"Reclaim" VPN IP addresses

george
Forum Team
Posts: 117
Joined: Tue Jun 09, 2009 4:25 pm
Location: St. Louis, MO USA

"Reclaim" VPN IP addresses

Post by george » Thu Sep 09, 2010 6:32 pm

We have had users leave our company, and as I was reviewing logs and config files on all our servers recently, it occurred to me that we will soon be out of VPN IPs.

Do I reclaim the unused addresses by deleting the corresponding entries from /etc/openvpn/ipp.txt?

TIA

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: "Reclaim" VPN IP addresses

Post by krzee » Mon Sep 13, 2010 4:20 am

why do you even use ipp.txt?


Re: "Reclaim" VPN IP addresses

Post by george » Mon Sep 13, 2010 1:38 pm

I didn't realize there was an alternative. I have always let openvpn dynamically assign our "internal" clients a VPN IP, and set up our "external" clients with static IPs using ccd dir and files.


For clarity's sake, here is a short explanation:

internal clients = users that work for my company and need full access to the lan

external clients = users who do not work for us and only need access to one or two hosts/services on our lan


Am I worrying about nothing? Should I be managing the client IP addressing another way?


Re: "Reclaim" VPN IP addresses

Post by krzee » Tue Oct 05, 2010 8:56 am

sorry for the long time without reply...

[14:51] <vpnHelper> krzie: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.

Sounds like you could give out IPs from 2 pools with one of these (by setting static IPs like you do now, but dynamically if that makes sense). Then you do not need to manage anything except a list of the exceptions to your --server IP pool.

Or you can just continue managing 1 static from ccd and let the other get dynamic from the pool (same as above, but with managing ccd files instead of a list of common-names)

ipp does not do what most people expect:
[14:54] <vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use ccd entries with ifconfig-push or a client-connect script
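
The two-pool approach described in the reply above, sketched as a client-connect script (an added example, not code from the thread or from the OpenVPN project). The map file path, its `<common-name> <ip>` format and the function names are assumptions made here; it also assumes `topology subnet`, so `ifconfig-push` takes an address and a netmask.

```shell
#!/bin/sh
# Added example: client-connect script. OpenVPN calls it as
#   script <tmpfile>   with the certificate CN in $common_name.
# Assumed map format (hypothetical file): <common-name> <static-ip>, one per line.
STATIC_MAP="${STATIC_MAP:-/etc/openvpn/static-clients.txt}"  # hypothetical path
NETMASK="${NETMASK:-255.255.255.0}"                          # assumes topology subnet

# Print the static IP mapped to CN $1 in map file $2; status 1 if CN is not listed.
lookup_static_ip() {
    awk -v cn="$1" '$1 == cn { print $2; found = 1; exit }
                    END { exit !found }' "$2"
}

# Accept only a dotted-quad shape so a bad map line never reaches the ccd file.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Write dynamic ccd directives for CN $1 into file $2 using map file $3.
# Returns 0 for a static or pool client, 1 to make OpenVPN reject the client.
write_dynamic_ccd() {
    cn="$1"; out="$2"; map="$3"
    # Fail closed: without the map we cannot tell which clients are restricted.
    [ -r "$map" ] || return 1
    if ip=$(lookup_static_ip "$cn" "$map"); then
        # Malformed entry: reject instead of silently falling back to the pool.
        is_ipv4 "$ip" || return 1
        printf 'ifconfig-push %s %s\n' "$ip" "$NETMASK" > "$out"
    fi
    # Not listed: write nothing, the address comes from the --server pool.
    return 0
}

# Run only when OpenVPN invokes the script (tmpfile in $1, CN in the environment).
if [ -n "${1:-}" ] && [ -n "${common_name:-}" ]; then
    write_dynamic_ccd "$common_name" "$1" "$STATIC_MAP" || exit 1
fi
```

Removing a departed user's line from the map is then the only address bookkeeping needed; everyone not listed draws from the dynamic pool.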
