Feature #4728
Expose ``nopool`` server option in the OpenVPN Server GUI
Description
OpenVPN has a checkbox to enable an address pool, but that one seems to be pretty useless (pool_enable is used nowhere). To make this one fully functional I'd suggest the following (taken from https://community.openvpn.net/openvpn/wiki/Concepts-Addressing#subnetExamplewithstaticccd). Instead of using the "server" directive, just use "ifconfig" instead and let users specify the pool via "ifconfig-pool" in additional options, or even add a new field for "pool network".
Why is this needed? If you want to have static and dynamic clients you would like a tunnel network to have for instance /24 and then use the lower /25 for dynamic clients and the upper /25 for static clients.
Updated by Florian Apolloner over 9 years ago
I am currently running my pfsense install with this patch:
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 927a3ec..1103976 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -642,9 +642,9 @@ function openvpn_reconfigure($mode, $settings) { case 'server_user': case 'server_tls_user': if (!empty($ip) && !empty($mask)) { - $conf .= "server {$ip} {$mask}\n"; + $conf .= "#server {$ip} {$mask}\n"; if (is_ipaddr($ipv6)) { - $conf .= "server-ipv6 {$ipv6}/{$prefix}\n"; + $conf .= "#server-ipv6 {$ipv6}/{$prefix}\n"; } $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; } else {
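Review bot: the two changed lines in the `server_user` / `server_tls_user` case comment out `server` and `server-ipv6` unconditionally, so every server instance in these modes loses the mode, pool and push settings that `server` expands to unless they are re-added by hand in the additional options. Gate this on a setting (the description mentions the unused `pool_enable` checkbox) and emit the explicit replacement directives from the code instead of writing a commented-out line into the generated config. The additional options posted with this patch also contain no IPv6 counterpart for the removed `server-ipv6` line.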
and this as additional server options:
mode server
ifconfig 172.22.2.1 255.255.255.0
ifconfig-pool 172.22.2.2 172.22.2.100 255.255.255.0
push "route-gateway 172.22.2.1"
push "topology subnet"
This allows me to dynamically assign IPs from 172.22.2.2-172.22.2.100 and use stuff like
ifconfig-push 172.22.2.130 255.255.255.0
as client specific overrides for some static clients :)
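A check for the split described in this comment, as an added example that is not part of the original thread or of pfSense: it verifies that each `ifconfig-push` address lies in the tunnel network, is not the server's own address, and does not overlap the `ifconfig-pool` range. The client names and all override addresses other than 172.22.2.130 are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample input (client names are hypothetical); server options as quoted above.
SERVER_OPTS = """\
mode server
ifconfig 172.22.2.1 255.255.255.0
ifconfig-pool 172.22.2.2 172.22.2.100 255.255.255.0
push "route-gateway 172.22.2.1"
push "topology subnet"
"""
CCD = {
    "static-ok": "ifconfig-push 172.22.2.130 255.255.255.0",
    "in-pool": "ifconfig-push 172.22.2.50 255.255.255.0",
    "off-net": "ifconfig-push 172.22.3.10 255.255.255.0",
    "is-server": "ifconfig-push 172.22.2.1 255.255.255.0",
}

def parse(text):
    """Return {directive: [args]}; a repeated directive keeps its last value."""
    out = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out

def check_static(server_opts, ccd):
    """Map each client to the problems found with its ifconfig-push address."""
    opts = parse(server_opts)
    server_ip, mask = opts["ifconfig"][:2]
    net = ipaddress.ip_network(f"{server_ip}/{mask}", strict=False)
    pool = opts.get("ifconfig-pool")
    lo, hi = (ipaddress.ip_address(a) for a in pool[:2]) if pool else (None, None)
    report = {}
    for name, text in ccd.items():
        push = parse(text).get("ifconfig-push")
        if not push:
            continue  # no static override: client gets a dynamic address
        addr, problems = ipaddress.ip_address(push[0]), []
        if addr not in net:
            problems.append("outside tunnel network")
        if str(addr) == server_ip:
            problems.append("same as server address")
        if lo is not None and lo <= addr <= hi:
            problems.append("inside ifconfig-pool range")
        report[name] = problems
    return report

print(check_static(SERVER_OPTS, CCD))
```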
Updated by Florian Apolloner over 9 years ago
Hmm, I guess the easiest option would be to just remove the "address pool setting" and make "tunnel network" optional -- this would allow for truly advanced configurations (obviously tunnel networks should get a big warning that you should only leave this empty when you know what you are doing). What do you think? If you tell me the way to go forward I can try to whip together a patch.
Updated by Florian Apolloner over 9 years ago
I have expanded the server directive as per the openvpn manpage: https://github.com/apollo13/pfsense/commit/137498be7fe113802cb1548b47f83778ade84eb1 -- what do you think? IPv6 is still missing, I am not really a PHP user, so I have yet to read up on the IPv6 library (also I have no IPv6 network to test ;)).
Updated by Jim Pingle almost 5 years ago
- Status changed from New to Duplicate
This was duplicated by #7567 which was solved a couple years ago.
Updated by Florian Apolloner almost 2 years ago
Hi, I do not think this is a duplicate and I just ran into this again. I actually want to be able to specify "nopool" for the server.
I have added a PR at https://github.com/pfsense/pfsense/pull/4621 and restored the "pool_enable" functionality.
Updated by Danilo Zrenjanin 12 months ago
- Status changed from Duplicate to Pull Request Review
This option might be handy to define a specific scope of IPs that will be served to the clients. That way, we can have addresses out of the pool for Specific Client Overrides.
Updated by Danilo Zrenjanin 12 months ago
I tested the patch, and it works as expected. I would consider the wording. Steve suggested naming that option 'Auto Address Pool' instead of 'Address Pool'. In my opinion we can simply name it 'nopool'.
Updated by Florian Apolloner 11 months ago
I usually find negated settings hard to read. But let me know what you prefer or simply push the edits yourself into my branch.
Updated by Marcos M 11 months ago
- Has duplicate Feature #9156: OpenVPN: Add tickbox for 'nopool' directive added
Updated by Marcos M 11 months ago
- Tracker changed from Bug to Feature
- Subject changed from Openvpn "Address Pool" settings non-functional to Expose ``nopool`` server option in OpenVPN
- Priority changed from Normal to Low
- Affected Version deleted (2.2.2)
- Affected Architecture deleted (All)
This can be accomplished with the custom options setting, e.g.:
server 172.25.1.0 255.255.255.0 nopool;ifconfig-pool "172.25.1.100 172.25.1.200";