I'm working on using OpenVPN to connect several access points in different locations. I had intended to assign IP addresses to devices so that NAT was not used within the network by using the 10.0.0.0/16 block in the following way:
10.0.0.1 OpenVPN Server
10.0.1.1 OpenVPN Client/Access Point
10.0.2.1 OpenVPN Client/Access Point
Each access point (OpenVPN client) would assign IP addresses from 10.0.x.2 to 10.0.x.254 to its clients.
For this system to work, OpenVPN would need to hand out IP addresses to OpenVPN clients (i.e., access points) with a subnet mask of 255.255.0.255. However, when I attempt this, I get the following error:
Options error: --server directive network/netmask combination is invalid
Is there a way to make the OpenVPN server assign IP addresses using a netmask with non-contiguous bits? For instance, it would give each OpenVPN client an address of the form 10.0.x.1.
I don’t understand. An IP address range from 10.0.x.2 to 10.0.x.254 is still a netmask of 255.255.255.0. Can you clarify? Please do not respond in comments; [edit] your question to make it clearer and more complete. – G-Man Says 'Reinstate Monica' – 2018-06-18T02:13:11.500
For what he wants to do the netmask would likely be 255.255.0.0 because his DHCP should assign not only addresses from the last octet but also from the third one. The problem would be that (likely) OpenVPN would assign a random IP from that pool. So you might have 10.0.32.77 and not just 10.0.32.1 assigned. For routing it would be 255.255.255.0, that's right. – Seth – 2018-06-18T06:39:42.230
If your Access Points are to assign addresses themselves you cannot use dynamic assignment on the VPN network anyway. // Using 10.0/16 on the interconnect won’t work like you expect it to, by the way: How would the AP at 10.0.1.1 know that 10.0.2.123 is reachable through 10.0.2.1? You’d have to use proxy_arp or the like. – Daniel B – 2018-06-18T08:33:05.783
Thanks for letting me know about proxy_arp; I was planning to just go crazy with ip route add to make the routing work. You've saved me a lot of time :) – Breq16 – 2018-06-18T14:01:18.220
Yeah, my advice was more along the lines of “don’t”. You’re designing a network that is completely under your control. Why bother with hacks? – Daniel B – 2018-06-19T07:47:37.853
I wasn't aware of another way to set it up so that any device could connect to any other device; is there a better way to go about doing this? – Breq16 – 2018-06-19T13:03:35.237
That would be an excellent topic for a new question. It can’t be explained properly in the comment section. – Daniel B – 2018-06-19T15:29:36.000
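
An added example, not part of the original question or comments: it checks whether a netmask is a contiguous prefix (255.255.0.255 is not), lays out the 10.0.x.0/24 plan from the question, and looks up which access point a destination such as 10.0.2.123 sits behind. The function names and the access point count of 2 are assumptions made for illustration.

```python
import ipaddress


def is_contiguous_netmask(mask: str) -> bool:
    """True if the dotted-quad mask is a run of 1 bits followed only by 0 bits."""
    m = int(ipaddress.IPv4Address(mask))
    inverted = ~m & 0xFFFFFFFF              # host bits become 1s
    # A valid prefix mask inverts to 2**k - 1, so adding 1 clears every set bit.
    return (inverted & (inverted + 1)) == 0


def ap_plan(block: str, ap_count: int) -> dict:
    """Split block into /24s: subnet 0 holds the server, 1..ap_count go to the APs."""
    subnets = list(ipaddress.ip_network(block).subnets(new_prefix=24))
    plan = {}
    for x in range(1, ap_count + 1):
        hosts = list(subnets[x].hosts())    # 10.0.x.1 through 10.0.x.254
        plan[x] = {
            "subnet": subnets[x],           # what a route for this AP would cover
            "gateway": hosts[0],            # the AP itself, 10.0.x.1
            "dhcp_first": hosts[1],         # 10.0.x.2
            "dhcp_last": hosts[-1],         # 10.0.x.254
        }
    return plan


def next_hop(plan: dict, dest: str):
    """Return the AP address whose /24 contains dest, or None if no AP owns it."""
    addr = ipaddress.ip_address(dest)
    for entry in plan.values():
        if addr in entry["subnet"]:
            return entry["gateway"]
    return None


if __name__ == "__main__":
    for mask in ("255.255.0.255", "255.255.0.0", "255.255.255.0"):
        print(mask, "contiguous" if is_contiguous_netmask(mask) else "non-contiguous")
    plan = ap_plan("10.0.0.0/16", ap_count=2)   # constructed: two APs, as in the question
    for x, entry in plan.items():
        print(f"AP {x}: {entry['subnet']} via {entry['gateway']}, "
              f"DHCP {entry['dhcp_first']}-{entry['dhcp_last']}")
    print("10.0.2.123 is behind", next_hop(plan, "10.0.2.123"))
```

Each address falls inside exactly one contiguous /24, which is the per-access-point prefix the comments refer to for routing.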