Feature #4728
Expose ``nopool`` server option in the OpenVPN Server GUI
Description
OpenVPN has a checkbox to enable an address pool, but that one seems to be pretty useless (pool_enable is used nowhere). To make this one fully functional I'd suggest the following (taken from https://community.openvpn.net/openvpn/wiki/Concepts-Addressing#subnetExamplewithstaticccd). Instead of using the "server" directive, just use "ifconfig" instead and let users specify the pool via "ifconfig-pool" in additional options, or even add a new field for "pool network".
Why is this needed? If you want to have static and dynamic clients you would like a tunnel network to have for instance /24 and then use the lower /25 for dynamic clients and the upper /25 for static clients.
Updated by Florian Apolloner over 9 years ago
I am currently running my pfsense install with this patch:
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 927a3ec..1103976 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -642,9 +642,9 @@ function openvpn_reconfigure($mode, $settings) { case 'server_user': case 'server_tls_user': if (!empty($ip) && !empty($mask)) { - $conf .= "server {$ip} {$mask}\n"; + $conf .= "#server {$ip} {$mask}\n"; if (is_ipaddr($ipv6)) { - $conf .= "server-ipv6 {$ipv6}/{$prefix}\n"; + $conf .= "#server-ipv6 {$ipv6}/{$prefix}\n"; } $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; } else {
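Review bot: In the 'server_user' / 'server_tls_user' branch, both changed lines now write the directive with a leading "#" unconditionally, so every server in these modes loses "server" and "server-ipv6" and only works if the admin re-creates the addressing by hand in the additional options. Make this conditional on a setting (the description notes that pool_enable is currently used nowhere) and, when it applies, emit the replacement "ifconfig" line from {$ip} {$mask} rather than leaving a commented-out directive in the generated config. The "server-ipv6" line is disabled as well, and the hunk adds no IPv6 replacement for it.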
and this as additional server options:
    mode server
    ifconfig 172.22.2.1 255.255.255.0
    ifconfig-pool 172.22.2.2 172.22.2.100 255.255.255.0
    push "route-gateway 172.22.2.1"
    push "topology subnet"
This allows me to dynamically assign IPs from 172.22.2.2-172.22.2.100 and use stuff like
ifconfig-push 172.22.2.130 255.255.255.0
as client specific overrides for some static clients :)
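A consistency check for the pool/static split described in this comment, added here as an example and not part of the original post or of pfSense: it reads the server options and the client specific overrides and reports static addresses that fall inside the dynamic pool, outside the tunnel network, or are assigned twice. The function names and the client entries are assumptions; it models only an explicit ifconfig-pool under topology subnet with IPv4 literals.

```python
import ipaddress

def directives(text):
    """Tokenise OpenVPN options; ';' is treated as a separator, as in custom options."""
    rows = (r.split("#", 1)[0].replace('"', " ").split()
            for r in text.replace(";", "\n").splitlines())
    return [r for r in rows if r]

def pool_layout(server_opts):
    """Return (tunnel network, first pool address, last pool address)."""
    net = first = last = None
    for d in directives(server_opts):
        if d[0] in ("server", "ifconfig") and len(d) >= 3:
            net = ipaddress.ip_network(f"{d[1]}/{d[2]}", strict=False)
        elif d[0] == "ifconfig-pool" and len(d) >= 3:
            first, last = ipaddress.ip_address(d[1]), ipaddress.ip_address(d[2])
    return net, first, last

def check_static(server_opts, ccd):
    """ccd maps client name -> override text; returns (client, ip, problem) rows."""
    net, first, last = pool_layout(server_opts)
    problems, seen = [], {}
    for client, text in sorted(ccd.items()):
        for d in directives(text):
            if d[0] != "ifconfig-push" or len(d) < 2:
                continue
            ip = ipaddress.ip_address(d[1])
            if net is not None and ip not in net:
                problems.append((client, str(ip), "outside tunnel network"))
            elif first is not None and first <= ip <= last:
                problems.append((client, str(ip), "inside dynamic pool"))
            elif ip in seen:
                problems.append((client, str(ip), f"duplicate of {seen[ip]}"))
            seen.setdefault(ip, client)
    return problems

# Server options as posted in the thread; the client overrides are constructed.
SERVER_OPTS = """
mode server
ifconfig 172.22.2.1 255.255.255.0
ifconfig-pool 172.22.2.2 172.22.2.100 255.255.255.0
push "route-gateway 172.22.2.1"
"""
CCD = {
    "alice": "ifconfig-push 172.22.2.130 255.255.255.0",
    "bob": "ifconfig-push 172.22.2.50 255.255.255.0",
    "carol": "ifconfig-push 172.22.3.10 255.255.255.0",
    "dave": "ifconfig-push 172.22.2.130 255.255.255.0",
}
```
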
Updated by Florian Apolloner over 9 years ago
Hmm, I guess the easiest option would be to just remove the "address pool setting" and make "tunnel network optional" -- this would allow for truly advanced configurations (Obviously tunnel networks should get a big warning that you should only leave this empty when you know what you are doing). What do you think? If you tell me the way to go forward I can try to whip together a patch.
Updated by Florian Apolloner over 9 years ago
I have expanded the server directive as per the openvpn manpage: https://github.com/apollo13/pfsense/commit/137498be7fe113802cb1548b47f83778ade84eb1 -- what do you think? IPv6 is still missing, I am not really a PHP user, so I have yet to read up on the IPv6 library (also I have no IPv6 network to test ;)).
Updated by Jim Pingle about 5 years ago
- Status changed from New to Duplicate
This was duplicated by #7567 which was solved a couple years ago.
Updated by Florian Apolloner about 2 years ago
Hi, I do not think this is a duplicate and I just ran into this again. I actually want to be able to specify "nopool" for the server.
I have added a PR at https://github.com/pfsense/pfsense/pull/4621 and restored the "pool_enable" functionality.
Updated by Danilo Zrenjanin about 1 year ago
- Status changed from Duplicate to Pull Request Review
This option might be handy to define a specific scope of IPs that will be served to the clients. That way, we can have addresses out of the pool for Specific Client Overrides.
Updated by Danilo Zrenjanin about 1 year ago
I tested the patch, and it works as expected. I would consider the wording. Steve suggested naming that option 'Auto Address Pool' instead of 'Address Pool'. In my opinion we can simply name it 'nopool'.
Updated by Florian Apolloner about 1 year ago
I usually find negated settings hard to read. But let me know what you prefer or simply push the edits yourself into my branch.
Updated by Marcos M about 1 year ago
- Has duplicate Feature #9156: OpenVPN: Add tickbox for 'nopool' directive added
Updated by Marcos M about 1 year ago
- Tracker changed from Bug to Feature
- Subject changed from Openvpn "Address Pool" settings non-functional to Expose ``nopool` server option in OpenVPN
- Priority changed from Normal to Low
- Affected Version deleted (2.2.2)
- Affected Architecture deleted (All)
This can be accomplished with the custom options setting, e.g.:
server 172.25.1.0 255.255.255.0 nopool;ifconfig-pool "172.25.1.100 172.25.1.200";
Updated by Marcos M about 1 year ago
- Subject changed from Expose ``nopool` server option in OpenVPN to Expose ``nopool` server option in the OpenVPN Server GUI
Updated by Marcos M about 1 year ago
- Subject changed from Expose ``nopool` server option in the OpenVPN Server GUI to Expose ``nopool`` server option in the OpenVPN Server GUI