From: Jan J. K. <ja...@ni...> - 2009-03-16 08:09:08
Hi,

kwa...@ya... wrote:
> Trying to set up a small OpenVPN network.
>
> I need to assign a static IP address to an OpenVPN client.
>
> ##------SERVER.conf on Linux
> local 192.168.2.151
> dev tun051
> proto udp
> port 45162
> ifconfig 192.168.21.1 192.168.21.52
> secret BlahBlah.key
> verb 3
> comp-lzo
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> user openvpn
> group openvpn
> daemon
> ##------
>
> So this OpenVPN server is running along.
>
>
>
> ##------CLIENT.ovpn on Windows
> remote ********.com
> dev tun051
> proto udp
> port 45162
> ifconfig 192.168.21.52 192.168.21.1
> secret BlahBlah.key
> verb 3
> comp-lzo
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> ##------
>
> But on this Windows client side, it fails.
> The log contains:
>
> Sun Mar 15 17:39:32 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
> Sun Mar 15 17:39:32 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Sun Mar 15 17:39:32 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sun Mar 15 17:39:32 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Sun Mar 15 17:39:32 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sun Mar 15 17:39:32 2009 LZO compression initialized
> Sun Mar 15 17:39:32 2009 There is a problem in your selection of --ifconfig
> endpoints [local=192.168.21.52, remote=192.168.21.1]. The local and remote
> VPN endpoints must exist within the same 255.255.255.252 subnet. This is a
> limitation of --dev tun when used with the TAP-WIN32 driver. Try
> 'openvpn --show-valid-subnets' option for more info.
> Sun Mar 15 17:39:32 2009 Exiting
>
> So then:
> --show-valid-subnets (Standalone) Show valid subnets for --dev tun emulation.
> Since the TAP-Win32 driver exports an ethernet interface to
> Windows, and since TUN devices are point-to-point in nature,
> it is necessary for the TAP-Win32 driver to impose certain
> constraints on TUN endpoint address selection. Namely, the
> point-to-point endpoints used in TUN device emulation must
> be the middle two addresses of a /30 subnet (netmask 255.255.255.252).
>
> This is the part where I am stuck.
> What changes should be made to the ifconfig statements
> in both the configuration files so that a static IP
> address can be assigned to the Windows system?
>
>
>

A /30 network means you get 4 IP addresses which all have to be adjacent. In your case you'd end up using

  192.168.21.1
  192.168.21.2

The /30 network in this case is the 192.168.21.0 network with addresses

  192.168.21.0 network address
  192.168.21.1 VPN server
  192.168.21.2 VPN client
  192.168.21.3 network broadcast address

Multiple networks in this setup means multiple tun devices with multiple IP addresses, e.g. the second VPN would/could use

  192.168.21.4 network address
  192.168.21.5 VPN server
  192.168.21.6 VPN client
  192.168.21.7 network broadcast address

etc

HTH,

JJK
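
The /30 rule discussed in this thread, as an added example that is not part of the original messages: a Python check that an `--ifconfig` endpoint pair is the two middle addresses of one /30, plus a helper that lists the usable pairs in an address block. The function names `slash30_of`, `check_tun_endpoints` and `endpoint_pairs` are hypothetical; the addresses are the ones from the thread.

```python
import ipaddress
from itertools import islice

def slash30_of(addr):
    """Return the /30 network (netmask 255.255.255.252) containing addr."""
    return ipaddress.ip_network(f"{addr}/30", strict=False)

def check_tun_endpoints(local, remote):
    """Apply the TAP-Win32 rule quoted above: both endpoints must be the
    two middle addresses of the same /30. Returns (ok, reason)."""
    a, b = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    net = slash30_of(a)
    first, second = net.network_address + 1, net.network_address + 2
    if b not in net:
        return False, f"{remote} is outside {net}, the /30 containing {local}"
    if a == b:
        return False, "local and remote are the same address"
    if {a, b} != {first, second}:
        # One endpoint is the network or broadcast address of the /30.
        return False, f"endpoints must be {first} and {second} in {net}"
    return True, f"valid pair in {net}"

def endpoint_pairs(block, count):
    """List the first `count` (server, client) pairs, one per consecutive
    /30 carved out of `block` (one tun device per pair)."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=30)
    return [(str(n.network_address + 1), str(n.network_address + 2))
            for n in islice(subnets, count)]

if __name__ == "__main__":
    # Pair from the failing client config, then the pair suggested in the reply.
    for local, remote in [("192.168.21.52", "192.168.21.1"),
                          ("192.168.21.2", "192.168.21.1")]:
        ok, reason = check_tun_endpoints(local, remote)
        print(f"ifconfig {local} {remote}: {'OK' if ok else 'REJECT'} ({reason})")
    # First two pairs in the thread's address range.
    for server, client in endpoint_pairs("192.168.21.0/24", 2):
        print(f"server {server}  client {client}")
```
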