Dynamic IP allocation won't work correctly

Posted: Mon Mar 07, 2022 12:02 pm
by marcapo
Hi,
we are trying to deploy the access-server with failover.
Our goal is to set up dynamic IP addresses for our clients.
Every client/user belongs to a group.
We've set up a dynamic IP address network and a static IP address network under "Configuration => VPN Settings".
The "Group Default IP Address Network (Optional)" is empty because we don't want to use it and it's optional.

The users are configured to use dynamic IP addresses: "User Management => User Permissions => Username => IP Addressing => Use Dynamic"
The group has an empty "Dynamic subnet ranges for this group (optional): " under "User Management => Group Permissions => Groupname => "

Now the clients can't connect: "User authentication failed".
The ServerNode log says:

[stdout#info] VPN Auth Failed: "group assignment failed: GROUP: group 'groupname' has no defined dynamic IP range: omi/auth:805,internet/defer:1418,sagent/usersvc:1504,sagent/usersvc:705,sagent/usersvc:165,sagent/usersvc:310,sagent/usersvc:295,sagent/usersvc:243 (<class 'pyovpn.sagent.usersvc.Client.IPSettings.do_ip_address.<locals>.GroupError'>)" [None]
Of course it's empty, because we didn't set up any network because it's optional and we won't use it. Why is this a problem? The client should get an IP address from the subnet we defined under "Configuration => VPN Settings".

How can we achieve what we are trying to do?

Re: Dynamic IP allocation won't work correctly

Posted: Mon Mar 07, 2022 1:49 pm
by openvpn_inc
Hello marcapo,

A global group default address pool is optional, if you supply address pools for each group. It seems you did not or only partially.

Go to the group and specify an address range to use for this group, for example 192.168.60.0/24 or something. Since you want dynamic addressing, in the dynamic address range box put something like 192.168.60.2-192.168.60.100. That will make it so 192.168.60.2 through 192.168.60.100 can be assigned dynamically to users in this group. Do not use the first and last available IP in the range as that is taken by Access Server itself.

Alternatively, go to VPN Settings and in the group default address pool define an address pool. Users in groups can then get IP addresses from that global default address pool.

Kind regards,
Johan
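
Added example, not part of the thread and not OpenVPN Access Server code: a pre-check that pulls the affected group out of the error quoted in the first post and validates a proposed dynamic range against the group subnet before it is entered in the Admin UI. The function names are hypothetical, and reading "first and last available IP" as the first and last host addresses of the subnet is an assumption.

```python
import ipaddress
import re

# Constructed sample: shortened from the log line quoted in the first post.
SAMPLE_LOG = ("[stdout#info] VPN Auth Failed: \"group assignment failed: GROUP: "
              "group 'groupname' has no defined dynamic IP range: omi/auth:805\"")
NO_RANGE = re.compile(r"group '([^']+)' has no defined dynamic IP range")

def group_missing_range(log_line):
    """Return the group named in a 'no defined dynamic IP range' error, else None."""
    match = NO_RANGE.search(log_line)
    return match.group(1) if match else None

def check_dynamic_range(subnet, dyn_range):
    """Return a list of problems with a 'first-last' range for a group subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.num_addresses < 4:
        return [f"{net} is too small to hold a dynamic range"]
    try:
        first, last = (ipaddress.ip_address(p.strip()) for p in dyn_range.split("-"))
    except ValueError:
        return ["range must be 'first-last' with two valid addresses"]
    if {first.version, last.version} != {net.version}:
        return ["range and subnet use different IP versions"]
    problems = []
    if first > last:
        problems.append("first address is above last address")
    for addr in (first, last):
        if addr not in net:
            problems.append(f"{addr} is outside {net}")
    # Assumption: "first and last available IP" means the first and last host
    # addresses of the group subnet (.1 and .254 in a /24); the network and
    # broadcast addresses are excluded as well.
    low, high = min(first, last), max(first, last)
    for reserved in (net[0], net[1], net[-2], net[-1]):
        if low <= reserved <= high:
            problems.append(f"range includes reserved address {reserved}")
    return problems

if __name__ == "__main__":
    print(group_missing_range(SAMPLE_LOG))
    for rng in ("192.168.60.2-192.168.60.100", "192.168.60.1-192.168.60.254"):
        print(rng, check_dynamic_range("192.168.60.0/24", rng) or "ok")
```
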

Re: Dynamic IP allocation won't work correctly

Posted: Mon Mar 07, 2022 2:21 pm
by marcapo
openvpn_inc wrote:
Mon Mar 07, 2022 1:49 pm
Hello marcapo,

A global group default address pool is optional, if you supply address pools for each group. It seems you did not or only partially.

Go to the group and specify an address range to use for this group, for example 192.168.60.0/24 or something. Since you want dynamic addressing, in the dynamic address range box put something like 192.168.60.2-192.168.60.100. That will make it so 192.168.60.2 through 192.168.60.100 can be assigned dynamically to users in this group. Do not use the first and last available IP in the range as that is taken by Access Server itself.

Alternatively, go to VPN Settings and in the group default address pool define an address pool. Users in groups can then get IP addresses from that global default address pool.

Kind regards,
Johan

Thanks for the quick reply and the information!
If every dynamic IP address user gets an IP from the group default pool or from the specific group pool setting, what does the option "Dynamic IP Address Network" under "Configuration => VPN Settings" stand for? Should it be unnecessary and without any effect?

Re: Dynamic IP allocation won't work correctly

Posted: Thu Mar 10, 2022 3:35 pm
by openvpn_inc
Hello marcapo,

The default group address pool is for groups.
The dynamic IP address network is for the whole server globally for users not in a group.

Kind regards,
Johan