Openvpn exclude ip in pool
I have an OpenVPN server running on a Linux Ubuntu box. Multiple clients connect to this server (500+) and that is why I set the server-bridge option like this:
server-bridge 10.0.100.1 255.255.0.0 10.0.200.1 10.0.210.254
This works perfectly. The clients get a dynamic IP address, and it goes from the 200 block to the 201 block when the number of clients exceeds 255.
I have an internal application that connects to these clients, but this application crashes on IP addresses 10.0.200.255 and 10.0.201.0.
These IP addresses are in the range I supplied, but I can't use them.
Is there a way to exclude them from my pool?
Or do I need to change my setup?
ubuntu ip openvpn
asked May 17 '16 at 10:39
spambas
The internal application should be fixed. .0 and .255 are valid addresses as long as they do not start or end the network range (i.e. in your case 10.0.210.255 is not valid, but you have correctly excluded it, likewise 10.0.200.0).
– EightBitTony
May 17 '16 at 11:05
Thank you for your comment. I know they are valid addresses. That was not the question though. I would like to change the config of the OpenVPN server to fix this. For example, in PPTP we could set remoteip like this: 10.0.200.1-254,10.0.201.1-254,10.0.202.1-254,etc
– spambas
May 17 '16 at 11:21
1 Answer
Using multiple IP ranges or excluding certain IPs is not directly possible with OpenVPN's built-in DHCP server using a single configuration file.
I propose 3 possible solutions:
- Workaround, but not guaranteed to work
- DHCP-proxy mode, simple, clean and lots of other options
- Multiple instances, more complex, could have performance benefits
However, I recommend fixing the root cause of the problem: the internal application is flawed.
Workaround
In the server configuration file add:
server-bridge 10.0.100.1 255.255.0.0 10.0.200.1 10.0.210.254
ifconfig-pool-persist ipp.txt 0
The 0 at the end of the ifconfig-pool-persist directive treats ipp.txt as a read-only configuration file.
Create a file /etc/openvpn/ipp.txt:
reserved-not-used-cn-1,10.0.200.255
reserved-not-used-cn-2,10.0.201.0
reserved-not-used-cn-3,10.0.201.255
...
Add all the reserved IP addresses to this file, formatted as <Common-Name>,<IP-address>. For the value in the <Common-Name> field, choose something that will never be used in any client certificate.
This is not guaranteed to work always, as stated in the OpenVPN manpage:
Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push.
DHCP-proxy mode
Since you are using a TAP setup, this might be the best solution. It allows you to use a fully featured DHCP server on the server-side subnet or on the server itself, depending on the configuration. To configure ethernet bridging, you must first use your OS's bridging capability to bridge the TAP interface with another interface.
OpenVPN server config:
server-bridge
This directive expands as follows:
mode server
tls-server
push "route-gateway dhcp"
DHCPD server config:
# The subnet statement must name the network address (host bits zero),
# otherwise dhcpd rejects the file with "bad subnet number/mask combination".
# 10.0.0.0/16 covers the server's 10.0.100.1 and the 10.0.200.x pools.
subnet 10.0.0.0 netmask 255.255.0.0 {
    # one range per /24, each skipping .0 and .255
    range 10.0.200.1 10.0.200.254;
    range 10.0.201.1 10.0.201.254;
    range 10.0.202.1 10.0.202.254;
    range 10.0.203.1 10.0.203.254;
    # ...
}
Multiple instances
An alternative would be to create a separate openvpn instance for each /24 subnet, using multiple configuration files. But this requires using a different port for each instance.
Instance 1 config file:
port 11941
server-bridge 10.0.100.1 255.255.0.0 10.0.200.1 10.0.200.254
Instance 2 config file:
port 11942
server-bridge 10.0.100.1 255.255.0.0 10.0.201.1 10.0.201.254
...
This would require:
- either IP-range specific client configurations with the respective port numbers,
- or e.g. to use iptables load balancing on incoming connections on port 1194 and distribute them evenly across the instances.
This solution could have performance benefits, as explained here.
edited May 24 '16 at 10:27
answered May 18 '16 at 20:16
rda
I tried the first option, as it is the least drastic. I got this warning at start [ WARNING: --ifconfig-pool-persist will not work with --duplicate-cn]. Although it did loop through the file and gave me lines like these: [ifconfig_pool_read(), in='never-use-this-address-1,10.0.200.255'], it neglected to do anything with it.
– spambas
Jun 3 '16 at 11:49
Then I guess this method does not work when you are using --duplicate-cn.
– rda
Jun 3 '16 at 12:19
@spambas, I have just been thinking about another solution if you just want to make a workaround. You could write a script which handles the IP assignments and is invoked with client-connect and client-disconnect. The command is also passed the pathname of a freshly created temporary file as the last argument, to be used by the script to pass dynamically generated config file directives back to OpenVPN. Then you write the ifconfig-push directive in this temporary file for custom client configuration. In the script you would need to manage the IP pool manually. But you are in full control.
– rda
Jun 3 '16 at 13:20
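The hook rda sketches above, as an added example that is not code from the post or from OpenVPN: one script serving both client-connect and client-disconnect, which keeps its own lease table for the question's pool, skips every .0 and .255 address, and writes an ifconfig-push line into the temporary file OpenVPN passes as the last argument. It assumes "script-security 2" in the server config; the lease file path and the trusted_ip:trusted_port lease key (chosen because --duplicate-cn makes common names non-unique) are this example's own choices.

```python
#!/usr/bin/env python3
# Added example, not code from the post or from OpenVPN: a client-connect /
# client-disconnect hook that manages the address pool itself and writes an
# ifconfig-push line into the temporary file OpenVPN passes as the last
# argument.  Requires "script-security 2" in the server config.  LEASE_FILE
# and the lease-key scheme are assumptions made for this example.
import fcntl
import ipaddress
import json
import os
import sys

# Same pool the question's server-bridge line hands out.
POOL_FIRST = "10.0.200.1"
POOL_LAST = "10.0.210.254"
NETMASK = "255.255.0.0"   # TAP mode: the second ifconfig-push argument is a netmask
LEASE_FILE = "/var/lib/openvpn/leases.json"   # assumed path, not from the page


def is_excluded(ip):
    """True for the addresses the internal application cannot handle:
    any host whose last octet is 0 or 255, even though they are valid."""
    return (int(ipaddress.IPv4Address(ip)) & 0xFF) in (0, 255)


def usable_addresses(first=POOL_FIRST, last=POOL_LAST):
    """Every address in [first, last] in order, skipping the excluded ones."""
    cur, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    while cur <= end:
        if not is_excluded(cur):
            yield str(cur)
        cur += 1


def allocate(leases, key, first=POOL_FIRST, last=POOL_LAST):
    """Return the address leased to `key`, taking the lowest free usable
    address on first contact.  Returns None when the pool is exhausted."""
    if key in leases:
        return leases[key]
    in_use = set(leases.values())
    for ip in usable_addresses(first, last):
        if ip not in in_use:
            leases[key] = ip
            return ip
    return None


def release(leases, ip):
    """Free the lease holding `ip`; True if one existed."""
    for key, leased in list(leases.items()):
        if leased == ip:
            del leases[key]
            return True
    return False


def handle_hook(env, tmp_path, leases):
    """Apply one OpenVPN hook call to the lease table.  Returns the exit
    status the script should give OpenVPN (non-zero rejects the client)."""
    if env.get("script_type") == "client-connect":
        # With --duplicate-cn several clients share a common name, so key
        # leases on the peer's real address and port instead (assumption).
        key = "%s:%s" % (env.get("trusted_ip", "?"), env.get("trusted_port", "?"))
        ip = allocate(leases, key)
        if ip is None:
            return 1          # pool exhausted: reject the connection
        with open(tmp_path, "w") as tmp:
            tmp.write("ifconfig-push %s %s\n" % (ip, NETMASK))
        return 0
    if env.get("script_type") == "client-disconnect":
        # OpenVPN exports the address it pushed as ifconfig_pool_remote_ip.
        release(leases, env.get("ifconfig_pool_remote_ip", ""))
    return 0


def main(argv):
    # Serialise concurrent hook invocations with a lock on the lease file.
    os.makedirs(os.path.dirname(LEASE_FILE), exist_ok=True)
    with open(LEASE_FILE, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        fh.seek(0)
        raw = fh.read()
        leases = json.loads(raw) if raw.strip() else {}
        status = handle_hook(os.environ, argv[-1], leases)
        fh.seek(0)
        fh.truncate()
        json.dump(leases, fh)
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point both directives at the script (client-connect /path/to/script and client-disconnect /path/to/script); the pool of 10.0.200.1 to 10.0.210.254 then yields 2794 usable addresses instead of the 2814 the built-in pool would hand out.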