route needed for inter-client communication
user149408

I have found a different approach which turned out to be easier than setting up dynamic DNS: configure client-specific overrides so that certain clients will be assigned a static address, then register the (now static) client address in DNS.

With the net30 topology (default in OPNsense), each client connection gets its own subnet with a 30-bit mask. Of the two addresses (not counting the network and broadcast address), the first is the server and the second is the client.

Addresses used in client-specific overrides must be outside the IPv4 tunnel network configured for the server.

Steps to configure:

  • Increase the subnet mask for the IPv4 tunnel network by one. This means that only half of the range will still be used for dynamically assigned addresses, the rest is now free for client-specific ones. This way, all rules and other configurations based on IP ranges (including elsewhere on your network) will continue to work for clients with static addresses. Optionally, change the network address so only the second half of the former range will be used.
  • Add the old IPv4 tunnel network address (with the shorter subnet mask) as an IPv4 remote network. This way, traffic to the entire range (both static and dynamic addresses) will be routed through OpenVPN. (Without this setting, OpenVPN will not be able to reach a client with an address set through a client-specific override.)
  • Add a client override for each client to which you wish to assign a static address:
    • Server: choose your OpenVPN server instance
    • Common name: common name as used by the client certificate
    • IPv4 Tunnel Network: assign a portion of the network you freed up in the previous step; it must have a subnet mask of 30 and the last octet must be a multiple of 4.
  • If you need communication between VPN clients, add the full range (static and non-static) to the IPv4 Local Networks in your server config. (This will also apply to clients with specific overrides.)
  • Finally, register the client address (subnet address for that client, plus 2 in the last octet) in DNS.
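The five steps above are mostly address arithmetic, and the rules (one bit off the tunnel mask, /30 per client, network address a multiple of 4, client at +2, the original range re-added as a remote/local network) are easy to get wrong in the GUI. The following planner is an added example, not code from the answer or from OPNsense: it takes a tunnel network, carves out the static half, validates or allocates client-specific /30s, and emits the resulting server settings, the equivalent OpenVPN `ifconfig-push` directive and the DNS A records. The tunnel network 10.8.0.0/24, the common names, the DNS zone and the choice to name each host after its certificate CN are assumptions made for the illustration.

```python
"""Planner for static OpenVPN client addresses under net30 topology.

Added example; not code from the original answer or from OPNsense. The tunnel
network 10.8.0.0/24, the common names and the DNS zone are made-up inputs.
"""
from ipaddress import IPv4Network


def split_tunnel_network(tunnel_cidr, keep_second_half=False):
    """Narrow the tunnel network by one bit (step 1 of the answer).

    Returns (dynamic_pool, static_pool, full_range): the half that stays the
    server's IPv4 Tunnel Network, the freed half for client-specific overrides,
    and the original range, which goes into IPv4 Remote Network (step 2) and,
    for inter-client traffic, IPv4 Local Networks (step 4).
    """
    full = IPv4Network(tunnel_cidr)  # strict: rejects a CIDR with host bits set
    if full.prefixlen > 28:  # sanity limit chosen here, not an OpenVPN rule
        raise ValueError("use a /28 or larger; smaller ranges leave no room for /30 clients")
    first, second = full.subnets(prefixlen_diff=1)
    dynamic, static = (second, first) if keep_second_half else (first, second)
    return dynamic, static, full


def validate_override_subnet(cidr, dynamic_pool, static_pool):
    """Apply the answer's rules to a proposed client-specific IPv4 Tunnel Network."""
    try:
        subnet = IPv4Network(cidr)  # strict: 10.8.0.130/30 fails because 130 % 4 != 0
    except ValueError as exc:
        raise ValueError(f"{cidr}: network address must be a multiple of 4 ({exc})") from exc
    if subnet.prefixlen != 30:
        raise ValueError(f"{cidr}: net30 topology needs a /30 per client")
    if subnet.subnet_of(dynamic_pool):
        raise ValueError(f"{cidr}: overlaps the server's tunnel network {dynamic_pool}")
    if not subnet.subnet_of(static_pool):
        raise ValueError(f"{cidr}: outside the freed range {static_pool}")
    return subnet


def client_override(cidr, common_name, dynamic_pool, static_pool):
    """One client: in a net30 /30, .0 is the network, .1 the server side, .2 the client."""
    subnet = validate_override_subnet(cidr, dynamic_pool, static_pool)
    server_side = subnet.network_address + 1
    client_ip = subnet.network_address + 2
    return {
        "common_name": common_name,
        "tunnel_network": str(subnet),
        "server_side": str(server_side),
        "client_ip": str(client_ip),
        # the OpenVPN directive such an override boils down to: client address, then server endpoint
        "ifconfig_push": f"ifconfig-push {client_ip} {server_side}",
    }


def allocate_overrides(common_names, dynamic_pool, static_pool):
    """Hand out consecutive /30s from the freed half, in the order the names are given."""
    free = list(static_pool.subnets(new_prefix=30))
    if len(common_names) > len(free):
        raise ValueError(f"only {len(free)} /30s available in {static_pool}")
    return [client_override(str(sub), cn, dynamic_pool, static_pool)
            for cn, sub in zip(common_names, free)]


def dns_records(overrides, zone):
    """Step 5: one A record per client, here named after its certificate CN (an assumption)."""
    return [f"{o['common_name']}.{zone}. IN A {o['client_ip']}" for o in overrides]


def server_settings(dynamic_pool, full_range):
    """What ends up in the server instance after steps 1, 2 and 4."""
    return {
        "ipv4_tunnel_network": str(dynamic_pool),
        "ipv4_remote_network": str(full_range),
        "ipv4_local_networks": str(full_range),  # only needed for client-to-client traffic
    }


if __name__ == "__main__":
    dyn, static, full = split_tunnel_network("10.8.0.0/24")  # constructed sample input
    overrides = allocate_overrides(["alice-laptop", "bob-phone"], dyn, static)
    print(server_settings(dyn, full))
    for override in overrides:
        print(override["ifconfig_push"])
    print("\n".join(dns_records(overrides, "vpn.example.internal")))
```

With 10.8.0.0/24 the server keeps 10.8.0.0/25 for dynamic clients, 10.8.0.128/25 is free for overrides, and the first two clients land on 10.8.0.128/30 and 10.8.0.132/30, reachable as 10.8.0.130 and 10.8.0.134. The validator deliberately rejects 10.8.0.130/30 (not a multiple of 4), anything inside the dynamic pool, and anything outside the original range, which are the three mistakes that silently break the "outside the IPv4 tunnel network" requirement.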