Tutorial: Subnetting your OpenVPN server for dummies, or also known as...


NOYFUB

New Around Here
Subnetting the VPN tunnel for extra security and obfuscation in asuswrt-merlin.

Your standard subnet has 254 usable addresses, but the VPN only allows 5 connections, so why have all those other addresses you're not using floating around? (I don't know, cause I'm still kind of stupid about a lot of this.) So I decreased the subnet to 8, or a total of 6 usable addresses; the 1st address and last address in the subnet are used by something else (I don't know what, but you can't use them as addresses).
The easiest way I have found to shrink the subnet is "half the distance to the goal". You start out with 254 usable addresses in the subnet (0 and 255 belong to something else), and it is written with a 0 at the end of the subnet mask, i.e. 255.255.255.0. Half of 256 (0 is considered an address, so 255 + 1) is 128 total addresses, or 126 usable, whose subnet mask would be written as 255.255.255.128. But that's still too big for my tastes.


Here is a nice chart for you. (Subnet chart image not reproduced.)

I chose to subnet down to 6 usable addresses, which is the minimum that asuswrt-merlin will allow you to do. (FYI, if you need to have more than 6 clients in your password list, including the admin one, you will have to increase the size of one of your subnets, as the password list won't let you add more users than the subnets will allow, so 6 addresses means six users; more than that and ONE of the servers has to have a higher number of addresses. Both servers don't have to be on the same subnet.) And 14 usable addresses on the other. One server is for teching and phones passing through, and the other is site to site. And here's the biggie: the subnet DOES NOT have to start at 0.

So if you wanted to write this in the advanced server section, an example is 10.11.12.16 with mask 255.255.255.248, which would give you 8 addresses, 6 of which are usable, with a starting usable address of 10.11.12.17.

10.11.12.0 mask 255.255.255.248
10.11.12.8 mask 255.255.255.248
10.11.12.16 mask 255.255.255.248
10.11.12.24 mask 255.255.255.248
etc.
And if you consult the handy dandy chart above you will see that for 16 usable addresses you put in a subnet mask of 255.255.255.240, and your starting addresses are 10.11.12.0, 10.11.12.16, 10.11.12.32, etc.

I hope it helps my fellow dummies out there, and I expect others might correct me if I'm wrong about something or left something out.
 

eibgrad

Very Senior Member
Might be easier and more effective to simply change to a net30 topology.

Code:
topology net30

Now every client is allocated its own /30 subnet (4 IPs, low and high unusable, middle two allocated to each end of the tunnel). It effectively creates a P2P (point to point) connection.

You might not have noticed, but sometimes commercial OpenVPN providers do just that, rather than use subnet. By doing so, it's possible to vastly reduce the chances of an IP clash when you're connecting multiple, concurrent OpenVPN clients, esp. when it's the same server. If it's a subnet topology, you're likely to have issues since the entire subnet (e.g., /24) is defined across multiple network interfaces. This is one of those things users would be wise to notice when deciding on the choice of OpenVPN providers, and who plan to make multiple concurrent connections (unfortunately, few do).

When it comes to your own OpenVPN server, it's not particularly useful, unless perhaps you wish to provide your own OpenVPN server to others as a service. For the average home user, I don't see having additional unused IPs as a security risk.
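As an added worked example (not from either post, and not asuswrt-merlin or OpenVPN code), here is the arithmetic behind both the subnet-shrinking post above and the net30 alternative, using Python's standard ipaddress module. The 10.11.12.x and 10.8.0.0/24 addresses are constructed for illustration; the net30 allocation order (first /30 for the server's own endpoints, clients in the following /30s, server side on the lower middle address) is an assumption about OpenVPN's default behaviour rather than something the thread states, and the "server takes the first usable address" rule in max_clients is likewise my assumption about how the router sizes its user list.

```python
"""Subnet arithmetic for an OpenVPN address pool (added example, not from
the thread or from asuswrt-merlin/OpenVPN). Standard library only."""
import ipaddress


def subnet_summary(network_str):
    """Return (total, usable, first_usable, last_usable) for an IPv4 block
    written as 'a.b.c.d/255.255.255.x' or 'a.b.c.d/prefix'.
    strict=True raises ValueError when the address is not the aligned start
    of the block (e.g. 10.11.12.20/29), the same thing OpenVPN rejects."""
    net = ipaddress.IPv4Network(network_str, strict=True)
    hosts = list(net.hosts())  # drops network and broadcast addresses
    return net.num_addresses, len(hosts), str(hosts[0]), str(hosts[-1])


def max_clients(network_str):
    """Clients that fit in a subnet-topology pool. Assumption: the server
    itself takes the first usable address (10.x.y.1 for a .0 block), so the
    remaining usable addresses are what is left for clients."""
    _, usable, _, _ = subnet_summary(network_str)
    return usable - 1


def block_starts(base_str, mask_str, count):
    """First `count` aligned block starts for a mask, beginning at base.
    This is the '10.11.12.0, .8, .16, .24 ...' enumeration from the post."""
    mask = int(ipaddress.IPv4Address(mask_str))
    size = (~mask & 0xFFFFFFFF) + 1            # addresses per block
    base = int(ipaddress.IPv4Address(base_str)) & mask  # snap to alignment
    return [str(ipaddress.IPv4Address(base + i * size)) for i in range(count)]


def halve(mask_str):
    """'Half the distance to the goal': add one network bit.
    255.255.255.0 -> .128 -> .192 -> .224 -> .240 -> .248"""
    prefix = bin(int(ipaddress.IPv4Address(mask_str))).count("1")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix + 1}").netmask)


def net30_capacity(pool_str):
    """Number of clients a pool supports under topology net30: one /30 per
    client, minus the first /30 (assumed reserved for the server's own
    tun endpoint pair)."""
    pool = ipaddress.IPv4Network(pool_str, strict=True)
    if pool.prefixlen > 30:
        raise ValueError("pool must be at least a /30")
    return len(list(pool.subnets(new_prefix=30))) - 1


def net30_allocations(pool_str, n_clients):
    """Carve a pool into per-client /30s. Each /30 has 4 addresses: network
    (unusable), two tunnel endpoints, broadcast (unusable). Assumed layout:
    lower middle address = server side, upper middle = client side.
    Returns a list of (client_block, server_end, client_end)."""
    if n_clients > net30_capacity(pool_str):
        raise ValueError(f"pool holds at most {net30_capacity(pool_str)} clients")
    pool = ipaddress.IPv4Network(pool_str, strict=True)
    blocks = list(pool.subnets(new_prefix=30))
    out = []
    for blk in blocks[1:1 + n_clients]:  # skip the server's own /30
        addrs = list(blk)                 # [network, low-mid, high-mid, broadcast]
        out.append((str(blk), str(addrs[1]), str(addrs[2])))
    return out


if __name__ == "__main__":
    # Constructed sample values from the post: a /29 starting at .16
    print(subnet_summary("10.11.12.16/255.255.255.248"))
    print("clients that fit:", max_clients("10.11.12.16/255.255.255.248"))
    print(block_starts("10.11.12.0", "255.255.255.248", 4))
    print(halve("255.255.255.0"))
    try:
        subnet_summary("10.11.12.20/255.255.255.248")
    except ValueError as e:
        print("rejected misaligned start:", e)
    # net30 over a constructed /24 pool
    print("net30 capacity of a /24:", net30_capacity("10.8.0.0/24"))
    for row in net30_allocations("10.8.0.0/24", 3):
        print(row)
```

The alignment check is the part worth keeping around: a mask of 255.255.255.248 only accepts starting addresses that are multiples of 8, so 10.11.12.16 is fine and 10.11.12.20 is not, and the router will refuse the latter just as strict=True does here.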
 

NOYFUB

New Around Here
Unfortunately I don't think I can do that net30 thingy with the Asus routers and my limited but slowly increasing knowledge of networking. But tomorrow is another day, and you never know.
 

eibgrad

Very Senior Member
All you have to do is add that directive to the OpenVPN server custom config field.

I did notice the following in the syslog once I did.

Code:
Nov 25 11:07:14 lab-merlin1-F5CDB2F-C ovpn-server1[18329]: WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.

So it looks as though eventually OpenVPN plans to eliminate this capability some time in the future anyway. Not sure why.
 
