Openvpn exclude ip in pool



I have an OpenVPN server running on a Linux Ubuntu box. Multiple clients connect to this server (500+) and that is why I set the server-bridge option like this:



server-bridge 10.0.100.1 255.255.0.0 10.0.200.1 10.0.210.254


This works perfectly. The clients get a dynamic IP address, and it goes from the 200 block to the 201 block when the number of clients exceeds 255.



I have an internal application that connects to these clients, but this application crashes on IP addresses 10.0.200.255 and 10.0.201.0.



These IP addresses are in the range I supplied, but I can't use them.



Is there a way to exclude them from my pool?



Or do I need to change my setup?







ubuntu ip openvpn







asked May 17 '16 at 10:39









spambas


  • The internal application should be fixed. .0 and .255 are valid addresses as long as they do not start or end the network range (i.e. in your case 10.0.210.255 is not valid, but you have correctly excluded it, likewise 10.0.200.0).

    – EightBitTony
    May 17 '16 at 11:05












  • Thank you for your comment. I know they are valid addresses. That was not the question though. I would like to change the config of the OpenVPN server to fix this. For example, in PPTP we could set remoteip like this: 10.0.200.1-254,10.0.201.1-254,10.0.202.1-254,etc.

    – spambas
    May 17 '16 at 11:21



















1 Answer

Using multiple IP ranges or excluding certain IPs is not directly possible with OpenVPN's built-in DHCP server using a single configuration file.



I propose 3 possible solutions:




  • Workaround, but not guaranteed to work


  • DHCP-proxy mode, simple, clean and lots of other options


  • Multiple instances, more complex, could have performance benefits

However, I recommend fixing the root cause of the problem: the flawed internal application.



Workaround



In the server configuration file add:



server-bridge 10.0.100.1 255.255.0.0 10.0.200.1 10.0.210.254
ifconfig-pool-persist ipp.txt 0


The 0 at the end of the directive ifconfig-pool-persist treats ipp.txt as a read-only configuration file.



Create a file /etc/openvpn/ipp.txt:



reserved-not-used-cn-1,10.0.200.255
reserved-not-used-cn-2,10.0.201.0
reserved-not-used-cn-3,10.0.201.255
...


Add all the reserved IP addresses to this file, formatted as <Common-Name>,<IP-address>. For the value in the <Common-Name> field choose something that will never be used in any client certificate.



This is not guaranteed to always work, as stated in the OpenVPN manpage:




Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push




DHCP-proxy mode



Since you are using a TAP setup, this might be the best solution. It allows you to use a fully featured DHCP server on the server-side subnet or on the server itself, depending on the configuration. To configure ethernet bridging, you must first use your OS's bridging capability to bridge the TAP interface with another interface.



OpenVPN server config:



server-bridge


This directive expands as follows:



mode server
tls-server
push "route-gateway dhcp"


DHCPD server config:



subnet 10.0.0.0 netmask 255.255.0.0 {
  range 10.0.200.1 10.0.200.254;
  range 10.0.201.1 10.0.201.254;
  range 10.0.202.1 10.0.202.254;
  range 10.0.203.1 10.0.203.254;
  ...
}



Multiple instances



An alternative would be to create a separate openvpn instance for each /24 subnet, using multiple configuration files. But this requires using a different port for each instance.



Instance 1 config file:



port 11941
server-bridge 10.0.100.1 255.255.0.0 10.0.200.1 10.0.200.254


Instance 2 config file:



port 11942
server-bridge 10.0.100.1 255.255.0.0 10.0.201.1 10.0.201.254


...



This would require:



  • either IP-range specific client configurations with the respective port numbers,

  • or e.g. to use iptables load balancing on incoming connections on port 1194 and distribute them evenly across the instances

This solution could have performance benefits, as explained here.








edited May 24 '16 at 10:27

























answered May 18 '16 at 20:16









rda


  • I tried the first option, as it is the least drastic. I got this warning at start [ WARNING: --ifconfig-pool-persist will not work with --duplicate-cn]. Although it did loop through the file and gave me lines like these: [ifconfig_pool_read(), in='never-use-this-address-1,10.0.200.255'], it neglected to do anything with it.

    – spambas
    Jun 3 '16 at 11:49












  • Then I guess this method does not work when you are using --duplicate-cn.

    – rda
    Jun 3 '16 at 12:19











  • @spambas, I have just been thinking about another solution if you just want to make a workaround. You could write a script which handles the IP assignments and is invoked with client-connect and client-disconnect. The command is also passed the pathname of a freshly created temporary file as the last argument, to be used by the script to pass dynamically generated config file directives back to OpenVPN. Then you write the ifconfig-push directive in this temporary file for custom client configuration. In the script you would need to manage the IP pool manually. But you are in full control.

    – rda
    Jun 3 '16 at 13:20
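The client-connect/client-disconnect approach suggested in the last comment, carried through as an added example (this is not code from the question, the answer or OpenVPN itself). It hands out addresses from 10.0.200.1 to 10.0.210.254 while skipping every address whose host octet is 0 or 255, and returns an ifconfig-push directive to OpenVPN through the temporary file passed as the last argument. Assumptions made here: a TAP/server-bridge setup (so ifconfig-push takes an address and a netmask), OpenVPN started with script-security 2 and the hooks wired as client-connect "/usr/local/sbin/vpn_pool.py connect" and client-disconnect "/usr/local/sbin/vpn_pool.py disconnect" (script name chosen for the example), a lease file at /var/lib/openvpn/leases.json (also chosen here), and that an ifconfig-push returned from client-connect overrides the address the built-in pool would otherwise assign. The session key combines the common_name, trusted_ip and trusted_port variables OpenVPN exports, so clients sharing one certificate under --duplicate-cn still get distinct leases.

```python
"""Pool allocator driven from OpenVPN's client-connect / client-disconnect hooks.
Added example, not code from the original post or from OpenVPN. Assumed wiring:
    script-security 2
    client-connect    "/usr/local/sbin/vpn_pool.py connect"
    client-disconnect "/usr/local/sbin/vpn_pool.py disconnect"
(OpenVPN appends the temp-file path as the last argument for client-connect.)"""
import fcntl
import ipaddress
import json
import os
import sys

POOL_START = ipaddress.IPv4Address("10.0.200.1")
POOL_END = ipaddress.IPv4Address("10.0.210.254")
NETMASK = "255.255.0.0"                       # TAP/server-bridge: ifconfig-push addr netmask
LEASE_FILE = "/var/lib/openvpn/leases.json"   # assumed path, chosen for this example

def usable(addr: ipaddress.IPv4Address) -> bool:
    """True unless the host octet is 0 or 255 (the addresses the application crashes on)."""
    return addr.packed[-1] not in (0, 255)

def candidates():
    """Every usable address between POOL_START and POOL_END, ascending."""
    addr = POOL_START
    while addr <= POOL_END:
        if usable(addr):
            yield addr
        addr += 1

def session_key(env) -> str:
    """Key a session by CN plus peer address/port (variables OpenVPN exports), so
    clients that share one certificate under --duplicate-cn get distinct leases."""
    try:
        return f"{env['common_name']}|{env['trusted_ip']}|{env['trusted_port']}"
    except KeyError as missing:
        raise ValueError(f"OpenVPN did not export {missing}") from None

def allocate(leases: dict, key: str) -> str:
    """Return the session's existing lease, else the lowest free usable address."""
    if key in leases:
        return leases[key]
    in_use = set(leases.values())
    for addr in candidates():
        if str(addr) not in in_use:
            leases[key] = str(addr)
            return leases[key]
    raise RuntimeError("address pool exhausted")

def with_locked_leases(path: str, fn):
    """Run fn(leases) under an exclusive lock on a side-car lock file and write the
    table back atomically, so concurrent hooks never hand out the same address."""
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            with open(path) as f:
                leases = json.load(f)
        except FileNotFoundError:
            leases = {}
        valid = {str(a) for a in candidates()}
        leases = {k: v for k, v in leases.items() if v in valid}  # drop hand-edited junk
        result = fn(leases)
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(leases, f)
        os.replace(tmp, path)
    return result

def connect_hook(env, out_path: str, lease_path: str = LEASE_FILE) -> str:
    """client-connect: allocate, then write the directive OpenVPN reads back.
    Only the computed address reaches that file, never raw environment strings."""
    key = session_key(env)
    addr = with_locked_leases(lease_path, lambda leases: allocate(leases, key))
    with open(out_path, "w") as f:
        f.write(f"ifconfig-push {addr} {NETMASK}\n")
    return addr

def disconnect_hook(env, lease_path: str = LEASE_FILE):
    """client-disconnect: release the session's address; returns it, or None."""
    key = session_key(env)
    return with_locked_leases(lease_path, lambda leases: leases.pop(key, None))

if __name__ == "__main__":
    # A non-zero exit makes OpenVPN reject the client, so every error fails closed.
    try:
        mode = sys.argv[1] if len(sys.argv) > 1 else ""
        if mode == "connect":
            connect_hook(os.environ, sys.argv[-1])
        elif mode == "disconnect":
            disconnect_hook(os.environ)
        else:
            raise ValueError("usage: vpn_pool.py connect|disconnect")
    except Exception as exc:
        print(f"vpn_pool.py: {exc}", file=sys.stderr)
        sys.exit(1)
```

Two points are worth keeping whatever allocator you end up with: the file OpenVPN reads back should only ever contain values the script computed, never strings copied from the environment, and any failure should exit non-zero so OpenVPN refuses the connection rather than leaving the client on a pool address the application cannot handle. The lock file and atomic rename are what make the lease table safe if a second OpenVPN instance (the "multiple instances" option) shares it.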


















– rda
Jun 3 '16 at 13:20

















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f283619%2fopenvpn-exclude-ip-in-pool%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Creating 100m^2 grid automatically using QGIS?Creating grid constrained within polygon in QGIS?Createing polygon layer from point data using QGIS?Creating vector grid using QGIS?Creating grid polygons from coordinates using R or PythonCreating grid from spatio temporal point data?Creating fields in attributes table using other layers using QGISCreate .shp vector grid in QGISQGIS Creating 4km point grid within polygonsCreate a vector grid over a raster layerVector Grid Creates just one grid

What is this called? Old film camera viewer?What makes a good film camera?What to do with an old film camera?What should one look for when buying a used film camera?What is the value and age of this pre-1967 Ricoh 35 mm camera?DSLR recommendation, question about old Canon 35mm film Camera & lensesCan anyone identify the silver rangefinder-style camera in this advertisement?What kind of a Polaroid 600-camera is this?Will an old film camera still work even when not used in a very long time?What is this camera / Can I develop the film?How to fit an action camera into antique (bellows) housing?What to check when buying used and old film bodies?

Why is this plane circling around the Lucknow airport every day?Why do aircraft on Flight Radar 24 jump around randomly sometimes?What airport has this walkway over a taxiway?How does Chicago O'Hare's tower sequence aircraft at peak capacity?Which airport is featured in this Delta commercial?After a crash, for how long is the airport closed?Can a passenger plane stand still in the air, or hover at a fixed location above a ground?What are those trucks towing around, and why?What is this airport outside of Cairo, Egypt?Which US airport has the lowest circling MDH?What is this airport video?