Re: [Openvpn-devel] Netmask OpenVPN Server
Hi,

On Wed, Sep 01, 2010 at 10:38:01AM +0200, Eike Lohmann wrote:
> We are working with static assignments and if the 2 networks are side by
> side I can recompile the code and define a larger mask.
>
> We don't have client-2-client and didn't use the ifconfig-pool.

In that case, all this doesn't really matter.  Just add as many "route"
and "push route" statements as you have networks.  (There's no size limit
for "route").

The limitation in the "server" statement for the network is there because
it implicitly defines the ifconfig-pool - "server" is a macro that
translates "server <network> <netmask>" to

  mode server
  tls-server
  push "topology <topology>"
  ifconfig
  ifconfig-pool
  push "route"

So for your setup, you could do:

  # first network, used for tun on server and for pool (if needed)
  server 172.16.0.0 255.255.0.0

  # second network: routed to openvpn process, available for ifconfig-push
  route 10.1.0.0 255.255.0.0
  push "route 10.1.0.0 255.255.0.0"

  # third network
  # ...

(this is the lazy way, still using "server" with the first network, but
you could indeed do it without any pool on the server side by explicitly
spelling everything out that "server" configures for you)

> Is this also working if I have 2 networks far away from each other (10.x
> and 192.168.x), with defining a 'all your base belong to us' netmask in
> the code e.g. 0.0.0.0 :)

No, because then OpenVPN would signal the Linux side "the internet is
behind OpenVPN, route everything to me!".

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
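An added illustration, not code from this thread or from OpenVPN itself: it expands a "server <network> <netmask>" line into the explicit directives Gert lists above (default net30 topology) and applies the IFCONFIG_POOL_MIN_NETBITS limit that the error message quoted later in the thread enforces. The address offsets it uses for ifconfig and ifconfig-pool are an assumption extrapolated from the manpage's /24 example, not taken from pool.h.

```python
import ipaddress

# Compiled-in lower bound for the pool network size (pool.h, per the thread);
# a prefix shorter than this is rejected by the 'server' directive.
IFCONFIG_POOL_MIN_NETBITS = 16


def expand_server(network, netmask, client_to_client=False,
                  min_netbits=IFCONFIG_POOL_MIN_NETBITS):
    """Expand 'server <network> <netmask>' into the directives it stands for.

    Returns (ok, lines). When the netmask allows more hosts than the
    compiled-in limit, ok is False and lines holds the error text.
    Assumes the default net30 topology. The offsets (server on .1/.2,
    pool from .4 up to broadcast-4) are an assumption extrapolated from
    the manpage's /24 example, not read from OpenVPN's source.
    """
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    if net.prefixlen < min_netbits:
        return False, [
            "--server directive netmask allows for too many host addresses "
            f"(subnet must be /{min_netbits} or higher)"]
    base = int(net.network_address)
    local = ipaddress.IPv4Address(base + 1)
    remote = ipaddress.IPv4Address(base + 2)
    pool_start = ipaddress.IPv4Address(base + 4)
    pool_end = ipaddress.IPv4Address(int(net.broadcast_address) - 4)
    lines = [
        "mode server",
        "tls-server",
        'push "topology net30"',
        f"ifconfig {local} {remote}",
        f"ifconfig-pool {pool_start} {pool_end}",
        f"route {net.network_address} {net.netmask}",
    ]
    # Without client-to-client, clients only need a host route to the
    # server end of the tunnel; with it, they need the whole VPN network.
    if client_to_client:
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    else:
        lines.append(f'push "route {local}"')
    return True, lines


if __name__ == "__main__":
    for args in (("172.16.0.0", "255.255.0.0"), ("10.192.0.0", "255.240.0.0")):
        ok, out = expand_server(*args)
        print(f"server {args[0]} {args[1]} ->", "ok" if ok else "rejected")
        print("\n".join("  " + line for line in out))
```

Lowering min_netbits models the recompile Gert suggests; the /12 network JJK uses below is accepted only once the limit is at 12 or lower.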
Re: [Openvpn-devel] Netmask OpenVPN Server
Hi Eike,

Eike Lohmann wrote:
> We are working with static assignments and if the 2 networks are side by
> side I can recompile the code and define a larger mask.
>
> Is this also working if I have 2 networks far away from each other (10.x
> and 192.168.x), with defining a 'all your base belong to us' netmask in
> the code e.g. 0.0.0.0 :)
>
> We don't have client-2-client and didn't use the ifconfig-pool.

If you're not using ifconfig-pool then you can do this without recompiling
anything; use a 'learn-addr' script or 'client-connect' script to assign
addresses and do NOT use the 'server' statement (see my previous posting).

cheers,

JJK

> On 01.09.2010 10:22, Gert Doering wrote:
>> Well, this really depends on what you want to do with it.
>>
>> If you want to do static assignments (ifconfig-push in ccd/ or via
>> radius-plugin), this can be done today.
>>
>> If you want the ifconfig-pool to span two different networks, this can
>> not be done today - there can only be one pool, and it must be
>> contiguous.
Re: [Openvpn-devel] Netmask OpenVPN Server
We are also using old openvpn clients with windows, there we have to use
/30 netmasks (4 IPs) and can only configure 4096 users. To handle the load
on the machines we build a cluster with dynamic routing and yes, we are
getting close to the /16 network limit.

On 31.08.2010 13:31, Gert Doering wrote:
> Hi,
>
> On Tue, Aug 31, 2010 at 12:35:03PM +0200, Eike Lohmann wrote:
>> In the past only /16 networks were possible per openvpn instance.
>> Is it now possible to define larger networks or define 2x /16 networks
>> on one openvpn instance?
>
> I assume that you're talking about this error message:
>
>   --server directive netmask allows for too many host addresses (subnet must be %s or higher)
>
> right?
>
> If yes, it should work to change
>
>   #define IFCONFIG_POOL_MIN_NETBITS 16
>
> in pool.h to "14" (etc) and recompile - every extra bit will double
> memory consumption [for the pool handling, if I remember right], so use
> with care.
>
> (You really have more than 16000 users on a single OpenVPN instance?
> Wow, I'm impressed!)
>
> gert
Re: [Openvpn-devel] Netmask OpenVPN Server
Gert Doering wrote:
> Hi,
>
> On Tue, Aug 31, 2010 at 12:35:03PM +0200, Eike Lohmann wrote:
>> In the past only /16 networks were possible per openvpn instance.
>> Is it now possible to define larger networks or define 2x /16 networks
>> on one openvpn instance?
>
> I assume that you're talking about this error message:
>
>   --server directive netmask allows for too many host addresses (subnet must be %s or higher)
>
> right?
>
> If yes, it should work to change
>
>   #define IFCONFIG_POOL_MIN_NETBITS 16
>
> in pool.h to "14" (etc) and recompile - every extra bit will double
> memory consumption [for the pool handling, if I remember right], so use
> with care.
>
> (You really have more than 16000 users on a single OpenVPN instance?
> Wow, I'm impressed!)

Alternatively, if you have fewer than 16000 users but want to have a very
large network anyway then don't use

  server 10.192.0.0 255.240.0.0

but try something like

  ifconfig 10.192.0.1 10.192.0.2
  ifconfig-pool 10.192.100.100 10.192.100.192
  route 10.192.0.0 255.240.0.0
  push "route 10.192.0.1"               # if client-to-client is not used
  push "route 10.192.0.0 255.240.0.0"   # this is used for client-to-client

This sets up the network 10.192.0.0/12 but allocates a much smaller pool
for the clients inside this network.

HTH,

JJK
Re: [Openvpn-devel] Netmask OpenVPN Server
Hi,

On Tue, Aug 31, 2010 at 12:35:03PM +0200, Eike Lohmann wrote:
> In the past only /16 networks were possible per openvpn instance.
> Is it now possible to define larger networks or define 2x /16 networks
> on one openvpn instance?

I assume that you're talking about this error message:

  --server directive netmask allows for too many host addresses (subnet must be %s or higher)

right?

If yes, it should work to change

  #define IFCONFIG_POOL_MIN_NETBITS 16

in pool.h to "14" (etc) and recompile - every extra bit will double memory
consumption [for the pool handling, if I remember right], so use with care.

(You really have more than 16000 users on a single OpenVPN instance?
Wow, I'm impressed!)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de