securvark 16 Posted ... Edit: Actually I want to edit the title because it is misleading. See the post below for more info and a better explanation. I am running several VPNs to different countries. I am using the FQDN for each country so that on a client restart, it might resolve to another server. I need each tunnel on the same range between reboots. Each VPN client is configured on a net30 topology, an isolated network per client. Below Tunnel Settings, at IPv4 Tunnel Network, I fill in 10.4.0.0/30 for one of the VPN clients. Each client uses a unique range, not conflicting with my internal network or with other VPN clients. After a reboot, this client is running on 10.14.0.1. How do I fix each client to a range I specify? It looks like your servers are pushing /16 subnets to clients. See below. Thanks in advance!
securvark 16 Posted ... Apparently your servers are pushing client options that I can't block or override. You are allowing 5 simultaneous connections, but this is causing my clients to use overlapping /16 subnets. At first I thought it was my client settings that were messed up and I asked on the pfSense forums for some help: https://forum.pfsense.org/index.php?topic=148149.0 However, when your server is configured to push settings, OpenVPN uses those and ignores mine. Here's the result:

Routing tables

Internet:
Destination         Gateway        Flags   Netif  Expire
default             192.168.1.1    UGS     re0
10.4.0.0/16         10.4.0.1       UGS     ovpnc2
10.4.0.1            link#8         UH      ovpnc2
10.4.27.248         link#8         UHS     lo0
10.6.0.0/16         10.6.0.1       UGS     ovpnc1
10.6.0.1            link#7         UH      ovpnc1
10.6.0.27           link#7         UHS     lo0
10.26.13.0/24       link#2         U       re1
10.26.13.254        link#2         UHS     lo0
10.30.0.0/16        10.30.0.1      UGS     ovpnc3
10.30.0.1           link#9         UH      ovpnc3
10.30.0.214         link#10        UHS     lo0
10.30.1.2           link#9         UHS     lo0
10.30.1.95          link#11        UHS     lo0
127.0.0.1           link#4         UH      lo0
192.168.1.0/24      link#1         U       re0
192.168.1.254       link#1         UHS     lo0
194.187.251.154/32  192.168.1.1    UGS     re0

Name             Proto  Status  Connected since            Local address        Virtual address  Remote host            Bytes sent / received
AirVPN Belgium   UDP4   up      Mon May 21 11:47:02 2018   192.168.1.254:56152  10.6.0.27        194.187.251.162:80     13 KiB / 28 KiB
AirVPN Germany   UDP4   up      Mon May 21 11:46:46 2018   192.168.1.254:55677  10.4.27.248      185.189.112.26:443     17 KiB / 34 KiB
AirVPN Sweden    UDP4   up      Mon May 21 11:46:45 2018   192.168.1.254:41699  10.30.1.2        62.102.148.144:1194    23 KiB / 14 KiB
AirVPN Swits     UDP4   up      Mon May 21 11:46:45 2018   192.168.1.254:38526  10.30.0.214      185.156.175.34:2018    41 KiB / 38 KiB
AirVPN GB        UDP4   up      Mon May 21 11:46:47 2018   192.168.1.254:24082  10.30.1.95       185.103.96.132:41185   25 KiB / 19 KiB

As you can see, BE and DE have their own /16 subnet and from the routing table you can see they have their own routes. For SE, CH and GB they are all in 10.30.0.0/16 and only CH is actually up. The others "appear" to be up, but their traffic is ending up in CH as they all have their gateway at 10.30.0.1.
Please can you fix this on your servers and allow clients to override using the IPv4 Tunnel Network setting? Set a unique /30 subnet for each client so I have a reliable and dependable configuration for setting DNS and gateway monitoring. If I am misunderstanding, or there is a fix for this, please help me understand! Thank you!
NaDre 157 Posted ... This may be helpful: https://airvpn.org/topic/25148-ipv6-support-experimental-phase/page-3?do=findComment&comment=71564 I noticed that both Charra and Castor give out the same IPv4 subnet 10.110.0.x ... I count 220 servers. Giving each its own subnet may not be practical. That would make the limit 255 servers. Using the usual UDP 443 connections on non-experimental servers, I find that so long as the actual addresses on the client side are not the same, even if the subnet is the same, I can bind my torrent client to one and SQUID to the other with no problems. I never have either VPN connection be the default gateway. I leave the real gateway as the default gateway by adding more specific routing table entries than the ones that OpenVPN adds (with the 128.0.0.0 netmask for IPv4 or the ::/3, 2000::/4, 3000::/4 and fc00::/7 entries for IPv6) pointing back to my real interface. If there was an address conflict, and just changing one of the servers is not an option, you can use the "client-nat" option for the OpenVPN client to make it appear that one VPN connection is on a different subnet. To use "client-nat" you also have to suppress the "ifconfig" option pushed from the server using the "pull-filter" option, and specify your own "ifconfig". Unfortunately "client-nat" only works for IPv4. The problem is that the value you use with your "ifconfig" has to match what the server wants after the subnet. But if you use "pull-filter" to suppress the pushed "ifconfig", then that information will not be available in an environment variable. I had (still have but don't use any more) a script that connects once to the server with "--ifconfig-noexec" to retrieve that info and pass it on to a second connection. But this won't work with IPv6 since "client-nat" only works for IPv4.
The OpenVPN manual page is here: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage EDIT: This may also interest you: https://airvpn.org/topic/14314-static-internal-ip/?do=findComment&comment=28045 ... I have begun using a version of OpenVPN that I patched to add a new configuration command I have tentatively called "ifconfig-nat". It is fairly easy to build OpenVPN from source for Linux yourself (although I have built it for Windows too). So I will paste the patch in at the end of this, in case you want to try it. With the patch applied, I add this line to my configuration files: ifconfig-nat 10.44.0.2 10.44.0.1 My local address now appears to be 10.44.0.2. And the remote/gateway address appears to be 10.44.0.1. ... I have a more up to date version of that patch. But it only works for IPv4 since there is no "client-nat" for IPv6.
securvark 16 Posted ... This may be helpful: <snip> Thanks for your reply. I've been reading one of your older posts: https://airvpn.org/topic/9518-faking-static-local-vpn-addess-using-client-nat-and-ifconfig/ Have you ever done this on pfSense and would you know whether that could work or not?
NaDre 157 Posted ... ... I've been reading one of your older posts: https://airvpn.org/topic/9518-faking-static-local-vpn-addess-using-client-nat-and-ifconfig/ Have you ever done this on pfSense and would you know whether that could work or not? I have used OpenVPN extensively with Windows and Linux, but not so much with BSD. I think the basic idea should work: connect once to get the IP address/subnet that AirVPN expects, then generate (part of) the configuration file for a second connection. The discussion in that older post assumes that you are using a GUI on Windows to make connections, and you close connections manually. In a script, I suggest that the first connection use "--ifconfig-noexec" and return with "exit 1" from the "--up" script, which writes needed info from the push response somewhere so that the script can retrieve this and make the second/real connection.
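As an added illustration of the two-stage approach NaDre outlines in the two posts above (this is example code written for this thread, not NaDre's script and not pfSense or AirVPN code), the POSIX shell below does both stages: as the --up script of a probe connection started with --ifconfig-noexec it records the pushed addresses and exits 1, and a second function turns that record into a config fragment with "pull-filter", your own "ifconfig" and two "client-nat" rules. The variables ifconfig_local, ifconfig_remote, route_vpn_gateway and script_type are real OpenVPN up-script environment variables; the function names, the state-file path and the assumption of a point-to-point (net30-style) tun topology are mine. If the server also pushes "topology subnet" or "route-gateway", those lines would have to be filtered as well, and as NaDre says this covers IPv4 only, since client-nat has no IPv6 counterpart.

```shell
#!/bin/sh
# Added example for the two-stage "probe, then real connection" approach.
# Not NaDre's script, nor pfSense/AirVPN code. IPv4 only (client-nat limit).

# Stage 1: record the addresses OpenVPN would have configured.
# ifconfig_local, ifconfig_remote and route_vpn_gateway are set by OpenVPN
# for --up scripts; with --ifconfig-noexec they are passed but not applied.
# Returns 1 if the variables are missing. Argument: path of the state file.
record_pushed_addrs() {
    state_file=$1
    gw=${route_vpn_gateway:-${ifconfig_remote:-}}
    if [ -z "${ifconfig_local:-}" ] || [ -z "$gw" ]; then
        return 1
    fi
    printf '%s %s\n' "$ifconfig_local" "$gw" > "$state_file"
}

# Stage 2: print the config fragment for the real connection.
# Arguments: pushed_local pushed_gateway wanted_local wanted_gateway
# pushed_* come from the state file; wanted_* is the /30 you chose, e.g.
# 10.4.0.2 and 10.4.0.1 for the 10.4.0.0/30 tunnel network in this thread.
write_nat_fragment() {
    pushed_local=$1 pushed_gw=$2 wanted_local=$3 wanted_gw=$4
    # pull-filter matches the start of the pushed option text; the trailing
    # space keeps a pushed "ifconfig-ipv6" line from being dropped too.
    printf 'pull-filter ignore "ifconfig "\n'
    # Our own addressing (assumed point-to-point tun topology, as with net30).
    printf 'ifconfig %s %s\n' "$wanted_local" "$wanted_gw"
    # snat: network = what this client uses, alias = what the server assigned,
    # so packets leave with the source address the server expects.
    printf 'client-nat snat %s 255.255.255.255 %s\n' "$wanted_local" "$pushed_local"
    # dnat: the server's real gateway is presented locally as the chosen one.
    printf 'client-nat dnat %s 255.255.255.255 %s\n' "$wanted_gw" "$pushed_gw"
}

# When OpenVPN runs this file as the probe's --up script (script_type is
# another variable OpenVPN sets), record the addresses and abort the probe,
# which is the "exit 1 from the --up script" step described above.
if [ "${script_type:-}" = "up" ]; then
    record_pushed_addrs "${PROBE_STATE:-/tmp/vpn-probe.state}"
    exit 1
fi
```

Usage, assuming the file is saved as probe.sh: run the probe with `openvpn --config client.ovpn --ifconfig-noexec --script-security 2 --up ./probe.sh`, then `read pl pg < /tmp/vpn-probe.state; . ./probe.sh; write_nat_fragment "$pl" "$pg" 10.4.0.2 10.4.0.1` and put the four printed lines into the real connection's configuration (on pfSense, the OpenVPN client's Custom options box). Because the probe always exits 1, the tunnel never comes up with the server's addressing, so nothing is routed through it before the pinned configuration is in place.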