R Mullen wrote:
Hello,

There's a hardcoded size limit in pool.h when assigning the netmask to your VPN. It only allows you to have /16 networks or smaller, and I think this should be increased to /8 so that you can use the whole 10.0.0.0/8 subnet as described by RFC 1918 concerning dedicated private subnets. Naturally, there's no reason anyone would have a network that size (that's a lot of hosts!) on a VPN because it's completely asinine to think that your hardware could support a network like that running on a single daemon. However, if you are assigning static IP addresses per host and you have a good reason to want to put specific hosts on their own smaller /24 subnets, those might add up if you don't want more than a handful of machines on each /24 net.
What you describe doesn't require a larger ifconfig-pool size. Static addresses assigned via ccd or client-connect scripts should never use the same range from an ifconfig-pool directive because the IP may have been previously assigned from the pool. In this case you would choose a range of addresses to hand out dynamically through the ifconfig-pool option and set static addresses for clients that needed them. As you point out, there is no need to actually connect more than a /16 worth of VPN clients, which means there's no reason to allow an IP range larger than this to be used in ifconfig-pool.
This does *not* mean that you are prevented from using networks of any size with your VPN or pushing large routes. Normally you would never use the entire 10/8 network solely for the VPN network, but you could if you wanted to. In this case you couldn't use the "server" helper-directive since its expansion includes an ifconfig-pool directive that exceeds the maximum ifconfig-pool value. There's no logical reason to increase this value within the source, so if you really want to do this you should expand the "server" helper-directive yourself and set a more sane ifconfig-pool value.
Even in this case, what you probably want is to allocate a fairly small subnet within the 10/8 network for your VPN clients and push routes for the remainder of the network. You can certainly push networks of any size you want, including the 10/8 network.
I acknowledge the fact that a large network like this is not actually possible in implementation, but I'm not aware of a good reason why this hardcoded limit is in place. I've attached a patch created against version 2.1_rc7, but it should also apply against all versions in subversion as of today. If someone knows why this hardcoded limit is in place, I'd like to know if it's unsafe to run OpenVPN with my patch applied. Thanks, and great product!
-- Josh
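As an added example (not part of this thread, and not a config shipped with OpenVPN), here is the manual expansion described above: the "server" helper replaced by its constituent directives with a /24 pool, the rest of 10/8 pushed as a route, and ccd static addresses kept outside the pool. The expansion follows the net30 form documented in the OpenVPN 2.1 man page; the ccd path, client names and address blocks are assumptions.

```conf
# --- server.conf (added example, not from the thread) ---
# Hand-expanded equivalent of "server 10.8.0.0 255.255.255.0" for the
# default net30 topology, as documented in the OpenVPN 2.1 man page.
dev tun
mode server
tls-server
# Server end of the tunnel: 10.8.0.1, with 10.8.0.2 as its peer endpoint
ifconfig 10.8.0.1 10.8.0.2
# Dynamic clients draw addresses only from this /24, far below the
# /16 ceiling (IFCONFIG_POOL_MAX in pool.h) that the thread is about
ifconfig-pool 10.8.0.4 10.8.0.251
# Kernel route so the server host reaches pool clients via the tun device
route 10.8.0.0 255.255.255.0
# Clients learn that the whole RFC 1918 10/8 sits behind the VPN; this is
# the "push a route for the remainder" step, and involves no pool at all
push "route 10.0.0.0 255.0.0.0"
# Static per-client addresses come from ccd files, in ranges that never
# overlap the ifconfig-pool above (assumed directory)
client-config-dir /etc/openvpn/ccd
# Routes for the separate /24 blocks used by statically addressed hosts,
# again so the server kernel sends their traffic into the tun device
route 10.9.1.0 255.255.255.0
route 10.9.2.0 255.255.255.0

# --- /etc/openvpn/ccd/host-a (file name = client certificate CN, assumed) ---
# net30 needs a /30 pair; valid last-octet pairs are [1,2] [5,6] [9,10] ...
ifconfig-push 10.9.1.1 10.9.1.2

# --- /etc/openvpn/ccd/host-b (assumed) ---
ifconfig-push 10.9.2.1 10.9.2.2
```

Because each static host lives in its own /24 outside 10.8.0.0/24, adding more of them never grows the pool, so the pool.h limit is never reached.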