Feature #4728
open
Expose ``nopool`` server option in the OpenVPN Server GUI
Added by Florian Apolloner over 9 years ago.
Updated 11 months ago.
Status: Pull Request Review
Description
OpenVPN has a checkbox to enable an address pool, but that one seems to be pretty useless (pool_enable is used nowhere). To make this one fully functional I'd suggest the following (taken from https://community.openvpn.net/openvpn/wiki/Concepts-Addressing#subnetExamplewithstaticccd). Instead of using the "server" directive, just use "ifconfig" instead and let users specify the pool via "ifconfig-pool" in additional options, or even add a new field for "pool network".
Why is this needed? If you want to have static and dynamic clients you would like a tunnel network to have for instance /24 and then use the lower /25 for dynamic clients and the upper /25 for static clients.
I am currently running my pfSense install with this patch:
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 927a3ec..1103976 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -642,9 +642,9 @@ function openvpn_reconfigure($mode, $settings) {
case 'server_user':
case 'server_tls_user':
if (!empty($ip) && !empty($mask)) {
- $conf .= "server {$ip} {$mask}\n";
+ $conf .= "#server {$ip} {$mask}\n";
if (is_ipaddr($ipv6)) {
- $conf .= "server-ipv6 {$ipv6}/{$prefix}\n";
+ $conf .= "#server-ipv6 {$ipv6}/{$prefix}\n";
}
$conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
} else {
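Review bot: The `server` and `server-ipv6` lines are commented out unconditionally for the `server_user` and `server_tls_user` cases, so every instance of those modes loses its server mode and address pool unless the admin also supplies `mode server`, `ifconfig` and `ifconfig-pool` by hand. Nothing in this hunk consults the existing address pool checkbox (`pool_enable`); gating the change on that setting would keep default installs working and make the checkbox functional. The IPv6 side also gets no replacement: the additional options shown alongside the patch only configure an IPv4 `ifconfig` and pool, so a configured `$ipv6` tunnel network is silently dropped. Writing the directives as `#server ...` comments into the generated config is fine for a local workaround but should not be what gets merged.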
and this as additional server options:
mode server
ifconfig 172.22.2.1 255.255.255.0
ifconfig-pool 172.22.2.2 172.22.2.100 255.255.255.0
push "route-gateway 172.22.2.1"
push "topology subnet"
This allows me to dynamically assign IPs from 172.22.2.2-172.22.2.100 and use stuff like
ifconfig-push 172.22.2.130 255.255.255.0
as client specific overrides for some static clients :)
Hmm, I guess the easiest option would be to just remove the "address pool setting" and make "tunnel network optional" -- this would allow for truly advanced configurations (Obviously tunnel networks should get a big warning that you should only leave this empty when you know what you are doing). What do you think? If you tell me the way to go forward I can try to whip together a patch.
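The pool/static split described above can be checked mechanically. The following is an added example, not part of the original issue or of pfSense: it reads the additional server options quoted above and flags any `ifconfig-push` override that lands inside the dynamic pool, outside the tunnel network, or on an address already in use. The client names and the conflicting override lines are constructed, and IPv4 with `topology subnet` is assumed.

```python
import ipaddress

# Constructed sample input: the additional server options from the description,
# plus hypothetical client-specific overrides (client names are made up).
SERVER_OPTS = """\
mode server
ifconfig 172.22.2.1 255.255.255.0
ifconfig-pool 172.22.2.2 172.22.2.100 255.255.255.0
"""
OVERRIDES = {
    "static-a": "ifconfig-push 172.22.2.130 255.255.255.0",
    "static-b": "ifconfig-push 172.22.2.50 255.255.255.0",   # inside the pool
    "static-c": "ifconfig-push 172.22.3.7 255.255.255.0",    # outside the tunnel
    "static-d": "ifconfig-push 172.22.2.130 255.255.255.0",  # same as static-a
}

def directive(text, name):
    """Return the arguments of the first line whose directive is `name`."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == name:
            return parts[1:]
    return None

def check_overrides(server_opts, overrides):
    """Map client name -> problem text for every conflicting ifconfig-push."""
    srv_ip, srv_mask = directive(server_opts, "ifconfig")[:2]
    tunnel = ipaddress.ip_network(f"{srv_ip}/{srv_mask}", strict=False)
    pool = directive(server_opts, "ifconfig-pool")
    start, end = ipaddress.ip_address(pool[0]), ipaddress.ip_address(pool[1])
    seen = {ipaddress.ip_address(srv_ip): "the server"}
    problems = {}
    for client, text in overrides.items():
        args = directive(text, "ifconfig-push")
        if not args:
            continue  # this override assigns no static address
        addr = ipaddress.ip_address(args[0])
        if addr not in tunnel:
            problems[client] = f"{addr} is outside tunnel network {tunnel}"
        elif start <= addr <= end:
            problems[client] = f"{addr} is inside the dynamic pool {start}-{end}"
        elif addr in seen:
            problems[client] = f"{addr} is already used by {seen[addr]}"
        else:
            seen[addr] = client
    return problems

if __name__ == "__main__":
    for client, problem in check_overrides(SERVER_OPTS, OVERRIDES).items():
        print(f"{client}: {problem}")
```
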
- Status changed from New to Duplicate
This was duplicated by #7567 which was solved a couple years ago.
Hi, I do not think this is a duplicate and I just ran into this again. I actually want to be able to specify "nopool" for the server.
I have added a PR at https://github.com/pfsense/pfsense/pull/4621 and restored the "pool_enable" functionality.
- Status changed from Duplicate to Pull Request Review
This option might be handy to define a specific scope of IPs that will be served to the clients. That way, we can have addresses out of the pool for Specific Client Overrides.
I tested the patch, and it works as expected. I would consider the wording. Steve suggested naming that option 'Auto Address Pool' instead of 'Address Pool'. In my opinion we can simply name it 'nopool'.
I usually find negated settings hard to read. But let me know what you prefer or simply push the edits yourself into my branch.
- Has duplicate Feature #9156: OpenVPN: Add tickbox for 'nopool' directive added
- Tracker changed from Bug to Feature
- Subject changed from Openvpn "Address Pool" settings non-functional to Expose ``nopool` server option in OpenVPN
- Priority changed from Normal to Low
- Affected Version deleted (2.2.2)
- Affected Architecture deleted (All)
This can be accomplished with the custom options setting, e.g.:
server 172.25.1.0 255.255.255.0 nopool;ifconfig-pool "172.25.1.100 172.25.1.200";
- Subject changed from Expose ``nopool` server option in OpenVPN to Expose ``nopool` server option in the OpenVPN Server GUI
- Subject changed from Expose ``nopool` server option in the OpenVPN Server GUI to Expose ``nopool`` server option in the OpenVPN Server GUI