Discussion:
[Openvpn-users] Managing the server's IP pool
SaAtomic
2017-06-28 08:17:47 UTC
Hello,
what is the correct way of managing/observing the IP pool on an OpenVPN server?

I'm not sure if this is managed by OpenVPN or the underlying operating system.

With this server configuration:
    port 443
    proto udp
    dev tun
    server 172.16.0.0 255.255.255.0
    tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    tls-version-min 1.2
    cipher AES-256-GCM
    auth SHA512
    comp-lzo
    duplicate-cn

    ca <file>
    cert <file>
    key <file>
    dh <file>
    tls-crypt <file>

How can I observe how many/which IP addresses are currently used - possibly by whom?
How could I flush/release the leases?

Kind regards,
SaAtomic
Joe Patterson
2017-06-28 13:25:45 UTC
I don't think you can with that config, but there are things that you could
do to change it so you can. If you add a "status" line, you'll get a
status file listing connected systems and their IP's. If you add a
"management" line, you can telnet in and run the "status" command, and get
a list of connected systems and their IP's. If you add an
"ifconfig-pool-persist" line, you will get a file with user-to-IP mappings,
though there will be no indication of which are currently connected.
Without the ifconfig-pool-persist, there isn't really a concept of
a "lease", IP addresses go back into the pool as soon as the client
disconnects (at least I'm fairly sure of that). But with the management
interface, you can both see connected clients and their IP addresses, and,
if you wish, kill their connection.

And, of course, you can combine all three and have access to tons of info
in multiple ways.

-Joe
Post by SaAtomic
Hello,
what is the correct way of managing/observing the IP pool on an OpenVPN server?
I'm not sure if this is managed by OpenVPN or the underlying operating system.
port 443
proto udp
dev tun
server 172.16.0.0 255.255.255.0
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
cipher AES-256-GCM
auth SHA512
comp-lzo
duplicate-cn
ca <file>
cert <file>
key <file>
dh <file>
tls-crypt <file>
How can I observe how many/which IP addresses are currently used - possibly by whom?
How could I flush/release the leases?
Kind regards,
SaAtomic
_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
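As an added example (not code from the thread or from the OpenVPN project): a small parser for the status file Joe describes, using the status-version 1 layout that the "status" directive writes and that the management interface's "status" command prints. It reads the ROUTING TABLE section rather than CLIENT LIST because, on a server with duplicate-cn, the common name is not unique per session but the virtual address is. The sample status text and the 172.16.0.0/24 pool size are constructed to match the configuration quoted above.

```python
import ipaddress

# Constructed sample of a status-version-1 file; two sessions share the
# common name "laptop" because the server in the thread runs duplicate-cn.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Wed Jun 28 08:00:00 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop,198.51.100.7:51820,334948,1973012,Wed Jun 28 07:10:03 2017
laptop,203.0.113.9:41000,1200,3400,Wed Jun 28 07:55:41 2017
phone,192.0.2.23:60001,88,120,Wed Jun 28 07:58:12 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.16.0.6,laptop,198.51.100.7:51820,Wed Jun 28 07:59:09 2017
172.16.0.10,laptop,203.0.113.9:41000,Wed Jun 28 07:59:50 2017
172.16.0.14,phone,192.0.2.23:60001,Wed Jun 28 07:59:58 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_routing_table(text):
    """Return {virtual_address: (common_name, real_address, last_ref)}.

    Only the ROUTING TABLE section is read; it is keyed by the VPN-side
    address, which stays unique even when several sessions share a CN.
    """
    leases = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("ROUTING TABLE"):
            in_table = True
            continue
        if line.startswith(("GLOBAL STATS", "END")):
            in_table = False
        if not in_table or line.startswith("Virtual Address"):
            continue
        vaddr, cn, real, last_ref = line.split(",", 3)
        leases[vaddr] = (cn, real, last_ref)
    return leases


def pool_usage(leases, network="172.16.0.0/24"):
    """Count virtual addresses that fall inside the --server network.

    Entries that are not single IPv4 hosts (e.g. an iroute subnet such as
    10.9.0.0/24, which the routing table also lists) are skipped.
    """
    net = ipaddress.ip_network(network)
    used = 0
    for vaddr in leases:
        try:
            if ipaddress.ip_address(vaddr) in net:
                used += 1
        except ValueError:
            continue  # not a host address, e.g. an iroute network
    return used
```

Running parse_routing_table over the file written by "status" every few seconds answers "which address, by whom, from where"; a Last Ref timestamp that stops advancing is the sign of a session the server has not yet timed out.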
Leonardo Rodrigues
2017-06-28 15:40:56 UTC
And keep in mind that even 'ifconfig-pool-persist' does not GUARANTEE
the same client will always get the same IP address. From the manual page:

Note that the entries in this file are treated by OpenVPN as suggestions
only, based on past associations between a common name and IP address.
They do not guarantee that the given common name will always receive the
given IP address. If you want guaranteed assignment, use *--ifconfig-push*
Post by Joe Patterson
I don't think you can with that config, but there are things that you
could do to change it so you can. If you add a "status" line, you'll
get a status file listing connected systems and their IP's. If you
add a "management" line, you can telnet in and run the "status"
command, and get a list of connected systems and their IP's. If you
add an "ifconfig-pool-persist" line, you will get a file with
user-to-IP mappings, though there will be no indication of which are
currently connected. Without the ifconfig-pool-persist, there
isn't really a concept of a "lease", IP addresses go back into the
pool as soon as the client disconnects (at least I'm fairly sure of
that). But with the management interface, you can both see connected
clients and their IP addresses, and, if you wish, kill their connection.
And, of course, you can combine all three and have access to tons of
info in multiple ways.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it:
***@solutti.com.br
David Sommerseth
2017-06-28 20:28:08 UTC
Post by SaAtomic
Hello,
what is the correct way of managing/observing the IP pool on an OpenVPN server?
I'm not sure if this is managed by OpenVPN or the underlying operating system.
port 443
proto udp
dev tun
server 172.16.0.0 255.255.255.0
The --server line above defines the IP address pool OpenVPN will use.
With that line, OpenVPN takes responsibility for all IP addresses
provided to VPN clients.

This can be overruled by having either static CCD files (see the
--client-config-dir entry in the man page) where you can push a specific
IP address. That IP address can also be outside the scope of
--ifconfig-pool (which --server automatically configures).

Another approach is to use a --plugin or --client-connect script which
can dynamically create CCD files on-the-fly, where your script can
manage and control which IP address the client should use.

For both CCD approaches, also read up on the --ifconfig-push entry in the
man page.
--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc