SSLVPN Subnet Size planning

Hi,

I experienced some problems with the sslvpn. In this case only a few users (I think it was 6) were able to log in with the sslvpn; the configured subnet is a /27.

So as a workaround I assigned a larger subnet and that helped. But after that I was interested why this problem occurred with only 6 users connected... Now I've googled a little bit and I found some information about the openssl option "topology net30". I think it's not configurable with webadmin, or did I miss a configuration point?

Here you can find a description for that.

https://community.openvpn.net/openvpn/wiki/Topology
http://www.novell.com/support/kb/doc.php?id=7014411

Does it mean that in the planning phase I have to consider 4 times the expected maximum number of connected clients as the subnet size?

Br

Sebastian



  • I'm new to Sophos, but _not_ new to Openvpn, used it for years. See the links below, but basically - yes, you are correct. This is the best way that I found to visualize what it is doing.

    "Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Windows driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:

    [ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
    [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
    [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
    [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
    [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
    [101,102] [105,106] [109,110] [113,114] [117,118]
    [121,122] [125,126] [129,130] [133,134] [137,138]
    [141,142] [145,146] [149,150] [153,154] [157,158]
    [161,162] [165,166] [169,170] [173,174] [177,178]
    [181,182] [185,186] [189,190] [193,194] [197,198]
    [201,202] [205,206] [209,210] [213,214] [217,218]
    [221,222] [225,226] [229,230] [233,234] [237,238]
    [241,242] [245,246] [249,250] [253,254] "

    (above is from community.openvpn.net/.../HOWTO)

    And:

    community.openvpn.net/.../273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode
    (this was written by the original author of the Windows OpenVPN client - and pay special attention if you _know_ that only non-Windows clients will be connecting).
  • Thanks, David! I never considered the possibility that an organization that's likely to have 100+ users connected simultaneously would not be successful with a /24. It's great to have you around - welcome to the UTM Community!

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
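To put numbers on the 4x rule from David's answer and on Bob's point about 100+ users not fitting in a /24, the Python below (an added example, not from this thread, from Sophos or from the OpenVPN project) computes the net30 client capacity of a prefix the way the OpenVPN `server` directive derives its default pool (first /30 reserved for the server, pool from network+4 to broadcast-4), lists the successive client/server endpoint pairs from the HOWTO table, and compares with `topology subnet`. The prefix 10.242.2.0/27 and the 10.0.0.0 base used for prefix planning are constructed samples; a /27 comes out at six client slots, which is what Sebastian observed.

```python
import ipaddress

def net30_pool(network: str):
    """Pool (start, end, client_capacity) for a prefix under ``topology net30``.

    Follows the default expansion of OpenVPN's ``server`` directive (assumption
    stated in the lead-in): the server keeps the first /30 (network+1 local,
    network+2 peer), the pool runs from network+4 to broadcast-4, so the last
    /30 is never handed out either, and each client consumes one whole /30.
    """
    net = ipaddress.ip_network(network, strict=True)
    start = net.network_address + 4
    end = net.broadcast_address - 4
    if end < start:
        raise ValueError(f"{network} is too small to hold even one net30 client")
    return start, end, (int(end) - int(start) + 1) // 4

def net30_client_endpoints(network: str):
    """(client_ip, server_endpoint) per client, in pool order: the successive
    /30 pattern from the HOWTO table, e.g. (x.6, x.5), (x.10, x.9), ..."""
    start, _, capacity = net30_pool(network)
    return [(start + 4 * i + 2, start + 4 * i + 1) for i in range(capacity)]

def subnet_topology_capacity(network: str) -> int:
    """Clients the same prefix holds with ``topology subnet``: all addresses
    minus network address, broadcast address and the server's own address."""
    return ipaddress.ip_network(network, strict=True).num_addresses - 3

def plan_prefix(expected_clients: int) -> int:
    """Smallest prefix (largest prefix length) whose net30 pool fits the load."""
    for prefixlen in range(28, 7, -1):      # /28 is the smallest usable net30 prefix
        # 10.0.0.0 is an arbitrary constructed base; only the prefix length matters
        if net30_pool(f"10.0.0.0/{prefixlen}")[2] >= expected_clients:
            return prefixlen
    raise ValueError("no single IPv4 prefix holds that many net30 clients")

if __name__ == "__main__":
    sample = "10.242.2.0/27"                # constructed sample prefix
    start, end, cap = net30_pool(sample)
    print(f"{sample}: net30 pool {start}-{end}, {cap} clients; "
          f"subnet topology would allow {subnet_topology_capacity(sample)}")
    for client, server in net30_client_endpoints(sample):
        print(f"  client {client} <-> server endpoint {server}")
    for n in (6, 7, 30, 100):
        print(f"{n:>3} clients need a /{plan_prefix(n)} with net30")
```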