Re: [Openvpn-users] --ifconfig-pool in Bridge Mode [RESEND]


  • Subject: Re: [Openvpn-users] --ifconfig-pool in Bridge Mode [RESEND]
  • From: "Adam Pavelec" <adam@xxxxxxxxxxx>
  • Date: Mon, 12 Jul 2004 11:15:04 -0500
  • Bounce-to: "Adam Pavelec" <adam@pavelec.net>

<DISCLAIMER>I am resending this because it seems the original transmission
was returned.

   ----- The following addresses had permanent fatal errors -----
<openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
    (reason: 550 Administrative prohibition)

Please forgive me if this message makes it to the list twice.</DISCLAIMER>


On Saturday, July 10, 2004 7:52 PM [GMT-5=EST], James Yonan <jim@xxxxxxxxx> wrote:

[SNIP]

> So why is the OpenVPN server not pushing the ifconfig address to the
> client?
> 
> The answer is that it doesn't have enough information.  It needs an
> IP address and netmask to push to the client so that the client can
> configure the TCP/IP properties on the TAP adapter, but the server
> only has the IP address and not the appropriate netmask, so it is
> silently failing to push the ifconfig parms to the client.  Normally
> the server would get the netmask from the local "ifconfig" directive,
> i.e. the ifconfig which sets the IP/netmask for the TAP interface on
> the server, but in this case your slight deviation from the
> sample-config, i.e. removing the "ifconfig" from the server config,
> causes OpenVPN to not know the appropriate ifconfig-pool netmask.

Is this to say that I'm misconfigured for a bridged tunnel since "local
<ip.address.of.openvpn_server>" is being used instead of an ifconfig
statement?  Please let me know if the "proper" way to set up a bridging
OpenVPN server is with an ifconfig directive, for I loosely based the
bridging configuration on the "OpenVPN bridge config, Linux side"
<http://openvpn.sourceforge.net/install32.html>

> Luckily there's an easy fix to this problem.  You can, of course, use
> "ifconfig" in the server config, but this might be harmful if the TAP
> interface is a bridge which doesn't need to be ifconfiged.  What you
> can do, however is something like this:
> 
>   ifconfig 192.168.39.10 255.255.255.0
>   ifconfig-noexec
> 
> This will give OpenVPN the information that it needs to understand
> the local TAP adapter settings without having it actually call the
> ifconfig command to configure those settings.
> 
> Now that OpenVPN has a known netmask for the ifconfig-pool, i.e.
> 255.255.255.0, it will respond correctly to the push-request message
> that comes from the client.

Since the ifconfig is presumably not being executed, is it safe to ignore
these messages?

WARNING: --local address [192.168.39.32] conflicts with --ifconfig subnet
[192.168.39.10, 255.255.255.0] -- local and remote addresses cannot be
inside of the --ifconfig subnet

******** NOTE:  Please manually set the IP/netmask of 'OpenVPN' to
192.168.39.10/255.255.255.0 (if it is not already set)


> This is sort of a bug in the sense that OpenVPN should at least
> generate a warning in this situation, or perhaps the ifconfig-pool
> directive should also have a netmask parameter if it's going to be a
> TAP pool.

That was my original thought, hence my prior attempt to add the netmask to
the end of --ifconfig-pool.

-Adam
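
Added example, not part of the original message and not OpenVPN code: a small Python check for the condition explained in the quoted text above, where a TAP server config has ifconfig-pool but no ifconfig, so there is no netmask to push. It models only the behaviour described in this thread; the function names and the pool range are constructed, and the other addresses are the ones quoted in the message.

```python
import ipaddress

# Constructed sample configs; the pool range is made up for illustration.
BROKEN = """\
dev tap0
local 192.168.39.32
ifconfig-pool 192.168.39.100 192.168.39.120   # no ifconfig: netmask unknown
"""
FIXED = BROKEN + "ifconfig 192.168.39.10 255.255.255.0\nifconfig-noexec\n"


def parse_directives(text):
    """Return {directive: [args]} for an OpenVPN-style config; later lines win."""
    conf = {}
    for line in text.splitlines():
        # '#' and ';' both start a comment in OpenVPN config files.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name.lstrip("-")] = args
    return conf


def check_tap_pool(text):
    """List problems with an ifconfig-pool on a TAP device, per the thread."""
    conf = parse_directives(text)
    dev = (conf.get("dev") or [""])[0]
    if "ifconfig-pool" not in conf or not dev.startswith("tap"):
        return []
    if "ifconfig" not in conf:
        # The case from the thread: the push silently fails.
        return ["ifconfig-pool on TAP without ifconfig: no netmask to push"]
    problems = []
    ip, mask = conf["ifconfig"][:2]
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    for addr in conf["ifconfig-pool"][:2]:
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"pool address {addr} is outside {net}")
    if "ifconfig-noexec" not in conf:
        # Quoted advice: running ifconfig on a bridged TAP may be harmful.
        problems.append("ifconfig without ifconfig-noexec on a TAP device")
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_tap_pool(cfg) or "ok")
```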