We have had users leave our company, and as I was reviewing logs and config files on all our servers recently, it occurred to me that we will soon be out of VPN IPs.
Do I reclaim the unused addresses by deleting the corresponding entries from /etc/openvpn/ipp.txt?
TIA
"Reclaim" VPN IP addresses
-
- Forum Team
- Posts: 117
- Joined: Tue Jun 09, 2009 4:25 pm
- Location: St. Louis, MO USA
- krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Re: "Reclaim" VPN IP addresses
why do you even use ipp.txt?
-
- Forum Team
- Posts: 117
- Joined: Tue Jun 09, 2009 4:25 pm
- Location: St. Louis, MO USA
Re: "Reclaim" VPN IP addresses
I didn't realize there was an alternative. I have always let openvpn dynamically assign our "internal" clients a VPN IP, and set up our "external" clients with static IPs using ccd dir and files.
For clarity's sake, here is a short explanation:
internal clients = users that work for my company and need full access to the lan
external clients = users who do not work for us and only need access to one or two hosts/services on our lan
Am I worrying about nothing? Should I be managing the client IP addressing another way?
- krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Re: "Reclaim" VPN IP addresses
sorry for the long time without reply...
[14:51] <vpnHelper> krzie: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamically, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamically... to use it that way, you should write your dynamic ccd commands to the file named by $1.
Sounds like you could give out IPs from 2 pools with one of these (by setting static IPs like you do now, but dynamically if that makes sense). Then you do not need to manage anything except a list of the exceptions to your --server IP pool.
Or you can just continue managing 1 static from ccd and let the other get dynamic from the pool (same as above, but with managing ccd files instead of a list of common-names)
ipp does not do what most people expect:
[14:54] <vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use ccd entries with ifconfig-push or a client-connect script
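The client-connect approach described in the reply above, sketched as an added example (not code from the thread or from the OpenVPN project). The map file path, its format and the function names are assumptions, and the `ifconfig-push <ip> <netmask>` form assumes `topology subnet`.

```shell
#!/bin/sh
# Added example: --client-connect script (not from the thread).
# Map file format (hypothetical), one exception per line: <common-name> <ip> <netmask>
#   acme-vendor 10.8.0.200 255.255.255.0      <- constructed sample entry
# Assumes "topology subnet"; common names not listed get an address from the pool.
MAP_FILE="${STATIC_MAP:-/etc/openvpn/static-ips.txt}"   # hypothetical path

# Succeed only for a well-formed dotted-quad IPv4 address.
is_ipv4() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ifconfig-push directive for common name $1 from map file $2,
# or print nothing so OpenVPN falls back to the dynamic pool.
push_line_for() {
    cn=$1; map=$2
    # The CN comes from the client certificate: refuse anything that could
    # smuggle whitespace or extra directives into the per-client config.
    case $cn in ''|*[!A-Za-z0-9._@-]*) return 0 ;; esac
    [ -r "$map" ] || return 0
    while read -r name ip mask rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        [ "$name" = "$cn" ] || continue
        # Only emit values that parse as addresses; a bad entry means "use the pool".
        if is_ipv4 "$ip" && is_ipv4 "$mask"; then
            printf 'ifconfig-push %s %s\n' "$ip" "$mask"
        fi
        return 0
    done < "$map"
}

# OpenVPN exports the certificate CN as $common_name and passes the path of the
# temporary per-client config file as the last argument.
if [ -n "${common_name:-}" ] && [ $# -ge 1 ]; then
    for out in "$@"; do :; done
    push_line_for "$common_name" "$MAP_FILE" > "$out"
fi
```

The script always exits 0, so an unlisted or malformed entry falls through to the dynamic pool; a non-zero exit from a client-connect script would reject the connection instead.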