Changing OpenVPN DHCP pool
Solution 1
OK finally it is solved with some changes on the config file:
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.8.0.1 255.255.254.0
ifconfig-pool 10.8.1.0 10.8.1.253
route-gateway 10.8.0.1
push "route-gateway 10.8.0.1"
client-config-dir /etc/openvpn/ccd
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 300
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 6
Solution 2
To piggyback on Zoltan Szabo's answer and to fulfill the clarifications requested in the comments, here is my take on an answer.
How to change the DHCP address pool?
First things first, the answer to the initial question. There's probably something like server 10.8.0.0 255.255.255.0 in your config. This directive will automatically allocate a DHCP pool with ifconfig-pool 10.8.0.4 10.8.0.251. If you try to specify the ifconfig-pool yourself, OpenVPN will complain that you can't use server and ifconfig-pool together. Now there are two ways to customize the DHCP address pool.
a) Use nopool
There is an option to force OpenVPN to not allocate a DHCP address pool. Just add the nopool argument at the end of the server directive and you can specify the pool yourself.
server 10.8.0.0 255.255.255.0 nopool
ifconfig-pool 10.8.0.100 10.8.0.200
b) Declare and customise the expanded server directive yourself
This solution is what was used by Zoltan and is a bit trickier, but lets you customise more aspects of the server. The OpenVPN manual shows how the server directive is expanded. Building upon this, you can declare all the necessary options yourself. This is highly dependent on the topology and if you're using dev tun or dev tap.
I just add an example based on the configuration in the question (topology subnet and dev tun).
mode server
tls-server
push "topology subnet"
ifconfig 10.8.0.1 255.255.255.0
ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
push "route-gateway 10.8.0.1"
route-gateway 10.8.0.1
See the notes below and the manual for more info.
How to assign a static IP address to a client?
The second part of the question was about assigning static IPs. It seems like OP figured that one out, and there are already plenty of resources about this topic on the internet. Nevertheless I would like to add a short paragraph about assigning static IP addresses to certain clients.
The solution is to use a client configuration directory and add a file for each client in there.
Add this to your OpenVPN server configuration:
client-config-dir /etc/openvpn/ccd
If you want to, for example, assign the IP 10.8.0.5 to a client with the common name client1, create a file /etc/openvpn/ccd/client1 with this content (note: this is for topology subnet):
ifconfig-push 10.8.0.5 255.255.255.0
Also keep the note in the OpenVPN manual about ifconfig-push in mind. I couldn't find the route directive in the configuration Zoltan posted in his answer.
Remember also to include a --route directive in the main OpenVPN config file which encloses local, so that the kernel will know to route it to the server's TUN/TAP interface.
Notes
Just for completion, this is the section in the OpenVPN manual about the expanding of the server directive.
For example, --server 10.8.0.0 255.255.255.0 expands as follows:
mode server
tls-server
push "topology [topology]"

if dev tun AND (topology == net30 OR topology == p2p):
  ifconfig 10.8.0.1 10.8.0.2
  if !nopool:
    ifconfig-pool 10.8.0.4 10.8.0.251
  route 10.8.0.0 255.255.255.0
  if client-to-client:
    push "route 10.8.0.0 255.255.255.0"
  else if topology == net30:
    push "route 10.8.0.1"

if dev tap OR (dev tun AND topology == subnet):
  ifconfig 10.8.0.1 255.255.255.0
  if !nopool:
    ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
  push "route-gateway 10.8.0.1"
  if route-gateway unset:
    route-gateway 10.8.0.2
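A check for the static/dynamic split discussed in both answers, as an added example that is not part of the original posts: it reads the server's ifconfig and ifconfig-pool lines and flags ccd ifconfig-push addresses that fall inside the dynamic pool, outside the server subnet, on a reserved address, or on an address already given to another client. The sample directives and ccd entries are constructed, and the function names (directives, audit) are hypothetical.

```python
import ipaddress
# Constructed sample input: Solution 1's addressing directives, and ccd file
# contents keyed by common name (the text of /etc/openvpn/ccd/<name>).
SERVER_CONF = """\
topology subnet
ifconfig 10.8.0.1 255.255.254.0
ifconfig-pool 10.8.1.0 10.8.1.253
"""
CCD = {
    "client1": "ifconfig-push 10.8.0.5 255.255.254.0",
    "client2": "ifconfig-push 10.8.1.20 255.255.254.0",  # inside the dynamic pool
    "client3": "ifconfig-push 10.8.0.5 255.255.254.0",   # same address as client1
    "client4": "ifconfig-push 10.8.2.7 255.255.254.0",   # outside the /23
    "client5": "ifconfig-push 10.8.0.9 255.255.255.0",   # netmask differs
}

def directives(text):
    """Yield (name, args) for each non-comment line of an OpenVPN config."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]

def audit(server_conf, ccd):
    """Return {common_name: [problems]} for ifconfig-push entries (topology subnet)."""
    conf = dict(directives(server_conf))  # name -> args, last occurrence kept
    server_ip = ipaddress.ip_address(conf["ifconfig"][0])
    net = ipaddress.ip_network(f"{server_ip}/{conf['ifconfig'][1]}", strict=False)
    lo, hi = (ipaddress.ip_address(a) for a in conf["ifconfig-pool"][:2])
    seen, report = {}, {}
    for name, text in sorted(ccd.items()):
        push = dict(directives(text)).get("ifconfig-push")
        if not push:
            continue
        ip, mask = ipaddress.ip_address(push[0]), ipaddress.ip_address(push[1])
        problems = []
        if ip not in net:
            problems.append("outside server subnet")
        elif ip in (net.network_address, net.broadcast_address, server_ip):
            problems.append("reserved address")
        if lo <= ip <= hi:
            problems.append("inside dynamic pool")
        if mask != net.netmask:
            problems.append("netmask differs from server")
        if ip in seen:
            problems.append(f"duplicate of {seen[ip]}")
        seen.setdefault(ip, name)
        if problems:
            report[name] = problems
    return report
```

Calling audit(SERVER_CONF, CCD) returns a report for client2 through client5 and nothing for client1, whose address sits in the static half of the /23.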
Z T
Updated on September 18, 2022
Comments
-
Z T over 1 year
I have a config at the moment which is working almost fine until some clients connect; then the server starts to kick the clients off from the server or something like that. As I have checked, every client gets a good IP address and there is no IP address collision. The clients are using different certificates to connect. However I want to change this config to separate the DHCP range.
The current server config is this:
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
topology subnet
push "route 10.8.0.1 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 300
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 6
I would like to have dynamic IPs assigned from this range:
10.8.1.0 - 10.8.1.254
For this, I would like to use a /23, so 255.255.254.0
And I will assign static IPs from this range:
10.8.0.3 - 10.8.1.255 as 0.1 and 0.2 might be assigned to the server.
I will use this to push to client for static ip:
ifconfig-push 10.8.0.5 255.255.254.0
Could you please help me to modify my config to achieve this?
So split my 10.8.0.0-10.8.1.255 range to two:
- static IPs: 10.8.0.4-10.8.0.255
- dynamic IPs: 10.8.1.0-10.8.1.254
I will have Linux and Windows clients too.
-
Sascha over 5 years
Nice that you shared your config. But it would have been more helpful for the others if you had explained what you changed and why.
-
MikeW over 5 years
... As comments in the conf file!