How can OpenVPN assign both dynamic and fixed IP address ranges at the same time?

Posted on 2023-10-8 10:39:46

I have a config at the moment which is working almost fine until some clients connect, the server starts to kick the clients off from the server or something like that. As I have checked, every client gets a good IP address and there is no IP address collision. The clients are using different certificates to connect. However I want to change this config to separate the DHCP range.
The current server config is this:
    port 1194
    proto udp

    dev tun

    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh2048.pem

    server 10.8.0.0 255.255.255.0
    topology subnet

    push "route 10.8.0.1 255.255.255.0"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"

    ifconfig-pool-persist ipp.txt

    client-config-dir /etc/openvpn/ccd

    client-to-client

    keepalive 10 300
    comp-lzo
    user nobody
    group nobody

    persist-key
    persist-tun

    status /etc/openvpn/openvpn-status.log
    verb 6

I would like to have dynamic IPs assigned from this range:
10.8.1.0 - 10.8.1.254
For this, I would like to use a /23, so 255.255.254.0
And I will assign static IPs from this range:
10.8.0.3 - 10.8.1.255 as 0.1 and 0.2 might be assigned to the server.
I will use this to push to client for static ip:
ifconfig-push 10.8.0.5 255.255.254.0
Could you please help me to modify my config to achieve this?
So split my 10.8.0.0-10.8.1.255 range to two:
  • static IPs: 10.8.0.4-10.8.0.255
  • dynamic IPs: 10.8.1.0-10.8.1.254
I will have Linux and Windows clients too.

Answer 1:
OK finally it is solved with some changes on the config file:
    port 1194
    proto udp
    dev tun

    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh2048.pem

    mode server
    tls-server
    topology subnet
    push "topology subnet"
    # server's VPN address with a /23 netmask (10.8.0.0 - 10.8.1.255)
    ifconfig 10.8.0.1 255.255.254.0
    # dynamic addresses are handed out from this range only
    ifconfig-pool 10.8.1.0 10.8.1.253
    route-gateway 10.8.0.1
    push "route-gateway 10.8.0.1"

    client-config-dir /etc/openvpn/ccd

    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"

    client-to-client

    keepalive 10 300
    comp-lzo

    user nobody
    group nobody
    persist-key
    persist-tun

    status /etc/openvpn/openvpn-status.log
    verb 6

Answer 2:
How to change the DHCP address pool?
First things first, the answer to the initial question. There's probably something like server 10.8.0.0 255.255.255.0 in your config. This directive will automatically allocate a DHCP pool with ifconfig-pool 10.8.0.4 10.8.0.251. If you try to specify the ifconfig-pool yourself, OpenVPN will complain that you can't use server and ifconfig-pool together. Now there are two ways to customize the DHCP address pool.
a) Use nopool
There is an option to force OpenVPN to not allocate a DHCP address pool. Just add the nopool argument at the end of the server directive and you can specify the pool yourself.
    server 10.8.0.0 255.255.255.0 nopool
    ifconfig-pool 10.8.0.100 10.8.0.200

b) Declare and customise the expanded server directive yourself
This solution is what was used by Zoltan and is a bit trickier, but lets you customise more aspects of the server. The OpenVPN manual shows how the server directive is expanded. Building upon this, you can declare all the necessary options yourself. This is highly dependent on the topology and if you're using dev tun or dev tap.
I just add an example based on the configuration in the question (topology subnet and dev tun).
    mode server
    tls-server
    push "topology subnet"
    ifconfig 10.8.0.1 255.255.255.0
    ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
    push "route-gateway 10.8.0.1"
    route-gateway 10.8.0.1

How to assign a static IP address to a client?
The second part of the question was about assigning static IPs. It seems like OP figured that one out, and there are already plenty of resources about this topic on the internet. Nevertheless I would like to add a short paragraph about assigning static IP addresses to certain clients.
The solution is to use a client configuration directory and add a file for each client in there.
Add this to your OpenVPN server configuration:
    client-config-dir /etc/openvpn/ccd

If you want to, for example, assign the IP 10.8.0.5 to a client with the common name client1, create a file /etc/openvpn/ccd/client1 with this content (note: this is for topology subnet):
    ifconfig-push 10.8.0.5 255.255.255.0

Also keep the note in the OpenVPN manual about ifconfig-push in mind. I couldn't find the route directive in the configuration Zoltan posted in his answer.
Remember also to include a --route directive in the main OpenVPN config file which encloses local, so that the kernel will know to route it to the server's TUN/TAP interface.
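
An added example, not part of either answer and not OpenVPN's own tooling: a Python check that the static ifconfig-push addresses in the client-config-dir stay inside the server subnet, out of the ifconfig-pool range, and use the server's netmask. The server lines are those of the first answer; the ccd entries, the client names other than client1 and the function names are constructed for illustration.

```python
import ipaddress
# Constructed input: the /23 server lines from the first answer and made-up ccd files.
SERVER_CONF = "ifconfig 10.8.0.1 255.255.254.0\nifconfig-pool 10.8.1.0 10.8.1.253\n"
CCD = {  # common name -> content of /etc/openvpn/ccd/<common name>
    "client1": "ifconfig-push 10.8.0.5 255.255.254.0",
    "client2": "ifconfig-push 10.8.1.20 255.255.254.0",  # inside the dynamic pool
    "client3": "ifconfig-push 10.8.0.5 255.255.254.0",   # same address as client1
    "client4": "ifconfig-push 10.8.0.9 255.255.255.0",   # /24 mask on a /23 server
    "client5": "ifconfig-push 10.8.2.7 255.255.254.0",   # outside 10.8.0.0/23
}

def directive(text, name):
    """Return the arguments of the first `name` directive in config text, or None."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == name:
            return parts[1:]
    return None

def audit(server_conf, ccd):
    """Map each common name to the problems found with its static address."""
    srv_ip, srv_mask = directive(server_conf, "ifconfig")[:2]
    net = ipaddress.ip_network(f"{srv_ip}/{srv_mask}", strict=False)
    reserved = {net.network_address, net.broadcast_address, ipaddress.ip_address(srv_ip)}
    lo, hi = (ipaddress.ip_address(a) for a in directive(server_conf, "ifconfig-pool")[:2])
    seen, report = {}, {}
    for cn in sorted(ccd):
        args = directive(ccd[cn], "ifconfig-push")
        if not args or len(args) < 2:
            continue  # client has no static address, it draws from the pool
        ip, mask = ipaddress.ip_address(args[0]), args[1]
        problems = []
        if ip not in net:
            problems.append("outside server subnet")
        if ip in reserved:
            problems.append("network, broadcast or server address")
        if lo <= ip <= hi:
            problems.append("inside dynamic pool")
        if mask != srv_mask:
            problems.append("netmask differs from server")
        if ip in seen:
            problems.append(f"duplicate of {seen[ip]}")
        seen.setdefault(ip, cn)
        if problems:
            report[cn] = problems
    return report

if __name__ == "__main__":
    print(audit(SERVER_CONF, CCD))
```

Run against the real server config and ccd files before reloading the server; a client whose static address falls in the pool can collide with a dynamically assigned one.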
