Your current OpenVPN configuration uses a standard /24 subnet (10.8.0.0/24) with dynamic IP assignment through the server
directive. The reported client disconnection issues might stem from IP exhaustion or server resource limitations, despite no apparent IP conflicts.
Your proposed /23 subnet (10.8.0.0/255.255.254.0) provides 512 total addresses with this allocation strategy:
- Server IPs: 10.8.0.1 - 10.8.0.2 (reserved)
- Static IP pool: 10.8.0.3 - 10.8.0.255 (253 addresses)
- Dynamic IP pool: 10.8.1.0 - 10.8.1.254 (255 addresses)
Here's the updated server.conf with critical changes:
port 1194
proto udp
dev tun
# Certificate configuration remains unchanged
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# New subnet configuration. The network must be the /23 boundary (10.8.0.0, not 10.8.1.0,
# which OpenVPN rejects because it has host bits set), and 'nopool' stops the server
# directive from defining its own pool over the whole /23 so the explicit pool below is accepted
server 10.8.0.0 255.255.254.0 nopool
# Dynamic clients draw only from the 10.8.1.x half; 10.8.0.x is left for ccd static addresses
ifconfig-pool 10.8.1.0 10.8.1.254 255.255.254.0
topology subnet
# Route the entire /23 network
push "route 10.8.0.0 255.255.254.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 300
# Deprecated since 2.4; compression inside the tunnel is discouraged (VORACLE-style attacks)
comp-lzo
user nobody
# Debian/Ubuntu use 'nogroup' here; 'nobody' is the RHEL/CentOS group name
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 6
For static IPs in the 10.8.0.x range, create client-specific files in /etc/openvpn/ccd/:
# /etc/openvpn/ccd/workstation1 (the file name must match the certificate CN exactly)
ifconfig-push 10.8.0.5 255.255.254.0
After implementing these changes:
- Restart OpenVPN:
systemctl restart openvpn@server
- Check the IP pool status:
cat /etc/openvpn/ipp.txt
- Verify routing:
- Verify routing on both server and clients:
ip route show
For Windows clients, ensure the TAP adapter is configured with the correct subnet mask (255.255.254.0). Linux clients typically handle this automatically through the pushed routes.
If clients can't communicate across subnets:
# Enable IP forwarding now; this does not survive a reboot, so also set
# net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/
echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables rules (adjust interface names as needed); they are not persistent until saved,
# e.g. with iptables-save or netfilter-persistent
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Scope the NAT to the VPN /23 so only tunnel traffic is masqueraded
iptables -t nat -A POSTROUTING -s 10.8.0.0/23 -o eth0 -j MASQUERADE
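A pre-flight check for the address plan, added here as an example and not part of the answer above. It applies the two start-up rules OpenVPN enforces on the server/ifconfig-pool pair (network on the netmask boundary; 'nopool' when a pool is given explicitly) and the overlap rules a static/dynamic split depends on but the daemon never checks, then emits the matching server.conf lines and ccd files. The addresses are the ones from the answer; every client name except 'workstation1' is made up.

```python
"""Pre-flight check for the /23 split proposed above.

Added example, not code from the original answer. Rules encoded:
  * the 'server' network must sit on the netmask boundary (OpenVPN refuses
    'server 10.8.1.0 255.255.254.0' because it has host bits set);
  * an explicit ifconfig-pool needs the 'nopool' flag on 'server';
  * static ccd addresses must be inside the /23, outside the dynamic pool,
    outside the reserved range, and unique.
Addresses are the answer's; every client name except 'workstation1' is made up.
"""
import ipaddress
from typing import Dict, List, Tuple

NETWORK, NETMASK = "10.8.0.0", "255.255.254.0"
POOL: Tuple[str, str] = ("10.8.1.0", "10.8.1.254")   # dynamic half
RESERVED: Tuple[str, str] = ("10.8.0.1", "10.8.0.3")  # server + spare infrastructure
STATICS: Dict[str, str] = {
    "workstation1": "10.8.0.5",   # from the answer
    "fileserver": "10.8.0.10",    # made up
    "printer-lab": "10.8.0.40",   # made up
}


def _between(addr, lo, hi) -> bool:
    return lo <= addr <= hi


def validate_plan(network: str, netmask: str, pool: Tuple[str, str],
                  reserved: Tuple[str, str], statics: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    except ValueError:
        # Host bits set: OpenVPN rejects this at startup, so nothing else is worth checking.
        hint = ipaddress.ip_interface(f"{network}/{netmask}").network.network_address
        return [f"server {network} {netmask}: network has host bits set; did you mean {hint}?"]

    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in pool)
    res_lo, res_hi = (ipaddress.ip_address(a) for a in reserved)
    server_ip = net.network_address + 1  # 'server' always takes the first host address

    if pool_lo > pool_hi or pool_lo not in net or pool_hi not in net:
        problems.append(f"ifconfig-pool {pool[0]} {pool[1]}: range must be ordered and inside {net}")
    if _between(server_ip, pool_lo, pool_hi):
        problems.append(f"ifconfig-pool contains the server address {server_ip}")

    seen: Dict[str, str] = {}
    for cn, ip in statics.items():
        addr = ipaddress.ip_address(ip)
        where = f"ccd/{cn}: ifconfig-push {ip}"
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"{where}: not a usable host address in {net}")
        elif _between(addr, pool_lo, pool_hi):
            problems.append(f"{where}: inside the dynamic pool, a pool client can receive the same address")
        elif _between(addr, res_lo, res_hi):
            problems.append(f"{where}: inside the reserved range {reserved[0]}-{reserved[1]}")
        if ip in seen:
            problems.append(f"{where}: already assigned to {seen[ip]}")
        seen[ip] = cn
        # The ccd file is looked up by certificate CN, and OpenVPN sanitises the CN when
        # building the path, so a CN outside this conservative set may not be the literal file name.
        if not all(c.isalnum() or c in "-_.@" for c in cn):
            problems.append(f"ccd/{cn}: CN contains characters unsafe for a ccd file name")
    return problems


def render_server_conf(network: str, netmask: str, pool: Tuple[str, str]) -> str:
    """The two directives that replace a bare 'server' line once the pool is custom."""
    return (f"server {network} {netmask} nopool\n"
            f"ifconfig-pool {pool[0]} {pool[1]} {netmask}\n")


def render_ccd(statics: Dict[str, str], netmask: str) -> Dict[str, str]:
    """Map ccd file name (== certificate CN) to file body."""
    return {cn: f"ifconfig-push {ip} {netmask}\n" for cn, ip in statics.items()}


if __name__ == "__main__":
    for line in validate_plan(NETWORK, NETMASK, POOL, RESERVED, STATICS) or ["plan OK"]:
        print(line)
    print(render_server_conf(NETWORK, NETMASK, POOL), end="")
    for name, body in render_ccd(STATICS, NETMASK).items():
        print(f"# /etc/openvpn/ccd/{name}\n{body}", end="")
```

Run it before editing server.conf; anything it prints other than "plan OK" is something OpenVPN will either refuse at startup or silently let collide later.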
The existing OpenVPN server setup assigns IP addresses from a single /24 subnet (10.8.0.0/24), which can lead to management challenges when mixing static and dynamic clients. Let's examine the key parameters:
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
To properly separate dynamic and static IP ranges while maintaining routing efficiency, we'll implement a /23 subnet mask (255.255.254.0) that gives us 512 total addresses while logically dividing them into two functional ranges:
- Static IP pool: 10.8.0.4 - 10.8.0.255 (reserving .1-.3 for infrastructure)
- Dynamic IP pool: 10.8.1.0 - 10.8.1.254
Here's the complete updated server.conf that implements this segmentation:
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# 'nopool' keeps the server directive from defining its own pool over the whole /23,
# which would conflict with the explicit ifconfig-pool below
server 10.8.0.0 255.255.254.0 nopool
topology subnet
push "route 10.8.0.0 255.255.254.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Dynamic clients get only the 10.8.1.x half; 10.8.0.x is left for ccd static addresses
ifconfig-pool 10.8.1.0 10.8.1.254 255.255.254.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 300
# Deprecated; compression inside the tunnel is discouraged (VORACLE-style attacks)
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 6
For clients requiring static IPs, create individual configuration files in /etc/openvpn/ccd/ named after each client's Common Name (certificate CN). Example for client 'workstation1':
# /etc/openvpn/ccd/workstation1
ifconfig-push 10.8.0.5 255.255.254.0
push "route 10.8.0.0 255.255.254.0"
After implementing these changes, verify the configuration:
# OpenVPN has no dry-run or syntax-check switch ('--test' is not an option); parse errors
# surface at startup, so stop the service and run it once in the foreground, then Ctrl-C
# after "Initialization Sequence Completed"
sudo systemctl stop openvpn@server
sudo openvpn --cd /etc/openvpn --config server.conf
sudo systemctl restart openvpn@server
Check IP assignments with:
cat /etc/openvpn/ipp.txt
tail -f /etc/openvpn/openvpn-status.log
For Windows clients, ensure the TAP adapter is configured with the correct subnet mask. Linux clients typically handle this automatically through the pushed DHCP options. The topology subnet setting ensures proper routing behavior across platforms.
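An audit of what the server has actually handed out, added here as an example and not part of either answer. ipp.txt is only a hint the pool tries to honour on reconnect; the ROUTING TABLE section of openvpn-status.log is what is assigned right now. The script reads both in the default status-version 1 layout and flags the two ways the plan drifts: a static CN served from the dynamic pool (ccd file missing or not named after the certificate CN) and a dynamic client sitting in the static range. The static map, the ipp.txt contents and the status file are constructed samples; only 'workstation1' at 10.8.0.5 comes from the answer.

```python
"""Audit what the server actually handed out against the static/dynamic plan.

Added example, not code from either answer. ipp.txt (ifconfig-pool-persist)
is a hint the pool tries to honour on reconnect; the ROUTING TABLE section of
the status file is what is assigned right now. Both are read in the default
status-version 1 layout. The static map, ipp.txt and status file are
constructed samples; only 'workstation1' at 10.8.0.5 comes from the answer.
"""
import ipaddress
from typing import Dict, List

STATICS: Dict[str, str] = {"workstation1": "10.8.0.5", "fileserver": "10.8.0.10"}  # fileserver made up
STATIC_LO, STATIC_HI = ipaddress.ip_address("10.8.0.4"), ipaddress.ip_address("10.8.0.255")
POOL_LO, POOL_HI = ipaddress.ip_address("10.8.1.0"), ipaddress.ip_address("10.8.1.254")

# Constructed sample. ccd-pushed clients do not pass through the pool, so a static CN
# appearing here at all means it was served from the pool at some point.
IPP_TXT = """\
laptop-anna,10.8.1.4
fileserver,10.8.1.9
guest-tablet,10.8.0.7
"""

# Constructed sample in status-version 1 layout; the 192.168.5.0/24 row is an iroute.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Mon Mar  4 09:15:01 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
workstation1,203.0.113.10:51234,12345,67890,Mon Mar  4 08:55:12 2024
laptop-anna,198.51.100.7:49152,2048,4096,Mon Mar  4 09:01:44 2024
fileserver,203.0.113.22:60001,512,1024,Mon Mar  4 09:10:00 2024
guest-tablet,198.51.100.9:40022,300,900,Mon Mar  4 09:12:30 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.5,workstation1,203.0.113.10:51234,Mon Mar  4 09:14:58 2024
10.8.1.4,laptop-anna,198.51.100.7:49152,Mon Mar  4 09:14:59 2024
10.8.1.9,fileserver,203.0.113.22:60001,Mon Mar  4 09:15:00 2024
192.168.5.0/24,fileserver,203.0.113.22:60001,Mon Mar  4 09:15:00 2024
10.8.0.7,guest-tablet,198.51.100.9:40022,Mon Mar  4 09:15:01 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_ipp(text: str) -> Dict[str, str]:
    """ipp.txt holds one 'CN,IP' pair per line."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if "," in line:
            cn, ip = line.split(",", 1)
            out[cn.strip()] = ip.strip()
    return out


def parse_status_routing(text: str) -> Dict[str, str]:
    """CN -> virtual IPv4 address from the ROUTING TABLE section.

    Rows whose first column is not a bare IPv4 address (iroute subnets, MACs on tap)
    are skipped, so each CN maps to the address OpenVPN pushed to it.
    """
    out: Dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("ROUTING TABLE"):
            in_table = True
            continue
        if line.startswith("GLOBAL STATS"):
            break
        if not in_table or line.startswith("Virtual Address,"):
            continue
        fields = line.split(",")
        if len(fields) < 2:
            continue
        try:
            ipaddress.IPv4Address(fields[0])
        except ValueError:
            continue
        out[fields[1]] = fields[0]
    return out


def audit(assignments: Dict[str, str], statics: Dict[str, str]) -> List[str]:
    """Compare live CN -> IP assignments with the plan; an empty list means all conform."""
    findings: List[str] = []
    for cn, ip in assignments.items():
        addr = ipaddress.ip_address(ip)
        if cn in statics:
            if ip != statics[cn]:
                findings.append(f"{cn}: expected static {statics[cn]} but holds {ip}"
                                f" (ccd/{cn} missing or not named after the certificate CN)")
        elif STATIC_LO <= addr <= STATIC_HI:
            findings.append(f"{cn}: dynamic client holds {ip} inside the static range"
                            " (pool not restricted to 10.8.1.x?)")
        elif not POOL_LO <= addr <= POOL_HI:
            findings.append(f"{cn}: {ip} is outside both the static range and the dynamic pool")
    return findings


def pool_leakage(ipp: Dict[str, str], statics: Dict[str, str]) -> List[str]:
    """Static CNs that appear in ipp.txt, i.e. were at some point served from the pool."""
    return sorted(cn for cn in ipp if cn in statics)


if __name__ == "__main__":
    for f in audit(parse_status_routing(STATUS_LOG), STATICS) or ["all connected clients conform"]:
        print(f)
    for cn in pool_leakage(parse_ipp(IPP_TXT), STATICS):
        print(f"{cn}: has a pool entry in ipp.txt, stale once its ccd file is fixed")
```

Point it at the real files by reading /etc/openvpn/ipp.txt and /etc/openvpn/openvpn-status.log into the two variables; the status file is rewritten on a timer (60 s by default), so run the audit after a client has been connected long enough to appear in it.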