Multiple non-contiguous client IP ranges.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon Sep 27, 2010 10:53 am
Multiple non-contiguous client IP ranges.
Hi.
I would like to set up my server to give out 1 IP address per client. So I would use 'topology subnet'. This works fine:
topology subnet
mode server
tls-server
push "topology subnet"
ifconfig 10.9.0.1 255.255.255.0
ifconfig-pool 10.9.0.2 10.9.0.254 255.255.255.0
Now, say I need to expand the ip pool for the clients, but the only one I have available is (this is just an example) 10.56.0.0/24. So I want to add that into the available IPs. Is this possible, or can I only have one contiguous pool of IP addresses?
Thank you
Dan
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Sep 27, 2010 9:31 pm
Re: Multiple non-contiguous client IP ranges.
Hi,
Maybe I didn't understand correctly, but with the line
Code:
server 10.56.0.0 255.255.255.0
you could set the server to this IP range and all clients get an IP address from that.
Bye,
controlc.de
-
- Forum Team
- Posts: 285
- Joined: Wed Aug 27, 2008 2:41 am
Re: Multiple non-contiguous client IP ranges.
controlc.de wrote:
> Hi,
> Maybe I didn't understand correctly, but with the line
> Code:
> server 10.56.0.0 255.255.255.0
> you could set the server to this IP range and all clients get an IP address from that.
> Bye,
> controlc.de
Correct, that's the 'right' way to do it.
Also, @OP, no need to push topology subnet, just put 'topology subnet' in server config.
MrWetsnow wrote:
> Hi.
> I would like to set up my server to give out 1 IP address per client. So I would use 'topology subnet'. This works fine:
> topology subnet
> mode server
> tls-server
> push "topology subnet"
> ifconfig 10.9.0.1 255.255.255.0
> ifconfig-pool 10.9.0.2 10.9.0.254 255.255.255.0
> Now, say I need to expand the ip pool for the clients, but the only one I have available is (this is just an example) 10.56.0.0/24. So I want to add that into the available IPs. Is this possible, or can I only have one contiguous pool of IP addresses?
> Thank you
> Dan
How many clients are you planning to have?
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon Sep 27, 2010 10:53 am
Re: Multiple non-contiguous client IP ranges.
Let me try to clarify. At its simplest, what I want is for the VPN server to be able to hand out IP addresses to clients from multiple non-contiguous IP ranges. For example:
10.2.0.0/24
10.4.0.0/24
10.7.0.0/24
10.9.0.0/24
For one such IP range, the server config is:
------------------
# setup client subnets
topology subnet
mode server
tls-server
push "topology subnet"
ifconfig 10.9.0.1 255.255.255.0
ifconfig-pool 10.9.0.2 10.9.0.254 255.255.255.0
push "route-gateway 10.9.0.1"
# send all of 10/8 over VPN
push "route 10.0.0.0 255.0.0.0 vpn_gateway"
------------------
I understand that if I simply do:
server 10.9.0.0 255.255.255.0
I will get the same result. The server parameter is just an easy way to specify the above.
So what is the config snippet to be able to hand out IP addresses from multiple, non-contiguous IP ranges? Something like:
server 10.2.0.0 255.255.255.0
server 10.4.0.0 255.255.255.0
server 10.7.0.0 255.255.255.0
except obviously that doesn't work.
Thank you
Dan
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Sep 27, 2010 9:31 pm
Re: Multiple non-contiguous client IP ranges.
MrWetsnow wrote:
> Let me try to clarify. At its simplest, what I want is for the VPN server to be able to hand out IP addresses to clients from multiple non-contiguous IP ranges. For example:
> 10.2.0.0/24
> 10.4.0.0/24
> 10.7.0.0/24
> 10.9.0.0/24
Why not create different config files for each subnet? OpenVPN could start different instances at the same time.
controlc.de
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon Sep 27, 2010 10:53 am
Re: Multiple non-contiguous client IP ranges.
Well, while that would work, it somewhat complicates the entire setup.
- multiple ports have to be open
- multiple daemons need to run
- failover becomes more difficult
- troubleshooting is more complicated
So I take it what I want is not possible?
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Sep 27, 2010 9:31 pm
Re: Multiple non-contiguous client IP ranges.
MrWetsnow wrote:
> Well, while that would work, it somewhat complicates the entire setup.
> - multiple ports have to be open
> - multiple daemons need to run
> - failover becomes more difficult
> - troubleshooting is more complicated
> So I take it what I want is not possible?
I don't understand - what's your goal and why?
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon Sep 27, 2010 10:53 am
Re: Multiple non-contiguous client IP ranges.
It's very simple really. Let's say I initially assign a /24 subnet for my clients.
10.1.0.0/24
And that's enough to cover my users. Now my company has grown. And I need to double the available IP address space. So I go to my networking people and ask them for 10.1.1.0/23. That is:
10.1.0.0/24
10.1.1.0/24
If they say 'Ok', I change my pool to 10.1.0.0/23 and all is well. But what if 10.1.1.0/24 is already allocated to somewhere else? All they can give me is 10.1.2.0/24. So now I have:
10.1.0.0/24
10.1.2.0/24
What do I do now?
Obviously one solution is to get an entirely new subnet range. Say, 10.3.0.0/23. The numbers above are small and contrived.
In reality, at large companies with complex internal networks, this isn't always possible. In particular, it may not be possible to get one contiguous range that covers, say, 4,000 (or more) IP addresses. So I need to be able to work with non-contiguous ranges.
Thanks
Dan
-
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Sep 27, 2010 9:31 pm
Re: Multiple non-contiguous client IP ranges.
The 10.x.x.x net is only for connecting the OpenVPN server with clients - what kind of network do you create after the server is yours. I think you should not be searching for a solution in OpenVPN.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon Sep 27, 2010 10:53 am
Re: Multiple non-contiguous client IP ranges.
I am not sure I understand your message. The 10. network in my message is the pool of addresses given out to the clients. Each client gets one IP address. Since it's OpenVPN that's handing out the IP addresses, where else should I be searching for a solution?
For example, the Juniper SSLVPN Secure Access devices are able to do this. They don't require one contiguous IP range for the client IP address pool.
- krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Re: Multiple non-contiguous client IP ranges.
please read this:
http://openvpn.net/index.php/open-sourc ... tml#policy
note that it was written before topology subnet existed, so your ifconfig-push would instead look like ifconfig-push <IP> <SUBNET>
however, in your hypothetical setup you would run into a different problem.
By the time you run out of IPs in a /24 with topology subnet, you have already started having so many users that your server explodes.
ok maybe it doesn't explode, but openvpn chokes and has a painful death around 200 users... this is because of the monolithic way it was coded in. This will not change until version 3, which will not happen any time soon.
you will need more openvpn services to handle that quantity of users.
note that each instance of openvpn will only run on a single cpu core, so you can run multiple instances on a multi core system just fine.
hope that helps
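The per-client ifconfig-push approach from the post above, worked through as an added example (not code from this thread or from the OpenVPN project): a Python allocator that assigns each client common name an address from several non-contiguous ranges and renders the per-client files for client-config-dir. The function names, the common-name pattern and the use of each range's own netmask are assumptions; routing and gateway reachability for the extra ranges still have to be checked on the actual deployment.

```python
import ipaddress
import re

SAFE_CN = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")  # ccd file names come from the CN

def allocate(ranges, clients, existing=None, reserved=()):
    """Return {common_name: (ip, netmask)} drawn from non-contiguous ranges.

    existing -- {common_name: ip} from an earlier run; those clients keep their address
    reserved -- addresses never handed out, e.g. the server's own tunnel address
    """
    nets = [ipaddress.ip_network(r) for r in ranges]
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            raise ValueError(f"range {a} overlaps another range")

    def mask_for(ip):
        for net in nets:
            if ip in net:
                return str(net.netmask)
        raise ValueError(f"{ip} is outside every configured range")

    used = {ipaddress.ip_address(x) for x in reserved}
    result = {}
    for name, ip in (existing or {}).items():
        addr = ipaddress.ip_address(ip)
        if addr in used:
            raise ValueError(f"{ip} is assigned twice or reserved")
        used.add(addr)
        result[name] = (str(addr), mask_for(addr))
    # Lazily walk the ranges in the order given, skipping anything already used.
    free = (h for net in nets for h in net.hosts() if h not in used)
    for name in clients:
        if not SAFE_CN.fullmatch(name):
            raise ValueError(f"unsafe common name: {name!r}")
        if name in result:
            continue
        addr = next(free, None)
        if addr is None:
            raise ValueError(f"all ranges exhausted at client {name!r}")
        used.add(addr)
        result[name] = (str(addr), mask_for(addr))
    return result

def ccd_files(assignments):
    """Per-client file contents for the directory named by client-config-dir."""
    return {cn: f"ifconfig-push {ip} {mask}\n" for cn, (ip, mask) in assignments.items()}

def server_routes(extra_ranges):
    """Server-side route lines for ranges beyond the server's own ifconfig subnet."""
    return [f"route {n.network_address} {n.netmask}"
            for n in map(ipaddress.ip_network, extra_ranges)]
```

Passing the previous run's assignments as `existing` keeps addresses stable when clients are added, which matters if firewall rules or logs are keyed on the tunnel IP.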
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon Sep 27, 2010 10:53 am
Re: Multiple non-contiguous client IP ranges.
Well that's an eye opener
Is there some official place that talks about such limitations? Something that mentions max clients per server?

- krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Re: Multiple non-contiguous client IP ranges.
well we talked about it in some of the meetings that went into this:
https://community.openvpn.net/openvpn/wiki/RoadMap
and it has come up in the mail list a few times