3Natas Feb 10 '19 at 14:46
  • Are you sure it's not `10.110.129.1`, which the phone connects fine to? Or do you have multiple IPs on the same interface? – Anubioz Feb 10 '19 at 15:53
  • As mentioned, I configured the main subnet 10.110.131.0/24, which works fine and acts like DHCP, giving free addresses from the pool; then I made the additional subnets 10.110.128.0/24, 10.110.129.0/24 and 10.110.130.0/24. My phone works well with them, but Windows or Linux clients don't – R3Natas Feb 10 '19 at 21:52
  • You can't have different subnets on a single OpenVPN adapter. You need to create 3 separate OpenVPN instances listening on different ports with a separate adapter for each of your subnets... – Anubioz Feb 10 '19 at 22:24
  • https://openvpn.net/community-resources/how-to/#policy I followed this tutorial which explains how to do it and you can't say it is impossible because I can connect from my laptop with 10.110.131.10 and from my mobile phone with 10.110.129.10 – R3Natas Feb 10 '19 at 22:32
  • In that tutorial each client is actually assigned a separate /30 subnet with a dedicated virtual gateway. So, for example, a client which was assigned `10.110.131.6/30` will have `10.110.131.5` as its gateway, while `10.110.131.10/30` will have `10.110.131.9/30` as gateway. You can't actually use `10.110.131.1` as gateway, since it's not accessible for that client (to make that `.1` IP accessible you have to add a route via that dedicated virtual gateway of each client, so for `10.110.131.6` your (Windows) command is `route add 10.110.131.1 mask 255.255.255.255 10.110.131.5`) – Anubioz Feb 10 '19 at 22:58
  • As for the `impossibility` part - just use `ip -br -f inet addr` and you will see that the OpenVPN `tun0` adapter actually has only a single subnet assigned to it, not all 3. – Anubioz Feb 10 '19 at 23:02
  • Alright, got it, but Windows still won't connect: when I provide the config `ifconfig-push 10.110.128.210 255.255.255.252` it says `ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to ...`, and if I use .209 instead of .210 it gets stuck on `Waiting for TUN/TAP interface to come up...` – R3Natas Feb 10 '19 at 23:19
  • Endpoint addresses must end with a digit from a fixed set, described [in the documentation](https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/), where the first number is the server-side IP address & the last one is client-side. So you actually need to `ifconfig-push 10.110.128.209 10.110.128.210` according to that set – Anubioz Feb 10 '19 at 23:53
  • Because I am using `--topology subnet` I need to use the client IP and the subnet mask, like `10.110.128.209 255.255.255.0`, but actually using your config I still get `Waiting for TUN/TAP interface to come up... ` – R3Natas Feb 11 '19 at 07:58
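Editor's note: the thread turns on two separate `ifconfig-push` rules, and the added checker below (not part of the question, the comments, or OpenVPN itself) makes both of them mechanical. With `--topology net30` each client owns a /30 and the two arguments of `ifconfig-push` are the client's local endpoint and the server-side remote endpoint, so they must be the two usable host addresses of one /30; that is the "fixed set" of last-octet pairs (1,2) (5,6) ... (253,254) the comments refer to. With `--topology subnet` the arguments are the client address and netmask, and the `server` directive pushes a `route-gateway` equal to the server's tun address; OpenVPN's Windows client refuses routes whose gateway is not on-link, which is exactly the `route gateway is not reachable` warning in the question when a client in 10.110.129.0/24 is told to use 10.110.131.1. The script assumes that 10.110.131.1 is the pushed route gateway (taken from the warning text) and shows why the /22 mask the asker fell back on is the smallest mask that puts client and gateway on one link. It only uses the standard library.

```python
import ipaddress

# --topology net30: every client gets its own /30, and the two usable host
# addresses of that /30 are the client's local endpoint and the server-side
# remote endpoint.  This reproduces the "fixed set" of last-octet pairs from
# the OpenVPN how-to: (1,2) (5,6) (9,10) ... (253,254).
NET30_PAIRS = [(base + 1, base + 2) for base in range(0, 256, 4)]


def parse_ifconfig_push(line):
    """Split an 'ifconfig-push A B' ccd line into its two arguments."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        raise ValueError(f"not an ifconfig-push line: {line!r}")
    return parts[1], parts[2]


def check_net30(line):
    """Validate a net30-style 'ifconfig-push <client-local> <server-remote>'.

    Both endpoints must be the two host addresses of one /30; the network
    and broadcast addresses of that /30 are not usable as endpoints.
    Returns (ok, reason).
    """
    local, remote = parse_ifconfig_push(line)
    a = ipaddress.IPv4Address(local)
    b = ipaddress.IPv4Address(remote)
    block = ipaddress.ip_network(f"{a}/30", strict=False)
    if b not in block:
        return False, f"{a} and {b} are not in the same /30 ({block})"
    usable = set(block.hosts())  # the two middle addresses of the /30
    if a == b or a not in usable or b not in usable:
        return False, f"endpoints must be the two host addresses of {block}"
    return True, f"ok: /30 {block}, client {a}, server-side endpoint {b}"


def check_subnet(line, route_gateway):
    """Validate a subnet-style 'ifconfig-push <client-ip> <netmask>'.

    With --topology subnet the server pushes 'route-gateway <server tun ip>'
    and the Windows client only installs routes whose gateway is on-link,
    so that gateway has to fall inside the client's own address/netmask.
    Returns (ok, reason).
    """
    local, mask = parse_ifconfig_push(line)
    iface = ipaddress.IPv4Interface(f"{local}/{mask}")  # dotted mask accepted
    gw = ipaddress.IPv4Address(route_gateway)
    if gw not in iface.network:
        return False, (f"route gateway {gw} is not on-link for {iface}: "
                       f"client only sees {iface.network}")
    if gw == iface.ip:
        return False, f"client address {iface.ip} collides with the gateway"
    return True, f"ok: {iface} reaches route gateway {gw} on-link"


def covering_mask(client_ip, route_gateway):
    """Dotted netmask of the smallest network containing both addresses.

    This is the minimal mask that makes the pushed route gateway on-link
    for the client; the /22 workaround in the question falls out of it.
    """
    a = ipaddress.IPv4Address(client_ip)
    b = ipaddress.IPv4Address(route_gateway)
    for plen in range(32, -1, -1):  # longest prefix first
        net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
        if b in net:
            return str(net.netmask)
    raise AssertionError("unreachable: /0 contains every address")


if __name__ == "__main__":
    gateway = "10.110.131.1"  # assumed pushed route-gateway, from the warning in the question
    for ccd in ("ifconfig-push 10.110.129.10 255.255.255.0",    # the failing ccd line
                "ifconfig-push 10.110.128.10 255.255.252.0"):   # the /22 workaround
        print(ccd, "->", check_subnet(ccd, gateway)[1])
    print("minimal mask for 10.110.129.10 ->", covering_mask("10.110.129.10", gateway))
    for ccd in ("ifconfig-push 10.110.128.210 10.110.128.209",  # valid net30 pair
                "ifconfig-push 10.110.128.210 255.255.255.252"):  # a netmask where net30 wants an endpoint
        print(ccd, "->", check_net30(ccd)[1])
```

Run it against a ccd line before handing it to a Windows client: `check_subnet` reports the on-link prefix the client will actually see, and `covering_mask` gives the mask that would have to be pushed for the server's address to be reachable without a separate route. The net30 check also flags the common mistake of passing a netmask as the second argument when the server is in net30 mode.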

0 Answers