Pfsense OpenVPN : Why is a client IP used as a gateway?


I am wondering why a client IP (172.21.0.2) is used as a gateway for the OpenVPN subnet (172.21.0.0/20)? This IP is attributed to the first client that connects.

Note that I did not encounter any issue with the clients and their connections.

Please find below some information to contextualize:

  • server.conf
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
multihome
tls-server
server 172.21.0.0 255.255.0.0
client-config-dir /var/etc/openvpn-csc/server1
lport 1194
management /var/etc/openvpn/server1.sock unix
client-to-client
duplicate-cn
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-128-GCM
topology subnet
  • $ ifconfig -a
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet6 fe80::d81e:c576:5231:832e%ovpns1 prefixlen 64 scopeid 0x6
    inet 172.21.0.1 --> 172.21.0.2 netmask 0xffff0000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: tun openvpn
  • $ netstat -rn
Destination        Gateway            Flags     Netif Expire
172.21.0.0/16      172.21.0.2         UGS      ovpns1
172.21.0.1         link#6             UHS         lo0
172.21.0.2         link#6             UH       ovpns1
Tags: routing, openvpn, pfsense
asked on Server Fault Jan 20, 2021 by cyberhippo

1 Answer


OpenVPN allocates a /30 network from its pool when a client connects. The first address will be assigned to the client, and the second to the server, and all communication between them will go over this link (to simplify routing internally, I presume).

In your case 172.21.0.1/30 will be on the client, and 172.21.0.2/30 on the server, and that is why you see 172.21.0.2 as the gateway address (so the client can understand how to reach 172.21.0.0/16 network that you have assigned to the server).

It is possible to use other topologies than subnet, but I have never seen that or had a need for it; feel free to read more about it here: OpenVPN Topology.

answered on Server Fault Feb 4, 2021 by Fredrik • edited Feb 5, 2021 by Fredrik
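A small consistency check for the situation described above, added here as an example and not part of the question or the answer. It takes the three outputs the question shows (the `server` line from server.conf, the `ovpns1` block from `ifconfig -a`, and the `netstat -rn` table, embedded below as constructed sample input copied from the question) and verifies what a pfSense administrator would want to confirm: that the gateway of the VPN route is the point-to-point peer address of the tun interface, that it lies inside the pool declared by the `server` directive, and that the server's own tun address is the first host of that pool. The function and variable names are this example's own choices.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed sample input: the relevant lines from the question's own outputs.
SERVER_CONF = """\
server 172.21.0.0 255.255.0.0
topology subnet
"""

IFCONFIG = """\
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet6 fe80::d81e:c576:5231:832e%ovpns1 prefixlen 64 scopeid 0x6
    inet 172.21.0.1 --> 172.21.0.2 netmask 0xffff0000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: tun openvpn
"""

NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
172.21.0.0/16      172.21.0.2         UGS      ovpns1
172.21.0.1         link#6             UHS         lo0
172.21.0.2         link#6             UH       ovpns1
"""


def vpn_pool(conf: str) -> ipaddress.IPv4Network:
    """Return the address pool declared by the 'server <network> <netmask>' directive."""
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=True)
    raise ValueError("no 'server' directive found")


def tun_endpoints(ifconfig: str, ifname: str):
    """Return (local, peer, prefixlen) of the point-to-point tun interface from 'ifconfig -a'."""
    current = None
    for line in ifconfig.splitlines():
        if not line.startswith((" ", "\t")):      # interface header line, e.g. "ovpns1: flags=..."
            current = line.split(":")[0]
            continue
        if current != ifname:
            continue
        m = re.match(r"\s*inet (\S+) --> (\S+) netmask 0x([0-9a-f]{8})", line)
        if m:
            prefixlen = bin(int(m.group(3), 16)).count("1")   # 0xffff0000 -> /16
            return (ipaddress.IPv4Address(m.group(1)),
                    ipaddress.IPv4Address(m.group(2)), prefixlen)
    raise ValueError(f"no IPv4 point-to-point address on {ifname}")


def route_gateway(netstat: str, destination: str):
    """Return (gateway, netif) for a destination in 'netstat -rn' output (header skipped)."""
    for line in netstat.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == destination:
            return parts[1], parts[3]
    raise ValueError(f"no route for {destination}")


def check_vpn_route(conf: str, ifconfig: str, netstat: str, ifname: str = "ovpns1") -> dict:
    """Cross-check the VPN route against the tun interface and the configured pool."""
    pool = vpn_pool(conf)
    local, peer, prefixlen = tun_endpoints(ifconfig, ifname)
    gateway, netif = route_gateway(netstat, str(pool))
    gw_addr = ipaddress.IPv4Address(gateway)
    return {
        "pool": str(pool),
        "server_tun_address": str(local),
        "tun_peer": str(peer),
        "gateway": gateway,
        # The route must leave via the tun interface and point at its peer address.
        "gateway_is_tun_peer": gw_addr == peer and netif == ifname,
        # The gateway must be inside the pool the server hands out.
        "gateway_in_pool": gw_addr in pool,
        # The tun netmask should agree with the pool size.
        "prefixlen_matches_pool": prefixlen == pool.prefixlen,
        # The server takes the first host of the pool (.1), the peer the second (.2).
        "server_is_first_host": local == pool.network_address + 1
                                and peer == pool.network_address + 2,
    }


if __name__ == "__main__":
    for key, value in check_vpn_route(SERVER_CONF, IFCONFIG, NETSTAT).items():
        print(f"{key:24} {value}")
```

Run against the question's output every check comes back true: the /16 route's gateway 172.21.0.2 is exactly the peer address of `ovpns1`, not an arbitrary client, and the server itself holds 172.21.0.1. If any of these flags ever came back false on a live box (a gateway outside the pool, or a route leaving via a different interface), that is the point where a routing change or a misconfigured client-config-dir entry deserves a closer look.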

User contributions licensed under CC BY-SA 3.0