OPNsense VPN questions

I have some questions regarding OpenVPN settings in OPNSense:

1) First of all I can’t seem to be able to assign a static IP address to a client. The client is currently connected at the address 10.0.8.12


But: in client overrides I set the IP address specifically to 10.0.8.10/32


Now I either totally suck at subnetting (used sipcalc to confirm it) or don’t understand how the IPv4 tunnel is supposed to work.

2) Secondly I am looking for a way to force only specific traffic through the VPN tunnel

I know I can set up firewall rules and only allow the clients to specific IP addresses. But that would block the client reaching those addresses altogether. I want them to be reachable via the local non-tunneled connection. I know it can be done via a local routing table, but I’d like to “embed” this configuration into the .ovpn profile (e.g. for mobile devices)

I gave up OpenVPN on opnsense. Not that bad since wireguard rocks and works perfectly.

  1. I think you need to use ifconfig-push 10.0.8.10 255.255.255.0 in the Advanced box in the client override. Static client addresses aren’t something available as a GUI item.

  2. You can use a firewall rule, only allow connections from 10.0.8.10 to the specific destinations you want, and make sure to uncheck ‘Redirect Gateway’, and then add your subnets to the ‘IPv4 Local Network’ field in the OpenVPN server config. This won’t affect local devices since they will not be connected via OpenVPN, and will have local IPs instead.

I believe what you have circled is the “tunnel network” NOT the IP. /32 creates a network of a single IP. I suspect you want 10.0.8.0/24 or something similar.

This may be helpful as these options all map to this under the covers:

That option maps to this for instance:

Configure server mode and supply a VPN subnet for OpenVPN to draw client addresses from. The server will take 10.8.0.1 for itself, the rest will be made available to clients. Each client will be able to reach the server on 10.8.0.1. Comment this line out if you are ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

Note the help on the page is pretty good too:

This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool)

Use the client specific overrides based on common names (you’ll need unique common names / accounts for each connected device, obviously) to assign static IPs. It works, I promise. And you’ll want to use /24 not /32

You’re also probably assigning a unique subnet to each client, don’t do that (make sure topology is checked)

This is something I REALLY miss from Kerio: their PVN setup is a couple of clicks and DONE. OPNsense is way too fuckin convoluted.

I did play around with WG during the weekend, wanted to enable it for my phone as a kind of pilot, but hated it even more than OpenVPN. I find the WG terminology completely stupid, settings that did not make any sense to me, very poor logging, etc.

in the Advanced box in the client override.

I see no such option in client override. I found some mentions of it in some old forum posts at the opnsense site. I still happen to think that it was replaced by the IPv4 Tunnel Network setting…

I have circled the client settings. On the OpenVPN server page I have obviously set 10.0.8.1/24 as the VPN subnet. I believe I should set the static IP on the client side and not on the server side, given several clients connecting to that server

It was the Topology setting on the VPN server page that had to be enabled. Afterwards defining an IP address such as 10.0.8.10/24 works and assigns the given IP address to the client.

Guess I’ve chosen a wrong time to mess around with this, immediately after the 23.7 release that changed a lot of things

Sorry, I am clueless where to set it in client specific overrides.

Adding 10.0.8.10/24 to IPv4 Tunnel Network makes it assign the first IP address 10.0.8.2

Hm maybe it’s been removed, I’m a version behind on updates I think.

I wonder if ‘Custom config’ in the client export section would work.

You don’t want 10.0.8.1/24 - you want 10.0.8.0/24.

And in client overrides you’d want 10.0.8.10/24. That said, it’s been a while and I’m almost certain you set the IP in the client config file.
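As an added example (not code from any poster in this thread), a small Python helper that emits the raw OpenVPN directives the OPNsense fields map to: the server line for the tunnel network, topology subnet (which the thread found necessary for per-client static addresses), pushed routes for split tunnelling instead of redirect-gateway, and the client-override ifconfig-push line. It also rejects the subnetting mistakes discussed above (10.0.8.1/24 instead of 10.0.8.0/24, a /32 tunnel network, a client address outside the pool); the LAN subnet 192.168.1.0/24 is an assumed value, and only topology subnet is handled since ifconfig-push means something different under net30.

```python
import ipaddress


def tunnel_network(cidr):
    """Normalise the 'IPv4 Tunnel Network' field to the network address that
    OpenVPN's 'server' directive expects: 10.0.8.1/24 becomes 10.0.8.0/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 30:
        # a /31 or /32 leaves no address for a client beyond the server's own
        raise ValueError(f"{cidr} has no room for client addresses")
    return net


def server_directives(tunnel_cidr, local_networks=()):
    """Server-side lines: address pool, subnet topology (needed for static
    per-client addresses) and, for split tunnelling, a pushed route for each
    LAN subnet only, rather than redirect-gateway for all traffic."""
    net = tunnel_network(tunnel_cidr)
    lines = [f"server {net.network_address} {net.netmask}", "topology subnet"]
    for lan in local_networks:
        lan_net = ipaddress.ip_network(lan, strict=False)
        lines.append(f'push "route {lan_net.network_address} {lan_net.netmask}"')
    return lines


def client_override(tunnel_cidr, client_cidr):
    """Client-specific override line pinning one client (matched by its
    certificate common name) to a fixed address in the tunnel network. With
    topology subnet, ifconfig-push takes the address plus the tunnel netmask,
    so a /32 typed into the override field only contributes the host part."""
    net = tunnel_network(tunnel_cidr)
    addr = ipaddress.ip_interface(client_cidr).ip
    server_ip = net.network_address + 1  # first host is taken by the server
    if addr not in net:
        raise ValueError(f"{addr} is outside the tunnel network {net}")
    if addr in (net.network_address, net.broadcast_address, server_ip):
        raise ValueError(f"{addr} is reserved (network, broadcast or server)")
    return f"ifconfig-push {addr} {net.netmask}"


if __name__ == "__main__":
    # constructed values from the thread: tunnel 10.0.8.0/24, client 10.0.8.10;
    # 192.168.1.0/24 is an assumed LAN behind the OPNsense box
    print("\n".join(server_directives("10.0.8.1/24", ["192.168.1.0/24"])))
    print(client_override("10.0.8.0/24", "10.0.8.10/32"))
```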

:+1:

I still have to figure out how to migrate to the instances

Client overrides is another config tab in the OpenVPN section.

My bad, that’s what I have set. Also tried 10.0.8.10/24 in the overrides, but it just gave me 10.0.8.2 for the client IP

https://imgur.com/a/0XysbsU

That’s the one I posted but apparently 10.0.8.10/31 (or /32) does not give the desired IP

https://imgur.com/a/dkez3Iu

See here… I may be talking out of my ass as it seems they changed how things are done here in the past month.