Page MenuHomeVyOS Platform

OpenVPN client-ip-pool option is broken
Closed, ResolvedPublicBUG


There are multiple problems with it:

  • There's no space between the pool end and the netmask in the generated config, so it can never work.
  • In addition, the netmask parameter is always generated, even though it's only valid for the tap mode. In the tun mode, it prevents OpenVPN from starting.
  • Last but not least, ifconfig-pool: first from the subnet option, without checking whether the user defined it explicitly; second time from the client-ip-pool option defined by the user.

Trying to run OpenVPN with extra subnet parameter in ifconfig-pool results in this error and terminates the OpenVPN process:

openvpn-vtun0[9645]: Options error: The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode

The man page says:

Valid syntax:

                 ifconfig-pool start-IP end-IP [netmask]

              For  tun-style  tunnels, each client will be given a /30 subnet (for interoperability with Windows clients).  For tap-style tunnels, individual addresses will be allocated, and the optional netmask parameter will also
              be pushed to clients.


Difficulty level
Easy (less than an hour)
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Mentioned In

Event Timeline

dmbaturin renamed this task from OpenVPN ifconfig-pool option is broken to OpenVPN client-ip-pool option is broken.May 1 2022, 12:13 PM
dmbaturin claimed this task.
dmbaturin updated the task description. (Show Details)
Viacheslav changed the task status from Open to Needs testing.Aug 30 2023, 11:14 AM
Viacheslav subscribed.

Should be fixed, needs testing.

dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.