Menu
What's new
By:
Filters Better Search

Tutorial Subnetting your openvpn server for dummies or also known as...

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

N

NOYFUB

New Around Here
subnetting the vpn tunnel for extra security and obfuscation in asuswrt-merlin.

Your satandard subnet has 254 usable addresses, But the vpn only allows 5 connections so why have all those other addresses your not using floating around. (I don't know, cause I'm still kind of stupid about alot of this). So I decreased the subnet to 8 or a total of 6 usable addresses, !st address and last address in subnet are used by something else (I don't know what, but you can't use them as addresses).
The easiest way i have found to shrinking the subnet is , half the distance to the goal. You start out with 254 usable addresses in the subnet, (0 and 255) belong something else, and is written with a 0 at the end of the subnet mask ie. 255.255.255.0. Half of 256, (0 is considered a address, so the 255 + 1) is 128 toatl addresses or 126 usable, who's subnet mask would be written as 255.255.255.128. but thats still to big for my tastes.

Netmask Quick Reference Chart

unixwiz.net unixwiz.net

Here is a nice chart for you .

I chose to subnet down to 6 usable addresses, which is the minimum that asuswrt-merlin will allow you to do. (fyi if you need to have more than 6 clients in your password list including the admin one you will have to increase the size of one of your subnets, as the password list won't let you add more users than the subnets will allow, so 6 addresses means six users, more than that and ONE of the servers has to have a higher number of addresses. both servers don't have to on the same subnet.) and 14 usable addresses on the other. one servers for teching and phones passing through and the others site to site. And heres the biggie the subnet DOES NOT have to start at 0.

so if you wanted to write this in the advanced server section. a example is 10.11.12.16 mask is 255.255.255.248 would give you 8 addresses , 6 of which are usable. with a starting usable address of 10.11.12.17

10.11.12.0 mask 255.255.255.248
10.11.12.8 mask 255.255.255.248
10.11.12.16 mask 255.255.255.248
10.11.12.24 mask 255.255.255.248
etc.
and if you consult the handy dandy chart above you will see that for a 16 usable addresses you put in a subnet mask of 255.255.255.240, and your starting addresses 10.11.12.0, 10.11.12.16, 10.11.12.32, etc. ect.

I hope it helps my fellow dummies out there. and I expect others might correct me if I wrong about something or left something out.
 
Might be easier and more effective to simply change to a net30 topology.

Code: 
topology net30

Now every client is allocated its own /30 subnet (4 IPs, low and high unusable, middle two allocated to each end of the tunnel). It effectively creates a P2P (point to point) connection.

You might not have noticed, but sometimes commercial OpenVPN providers do just that, rather than use subnet. By doing so, it's possible to vastly reduce the chances of an IP clash when you're connecting multiple, concurrent OpenVPN clients, esp. when it's the same server. If it's a subnet topology, you're likely to have issues since the entire subnet (e.g., /24) is defined across multiple network interfaces. This is one of those things users would be wise to notice when deciding on the choice of OpenVPN providers, and who plan to make multiple concurrent connections (unfortunately, few do).

When it comes to your own OpenVPN server, it's not particularly useful, unless perhaps you wish to provide your own OpenVPN server to others as a service. For the average home user, I don't see having additional unused IPs as a security risk.
 
Unfortunately I don't think i can do that net 30 thingy with the asus routers, and my limited but slowly increasing knowledge of networking. But tomorrow is another day, and you never know.
 
All you have to do is add that directive to the OpenVPN server custom config field.

I did notice the following in the syslog once I did.

Code: 
Nov 25 11:07:14 lab-merlin1-F5CDB2F-C ovpn-server1[18329]: WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.

So it looks as though eventually OpenVPN plans to eliminate this capability some time in the future anyway. Not sure why.
 
Last edited:
You must log in or register to reply here.

Similar threads

J
network IP address space seems odd
Replies
5
Views
312
ColinTaylor
C
P
Subnetting LAN isolation
Replies
2
Views
960
Pixwert
P
Z
Subnetting w/AXE16000 and MoCA
Replies
17
Views
386
Zim
Z
M
OpenVPN clients cannot connect to LAN computers.
Replies
0
Views
569
MNBob
M
P
Tutorial Subnetting isolation without a VLAN switch
Replies
6
Views
900
Justinh
J
Similar threads
Thread starter Title Forum Replies Date
P Subnetting LAN isolation Asuswrt-Merlin 2
T [Help] Problems setting up OpenVPN Asuswrt-Merlin 7
N dedicated router for OpenVPN Asuswrt-Merlin 4
N Solved OpenVPN Server split tunnell config Asuswrt-Merlin 5
C Connection to router by ip fails while remote over OpenVPN Asuswrt-Merlin 17
S OpenVPN LAN access + one external IP Asuswrt-Merlin 3
J VPN director Multiple OpenVPN clients Asuswrt-Merlin 7
G OpenVPN Server log, is this in error ? Asuswrt-Merlin 7
H Extremely low speed on ac86u with openvpn client Asuswrt-Merlin 7
H Can no longer get OpenVPN Server to work Asuswrt-Merlin 4

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 909 (members: 14, guests: 895)
Top