By default, openvpn does not reserve IPs assigned to clients in the client config dir; rather, it still gives out those IPs to other clients. To prevent that, the server should be created with "nopool" and a custom pool added without the reserved IPs. The script should validate that all the client IPs are outside of the pool. Since I can't find a reference to openvpn supporting multiple pools, which would allow us to exclude single IPs from the pool automatically, the script would require setting a custom pool (via a new config node, e.g. 'server pool ...') if any 'server client ip' is defined. That would also mean a non-migratable change to the validation.
Description
Details
- Difficulty level: Unknown (require assessment)
- Version: -
- Why the issue appeared? Will be filled on close
- Is it a breaking change? Perfectly compatible
- Issue type: Bug (incorrect behavior)
Event Timeline
WIP: https://github.com/vyos/vyos-1x/pull/325
We won't do strict exclusion of client IPs from the server pool, but just print a warning if they overlap. This way old configs won't require migration and will still work, and new configurations will be able to manually set a smaller pool.
The script now prints a warning on commit if the server client IP is in the pool. There is a new config node for setting the pool start/stop/netmask/disable; if it is not set, the defaults of openvpn are used.
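The overlap check described in the task description and the warning-on-commit behaviour from the last comment, as an added example that is not code from the vyos-1x pull request or from OpenVPN. It uses a constructed config in a hypothetical dict layout (not the real VyOS config tree) with the assumed keys `subnet`, `pool` (start/stop/disable) and `clients`, and renders the `server ... nopool` and `ifconfig-pool` directives a custom pool needs. The default pool range used when no start/stop is set is an assumption of this example; OpenVPN's own default depends on the topology in use.

```python
import ipaddress

# Constructed sample config in a hypothetical dict layout (not vyos-1x's real
# config tree): the server subnet, an optional custom pool, and the static
# client IPs that would otherwise live in the client config dir (ifconfig-push).
SAMPLE_CONFIG = {
    "subnet": "10.8.0.0/24",
    "pool": {"start": "10.8.0.100", "stop": "10.8.0.200"},
    "clients": {
        "alice": "10.8.0.10",    # outside the pool: fine
        "bob": "10.8.0.150",     # inside the pool: OpenVPN may hand it to another client
        "carol": "10.8.0.250",   # outside the pool: fine
    },
}


def pool_range(config):
    """Return (first, last) addresses of the dynamic pool, or None if the pool is disabled.

    Assumption for this example: with no explicit start/stop, the pool spans the
    whole subnet minus the network address, the server's own first host address
    and the broadcast address. OpenVPN's real default depends on topology.
    """
    pool = config.get("pool") or {}
    if pool.get("disable"):
        return None
    if "start" in pool and "stop" in pool:
        return ipaddress.ip_address(pool["start"]), ipaddress.ip_address(pool["stop"])
    hosts = list(ipaddress.ip_network(config["subnet"]).hosts())
    return hosts[1], hosts[-1]


def check_client_ips(config):
    """Return one warning string per static client IP that overlaps the pool."""
    rng = pool_range(config)
    if rng is None:
        return []
    first, last = rng
    warnings = []
    for name, ip_str in config["clients"].items():
        ip = ipaddress.ip_address(ip_str)
        if first <= ip <= last:
            warnings.append(f"client '{name}' ip {ip} overlaps pool {first}-{last}")
    return warnings


def openvpn_server_lines(config):
    """Render the server/pool directives: 'nopool' keeps OpenVPN from building
    its own pool, and ifconfig-pool supplies the custom range when one exists."""
    subnet = ipaddress.ip_network(config["subnet"])
    lines = [f"server {subnet.network_address} {subnet.netmask} nopool"]
    rng = pool_range(config)
    if rng is not None:
        first, last = rng
        lines.append(f"ifconfig-pool {first} {last} {subnet.netmask}")
    return lines


if __name__ == "__main__":
    # Mirrors the commit-time behaviour: warn about overlaps, but do not fail.
    for warning in check_client_ips(SAMPLE_CONFIG):
        print("WARNING:", warning)
    print("\n".join(openvpn_server_lines(SAMPLE_CONFIG)))
```

With the sample config only `bob` is reported, since 10.8.0.150 falls inside the 10.8.0.100-10.8.0.200 pool while the other two static IPs sit outside it. Disabling the pool removes the overlap entirely (only static clients can connect), and omitting the pool node falls back to the assumed default range, where almost any static IP will trigger the warning, which is the situation the original bug describes.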