OpenVPN's default subnet mask is /30, i.e. 255.255.255.252. With that, only two addresses are actually usable: one for the server side and one for the client.
This wastes addresses.
The cause is a limitation of the TAP driver on Windows, because TUN mode on Windows is emulated by the TAP driver. If Windows clients do not need to be considered, you can simply enable ifconfig-pool-linear; since TUN on Linux does not have this problem, no addresses are wasted that way. The downside is just as obvious.
After consulting @yegle, I learned that topology subnet solves this. It is a new feature introduced in OpenVPN 2.1; its description is given here.
--topology mode
Configure virtual addressing topology when running in --dev tun mode. This directive has no meaning in --dev tap mode, which always uses a subnet topology.
If you set this directive on the server, the --server and --server-bridge directives will automatically push your chosen topology setting to clients as well. This directive can also be manually pushed to clients. Like the --dev directive, this directive must always be compatible between client and server.
mode can be one of:
net30 -- Use a point-to-point topology, by allocating one /30 subnet per client. This is designed to allow point-to-point semantics when some or all of the connecting clients might be Windows systems. This is the default on OpenVPN 2.0.
p2p -- Use a point-to-point topology where the remote endpoint of the client's tun interface always points to the local endpoint of the server's tun interface. This mode allocates a single IP address per connecting client. Only use when none of the connecting clients are Windows systems. This mode is functionally equivalent to the --ifconfig-pool-linear directive which is available in OpenVPN 2.0 and is now deprecated.
subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode allocates a single IP address per connecting client and works on Windows as well. Only available when server and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the --topology directive code. When used on Windows, requires version 8.2 or higher of the TAP-Win32 driver. When used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a remote endpoint IP address.
This option exists in OpenVPN 2.1 or higher.
Of the three topology modes, net30 is the default, p2p is equivalent to ifconfig-pool-linear but is not supported by Windows clients, and subnet is the mode I need. It comes with a requirement, though: the TAP-Win32 driver must be newer than version 8.2.
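To make the address waste concrete, here is an added Python example (not from the original post) that counts how many clients one pool supports under net30 versus subnet topology, using the standard ipaddress module. It assumes OpenVPN's usual allocation layout: in net30 the server keeps the first /30 (.1 local, .2 remote) and each client gets the second usable address of its own /30, with the first usable address as the server end of that link; in subnet topology the server takes the first usable host and clients get one address each.

```python
import ipaddress

# Constructed pool for illustration; it matches the common
# "server 10.8.0.0 255.255.255.0" line in a server.conf.
POOL = "10.8.0.0/24"


def net30_allocations(pool):
    """Yield (client_ip, server_endpoint) pairs as the default net30
    topology hands them out (assumed layout, see lead-in): skip the
    server's own /30, then give each later /30 to one client."""
    net = ipaddress.ip_network(pool)
    for block in list(net.subnets(new_prefix=30))[1:]:
        server_end, client = block.hosts()  # a /30 has exactly two usable hosts
        yield client, server_end


def subnet_allocations(pool):
    """Yield one client address per usable host under topology subnet;
    the server keeps the first usable address (e.g. 10.8.0.1)."""
    net = ipaddress.ip_network(pool)
    hosts = iter(net.hosts())
    next(hosts)  # reserved for the server
    yield from hosts


def capacity(pool):
    """Number of concurrent clients a pool supports under each topology."""
    return {
        "net30": sum(1 for _ in net30_allocations(pool)),
        "subnet": sum(1 for _ in subnet_allocations(pool)),
    }


if __name__ == "__main__":
    client, server_end = next(net30_allocations(POOL))
    print(f"net30  first client: ifconfig {client} {server_end}")
    print(f"subnet first client: {next(subnet_allocations(POOL))}/24")
    print(capacity(POOL))  # {'net30': 63, 'subnet': 253}
```

For a /24 pool, net30 yields 63 clients (each burning four addresses) while subnet yields 253, which is the saving the rest of this post is after.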
Thanks to @yegle.
With topology subnet in use, the address assigned to the client is still a /30; how do I fix that?