Bug #14680

closed

server/client openvpn /30

Added by Alhusein Zawi over 2 years ago. Updated over 2 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

Server/client does not work if the Tunnel Network is not a /30 in SSL/TLS mode; it works with a shared key.

  • Create an OpenVPN server and an OpenVPN client in SSL/TLS mode.
  • Set the Tunnel Network to a /24.
  • Do not enable DCO (enabling DCO does not change the behavior).
  • Add the remote/local networks (LANs).
  • Check the routing table (routes should be added on both sides).
  • Ping the remote LAN IP (source: local LAN). It does not work.
  • A PCAP shows ICMP requests on the OpenVPN interface; the other side cannot see them.

Change the Tunnel Network to a /30 and repeat the steps: it works.

Return the Tunnel Network to a /24 with the mode set to shared key: it works.

Actions #1

Updated by Kris Phillips over 2 years ago

Based on the note below the Tunnel Network field, this might be expected behavior:

A tunnel network of /30 or smaller puts OpenVPN into a special peer-to-peer mode which cannot push settings to clients. This mode is not compatible with several options, including DCO, Exit Notify, and Inactive.

However, if this is expected behavior, we should add a check to ensure the end user is warned of the invalid config without a /30, as it's really easy to mess this up with the wrong subnet.

I tested this and can confirm this broken functionality with anything except a /30. The OpenVPN client can ping the OpenVPN server, but not the other way around until it's set to /30.

Actions #2

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Not a Bug
  • Target version deleted (23.05.1)

This is just how OpenVPN works. With a /24 subnet, SSL/TLS, and no DCO you have to have Overrides to set up iroutes because it's in client/server mode internally in OpenVPN.

With a /30 it's in "peer to peer" mode internally in OpenVPN, not client/server mode, so it doesn't need iroutes.

Shared key is always in peer to peer mode no matter what size subnet you specify, it operates the same way.

There is no way to warn the user about this because there are legitimate use cases for all sorts of combinations here.

This is all covered in the docs in detail.
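The following is an added illustration of the distinction drawn in the comments above; it is not code from the bug report or from pfSense. It applies the rule quoted from the Tunnel Network field note (a /30 or smaller tunnel network selects peer-to-peer mode in SSL/TLS; shared key is always peer-to-peer) and then renders the raw OpenVPN directives each topology needs so that a remote LAN behind the other site is reachable: in client/server mode a kernel `route` on the server plus an `iroute` in a per-client `ccd/<CN>` file (what a pfSense Client Specific Override writes), in peer-to-peer mode only `ifconfig` and `route`. The tunnel network, LAN prefix and client CN values are constructed for the example.

```python
"""Added example (not from the bug report or pfSense): which internal OpenVPN
topology a tunnel network selects, and the site-to-site directives each one
needs for a remote LAN."""
import ipaddress
from typing import Dict, List


def openvpn_topology(tunnel_network: str, mode: str) -> str:
    """Return 'p2p' or 'client-server' for the given tunnel network and mode.

    mode is 'ssl-tls' or 'shared-key'. The /30 threshold is the rule quoted in
    the report: a /30 or smaller tunnel network puts SSL/TLS into peer-to-peer
    mode; shared key is peer-to-peer regardless of the subnet size.
    """
    net = ipaddress.ip_network(tunnel_network, strict=False)
    if net.version != 4:
        raise ValueError("this example covers IPv4 tunnel networks only")
    if mode == "shared-key":
        return "p2p"
    if mode == "ssl-tls":
        return "p2p" if net.prefixlen >= 30 else "client-server"
    raise ValueError(f"unknown mode: {mode}")


def _masked(cidr: str) -> str:
    """'192.168.2.0/24' -> '192.168.2.0 255.255.255.0' (OpenVPN's route form)."""
    n = ipaddress.ip_network(cidr, strict=False)
    return f"{n.network_address} {n.netmask}"


def render_site_to_site(tunnel_network: str, mode: str, client_cn: str,
                        remote_lans: List[str]) -> Dict[str, List[str]]:
    """Return the server-side directives needed to reach the remote LANs.

    Result keys: 'server' (lines for the server config) and 'ccd/<client_cn>'
    (lines for the per-client file selected by client-config-dir; empty in
    peer-to-peer mode, where plain 'route' entries are sufficient).
    """
    net = ipaddress.ip_network(tunnel_network, strict=False)
    topology = openvpn_topology(tunnel_network, mode)
    server: List[str] = []
    ccd: List[str] = []
    if topology == "client-server":
        server.append(f"server {net.network_address} {net.netmask}")
        server.append("client-config-dir ccd")
        for lan in remote_lans:
            # Kernel route on the server host, pointing into the tun interface.
            server.append(f"route {_masked(lan)}")
            # Internal route: tells OpenVPN which connected client owns that
            # LAN, so return traffic is sent down the right client session.
            ccd.append(f"iroute {_masked(lan)}")
    else:
        if net.prefixlen > 31:
            raise ValueError("peer-to-peer needs at least two tunnel addresses")
        # Peer-to-peer: a fixed local/remote endpoint pair, no iroute needed.
        addrs = list(net)[1:3] if net.prefixlen <= 30 else list(net)
        server.append(f"ifconfig {addrs[0]} {addrs[1]}")
        for lan in remote_lans:
            server.append(f"route {_masked(lan)}")
    return {"server": server, f"ccd/{client_cn}": ccd}


if __name__ == "__main__":
    # Constructed values: the report's /24 versus /30 cases, one remote LAN.
    for cidr, mode in [("10.8.0.0/24", "ssl-tls"), ("10.8.0.0/30", "ssl-tls"),
                       ("10.8.0.0/24", "shared-key")]:
        print(f"{cidr} {mode}: {openvpn_topology(cidr, mode)}")
        for name, lines in render_site_to_site(cidr, mode, "siteb",
                                               ["192.168.2.0/24"]).items():
            for line in lines:
                print(f"  [{name}] {line}")
```

Running it shows why the /24 SSL/TLS case in the report fails without an override: the server has a kernel route for 192.168.2.0/24 into the tunnel, but without the `iroute` in `ccd/siteb` OpenVPN has no internal mapping from that LAN to the connected client, so replies from the server side never reach it; the /30 and shared-key cases have a single fixed peer and need only `route`.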
