OpenVPN Assign IP addresses with non-contiguous netmask

0

I'm working on using OpenVPN to connect several access points in different locations. I had intended to assign IP addresses to devices so that NAT was not used within the network by using the 10.0.0.0/16 block in the following way:

10.0.0.1 OpenVPN Server
10.0.1.1 OpenVPN Client/Access Point
10.0.2.1 OpenVPN Client/Access Point

Each access point (OpenVPN client) would assign IP addresses from 10.0.x.2 to 10.0.x.254 to its clients.

For this system to work, OpenVPN would need to hand out IP addresses to OpenVPN clients (i.e., access points) with a subnet mask of 255.255.0.255. However, when I attempt this, I get the following error:

Options error: --server directive network/netmask combination is invalid

Is there a way to make the OpenVPN server assign IP addresses using a netmask with non-contiguous bits? For instance, it would give each OpenVPN client an address of the form 10.0.x.1.

Breq16

Posted 2018-06-18T01:54:31.340

Reputation: 198

I don’t understand. An IP address range from 10.0.x.2 to 10.0.x.254 is still a netmask of 255.255.255.0. Can you clarify? Please do not respond in comments; [edit] your question to make it clearer and more complete. – G-Man Says 'Reinstate Monica' – 2018-06-18T02:13:11.500

For what he wants to do the netmask would likely be 255.255.0.0 because his DHCP should assign not only addresses from the last octet but also from the third one. The problem would be that (likely) OpenVPN would assign a random IP from that pool. So you might have 10.0.32.77 and not just 10.0.32.1 assigned. For routing it would be 255.255.255.0, that's right. – Seth – 2018-06-18T06:39:42.230

If your Access Points are to assign addresses themselves you cannot use dynamic assignment on the VPN network anyway. // Using 10.0/16 on the interconnect won’t work like you expect it to, by the way: How would the AP at 10.0.1.1 know that 10.0.2.123 is reachable through 10.0.2.1? You’d have to use proxy_arp or the like. – Daniel B – 2018-06-18T08:33:05.783

Thanks for letting me know about proxy_arp; I was planning to just go crazy with ip route add to make the routing work. You've saved me a lot of time :) – Breq16 – 2018-06-18T14:01:18.220

Yeah, my advice was more along the lines of “don’t”. You’re designing a network that is completely under your control. Why bother with hacks? – Daniel B – 2018-06-19T07:47:37.853

I wasn't aware of another way to set it up so that any device could connect to any other device; is there a better way to go about doing this? – Breq16 – 2018-06-19T13:03:35.237

That would be an excellent topic for a new question. It can’t be explained properly in the comment section. – Daniel B – 2018-06-19T15:29:36.000

Answers

1

You can't have a netmask of 255.255.0.255. It's technically not possible and not supported. A netmask describes which bits of an address are used to identify a host in contrast to the network itself. If you're interested in this, look up how subnetting works. There are plenty of articles about it.

If you're looking at a fixed number of clients just use a fixed IP configuration instead of a DHCP configuration. Have a look at How to set a static IP (client side) in OpenVPN? on ServerFault for some more information. One of the answers could be a good fit for your case.

Seth

Posted 2018-06-18T01:54:31.340

Reputation: 7 657
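An added example, not part of the original answer: a Python sketch that shows why 255.255.0.255 fails a contiguity check and generates one fixed-address `ifconfig-push` line per access point using the contiguous /16 mask instead. It assumes the server runs with `topology subnet` and a `client-config-dir`; the client names `ap1`, `ap2` are hypothetical certificate common names.

```python
import ipaddress

def is_contiguous(mask: str) -> bool:
    """True when the mask is a run of 1-bits followed only by 0-bits."""
    m = int(ipaddress.IPv4Address(mask))
    host_bits = ~m & 0xFFFFFFFF
    # A valid mask leaves host bits of the form 2^k - 1, so adding 1
    # must carry out of every set bit.
    return host_bits & (host_bits + 1) == 0

def ccd_entries(network: str, mask: str, ap_count: int) -> dict:
    """Map a hypothetical client name (apN) to its ifconfig-push line.

    AP number N gets the fixed tunnel address <net>.N.1, i.e. 10.0.N.1
    for the 10.0.0.0/16 block used in the question.
    """
    if not is_contiguous(mask):
        raise ValueError(f"{mask} is not a contiguous netmask")
    net = ipaddress.IPv4Network(f"{network}/{mask}")
    entries = {}
    for n in range(1, ap_count + 1):
        addr = net.network_address + (n << 8) + 1  # third octet N, fourth 1
        if addr not in net:
            raise ValueError(f"AP {n} does not fit in {net}")
        # Each line would go into the file client-config-dir/<client name>.
        entries[f"ap{n}"] = f"ifconfig-push {addr} {net.netmask}"
    return entries

if __name__ == "__main__":
    for mask in ("255.255.0.255", "255.255.0.0"):
        print(mask, "contiguous" if is_contiguous(mask) else "NOT contiguous")
    for name, line in ccd_entries("10.0.0.0", "255.255.0.0", 2).items():
        print(f"ccd/{name}: {line}")
```

The generated lines fix only the tunnel address of each access point; reaching the devices behind an access point is the separate routing question raised in the comments.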