Global dynamic IP address network VS group specific settings

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
MPM
OpenVpn Newbie
Posts: 1
Joined: Tue Jan 26, 2021 10:22 am

Global dynamic IP address network VS group specific settings

Post by MPM » Tue Jan 26, 2021 10:53 am

Hello,

I have a question for those familiar with OpenVPN networking configs. I am a bit worried if the configuration I want to implement will not cause IP address conflicts. I have the following scenario:

1. Currently I have no groups on the Access Server (v2.8.6).

2. I have a Dynamic IP Address Network configured on Access Server - Configuration - VPN Settings with a /20 subnet. The "Static IP Address Network (Optional)" and "Group Default IP Address Network (Optional)" are left blank on this page.

3. I want to create a group (the purpose of this group is to introduce Client Scripting) and assign users to it. I don't necessarily care about the group IP addressing however it seems I must specify it (as indicated by the error below). What I did so far was to create the group Access Server - USER MANAGEMENT - Group Permissions - New Group without specifying any VPN IP Addresses. I've assigned a user to that group to test it and got the following error on logon:

group assignment failed: referenced group u'XXXXXXXXXXXX' either does not exist or does not define group_subnets: omi/auth:618, internet/defer:1418, sagent/usersvc:1379, sagent/usersvc:642, sagent/usersvc:149, sagent/usersvc:276, sagent/usersvc:262, sagent/usersvc:229 (pyovpn.sagent.usersvc.GroupError)

4. I plan to assign a "Dynamic subnet ranges for this group" that is exactly the same as the global one from point nr 2 (the /20 subnet) as I don't really want to get into any subnetting / routing configurations down the road.

My concern is that if I have the same range specified in Global configuration and in Group specific configuration I can end up with Access Server assigning the same IP to 2 different clients. I imagine this could happen when I have some users in the group (those would use group specific IP assignment) and some without group membership (those would use the global settings) but perhaps this isn't anything to worry about as the Access Server has some built in mechanism to prevent this.

Any help would be appreciated.

Many Thanks.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Global dynamic IP address network VS group specific settings

Post by openvpn_inc » Tue Feb 16, 2021 1:25 pm

Hello,

You can set a group subnet in VPN Settings page in the "group default IP address network (optional)" section. It must be a unique subnet that doesn't conflict with any other subnet in use. So long as you have a subnet set here, and group you create will inherit IP address automatically from this range, assuming you don't have any set on the group itself.

If you need the group to have the range you previously had on the "Dynamic IP address network" then just change the subnet there and put that subnet in the "group default IP address network (optional)" section. Then make a group and set it as default group in Group Permissions. Then all users are now part of the default group. And you can then set up a second group for other purposes if you like.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply