
"Reclaim" VPN IP addresses

Posted: Thu Sep 09, 2010 6:32 pm
by george
We have had users leave our company, and as I was reviewing logs and config files on all our servers recently, it occurred to me that we will soon be out of VPN IPs.

Do I reclaim the unused addresses by deleting the corresponding entries from /etc/openvpn/ipp.txt?

TIA

Re: "Reclaim" VPN IP addresses

Posted: Mon Sep 13, 2010 4:20 am
by krzee
why do you even use ipp.txt?

Re: "Reclaim" VPN IP addresses

Posted: Mon Sep 13, 2010 1:38 pm
by george
I didn't realize there was an alternative. I have always let openvpn dynamically assign our "internal" clients a VPN IP, and set up our "external" clients with static IPs using ccd dir and files.


For clarity's sake, here is a short explanation:

internal clients = users that work for my company and need full access to the lan

external clients = users who do not work for us and only need access to one or two hosts/services on our lan


Am I worrying about nothing? Should I be managing the client IP addressing another way?

Re: "Reclaim" VPN IP addresses

Posted: Tue Oct 05, 2010 8:56 am
by krzee
sorry for the long time without reply...

[14:51] <vpnHelper> krzie: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.

Sounds like you could give out IPs from 2 pools with one of these (by setting static IPs like you do now, but dynamically if that makes sense). Then you do not need to manage anything except a list of the exceptions to your --server IP pool.

Or you can just continue managing 1 static from ccd and let the other get dynamic from the pool (same as above, but with managing ccd files instead of a list of common-names)

ipp does not do what most people expect:
[14:54] <vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use ccd entries with ifconfig-push or a client-connect script
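
A sketch of the client-connect approach described above, added here as an example and not taken from the thread or from OpenVPN itself: common names found in a list get a fixed address via `ifconfig-push`, everyone else falls through to the `--server` pool. The list path, its `<common-name> <ip>` format, the netmask (which assumes `topology subnet`) and the sample addresses are all assumptions, and the listed IPs are assumed to sit outside the dynamic pool.

```shell
#!/bin/sh
# Added example: client-connect script that pins listed common names to an IP.
# Hypothetical list path and format; override via environment for testing.
STATIC_LIST="${STATIC_LIST:-/etc/openvpn/static-clients.txt}"
NETMASK="${NETMASK:-255.255.255.0}"   # assumed: server runs "topology subnet"

# lookup_static_ip CN LISTFILE -> prints the IP mapped to CN, or nothing.
# List format (constructed): one "<common-name> <ip>" pair per line, '#' comments.
lookup_static_ip() {
    [ -r "$2" ] || return 0
    awk -v cn="$1" '$1 !~ /^#/ && NF >= 2 && $1 == cn { print $2; exit }' "$2"
}

# write_client_config CN LISTFILE OUTFILE
# Appends an ifconfig-push line for listed clients; unlisted clients get no
# directive and therefore receive a dynamic address from the pool.
write_client_config() {
    ip=$(lookup_static_ip "$1" "$2")
    case "$ip" in
        "") return 0 ;;                        # not an exception: use the pool
        *[!0-9.]*)                             # refuse anything but digits/dots so a
            echo "bad IP for $1 in $2" >&2     # bad list entry cannot add directives
            return 1 ;;
    esac
    printf 'ifconfig-push %s %s\n' "$ip" "$NETMASK" >> "$3"
}

# OpenVPN exports common_name and passes the per-client config file as $1.
# A non-zero exit status from this script rejects the connecting client.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    write_client_config "$common_name" "$STATIC_LIST" "$1"
fi
```

With this in place, reclaiming an address when a user leaves means removing one line from the list (and revoking the certificate) rather than editing ipp.txt.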