Project

General

Profile

Actions

Feature #4728

open

Expose ``nopool`` server option in the OpenVPN Server GUI

Added by Florian Apolloner over 9 years ago. Updated about 1 year ago.

Status:
Pull Request Review
Priority:
Low
Assignee:
-
Category:
OpenVPN
Target version:
-
Start date:
05/23/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Openvpn has a checkbox to enable an address pool, but that one seems to be pretty useless (pool_enable is used nowhere). To make this one fully functional I'd suggest the following (taken from https://community.openvpn.net/openvpn/wiki/Concepts-Addressing#subnetExamplewithstaticccd). Instead of using the "server" directive, just use "ifconfig" instead and let users specify the pool via "ifconfig-pool" in additional options, or even add a new field for "pool network".

Why is this needed? If you want to have static and dynamic clients you would like a tunnel network to have for instance /24 and then use the lower /25 for dynamic clients and the upper /25 for static clients.


Related issues

Has duplicate Feature #9156: OpenVPN: Add tickbox for 'nopool' directiveDuplicate11/29/2018

Actions
Actions #1

Updated by Florian Apolloner over 9 years ago

I am currently running my pfsense install with this patch:

diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 927a3ec..1103976 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -642,9 +642,9 @@ function openvpn_reconfigure($mode, $settings) {
                        case 'server_user':
                        case 'server_tls_user':
                                if (!empty($ip) && !empty($mask)) {
-                                       $conf .= "server {$ip} {$mask}\n";
+                                       $conf .= "#server {$ip} {$mask}\n";
                                        if (is_ipaddr($ipv6)) {
-                                               $conf .= "server-ipv6 {$ipv6}/{$prefix}\n";
+                                               $conf .= "#server-ipv6 {$ipv6}/{$prefix}\n";
                                        }
                                        $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
                                } else {

and this as additional server options:

mode server
ifconfig 172.22.2.1 255.255.255.0
ifconfig-pool 172.22.2.2 172.22.2.100 255.255.255.0
push "route-gateway 172.22.2.1" 
push "topology subnet" 

This allows me to dynamically assign IPs from 172.22.2.2-172.22.2.100 and use stuff like

ifconfig-push 172.22.2.130 255.255.255.0

as client specific overrides for some static clients :)

Actions #2

Updated by Florian Apolloner over 9 years ago

Hmm, I guess the easiest option would be to just remove the "address pool setting" and make "tunnel network optional" -- this would allow for truly advanced configurations (Obviously tunnel networks should get a big warning that you should only leave this empty when you know what you are doing). What do you think? If you tell me the way to go forward I can try to wipe together a patch.

Actions #3

Updated by Florian Apolloner over 9 years ago

I have expanded the server directive as per the openvpn manpage: https://github.com/apollo13/pfsense/commit/137498be7fe113802cb1548b47f83778ade84eb1 -- what do you think? IPv6 is still missing, I am not really a PHP user, so I have yet to read up on the IPv6 library (also I have no IPv6 network to test ;)).

Actions #4

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Duplicate

This was duplicated by #7567 which was solved a couple years ago.

Actions #5

Updated by Florian Apolloner about 2 years ago

Hi, I do not think this is a duplicate and I just ran into this again. I actually want to be able to specify "nopool" for the server.

I have added a PR at https://github.com/pfsense/pfsense/pull/4621 and restored the "pool_enable" functionality.

Actions #6

Updated by Danilo Zrenjanin about 1 year ago

  • Status changed from Duplicate to Pull Request Review

This option might be handy to define a specific scope of IPs that will be served to the clients. That way, we can have addresses out of the pool for Specific Client Overrides.

Actions #7

Updated by Danilo Zrenjanin about 1 year ago

I tested the patch, and it works as expected. I would consider the wording. Steve suggested naming that option 'Auto Address Pool' instead of 'Address Pool'. In my opinion we can simply name it 'nopool'.

Actions #8

Updated by Florian Apolloner about 1 year ago

I usually find negated settings hard to read. But let me know what you prefer or simply push the edits yourself into my branch.

Actions #9

Updated by Marcos M about 1 year ago

  • Has duplicate Feature #9156: OpenVPN: Add tickbox for 'nopool' directive added
Actions #10

Updated by Marcos M about 1 year ago

  • Tracker changed from Bug to Feature
  • Subject changed from Openvpn "Address Pool" settings non-functional to Expose ``nopool` server option in OpenVPN
  • Priority changed from Normal to Low
  • Affected Version deleted (2.2.2)
  • Affected Architecture deleted (All)

This can be accomplished with the custom options setting, e.g.:

server 172.25.1.0 255.255.255.0 nopool;ifconfig-pool "172.25.1.100 172.25.1.200";

Actions #11

Updated by Marcos M about 1 year ago

  • Subject changed from Expose ``nopool` server option in OpenVPN to Expose ``nopool` server option in the OpenVPN Server GUI
Actions #12

Updated by Marcos M about 1 year ago

  • Subject changed from Expose ``nopool` server option in the OpenVPN Server GUI to Expose ``nopool`` server option in the OpenVPN Server GUI
Actions

Also available in: Atom PDF