IP addresses from group pool

[izchi]

Hi,

I'm having an issue with my OpenVPN AS installation (2.1.4) on Ubuntu 14.04. I've been using it for a few months, everything seemed to work fine. Now I need to be able to assign users to groups and have these clients assigned IP addresses only from that group's IP pool. I created a new group, under Group Permissions I added <ip_address>/<netmask> for the range, saved changes, restarted the server. I have one user assigned to this group. Now, when I connect to the OpenVPN server as that user I expect this user to be assigned an IP address from the group pool. Instead, the IP address is being assigned from the default pool configured under VPN Settings --> Dynamic IP Address Network. I checked everything I could, restarted the server - still the same result.

Any ideas what is happening and how to make sure that IP addresses from the group IP pool get assigned to the users that belong to this group?

Thank you for any help on this.

[novaflash]

> Group Permissions I added <ip_address>/<netmask> for the range,

Did you also use the second box to specify a range to be used to automatically assign IP addresses? Otherwise the subnet you specified for this group can only be used for static IP addresses which you must manually specify per user.

If your range for example was 192.168.70.0/24 and you want to use this whole range for automatic IP addressing then in the second box put 192.168.70.2-192.168.70.253.

Remember not to use .1 or .254 (the first and last available IP in the range) as these are reserved by the Access Server itself.

Also note that putting an admin level user in a non-admin group, or vice versa, can result in the user being ejected from the group to prevent unintended access to subnets the user should not have access to. The user then gets added to the global subnet and receives an IP from there.

[izchi]

Thank you for your response. Now I added an IP range under Dynamic subnet ranges for this group, saved changes and updated the running server. I don't see any change, the user is still assigned an IP address from the default pool and not from the group pool. I don't see any obvious errors in the logs.

What else could it be?

[novaflash]

I think you should contact the support ticket system and post your logs there. There is obviously still a misconfiguration somewhere. Like for example the user not being part of the group, or the settings not having been saved AND the running server restarted to implement these changes. Or an admin user in a non-admin group. Or any of those things. The log really will tell the whole story. Post it to the support ticket system and we'll help you there.

[izchi]

Thank you! You've hit it out of the park with one of your suggestions. It was an admin user in a non-admin group problem. As soon as I removed the admin role for the user, group pool IP address was assigned properly. It was not an obvious misconfiguration. Thanks again.

[novaflash]

Alright. I did originally mention that already but I'm glad you spotted it this time.

[izchi]

Yes, I see it now. Thanks for repeating.