
I need to set up an OpenVPN network which will probably grow to several hundred clients in the next few months. Some of the clients are servers and others are devices that need services hosted on the server(s).

The idea is to use a 10.10.0.0/16 network that all clients are in. The servers should have a static VPN IP in the range 10.10.0.1 - 10.10.0.254 and the devices should have DHCP VPN IPs in the range 10.10.1.1 - 10.10.255.254. The OpenVPN server (currently 1) has IP 10.10.0.1.

To distribute the static "server" IPs, I uncommented client-config-dir in the OpenVPN server.conf, created a config file for each server in ccd with the server's CN as filename, and added route 10.10.0.0 255.255.0.0 to server.conf. Each client file contains something like this:

ifconfig-push 10.10.0.x 10.10.0.1
iroute 10.10.0.0 255.255.0.0

When I try to ping 10.10.0.1 from one of the servers with a static VPN IP, the ping is successful.

For the DHCP clients I set some configuration in server.conf:

dev tun
proto udp
mode server
tls-server
ifconfig 10.10.0.1 255.255.0.0
ifconfig-pool 10.10.1.1 10.10.255.254
route-gateway 10.10.0.1
push "route-gateway 10.10.0.1"
push "route 10.10.0.0 255.255.0.0 10.10.0.1"

The clients connect correctly and get an IP in the expected range (e.g. 10.10.1.61), but when I try to ping 10.10.0.1, the ping times out. When I check the routes with route -n I see that the wrong gateway is set:

root@somedevice:/home/pi# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.128.60.1     0.0.0.0         UG    202    0        0 eth0
10.10.1.1       0.0.0.0         255.255.255.255 UH    0      0        0 tun0    <-- should be 10.10.0.1 ?
10.128.60.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0

When I add the gateway manually (route add 10.10.0.1 tun0) I'm able to ping the VPN server. I still cannot ping the servers (e.g. 10.10.0.20). When I check routel, I notice that a route to 10.10.0.0/16 is missing.

root@somedevice:/home/pi# routel
         target            gateway          source    proto    scope    dev tbl
        default        10.128.60.1    10.128.60.33     dhcp            eth0
      10.10.0.1                                                 link   tun0
      10.10.1.1                          10.10.1.2   kernel     link   tun0
   10.128.60.0/ 24                    10.128.60.33     dhcp     link   eth0
      10.10.1.2              local       10.10.1.2   kernel     host   tun0 local
    10.128.60.0          broadcast    10.128.60.33   kernel     link   eth0 local
   10.128.60.33              local    10.128.60.33   kernel     host   eth0 local
  10.128.60.255          broadcast    10.128.60.33   kernel     link   eth0 local
      127.0.0.0          broadcast       127.0.0.1   kernel     link     lo local
     127.0.0.0/ 8            local       127.0.0.1   kernel     host     lo local
      127.0.0.1              local       127.0.0.1   kernel     host     lo local
127.255.255.255          broadcast       127.0.0.1   kernel     link     lo local
            ::1                                      kernel              lo
        fe80::/ 64                                   kernel            eth0
        fe80::/ 64                                   kernel            tun0
            ::1              local                   kernel              lo local
fe80::65cf:ce3:fc9f:20fa              local                   kernel            eth0 local
fe80::c648:ccba:8f47:86b7              local                   kernel            tun0 local
        ff00::/ 8                                                      eth0 local
        ff00::/ 8                                                      tun0 local

When I add this route manually (ip route add 10.10.0.0/16 via 10.10.0.1) I can ping the servers (e.g. 10.10.0.20) :-D

Questions:

  • How can I push the correct gateway (10.10.0.1 instead of 10.10.1.1) to the clients with DHCP addresses?
  • How can I push the route 10.10.0.0/16 via 10.10.0.1 to the clients with DHCP addresses?

I thought it was done with

push "route-gateway 10.10.0.1"
push "route 10.10.0.0 255.255.0.0 10.10.0.1"

but that doesn't work. What am I doing wrong?

----------- UPDATE -----------

I just noticed that push "route-gateway 10.10.0.1" and push "route 10.10.0.0 255.255.0.0 10.10.0.1" push the gateway/route to the "static server clients" but not to the clients that receive their VPN IP via DHCP. Why are they not also applied to the DHCP clients?

CodeNinja
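Editor's note, added as an example and not part of the question or the poster's configuration: the routel output above (10.10.1.1 as the on-link peer, 10.10.1.2 as the local address) is what OpenVPN's default "topology net30" produces for ifconfig-pool clients, each getting its own /30 whose far end is not 10.10.0.1, so a pushed route with gateway 10.10.0.1 cannot be installed on those clients, while the ccd clients get 10.10.0.1 as their point-to-point peer via ifconfig-push and accept it. The configuration below assumes "topology subnet" instead, so that every client sits on one 10.10.0.0/16 link; the ccd filename and the 10.10.0.20 address are placeholders taken from the question.

```conf
# server.conf (added example, not the poster's own config)
# Assumption: switching from the default net30 topology to subnet topology,
# so each client gets a single /16 address and 10.10.0.1 is directly on-link.
dev tun
proto udp
mode server
tls-server
topology subnet
# Server's own VPN address plus the netmask of the shared /16
ifconfig 10.10.0.1 255.255.0.0
# Dynamic pool for the devices; in subnet topology this hands out one
# address per client and pushes the netmask along with it
ifconfig-pool 10.10.1.1 10.10.255.254 255.255.0.0
client-config-dir ccd
# Clients must use the same topology, otherwise they still read their
# pushed ifconfig as a point-to-point "local remote" pair
push "topology subnet"
push "route-gateway 10.10.0.1"
# No push "route 10.10.0.0 255.255.0.0 ..." and no server-side
# "route 10.10.0.0 255.255.0.0": tun0 carries the /16 netmask on both
# ends, so the kernel already routes the whole range over the tunnel.

# ccd/<server-CN> (one file per static "server" client, named after its CN;
# placeholder name, address taken from the question)
# In subnet topology the second argument is the netmask, not the peer.
ifconfig-push 10.10.0.20 255.255.0.0
# No iroute here: iroute announces a network *behind* a client, and an
# iroute for the whole 10.10.0.0/16 would overlap with the address pool.
```

The pushed route and route-gateway then reach pool and ccd clients alike, because both now have 10.10.0.1 inside their own tun0 prefix.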