Issues getting more than 63 OpenVPN phones connected successfully.

Products Affected:

5000i G(igabit) and 9800 series IP phones configured for OpenVPN on Wave 4.0 and later.
 

Issue

At larger installations, when allocating more than 63 OpenVPN phones, they will not all come up at once.

Symptoms

In Global Administrator, viewing Station Monitor, it is noted that IP addresses for the OpenVPN phones are allocated such that they are all 4 IP addresses apart. 

Example: Using the default OpenVPN subnet of 10.10.2.0/24, IP addresses may be handed out as follows.

  • 10.10.2.2
  • 10.10.2.6
  • 10.10.2.10

Cause

This happens because OpenVPN makes allowances for Windows clients, which, because of the way addresses are allocated to them, require a /30 network (a block of 4 IP addresses) for each private point-to-point tunnel.

Resolution

There are two ways to resolve this. Implementing either solution below will disconnect existing OpenVPN phones.

  1. When configuring your OpenVPN subnet, allocate a larger subnet, i.e. don't use a /24 mask; use a /23 (255.255.254.0) or /22 (255.255.252.0). This has the drawback of possibly overlapping a client's existing network, but it is simple to implement.
  2. As we are not using (or supporting) Windows-based clients in our OpenVPN implementation, we can reconfigure it to not follow this /30 allocation. Directions for this are below.

Reconfiguring OpenVPN to make use of all client IPs in a subnet.

Log in as openvpn, then use 'su -' and enter the root user password.

NOTE: While you can currently just log in as root initially, that is not best practice, and a later OpenVPN image provided by Vertical may not allow this.

Change to the OpenVPN configuration directory.

cd /etc/openvpn

Create a copy of the openvpn.conf before you edit.

cp openvpn.conf openvpn.bkup

Edit the OpenVPN configuration file:

vim openvpn.conf

Press i to enter insert mode.

Add the following line at the bottom of the file:

topology p2p

Press the Esc key.

Type :wq! and press Enter to save and exit.

NOTE: this next step will cause all OpenVPN connected phones to be dropped immediately.

service openvpn restart
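
The edit above can also be scripted so that it is repeatable and never overwrites the original backup. The following is an added example, not Vertical's own tooling; the function names current_topology and set_topology_p2p are hypothetical, and the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: scripted form of the manual vim edit described above.
# Function names are hypothetical; run as root on the OpenVPN server.

# Print the value of the last active "topology" directive, or "unset".
# Commented-out lines (starting with # or ;) are ignored.
current_topology() {
    awk '$1 == "topology" { t = $2 } END { print (t == "" ? "unset" : t) }' "$1"
}

# Make sure the config ends with "topology p2p".
# Safe to run more than once: a second run changes nothing.
set_topology_p2p() {
    conf=$1
    bkup="$(dirname "$conf")/openvpn.bkup"   # backup name used on this page
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }

    # Already applied: leave the file and the backup alone.
    if [ "$(current_topology "$conf")" = "p2p" ]; then
        return 0
    fi

    # Keep only the first backup so a re-run never replaces the original.
    [ -e "$bkup" ] || cp -p "$conf" "$bkup" || return 1

    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Comment out any other topology directive, then add the new line
    # at the bottom. Writing through cat keeps the file's owner and mode.
    awk '$1 == "topology" { print "# " $0; next } { print }' "$conf" > "$tmp" &&
        printf 'topology p2p\n' >> "$tmp" &&
        cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (the restart drops all connected OpenVPN phones, as noted above):
#   set_topology_p2p /etc/openvpn/openvpn.conf && service openvpn restart
```

To roll back, copy openvpn.bkup over openvpn.conf and restart the service again.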