
ifconfig-pool problem with subnets

Posted: Wed May 24, 2023 3:11 pm
by maxence
Hello,

I would like to realize a new configuration and I can't manage to do it (I don't even know if that's possible).

Let me explain:
I have 2 certificates with the duplicate-cn flag:
-> one for internal users
-> one for external users

I'd like to have one subnet per certificate.
For example the subnet 10.8.0.0 255.255.255.0 for internals and 10.8.1.0 255.255.255.0 for externals (with different routes & firewall rules -> internals will be able to talk with the actual network).

I could manage to create the 2 subnets but I can only have one ifconfig-pool. I cannot dynamically assign IP addresses to 2 different subnets.

mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.8.0.1 255.255.254.0
ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
route-gateway 10.8.0.1
push "route-gateway 10.8.0.1"

I also tried with the ccd directory but it can only be done manually per certificate CN. Btw I have Azure auth to increase the security and that's the reason why we use the duplicate-cn flag.

I've seen that maybe I can use another script to deliver IP addresses depending on groups or CN maybe?

Can you tell me if the action I am trying to achieve is possible? How to do it? If not, should I use 2 different OpenVPN instances, one for internals and one for externals?

Thank you for helping!

Re: ifconfig-pool problem with subnets

Posted: Fri May 26, 2023 12:48 pm
by Fadim
I think you can try using the client-config-dir (ccd) option along with a script that assigns IP addresses based on groups or CN. This way, you can dynamically assign IP addresses to different subnets based on the user's configuration.

You mentioned using the duplicate-cn flag, so having separate instances of OpenVPN for internals and externals might not be necessary. Instead, explore the ccd directory and scripting options to tailor the IP assignments based on your requirements.

Re: ifconfig-pool problem with subnets

Posted: Fri May 26, 2023 4:02 pm
by maxence
Hello @Fadim,

Thanks for your answer!

That's what I have been trying to do. I have tested something like that -> a loop that would add 1 to the IP address for each external certificate that requests an IP

    for ($x = 1; $x -lt 254; $x++) {
        ifconfig-push 10.8.1.$x 255.255.255.0
    }

Thing is, it is the OpenVPN server that is calling my ccd file and it is expecting a config file option. It is not expecting a script. Do you think there is a way to use a script along with the config file? If so, I would love to hear how to do it, or if you have a link explaining how to do it.

Big thanks for the help.
Maxence
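Both Fadim's suggestion above and the follow-up question about running a script alongside the config file point at OpenVPN's --client-connect hook, which hands the script a temporary config file as its last argument: the following is an added example (not code from the thread) of such a script in Python, choosing the pool from the certificate CN and writing the ifconfig-push line. The CN names, pool bounds, lease-file path and lease key are assumptions.

```python
import ipaddress
import json
import os
import sys

# Assumed CN -> (first, last, mask). The server's own "ifconfig" must cover
# both subnets (10.8.0.0/23 in the original config) for the routes to work.
POOLS = {
    "internal": ("10.8.0.2", "10.8.0.253", "255.255.255.0"),
    "external": ("10.8.1.2", "10.8.1.253", "255.255.255.0"),
}
LEASES = "/var/run/openvpn-leases.json"  # assumed path; persists leases between calls

def pick_address(common_name, leases, pools=POOLS):
    """Return (ip, mask): first free address in the CN's pool, else None."""
    if common_name not in pools:
        return None  # unknown CN: main() exits non-zero and OpenVPN refuses it
    first, last, mask = pools[common_name]
    used = set(leases.values())
    ip, last_ip = ipaddress.ip_address(first), ipaddress.ip_address(last)
    while ip <= last_ip:
        if str(ip) not in used:
            return str(ip), mask
        ip += 1
    return None  # pool exhausted

def main():
    cn = os.environ.get("common_name", "")
    try:
        with open(LEASES) as f:
            leases = json.load(f)
    except (OSError, ValueError):
        leases = {}
    choice = pick_address(cn, leases)
    if choice is None:
        sys.exit(1)  # non-zero exit makes OpenVPN reject the connection
    ip, mask = choice
    # duplicate-cn: CN names the group, not the client, so key the lease by
    # CN plus source address/port (OpenVPN sets untrusted_ip/untrusted_port).
    key = f"{cn}|{os.environ.get('untrusted_ip')}:{os.environ.get('untrusted_port')}"
    leases[key] = ip
    with open(LEASES, "w") as f:
        json.dump(leases, f)
    with open(sys.argv[-1], "a") as f:  # last argument: config file for this client
        f.write(f"ifconfig-push {ip} {mask}\n")

if __name__ == "__main__":
    main()
```

Wire it in with `client-connect /path/to/script.py` plus `script-security 2`, and pair it with a client-disconnect script that deletes the same key so addresses are returned to the pool. Concurrent connects would also need a lock around the lease file, which is omitted here for brevity.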

Re: ifconfig-pool problem with subnets

Posted: Thu Jun 01, 2023 8:51 am
by maxence
Hello,

Issue is still open if anyone can provide some help.

I would greatly appreciate it!

Cheers