One of the options available in OpenVPN that can lead to a lot of confusion is ifconfig-pool-persist. This directive tells the OpenVPN server to maintain a persistent list of IP addresses handed out to different clients. When a client reconnects at a later time, the previously-used address is reused. This is only one of three methods for assigning static addresses to an OpenVPN client. The other two methods are:
- an ifconfig-push statement in a client-connect script
- an ifconfig-push statement in a client-configuration file
Both of these take precedence over the entries found in the ifconfig-pool-persist file. Experience has shown that it is often a good idea to temporarily disable this option when an OpenVPN setup is not working properly.
In this recipe, we will demonstrate how to use ifconfig-pool-persist and what the pitfalls are.
We will use the following network layout:
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks, at hand, as well as the client configuration file, basic-udp-client.conf, from the same recipe. The second client was running Windows 7 64 bit and OpenVPN 2.3.11. For this client, keep the client configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe from Chapter 2, Client-server IP-only Networks, at hand.
Create the server configuration file by appending the following line to the basic-udp-server.conf file:
ifconfig-pool-persist /etc/openvpn/cookbook/ipp.txt
Save it as the example10-4-server.conf file and start the server:
[root@server]# openvpn --config example10-4-server.conf
An empty file, /etc/openvpn/cookbook/ipp.txt, will be created as the server starts up.
Next, start the first client:
[root@client]# openvpn --config basic-udp-client.conf
Normally, this client will be assigned 10.200.0.2, which is the first available IP address in the server IP range.
Stop the server and look at the ipp.txt file:
[root@server]# cat /etc/openvpn/cookbook/ipp.txt
client1,10.200.0.2
Restart the server and connect with the second client. This client will now be assigned the address 10.200.0.3. Without the ifconfig-pool-persist option, it would have been assigned the first available address, which is 10.200.0.2.
When the OpenVPN server starts, it reads the ipp.txt file, if it exists, and it tries to re-assign the IP addresses to the client certificates found in the file. Whenever an OpenVPN client with one of the existing client certificates connects, it is assigned the address found in the ipp.txt file, unless the server VPN IP address space is too small for the number of already-connected clients. In that case, the client receives the first available address from the server VPN IP address space.
The first client that connected received the first available address, 10.200.0.2, from the VPN IP server address range. When the OpenVPN server shuts down, this information is recorded in the ipp.txt file. The second time the OpenVPN server started, this information was reloaded and the address, 10.200.0.2, was held in reserve for the client with certificate client1. When the second client connected with certificate client2, it received the next available address in the server VPN IP address range, which is 10.200.0.3. When the server shuts down again, this information is also recorded in the ipp.txt file.
This means that from now on, the first client will always receive the .2 address and the second client the .3 address. However, it is not a guarantee that the listed IP addresses will be assigned to a particular client certificate. The exception occurs when many VPN clients connect to the server. If the VPN IP address range is exhausted and the first client is not connected at that time, its address is recycled for other VPN clients. If the client with certificate client1 then tries to connect to the server, it will be assigned the first available address. For a guaranteed assignment, a client-config-dir file should be used.
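The allocation behaviour described above (reservations loaded from ipp.txt, first-available assignment for unknown certificates, and recycling of an idle reservation once the range is exhausted) is easy to misjudge from a running server, so here is a small model of it as an added example. This is not OpenVPN's own code and not from the cookbook; it only reproduces the rules this recipe describes. The pool boundaries (10.200.0.2 up to 10.200.0.254, with the server holding 10.200.0.1) and the ipp.txt contents are assumptions based on the recipe's example, and the cn,ip line format is the one shown in the recipe.

```python
import ipaddress


def parse_ipp(text):
    """Parse ipp.txt lines of the form cn,ip into an ordered cn -> address map."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        cn, _, ip = line.partition(",")
        entries[cn.strip()] = ipaddress.IPv4Address(ip.strip())
    return entries


class PersistentPool:
    """Model of the server-side address pool with an ifconfig-pool-persist file loaded."""

    def __init__(self, first_ip, last_ip, ipp_text=""):
        self.first = ipaddress.IPv4Address(first_ip)
        self.last = ipaddress.IPv4Address(last_ip)
        # Reservations loaded from ipp.txt; entries outside the pool are ignored.
        self.reserved = {cn: ip for cn, ip in parse_ipp(ipp_text).items()
                         if self.first <= ip <= self.last}
        self.connected = {}  # cn -> address currently in use

    def _first_free(self, allow_recycle):
        """First pool address not in use; reserved-but-idle ones only if allowed."""
        in_use = set(self.connected.values())
        held = set(self.reserved.values())
        ip = self.first
        while ip <= self.last:
            if ip not in in_use and (allow_recycle or ip not in held):
                return ip
            ip += 1
        return None

    def connect(self, cn):
        """Assign an address to a connecting client and return it (None if the pool is full)."""
        if cn in self.connected:
            raise ValueError("a second session for the same cn would need duplicate-cn")
        ip = self.reserved.get(cn)
        if ip is not None and ip not in self.connected.values():
            self.connected[cn] = ip  # reservation from ipp.txt honoured
            return ip
        ip = self._first_free(allow_recycle=False)
        if ip is None:
            # Range exhausted: an idle reserved address is recycled for this client.
            ip = self._first_free(allow_recycle=True)
        if ip is None:
            return None
        # The previous holder of a recycled address loses its reservation.
        for other, held in list(self.reserved.items()):
            if held == ip:
                del self.reserved[other]
        self.reserved[cn] = ip
        self.connected[cn] = ip
        return ip

    def disconnect(self, cn):
        self.connected.pop(cn, None)

    def dump_ipp(self):
        """What the server writes to ipp.txt at shutdown (or at the update interval)."""
        return "".join(f"{cn},{ip}\n" for cn, ip in self.reserved.items())


def recipe_walkthrough():
    """Replay the recipe: client1 connects, server restarts with ipp.txt, client2 connects."""
    server = PersistentPool("10.200.0.2", "10.200.0.254")  # assumed pool, empty ipp.txt
    first = server.connect("client1")             # first available: 10.200.0.2
    ipp_after_shutdown = server.dump_ipp()        # "client1,10.200.0.2\n"
    server = PersistentPool("10.200.0.2", "10.200.0.254", ipp_after_shutdown)
    second = server.connect("client2")            # .2 is held for client1, so .3
    return str(first), str(second), server.dump_ipp()


def exhaustion_walkthrough():
    """Constructed two-address pool, fully reserved but idle: reservations get recycled."""
    ipp = "client1,10.200.0.2\nclient2,10.200.0.3\n"
    server = PersistentPool("10.200.0.2", "10.200.0.3", ipp)
    third = server.connect("client3")   # no unreserved address left, takes idle .2
    first = server.connect("client1")   # its .2 is gone, gets first available: .3
    full = server.connect("client2")    # nothing left at all
    return str(third), str(first), full


if __name__ == "__main__":
    print(recipe_walkthrough())
    print(exhaustion_walkthrough())
```

The second walkthrough is the case the text warns about: once the range is exhausted, an entry in ipp.txt no longer protects a client's address, which is why a client-config-dir file is the only guaranteed assignment.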
When using the ifconfig-pool-persist directive, there are a few pitfalls to watch out for.
Because we did not explicitly specify an update interval, the ipp.txt file is updated every 600 seconds (10 minutes). This can also be seen by looking at the ipp.txt file right after a new client connects: the newly-found client certificate and VPN IP are not listed in the ipp.txt file until the first update interval passes or the OpenVPN server process shuts down.
It is also possible to specify an update interval of 0 seconds, which means that the ipp.txt file is never updated. This causes the OpenVPN server to associate IP addresses with the client certificate names found in the ipp.txt file at startup, but these associations will never change afterwards.
The duplicate-cn option can be used to allow the same client certificate to connect to the same server a number of times. If this option is used, the ifconfig-pool-persist option becomes useless, as the same client certificate will be connected twice. This means that the OpenVPN server has to hand out two different IP addresses to each client and the entry in the ipp.txt file becomes meaningless.
When the server option topology net30 is used, the format of the ipp.txt file is slightly different. In the net30 topology mode, each client is assigned a /30 network address consisting of four IP addresses: the network address, the VPN server endpoint address, the actual client VPN IP address, and the broadcast address for the /30 network. In the ipp.txt file, the first of these is recorded:
client1,10.200.0.4
client2,10.200.0.8
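When an ipp.txt file is the suspect in a misbehaving setup, it helps to check its entries against the server's pool before disabling the option. The checker below is an added example, not part of the cookbook or of OpenVPN: it parses the cn,ip format shown in this recipe, flags duplicate or out-of-pool entries, and in net30 mode verifies that each recorded address is the network address of a /30 and expands it into the four addresses the text lists. The sample file contents are constructed for this example; the 10.200.0.0/24 pool, the server's own address 10.200.0.1 in subnet mode, and the first /30 belonging to the server in net30 mode are assumptions taken from the recipe's layout and OpenVPN's usual net30 addressing.

```python
import ipaddress

# Constructed sample files in the two formats shown in the recipe.
IPP_SUBNET = "client1,10.200.0.2\nclient2,10.200.0.3\n"
IPP_NET30 = "client1,10.200.0.4\nclient2,10.200.0.8\n"


def parse_ipp(text):
    """Return [(cn, address)] from ipp.txt text; one 'cn,ip' per line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        cn, sep, ip = line.partition(",")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'cn,ip', got {line!r}")
        entries.append((cn.strip(), ipaddress.IPv4Address(ip.strip())))
    return entries


def decode_net30(network_addr):
    """Expand the /30 network address recorded in net30 mode into its four addresses."""
    block = ipaddress.IPv4Network((network_addr, 30))  # ValueError if host bits are set
    base = int(block.network_address)
    return {
        "network": str(block.network_address),
        "server": str(ipaddress.IPv4Address(base + 1)),  # VPN server endpoint address
        "client": str(ipaddress.IPv4Address(base + 2)),  # the client's actual VPN IP
        "broadcast": str(block.broadcast_address),
    }


def check_ipp(text, pool_cidr, topology="subnet"):
    """List problems in an ipp.txt relative to the server's pool; empty list if clean."""
    pool = ipaddress.IPv4Network(pool_cidr)
    server_ip = pool.network_address + 1  # assumed server address (10.200.0.1 in the recipe)
    problems = []
    seen = {}
    for cn, ip in parse_ipp(text):
        if ip not in pool:
            problems.append(f"{cn}: {ip} lies outside pool {pool}")
        elif topology == "subnet" and ip == server_ip:
            problems.append(f"{cn}: {ip} is the server's own address")
        if ip in seen:
            problems.append(f"{cn}: {ip} already recorded for {seen[ip]}")
        seen[ip] = cn
        if topology == "net30":
            try:
                block = decode_net30(ip)
            except ValueError:
                problems.append(f"{cn}: {ip} is not the network address of a /30")
            else:
                # Assumed net30 layout: the first /30 of the pool holds the server itself.
                if block["network"] == str(pool.network_address):
                    problems.append(f"{cn}: {ip} is the /30 used by the server")
    return problems


if __name__ == "__main__":
    print("subnet:", check_ipp(IPP_SUBNET, "10.200.0.0/24") or "ok")
    print("net30: ", check_ipp(IPP_NET30, "10.200.0.0/24", "net30") or "ok")
    for cn, ip in parse_ipp(IPP_NET30):
        print(cn, decode_net30(ip))
```

A clean result on both sample files does not prove the addresses will be honoured (see the exhaustion case above), but a non-empty list points at an ipp.txt that was edited by hand, written by a server with a different pool, or produced under the other topology.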