Details of ifconfig-pool-persist

One of the options available in OpenVPN that can lead to a lot of confusion is ifconfig-pool-persist. This directive tells the OpenVPN server to maintain a persistent list of IP addresses handed out to different clients. When a client reconnects at a later time, the previously-used address is reused. This is only one of three methods for assigning static addresses to an OpenVPN client. The other two methods are:

  • Using an ifconfig-push statement in a client-connect script
  • Using an ifconfig-push statement in a client-configuration file

Both of these take precedence over the entries found in the ifconfig-pool-persist file. Experience has shown that it is often a good idea to temporarily disable this option when an OpenVPN setup is not working properly.

In this recipe, we will demonstrate how to use ifconfig-pool-persist and what the pitfalls are.

Getting ready

We will use the following network layout:


Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks at hand, as well as the client configuration file, basic-udp-client.conf, from the same recipe. The second client was running Windows 7 64-bit and OpenVPN 2.3.11. For this client, keep the client configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe from Chapter 2, Client-server IP-only Networks at hand.

How to do it...

  1. Create the server configuration file by adding the following line to the basic-udp-server.conf file:
    ifconfig-pool-persist /etc/openvpn/cookbook/ipp.txt
    
  2. Save it as example10-4-server.conf file.
  3. Start the server:
    [root@server]# openvpn --config example10-4-server.conf
    

    An empty file, /etc/openvpn/cookbook/ipp.txt, will be created as the server starts up.

  4. Connect the first client:
    [root@client]# openvpn --config basic-udp-client.conf
    

    Normally, this client will be assigned 10.200.0.2, which is the first available IP address in the server IP range.

  5. Stop both the client and the server. List the contents of the ipp.txt file:
    [root@server]# cat /etc/openvpn/cookbook/ipp.txt
    client1,10.200.0.2
    
  6. Start the server again. Now, connect the second client, which has a different certificate:

    This client will now be assigned the address 10.200.0.3. Without the ifconfig-pool-persist option, it would have been assigned the first available address, which is 10.200.0.2.

How it works...

When the OpenVPN server starts, it reads the ipp.txt file, if it exists, and it tries to re-assign the IP addresses to the client certificates found in the file. Whenever an OpenVPN client with one of the existing client certificates connects, it is assigned the address found in the ipp.txt file, unless the server VPN IP address space is too small for the number of already-connected clients. In that case, the client receives the first available address from the server VPN IP address space.

The first client that connected received the first available address, 10.200.0.2, from the VPN IP server address range. When the OpenVPN server shuts down, this information is recorded in the ipp.txt file. The second time the OpenVPN server started, this information was reloaded and the address, 10.200.0.2, was held in reserve for the client with certificate client1. When the second client connected with certificate client2, it received the next available address in the server VPN IP address range, which is 10.200.0.3. When the server shuts down again, this information is also recorded in the ipp.txt file.

This means that from now on, the first client will always receive the .2 address and the second client the .3 address. However, it is not a guarantee that the listed IP addresses will be assigned to a particular client certificate. The exception occurs when many VPN clients connect to the server. If the VPN IP address range is exhausted and the first client is not connected at that time, its address is recycled for other VPN clients. If the client with certificate client1 then tries to connect to the server, it will be assigned the first available address. For a guaranteed assignment, a client-config-dir file should be used.
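To make the reservation and recycling rules above concrete, here is a small Python model of the pool behaviour as the recipe describes it (an added example, not OpenVPN's own code): ipp.txt lines are parsed, persisted entries are held in reserve for their certificate, and a reserved address is only recycled once the range is otherwise exhausted. The sample ipp.txt content and the small 10.200.0.2-10.200.0.4 range are constructed for the demonstration.

```python
import ipaddress

# Constructed sample of ipp.txt as it would look after step 5 of the recipe
SAMPLE_IPP = "client1,10.200.0.2\n"

def parse_ipp(text):
    """Parse the 'common-name,ip' lines written by ifconfig-pool-persist."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        cn, ip = line.split(",")[:2]
        entries[cn.strip()] = ipaddress.ip_address(ip.strip())
    return entries

class PersistentPool:
    """Model of the server pool with a loaded ipp.txt (behaviour as described, not OpenVPN's code)."""
    def __init__(self, first, last, persisted):
        first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.pool = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
        self.persisted = dict(persisted)   # cn -> ip remembered across restarts
        self.in_use = {}                   # cn -> ip of currently connected clients

    def connect(self, cn):
        used = set(self.in_use.values())
        # addresses held in reserve for persisted clients that are not connected now
        reserved = {ip for name, ip in self.persisted.items()
                    if name != cn and name not in self.in_use}
        wanted = self.persisted.get(cn)
        if wanted in self.pool and wanted not in used:
            ip = wanted                    # remembered address is still free: reuse it
        else:
            free = [ip for ip in self.pool if ip not in used and ip not in reserved]
            if not free:                   # range exhausted: recycle reserved addresses
                free = [ip for ip in self.pool if ip not in used]
            if not free:
                raise RuntimeError("VPN IP address range exhausted")
            ip = free[0]                   # first available address
        self.in_use[cn] = ip
        self.persisted[cn] = ip            # what the next ipp.txt update will record
        return str(ip)

    def disconnect(self, cn):
        self.in_use.pop(cn, None)

    def ipp_lines(self):
        """Render the entries in the ipp.txt format."""
        return "\n".join(f"{cn},{ip}" for cn, ip in self.persisted.items())
```

The walk-through in the test below reproduces the recipe: client2 skips the reserved .2, and once the range is full the reserved address is handed to someone else, so a later client1 gets the first free address instead.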

There's more...

When using the ifconfig-pool-persist directive, there are a few pitfalls to watch out for.

Specifying the update interval

Because we did not explicitly specify an update interval, the ipp.txt file is updated every 600 seconds (10 minutes). This can also be seen by looking at the ipp.txt file right after a new client connects: the newly-found client certificate and VPN IP are not listed in the ipp.txt file until the first update interval passes or when the OpenVPN server process shuts down.

It is also possible to specify an update interval of 0 seconds, which means that the ipp.txt file is never updated. This causes the OpenVPN server to associate IP addresses with the client certificate names found in the ipp.txt file at startup, but these associations will never change afterwards.

Caveat - the duplicate-cn option

The duplicate-cn option can be used to allow the same client certificate to connect to the same server a number of times. If this option is used, the ifconfig-pool-persist option becomes useless, as the same client certificate will be connected twice. This means that the OpenVPN server has to hand out two different IP addresses to each client and the entry in the ipp.txt file becomes meaningless.

When topology net30 is used

When the server option topology net30 is used, the format of the ipp.txt file is slightly different. In the net30 topology mode, each client is assigned a /30 network address consisting of four IP addresses: the network address, the VPN server endpoint address, the actual client VPN IP address, and the broadcast address for the /30 network. In the ipp.txt file, the first of these is recorded:

client1,10.200.0.4
client2,10.200.0.8