[Openvpn-users] Changing openvpn dhcp pool
Zoltán Szabó
2016-03-06 14:15:21 UTC
I have a config at the moment which is working almost fine, until some
clients connect; then the server starts to kick the clients off, or
something like that. As I have checked, every client gets a good IP
address and there is no IP address collision. The clients are using
different certificates to connect. However, I want to change this config to
separate the dhcp range.

The current server config is this:

port 1194
proto udp

dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem

server 10.8.0.0 255.255.255.0
topology subnet

push "route 10.8.0.1 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

ifconfig-pool-persist ipp.txt

client-config-dir /etc/openvpn/ccd

client-to-client

keepalive 10 300
comp-lzo
user nobody
group nobody

persist-key
persist-tun

status /etc/openvpn/openvpn-status.log
verb 6

I would like to have dynamic IPs assigned from this range:
10.8.1.0 - 10.8.1.254

For this, I would like to use a /23, so 255.255.254.0

And I will assign static IPs from this range:
10.8.0.3 - 10.8.1.255 as 0.1 and 0.2 might be assigned to the server.

I will use this to push to client for static ip:

ifconfig-push 10.8.0.5 255.255.254.0

Could you please help me to modify my config to achieve this?

So split my 10.8.0.0-10.8.1.255 range to two:

- Static IPs: 10.8.0.4-10.8.0.255
- Dynamic IPs: 10.8.1.0-10.8.1.254

I will have Linux and Windows clients too.

Many thanks,

Zoltan
Selva Nair
2016-03-06 18:45:40 UTC
Hi,
Post by Zoltán Szabó
10.8.1.0 - 10.8.1.254
For this, I would like to use a /23, so 255.255.254.0
Exclude the last address 10.8.1.254 from the range as that will clash with
the internal dhcp server address on windows -- it could be assigned to all
non-windows clients, but easier just to exclude it.
Post by Zoltán Szabó
10.8.0.3 - 10.8.1.255 as 0.1 and 0.2 might be assigned to the server.
You mean 10.8.0.3 to 10.8.0.255 ?
Post by Zoltán Szabó
ifconfig-push 10.8.0.5 255.255.254.0
Could you please help me to modify my config to achieve this?
I think replacing "server 10.8.0.0 255.255.255.0" in the server config by
the following lines should do it:

mode server
tls-server
push "topology subnet"
ifconfig 10.8.0.1 255.255.254.0
ifconfig-pool 10.8.1.0 10.8.1.253
route-gateway 10.8.0.1
push "route-gateway 10.8.0.1"

Then push the static IPs in the range 10.8.0.3 to 10.8.0.255 with
ifconfig-push in ccd files.

Though this should work, I've seen things like routing to networks behind a
client not work as expected with static IPs outside the pool, though
within the subnet (writing from memory). Alternatively, one could keep the
dynamic pool and static pool in separate subnets: i.e., keep the server
directive as is, and assign static IPs from outside that /24. Then you'll
need some extra route directives to reach those clients.

Selva
Selva Nair
2016-03-06 19:33:44 UTC
Post by Zoltán Szabó
Sun Mar 06 19:33:39 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.1.0/10.8.1.2/10.8.1.1 [SUCCEEDED]
Sun Mar 06 19:33:39 2016 MANAGEMENT: Client disconnected
Sun Mar 06 19:33:39 2016 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet
Sun Mar 06 19:33:39 2016 Exiting due to fatal error
push "topology subnet"
topology subnet
The push syntax is correct, but your client is getting the wrong netmask,
it seems. Please post the new server config.

Selva
Zoltán Szabó
2016-03-06 21:18:48 UTC
OK, it is better now after some changes: IP addresses are assigned correctly
from the two ranges, but none of the clients can reach each other; even ping
is not working.

server config now:
proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem

mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.8.0.1 255.255.254.0
ifconfig-pool 10.8.1.0 10.8.1.253
route-gateway 10.8.0.1
push "route-gateway 10.8.0.1"

ifconfig-pool-persist ipp.txt

client-config-dir /etc/openvpn/ccd

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-to-client

keepalive 10 300
comp-lzo

user nobody
group nobody
persist-key
persist-tun

status /etc/openvpn/openvpn-status.log

verb 6

DHCP client config file:
client
dev tun
proto udp
remote ************* 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca e:\\Temp\\vpn\\ca.crt
cert e:\\Temp\\vpn\\client2.crt
key e:\\Temp\\vpn\\client2.key

And I have one file in the ccd dir for one of the clients to set static IP:
ifconfig-push 10.8.0.5 255.255.254.0

The routing table on the dhcp client looks like this at the moment:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 5
10.8.0.4 255.255.255.252 On-link 10.8.0.6 276
10.8.0.6 255.255.255.255 On-link 10.8.0.6 276
10.8.0.7 255.255.255.255 On-link 10.8.0.6 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.101 261
192.168.1.101 255.255.255.255 On-link 192.168.1.101 261
192.168.1.255 255.255.255.255 On-link 192.168.1.101 261


And the routing table on the client with static ip:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        *               255.255.254.0   U     0      0        0 tun0
172.17.0.0      *               255.255.0.0     U     0      0        0 docker0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0


And I am trying to reach 10.8.0.5 from 10.8.1.1

And here is the log from the dhcp client when connecting:
Sun Mar 06 21:30:59 2016 PUSH: Received control message:
'PUSH_REPLY,topology subnet,route-gateway 10.8.0.1,dhcp-option DNS
8.8.8.8,dhcp-option DNS 8.8.4.4,ping 10,ping-restart 300,ifconfig 10.8.1.0
255.255.254.0'
Sun Mar 06 21:30:59 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Mar 06 21:30:59 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Mar 06 21:30:59 2016 OPTIONS IMPORT: route-related options modified
Sun Mar 06 21:30:59 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
options modified
Sun Mar 06 21:30:59 2016 do_ifconfig, tt->ipv6=0,
tt->did_ifconfig_ipv6_setup=0
Sun Mar 06 21:30:59 2016 MANAGEMENT: >STATE:1457299859,ASSIGN_IP,,10.8.1.0,
Sun Mar 06 21:30:59 2016 open_tun, tt->ipv6=0
Sun Mar 06 21:30:59 2016 TAP-WIN32 device [Ethernet 2] opened:
\\.\Global\{956E0460-9261-4CD3-A69F-D7B45057C62B}.tap
Sun Mar 06 21:30:59 2016 TAP-Windows Driver Version 9.21
Sun Mar 06 21:30:59 2016 Set TAP-Windows TUN subnet mode
network/local/netmask = 10.8.0.0/10.8.1.0/255.255.254.0 [SUCCEEDED]
Sun Mar 06 21:30:59 2016 Notified TAP-Windows driver to set a DHCP
IP/netmask of 10.8.1.0/255.255.254.0 on interface
{956E0460-9261-4CD3-A69F-D7B45057C62B} [DHCP-serv: 10.8.1.254, lease-time:
31536000]
Sun Mar 06 21:30:59 2016 Successful ARP Flush on interface [33]
{956E0460-9261-4CD3-A69F-D7B45057C62B}
Sun Mar 06 21:31:05 2016 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
Sun Mar 06 21:31:05 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Mar 06 21:31:32 2016 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
Sun Mar 06 21:31:32 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Mar 06 21:31:33 2016 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
Sun Mar 06 21:31:33 2016 Route: Waiting for TUN/TAP interface to come up...
Sun Mar 06 21:31:34 2016 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
SYSTEM ROUTING TABLE
0.0.0.0 0.0.0.0 192.168.1.1 p=0 i=3 t=4 pr=3 a=25282 h=0 m=5/0/0/0/0
10.8.0.4 255.255.255.252 10.8.0.6 p=0 i=33 t=3 pr=2 a=6211 h=0 m=276/0/0/0/0
10.8.0.6 255.255.255.255 10.8.0.6 p=0 i=33 t=3 pr=2 a=6211 h=0 m=276/0/0/0/0
10.8.0.7 255.255.255.255 10.8.0.6 p=0 i=33 t=3 pr=2 a=6211 h=0 m=276/0/0/0/0
127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=261734 h=0 m=306/0/0/0/0
127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=261734 h=0
m=306/0/0/0/0
127.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=261734 h=0
m=306/0/0/0/0
192.168.1.0 255.255.255.0 192.168.1.101 p=0 i=3 t=3 pr=2 a=25282 h=0
m=261/0/0/0/0
192.168.1.101 255.255.255.255 192.168.1.101 p=0 i=3 t=3 pr=2 a=25282 h=0
m=261/0/0/0/0
192.168.1.255 255.255.255.255 192.168.1.101 p=0 i=3 t=3 pr=2 a=25282 h=0
m=261/0/0/0/0
192.168.196.0 255.255.255.0 192.168.196.1 p=0 i=47 t=3 pr=2 a=25285 h=0
m=276/0/0/0/0
192.168.196.1 255.255.255.255 192.168.196.1 p=0 i=47 t=3 pr=2 a=25285 h=0
m=276/0/0/0/0
192.168.196.255 255.255.255.255 192.168.196.1 p=0 i=47 t=3 pr=2 a=25285 h=0
m=276/0/0/0/0
192.168.241.0 255.255.255.0 192.168.241.1 p=0 i=46 t=3 pr=2 a=25285 h=0
m=276/0/0/0/0
192.168.241.1 255.255.255.255 192.168.241.1 p=0 i=46 t=3 pr=2 a=25285 h=0
m=276/0/0/0/0
192.168.241.255 255.255.255.255 192.168.241.1 p=0 i=46 t=3 pr=2 a=25285 h=0
m=276/0/0/0/0
224.0.0.0 240.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=261734 h=0 m=306/0/0/0/0
224.0.0.0 240.0.0.0 192.168.1.101 p=0 i=3 t=3 pr=2 a=25289 h=0 m=261/0/0/0/0
224.0.0.0 240.0.0.0 192.168.196.1 p=0 i=47 t=3 pr=2 a=25289 h=0
m=276/0/0/0/0
224.0.0.0 240.0.0.0 192.168.241.1 p=0 i=46 t=3 pr=2 a=25289 h=0
m=276/0/0/0/0
224.0.0.0 240.0.0.0 10.8.0.6 p=0 i=33 t=3 pr=2 a=25289 h=0 m=276/0/0/0/0
255.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=261734 h=0
m=306/0/0/0/0
255.255.255.255 255.255.255.255 192.168.1.101 p=0 i=3 t=3 pr=2 a=25289 h=0
m=261/0/0/0/0
255.255.255.255 255.255.255.255 192.168.196.1 p=0 i=47 t=3 pr=2 a=25289 h=0
m=276/0/0/0/0
255.255.255.255 255.255.255.255 192.168.241.1 p=0 i=46 t=3 pr=2 a=25289 h=0
m=276/0/0/0/0
255.255.255.255 255.255.255.255 10.8.0.6 p=0 i=33 t=3 pr=2 a=25289 h=0
m=276/0/0/0/0
SYSTEM ADAPTER LIST
VMware Virtual Ethernet Adapter for VMnet1
Index = 46
GUID = {1B1731F5-1880-4038-8DF1-22D9C9729B94}
IP = 192.168.241.1/255.255.255.0
MAC = 00:50:56:c0:00:01
GATEWAY = 0.0.0.0/255.255.255.255
DNS SERV =
TAP-Windows Adapter V9
Index = 33
GUID = {956E0460-9261-4CD3-A69F-D7B45057C62B}
IP = 10.8.0.6/255.255.255.252
MAC = 00:ff:95:6e:04:60
GATEWAY = 0.0.0.0/255.255.255.255
DHCP SERV = 10.8.0.5/255.255.255.255
DHCP LEASE OBTAINED = Sun Mar 06 19:48:02 2016
DHCP LEASE EXPIRES = Mon Mar 06 19:48:02 2017
DNS SERV = 8.8.8.8/255.255.255.255 8.8.4.4/255.255.255.255
Microsoft Wi-Fi Direct Virtual Adapter
Index = 5
GUID = {286F1C2F-D5CA-4BDA-BA7A-48B13FE7D474}
IP = 0.0.0.0/0.0.0.0
MAC = 00:c2:c6:52:1c:56
GATEWAY = 0.0.0.0/255.255.255.255
DHCP SERV =
DHCP LEASE OBTAINED = Sun Mar 06 21:31:34 2016
DHCP LEASE EXPIRES = Sun Mar 06 21:31:34 2016
DNS SERV =
Intel(R) Centrino(R) Wireless-N 2230
Index = 4
GUID = {E6ABABDE-DBB3-4C3F-A306-2C613D7C7CCB}
IP = 0.0.0.0/0.0.0.0
MAC = 00:c2:c6:52:1c:55
GATEWAY = 0.0.0.0/255.255.255.255
DHCP SERV =
DHCP LEASE OBTAINED = Sun Mar 06 21:31:34 2016
DHCP LEASE EXPIRES = Sun Mar 06 21:31:34 2016
DNS SERV =
Qualcomm Atheros AR8171/8175 PCI-E Gigabit Ethernet Controller (NDIS 6.30)
Index = 3
GUID = {4CDE337E-AB0D-4982-8482-29AD34ED0176}
IP = 192.168.1.101/255.255.255.0
MAC = 28:d2:44:58:9b:19
GATEWAY = 192.168.1.1/255.255.255.255
DHCP SERV = 192.168.1.1/255.255.255.255
DHCP LEASE OBTAINED = Sun Mar 06 21:30:08 2016
DHCP LEASE EXPIRES = Sun Mar 06 23:30:08 2016
DNS SERV = 8.8.8.8/255.255.255.255 8.8.4.4/255.255.255.255
VMware Virtual Ethernet Adapter for VMnet8
Index = 47
GUID = {ADD6AC9D-BA8F-4494-830B-16BC591C9BA7}
IP = 192.168.196.1/255.255.255.0
MAC = 00:50:56:c0:00:08
GATEWAY = 0.0.0.0/255.255.255.255
DNS SERV =
Sun Mar 06 21:31:34 2016 Initialization Sequence Completed With Errors (
see http://openvpn.net/faq.html#dhcpclientserv )
STATE:1457299894,CONNECTED,ERROR,10.8.1.0,[MASKED_SERVER_IP]
So it is weird. 10.8.0.5 should be the client with one static IP.
Selva Nair
2016-03-06 21:51:33 UTC
Post by Zoltán Szabó
Ok it is better now after some changes, IP addresses are assigned
correctly from the two ranges. but non of the clients can reach each other,
even ping is not working.
Your configs look ok, but the routing table on the dhcp client is wrong.
You probably have a stale connection running on it already with net30
topology. Or at least routes left over from an old connection. There could
be stale entries in ipp.txt as well. Clean them up, make sure no openvpn is
running and preferably reboot or do a suspend-resume on the client to get
the tap driver to a clean state.

Anyway the connection on the dhcp client failed so no point in trying to
check connectivity between clients.

I strongly urge you to first get two clients on dhcp (do not use any ipp
file until everything is working). Then check the connectivity between
those two dhcp clients. As I hinted in my earlier response, getting
client-to-client to work between the static IP client and others may be
trickier.

Selva
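An added example, not from the thread or from the OpenVPN project, that checks the address plan Selva lays out in his first reply (one /23 on ifconfig, a dynamic ifconfig-pool, statics pushed from ccd files with ifconfig-push) and flags the stale ipp.txt leases he warns about in this one. The server config, ccd contents and ipp.txt lines are constructed to mirror the thread; the function names are mine, as is the choice to treat the subnet's last usable address as reserved for the TAP-Windows driver's fake DHCP server.

```python
"""Sanity-check an OpenVPN address plan that splits one subnet into a dynamic
ifconfig-pool plus static ifconfig-push addresses in client-config-dir (ccd)
files, and flag stale ifconfig-pool-persist (ipp.txt) leases that clash with it.
Added example; the sample config, ccd files and ipp.txt below are constructed."""
import ipaddress
import re
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address


def parse_server(conf: str) -> Tuple[ipaddress.IPv4Interface, IPv4, IPv4]:
    """Return (server interface, pool start, pool end) from the server config."""
    ifc = re.search(r"^\s*ifconfig\s+(\S+)\s+(\S+)", conf, re.M)
    pool = re.search(r"^\s*ifconfig-pool\s+(\S+)\s+(\S+)", conf, re.M)
    if not ifc or not pool:
        raise ValueError("config needs both 'ifconfig' and 'ifconfig-pool'")
    server = ipaddress.IPv4Interface(f"{ifc.group(1)}/{ifc.group(2)}")
    return server, IPv4(pool.group(1)), IPv4(pool.group(2))


def parse_ccd(ccd: Dict[str, str]) -> Dict[str, ipaddress.IPv4Interface]:
    """Map common name -> ifconfig-push address/mask for each ccd file that has one."""
    statics = {}
    for cn, text in ccd.items():
        m = re.search(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)", text, re.M)
        if m:
            statics[cn] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return statics


def parse_ipp(text: str) -> Dict[str, IPv4]:
    """ipp.txt lines are 'common-name,address' (newer versions append ',ipv6')."""
    leases = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) >= 2 and fields[0] and not fields[0].startswith("#"):
            leases[fields[0]] = IPv4(fields[1])
    return leases


def check_plan(server_conf: str, ccd: Dict[str, str], ipp_txt: str) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    server, pool_lo, pool_hi = parse_server(server_conf)
    net = server.network
    # With --topology subnet and the default --ip-win32 dynamic offset, the
    # TAP-Windows driver answers DHCP from the subnet's last usable address
    # (10.8.1.254 in the thread's client log), so it must never be handed out.
    win_dhcp = net.broadcast_address - 1
    reserved = {server.ip, win_dhcp, net.network_address, net.broadcast_address}
    in_pool = lambda a: pool_lo <= a <= pool_hi
    problems: List[str] = []

    if pool_lo not in net or pool_hi not in net or pool_lo > pool_hi:
        problems.append(f"pool {pool_lo}-{pool_hi} is not a range inside {net}")
    for addr in reserved:
        if in_pool(addr):
            problems.append(f"pool contains reserved address {addr} "
                            "(server, TAP-Windows fake DHCP server, network or broadcast)")

    statics = parse_ccd(ccd)
    owner: Dict[IPv4, str] = {}
    for cn, iface in statics.items():
        if iface.network != net:
            problems.append(f"ccd/{cn}: {iface.with_netmask} is not in server subnet {net} "
                            "(wrong netmask or address)")
        elif in_pool(iface.ip):
            problems.append(f"ccd/{cn}: static {iface.ip} lies inside the dynamic pool")
        elif iface.ip in reserved:
            problems.append(f"ccd/{cn}: {iface.ip} is reserved")
        if iface.ip in owner:
            problems.append(f"ccd/{cn}: {iface.ip} is also pushed to ccd/{owner[iface.ip]}")
        owner[iface.ip] = cn

    for cn, lease in parse_ipp(ipp_txt).items():
        if cn in statics:
            if lease != statics[cn].ip:
                problems.append(f"ipp.txt: {cn} has stale lease {lease}, ccd pushes {statics[cn].ip}")
        elif not in_pool(lease):
            problems.append(f"ipp.txt: {cn} has lease {lease} outside the pool (left over from an old plan)")
    return problems


# Constructed sample mirroring the thread: /23 with the server at 10.8.0.1,
# statics in 10.8.0.x, dynamic pool 10.8.1.0-10.8.1.253.
SERVER_CONF = """\
mode server
tls-server
topology subnet
ifconfig 10.8.0.1 255.255.254.0
ifconfig-pool 10.8.1.0 10.8.1.253
route-gateway 10.8.0.1
push "route-gateway 10.8.0.1"
client-config-dir /etc/openvpn/ccd
"""
CCD = {
    "client1": "ifconfig-push 10.8.0.5 255.255.254.0\n",  # fine
    "client3": "ifconfig-push 10.8.0.7 255.255.255.0\n",  # /24 mask: client sees another subnet
    "client4": "ifconfig-push 10.8.1.10 255.255.254.0\n",  # collides with the dynamic pool
}
IPP_TXT = "client2,10.8.0.6\nclient1,10.8.1.3\n"  # 10.8.0.6 looks like an old net30 lease

if __name__ == "__main__":
    for p in check_plan(SERVER_CONF, CCD, IPP_TXT) or ["address plan is consistent"]:
        print(p)
```

Run it against the real files before restarting the server: a static address that lands inside the pool, or an ipp.txt lease that predates the ccd file, produces exactly the "assigned correctly but cannot reach each other" symptom discussed in this part of the thread.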
Zoltán Szabó
2016-03-07 00:22:18 UTC
Hi Selva,

Many thanks. I restarted my machine, and removed ipp and also had to add
these lines to the dhcp client's config to make it work:
route-delay 5
route-method exe
ip-win32 netsh

Now I can reach the static ip client from the dhcp client. I will run some
tests and hopefully it will work with all clients.

Thank you
Zoltán Szabó
2016-03-19 23:52:59 UTC
Hi Everyone,

After some weeks of testing, this config has proved to be working great.

Now I would like to restrict some clients from accessing certain services
on the VPN.

So I am trying it with iptables but even if I add a really simple rule just
to drop everything coming from one client, it is not dropping.

So adding this:
iptables -A FORWARD -s 10.8.1.0 -j DROP

It does not have any effect. I can ping and reach everything from 10.8.1.0
on the VPN network.
[***@red fw]# iptables -L -v -n
Chain INPUT (policy ACCEPT 11 packets, 801 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       10.8.1.0             0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6 packets, 745 bytes)
 pkts bytes target     prot opt in     out     source               destination

Do you have any idea how I can make it work? I even tried adding it to
INPUT and OUTPUT.
Thank you,
/dev/rob0
2016-03-20 00:34:12 UTC
Post by Zoltán Szabó
After some weeks of testing this config proved that it is working great.
Now I would like to restrict some clients from accessing certain
services on the VPN.
So I am trying it with iptables but even if I add a really simple
rule just to drop everything coming from one client, it is not
dropping.
iptables -A FORWARD -s 10.8.1.0 -j DROP
If you have enabled --client-to-client, the kernel routing table &
firewall are bypassed. This is to be expected. Remove
--client-to-client if you need firewalling.
Post by Zoltán Szabó
Do you have any idea how can I make it work? Even I tired to add
it to INPUT and OUTPUT.
Forwarded packets do not go to INPUT nor OUTPUT chains.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Gert Doering
2016-03-21 09:10:19 UTC
Hi,
Post by Zoltán Szabó
So I am trying it with iptables but even if I add a really simple rule just
to drop everything coming from one client, it is not dropping.
Client-to-client, or client-to-stuff-behind-server?

To filter client-to-client communication, remove the "--client-to-client"
option from the server vpn config - if you have that, client-to-client
traffic will never hit the IP routing / firewalling layer on the server
side, but will be handled internally in the openvpn server.

For client-to-something-else, this should be working.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
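Following rob0's and Gert's replies above, an added example (not from the thread or from the OpenVPN project) that flags client-to-client in a server config, since with it inter-client packets are switched inside openvpn and never reach netfilter, and then generates the FORWARD-chain rules needed to restrict one client once that option is gone. The policy (10.8.1.0 may only open SSH to 10.8.0.5), the interface name tun0 and the function names are assumptions; traffic addressed to the server itself still goes through INPUT, not FORWARD, and is outside this example.

```python
"""Build the FORWARD-chain rules that restrict one OpenVPN client's access once
--client-to-client has been removed from the server config, so inter-client
traffic is routed by the kernel (tun0 -> tun0) and actually traverses netfilter.
Added example; the policy and config snippet below are constructed."""
import re
import shlex
import subprocess
from typing import Dict, List, Tuple

Service = Tuple[str, str, int]  # (protocol, destination address, destination port)


def firewall_blind_spots(server_conf: str) -> List[str]:
    """Warn about server options that keep client traffic away from the FORWARD chain."""
    warnings = []
    if re.search(r"^\s*client-to-client\b", server_conf, re.M):
        warnings.append("client-to-client is set: openvpn switches client<->client "
                        "packets internally and iptables never sees them")
    return warnings


def forward_rules(tun_if: str, policy: Dict[str, List[Service]]) -> List[List[str]]:
    """Return iptables argv lists, in order, for the FORWARD chain.

    policy maps a client's VPN address to the services it may still open;
    every other connection that client originates is dropped. Clients not in
    the policy are left alone. Needs net.ipv4.ip_forward=1, which a routed
    OpenVPN server that reaches anything behind it already has.
    """
    rules = []
    # Replies and related packets first, so the per-client DROP below only
    # affects new connections the restricted client initiates, not its answers
    # to connections that others open towards it.
    rules.append(["iptables", "-A", "FORWARD", "-i", tun_if, "-m", "conntrack",
                  "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"])
    for client, services in policy.items():
        # '-s 10.8.1.0' without a prefix is the single host 10.8.1.0/32 (a valid
        # host address inside 10.8.0.0/23), not the network 10.8.1.0/24.
        src = f"{client}/32"
        for proto, dst, port in services:
            rules.append(["iptables", "-A", "FORWARD", "-i", tun_if, "-s", src,
                          "-d", f"{dst}/32", "-p", proto, "--dport", str(port),
                          "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"])
        rules.append(["iptables", "-A", "FORWARD", "-i", tun_if, "-s", src, "-j", "DROP"])
    return rules


def render(rules: List[List[str]]) -> str:
    """Shell-quoted, one command per line, for review or for an --up script."""
    return "\n".join(shlex.join(r) for r in rules)


def apply_rules(rules: List[List[str]], dry_run: bool = True) -> int:
    """Print the rules, or run them (root needed) when dry_run is False.

    Returns the number of rules actually executed (0 for a dry run).
    """
    if dry_run:
        print(render(rules))
        return 0
    for r in rules:
        subprocess.run(r, check=True)
    return len(rules)


# Constructed policy: the client at 10.8.1.0 may only open SSH to 10.8.0.5.
POLICY: Dict[str, List[Service]] = {"10.8.1.0": [("tcp", "10.8.0.5", 22)]}
# Constructed snippet of the thread's server config, still carrying client-to-client.
THREAD_SERVER_CONF = "mode server\ntls-server\ntopology subnet\nclient-to-client\n"

if __name__ == "__main__":
    for w in firewall_blind_spots(THREAD_SERVER_CONF):
        print("WARNING:", w)
    apply_rules(forward_rules("tun0", POLICY), dry_run=True)
```

Check the result with `iptables -L FORWARD -v -n` after a test connection: once client-to-client is gone, the pkts counter on the DROP rule starts moving, which is the tell that the thread's zero-count rule was never being consulted rather than mis-written.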