Using ifconfig-pool in client-config-dir

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
andre.esser
OpenVpn Newbie
Posts: 2
Joined: Thu Mar 07, 2019 3:17 pm

Using ifconfig-pool in client-config-dir

Post by andre.esser » Thu Mar 07, 2019 3:36 pm

Hi,

My users connect to the same OpenVPN server and have the same client OpenVPN configuration (authentication through common client cert plus individual login/password through openvpn-plugin-auth-pam.so). I now have to implement access restrictions based on their logins. I've been testing the client-config-dir feature with username-as-common-name and statis IPs as described in https://openvpn.net/community-resources ... s-policies, and this all works very well.

However for hundreds of users the manual assignment of IPs gets very tedious. So I've tried to create a small number of 'access-class' files in the client-config-dir, containing ifconfig-pool settings for the respective subnets. Then I would only have to create appropriate symlinks for my users to those 'access-class' files and wouldn't have to worry about individual IPs any more. Unfortunately OpenVPN doesn't see it that way, and I get this error:

"Options error: option 'ifconfig-pool' cannot be used in this context (/etc/openvpn/ccd/andre.esser)"

Do any of you know whether what I'm trying to do is possible at all?

Many thanks,

Andre

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Using ifconfig-pool in client-config-dir

Post by TinCanTech » Thu Mar 07, 2019 4:05 pm

This certainly is not possible with current openvpn.

You could make a feature request here:
https://community.openvpn.net/openvpn/newticket

Select: Type Feature Wish

Also, I am not confident that the openvpn article you read is accurate, I would need to test it.

Edit: Double checked with the Devs, the article is quirky but will work.

andre.esser
OpenVpn Newbie
Posts: 2
Joined: Thu Mar 07, 2019 3:17 pm

Re: Using ifconfig-pool in client-config-dir

Post by andre.esser » Thu Mar 21, 2019 11:11 am

Thank you TinCanTech, created as

https://community.openvpn.net/openvpn/ticket/1173

Andre

SofianeLandez
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 28, 2019 8:22 am

Re: Using ifconfig-pool in client-config-dir

Post by SofianeLandez » Thu Mar 28, 2019 8:26 am

Good to know! Thanks for the informations

krapula
OpenVpn Newbie
Posts: 1
Joined: Fri Jan 03, 2020 2:06 pm

Re: Using ifconfig-pool in client-config-dir

Post by krapula » Fri Jan 03, 2020 2:12 pm

Just to follow up on this, is it possible to set the DHCP pool from the management interface?
For example using these:
COMMAND -- client-auth (OpenVPN 2.1 or higher)
-----------------------------------------------

Authorize a ">CLIENT:CONNECT" or ">CLIENT:REAUTH" request and specify
"client-connect" configuration directives in a subsequent text block.

Post Reply