ifconfig-pool problem with subnets

maxence
OpenVpn Newbie
Posts: 7
Joined: Mon Aug 01, 2022 3:59 pm

ifconfig-pool problem with subnets

Post by maxence » Wed May 24, 2023 3:11 pm

Hello,

I would like to realize a new configuration and I can't manage to do it (I don't even know if that's possible).

Let me explain:
I have 2 certificates with the duplicate-cn flag:
-> one for internal users
-> one for external users

I'd like to have one subnet per certificate.
For example the subnet 10.8.0.0 255.255.255.0 for internals and 10.8.1.0 255.255.255.0 for externals (with different routes & firewall rules -> internals will be able to talk with the actual network).

I managed to create the 2 subnets, but I can only have one ifconfig-pool. I cannot dynamically assign IP addresses to 2 different subnets.

mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.8.0.1 255.255.254.0
ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
route-gateway 10.8.0.1
push "route-gateway 10.8.0.1"

I also tried with the ccd directory, but it can only be manual per certificate CN. By the way, I have Azure auth to increase security, and that is the reason why we use the duplicate-cn flag.

I've seen that maybe I can use another script to deliver IP addresses depending on groups or CN?

Can you tell me if what I am trying to achieve is possible? How to do it? If not, should I use 2 different OpenVPN instances, with one for internals and one for externals?

Thank you for helping!

Fadim
OpenVPN User
Posts: 40
Joined: Mon May 15, 2023 12:14 pm

Re: ifconfig-pool problem with subnets

Post by Fadim » Fri May 26, 2023 12:48 pm

I think you can try using the client-config-dir (ccd) option along with a script that assigns IP addresses based on groups or CN. This way, you can dynamically assign IP addresses to different subnets based on the user's configuration.

You mentioned using the duplicate-cn flag, so having separate instances of OpenVPN for internals and externals might not be necessary. Instead, explore the ccd directory and scripting options to tailor the IP assignments based on your requirements.

maxence
OpenVpn Newbie
Posts: 7
Joined: Mon Aug 01, 2022 3:59 pm

Re: ifconfig-pool problem with subnets

Post by maxence » Fri May 26, 2023 4:02 pm

Hello @Fadim,

Thanks for your answer!

That's what I have been trying to do. I have tested something like that: a loop that would add +1 to the IP address for each external certificate that requests an IP

# PowerShell-style loop; note that a ccd file is parsed as OpenVPN options, not executed
for ($x = 1; $x -lt 254; $x++) {
    ifconfig-push 10.8.1.$x 255.255.255.0
}

Thing is, it is the OpenVPN server that is reading my ccd file, and it is expecting a config file option. It is not expecting a script. Do you think there is a way to use a script along with the config file? If yes, I would love to hear how to do it, or if you have a link explaining how to do it.

Big thanks for the help.
Maxence
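The thread asks how to hand out addresses from two subnets by script when ccd files cannot do it (they are keyed on the CN, which duplicate-cn makes shared). The hook OpenVPN offers for exactly this is client-connect: the server runs the script with the path of a temporary file as its last argument, and any ifconfig-push written into that file applies to the connecting client. The script below is an added example, not code from this thread or from the OpenVPN project. It keeps the server-side settings posted above (ifconfig 10.8.0.1 255.255.254.0 with topology subnet, so one /23 covers both /24 pools) and assumes the two certificate CNs are literally "internal" and "external", and a lease file path of /var/run/openvpn/leases.json; both are placeholders. Because several clients share one CN, leases are keyed on CN plus the peer's trusted_ip and trusted_port, which OpenVPN exports to the script environment; the same file serves as the client-disconnect hook (script_type tells the two apart) so addresses return to the pool.

```python
#!/usr/bin/env python3
"""client-connect / client-disconnect hook: give each client an address from
the subnet that matches its certificate CN. Added example; CN names and the
lease-file path are assumptions, not values from the thread."""
import ipaddress
import json
import os
import sys

# From the posted server config: ifconfig 10.8.0.1 255.255.254.0, topology subnet.
# Pushing the server's /23 mask lets a 10.8.1.x client reach 10.8.0.1 directly.
SERVER_MASK = "255.255.254.0"

# Certificate CN -> (first usable host, last usable host). CN values are ASSUMED.
POOLS = {
    "internal": ("10.8.0.2", "10.8.0.253"),
    "external": ("10.8.1.2", "10.8.1.253"),
}

LEASE_FILE = "/var/run/openvpn/leases.json"  # assumed location, writable by openvpn


def choose_pool(common_name):
    """Map the client certificate CN to its pool; unknown CNs get None."""
    return POOLS.get(common_name)


def allocate(leases, pool, client_id):
    """Return an address for client_id from pool, reusing an existing lease.
    leases maps address -> client_id and is updated in place. None = exhausted."""
    for addr, owner in leases.items():
        if owner == client_id:
            return addr
    first, last = (ipaddress.IPv4Address(x) for x in pool)
    addr = first
    while addr <= last:
        if str(addr) not in leases:
            leases[str(addr)] = client_id
            return str(addr)
        addr += 1
    return None


def release(leases, client_id):
    """Drop every lease held by client_id (called from client-disconnect)."""
    for addr, owner in list(leases.items()):
        if owner == client_id:
            del leases[addr]


def render_directives(addr):
    """The line OpenVPN reads back from the temporary client config file."""
    return "ifconfig-push %s %s\n" % (addr, SERVER_MASK)


def load_leases(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def save_leases(path, leases):
    with open(path, "w") as fh:
        json.dump(leases, fh)


def main():
    cn = os.environ.get("common_name", "")
    # duplicate-cn: many clients share a CN, so identify the peer by endpoint too.
    client_id = "%s@%s:%s" % (cn, os.environ.get("trusted_ip", "?"),
                              os.environ.get("trusted_port", "?"))
    leases = load_leases(LEASE_FILE)
    if os.environ.get("script_type") == "client-disconnect":
        release(leases, client_id)
        save_leases(LEASE_FILE, leases)
        return 0
    pool = choose_pool(cn)
    if pool is None:
        return 1  # non-zero exit makes OpenVPN refuse the connection
    addr = allocate(leases, pool, client_id)
    if addr is None:
        return 1  # pool exhausted: refuse rather than hand out a wrong subnet
    save_leases(LEASE_FILE, leases)
    with open(sys.argv[-1], "w") as fh:  # temp config file OpenVPN passes in
        fh.write(render_directives(addr))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in with `script-security 2`, `client-connect /path/to/assign.py` and `client-disconnect /path/to/assign.py` in the server config. Keep the ranges the script hands out disjoint from whatever `ifconfig-pool` remains, since the pool address is reserved before the hook runs and an overlap would produce address conflicts; the firewall and route split between the two /24s then keys off the source subnet as the original post intends. A real deployment would also lock the lease file, because two clients can connect at the same moment.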

maxence
OpenVpn Newbie
Posts: 7
Joined: Mon Aug 01, 2022 3:59 pm

Re: ifconfig-pool problem with subnets

Post by maxence » Thu Jun 01, 2023 8:51 am

Hello,

Issue is still open if anyone can provide some help.

I would greatly appreciate it!

Cheers
