Something I'm curious about, but haven't actually tried, is what happens in the case of overlap between ifconfig-push and ifconfig-pool. Obviously it's best not to overlap these, but if one were to... not do that, what happens if the next pool address is already assigned via push? My assumption is that ovpn is smart enough to skip it. More interesting is what happens if a push'd address is already assigned via pool? Does it disconnect the pool client? Ignore the push'd address and select a free one from the pool? Send someone to your house to slap you for doing such a silly thing?
Just curious...

Thanks,
-Joe

On Thu, May 27, 2021 at 6:58 AM Jan Just Keijser <janj...@nikhef.nl> wrote:
>
> On 27/05/21 12:33, Bo Berglund wrote:
> > I am a bit confused about how the ccd mechanism works...
> >
> > Say that I want to assign a limited number of clients with specific tunnel
> > addresses, whereas the other connecting clients will use dhcp provided
> > addresses.
> > In the server.conf file I have this:
> >
> > server 10.8.1.0 255.255.255.0 'nopool'
> > ifconfig-pool 10.8.1.2 10.8.1.127 255.255.255.0
> > client-config-dir /etc/openvpn/ccd2
> > ifconfig-pool-persist ipp2.txt
> > client-to-client
> >
> > Then in the dir /etc/openvpn/ccd2 I have a few files named as the CN (common
> > name) of a few "server" clients, each of which will contain this (with a
> > different last number in the IP address):
> >
> > ifconfig-push 10.8.1.130 255.255.255.0
> >
> > My question now is how this works?
> > Will the presence of a ccd file named as the CN of the connecting client mean
> > that the main directive ifconfig-pool is *not* used if the ccd file contains an
> > ifconfig-push directive?
> the settings from the ccd file overwrite the settings from the main file
> > I assume that all clients not mentioned in the ccd directory will just get the
> > next "free" IP from the defined pool between 2 and 127?
> Correct, unless you had used
> --ccd-exclusive
> which means that clients without a CCD file simply are not allowed to
> connect.
>
> Also, you can use a "default" CCD file named DEFAULT (capitals, no extensions)
>
> > I want to set up a system whereby a couple of TCP/IP servers can connect to this
> > OpenVPN and get fixed known tunnel addresses. Then "normal" clients can also
> > connect and get their addresses out of the pool.
> > With this running the clients should be able to connect to the servers using
> > their known addresses from the ccd file.
> >
> > Is this how it will work?
> Yup, this is definitely doable but you need to ensure that routing is
> done correctly to and from the CCD-based clients.
>
> HTH,
>
> JJK
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
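
An added example, not part of the thread and not OpenVPN code: a small audit that reads the `ifconfig-pool` range from a server config and flags any ccd `ifconfig-push` address that falls inside it, or that two CNs share, so the overlap asked about above is caught before deployment. The function names and the `server2`/`server3` ccd entries are constructed for illustration; the server config is the one quoted in the thread.

```python
import ipaddress
import re
from pathlib import Path

# "\s+" after the keyword keeps ifconfig-pool-persist from matching.
POOL_RE = re.compile(r"^\s*ifconfig-pool\s+(\S+)\s+(\S+)", re.M)
PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)", re.M)

def pool_range(server_conf_text):
    """Return (first, last) address of the dynamic pool, or None if absent."""
    m = POOL_RE.search(server_conf_text)
    if not m:
        return None
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))

def audit(server_conf_text, ccd_files):
    """ccd_files maps CN -> file text. Returns (in_pool, duplicates)."""
    rng = pool_range(server_conf_text)
    seen, in_pool = {}, []
    for cn, text in sorted(ccd_files.items()):
        m = PUSH_RE.search(text)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # not an IPv4 literal (e.g. a hostname); out of scope here
        seen.setdefault(ip, []).append(cn)
        if rng and rng[0] <= ip <= rng[1]:
            in_pool.append((cn, str(ip)))
    duplicates = {str(ip): cns for ip, cns in seen.items() if len(cns) > 1}
    return in_pool, duplicates

def load_ccd(ccd_dir):
    """Read every file in a client-config-dir into the CN -> text mapping."""
    return {p.name: p.read_text() for p in Path(ccd_dir).iterdir() if p.is_file()}

# Server config as quoted in the thread.
SERVER_CONF = """server 10.8.1.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.1.2 10.8.1.127 255.255.255.0
client-config-dir /etc/openvpn/ccd2
ifconfig-pool-persist ipp2.txt
client-to-client
"""
# Constructed ccd contents: server2 sits inside the pool, server3 reuses .130.
CCD = {
    "server1": "ifconfig-push 10.8.1.130 255.255.255.0\n",
    "server2": "ifconfig-push 10.8.1.50 255.255.255.0\n",
    "server3": "ifconfig-push 10.8.1.130 255.255.255.0\n",
}

if __name__ == "__main__":
    overlapping, shared = audit(SERVER_CONF, CCD)
    print("inside pool:", overlapping)
    print("assigned to more than one CN:", shared)
```

On a live server, pass `load_ccd("/etc/openvpn/ccd2")` and the text of the server config instead of the constructed samples.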