
OpenVPN: Allow manually configuring the dynamic IP pool range

Open butwhoscounting opened this issue 3 months ago • 6 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [✓] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [-] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Is your feature request related to a problem? Please describe. OpenVPN Client Specific Overrides allow you to assign static IP addresses to VPN clients, which in turn allows the administrator to apply different firewall rules to different clients based on the client's IP.

This feature is currently unusable in OPNsense because OPNsense does not allow reducing the OpenVPN dynamic IP pool range – it will dynamically assign IPs to clients from the entire VPN subnet range. This results in potential collisions between dynamically assigned IPs and statically assigned IPs. A CSO client only gets their assigned static IP if it has not already been allocated to another (dynamically assigned) client.

Describe the solution you'd like Add an OpenVPN instance configuration option under /ui/openvpn/instances that would allow the administrator to manually configure the OpenVPN dynamic IP pool range.

This feature should leverage the OpenVPN server ifconfig-pool configuration directive. (This is the recommended approach by OpenVPN: https://community.openvpn.net/Pages/Concepts-Addressing#static-address-assignment)

Describe alternatives you considered I don't see a good alternative to this besides standing up two entirely separate instances for VPN clients with dynamic IPs and VPN clients with static IPs, but this increases the management overhead for the administrator.

Additional context There have been earlier pull requests (https://github.com/opnsense/core/issues/7567) and issues opened about this (https://github.com/opnsense/core/issues/8600), but they haven't been merged nor commented on by the devs.

Since there's clearly some demand for it, please consider implementing this feature.

butwhoscounting avatar Sep 12 '25 10:09 butwhoscounting

I don't see pull requests attached, only tickets, but no-pool is likely all you need to prevent a pool overlap, which is implemented in https://github.com/opnsense/core/pull/9025

AdSchellevis avatar Sep 12 '25 11:09 AdSchellevis

Thank you for your reply @AdSchellevis. My bad, I linked the wrong thing. This was the pull request I was thinking of https://github.com/opnsense/core/pull/7568. More specifically, this commit https://github.com/opnsense/core/pull/7568/commits/8355bb9f3ef992370fd61c1e01d9ef0bdc0244ee.

Regarding no-pool. As I understand this would mean dynamic IP allocation isn't used at all and only clients with static assignments get an IP. This is not the desired behaviour.

I would like to mix and match so that clients that do have a CSO/static IP assignment get a static IP and clients that don't have a static IP assigned to them get an IP from the dynamic pool. Allowing the administrator to configure the ifconfig-pool directive would allow you to do that.

For example, if the VPN subnet is 10.8.0.0/24, ifconfig-pool would enable you to configure things so that IPs ranging from 10.8.0.2 to 10.8.0.199 are used for dynamic allocation. All IPs outside of that range could be used for static assignments. Here's an example of what the OpenVPN server config would look like in this case: https://community.openvpn.net/Pages/Concepts-Addressing#subnet-example-with-static-ccd

butwhoscounting avatar Sep 12 '25 11:09 butwhoscounting
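As an added illustration of the layout described above (not code from OPNsense or from the thread participants), the following script parses a constructed OpenVPN server config with an `ifconfig-pool` range and checks each constructed CCD/CSO `ifconfig-push` entry for the two mistakes an administrator wants caught: a static address inside the dynamic pool (collision risk) and a static address outside the server subnet. Client names and addresses are hypothetical.

```python
"""Check that OpenVPN static client addresses (CCD / CSO ifconfig-push) sit
outside the dynamic ifconfig-pool range and inside the server subnet."""
import ipaddress

# Constructed server config (not from OPNsense): pool is 10.8.0.2-10.8.0.199,
# everything else in 10.8.0.0/24 is reserved for static assignments.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
topology subnet
ifconfig-pool 10.8.0.2 10.8.0.199
"""

# Constructed CCD entries keyed by hypothetical client common name.
CCD = {
    "alice": "ifconfig-push 10.8.0.201 255.255.255.0",  # outside pool: fine
    "bob":   "ifconfig-push 10.8.0.50 255.255.255.0",   # inside pool: collision risk
    "carol": "ifconfig-push 10.9.0.5 255.255.255.0",    # not in the server subnet
}

def parse_server(conf):
    """Return (subnet, (pool_start, pool_end)) from the server config text."""
    subnet = pool = None
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "server":
            subnet = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "ifconfig-pool":
            pool = (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]))
    if subnet is None or pool is None:
        raise ValueError("need both 'server' and 'ifconfig-pool' directives")
    return subnet, pool

def check_static(conf, ccd):
    """Map each CCD client to 'ok', 'in-pool' or 'outside-subnet'."""
    subnet, (lo, hi) = parse_server(conf)
    verdicts = {}
    for name, entry in ccd.items():
        parts = entry.split()
        if parts[0] != "ifconfig-push":
            continue
        ip = ipaddress.ip_address(parts[1])
        if ip not in subnet:
            verdicts[name] = "outside-subnet"
        elif lo <= ip <= hi:
            verdicts[name] = "in-pool"
        else:
            verdicts[name] = "ok"
    return verdicts
```

Run `check_static(SERVER_CONF, CCD)` to see that only `alice` is laid out safely; the same check applied to a config without `ifconfig-pool` raises, matching the situation the issue describes where the whole subnet is the pool.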

To avoid complexity, we don't plan on offering mixed situations at the moment.

AdSchellevis avatar Sep 12 '25 11:09 AdSchellevis

I see ifconfig-pool as being analogous to configuring the DHCP pool range on a DHCP server. When configuring DHCP servers administrators also often exclude a small range of IPs from the start/end of the subnet from the pool range, so that those IPs can be used for DHCP reservations.

That's to say it should be rather easy for OPNsense administrators to understand what ifconfig-pool does and what it's used for. Additionally, this option could be "hidden" under advanced mode settings, so that the uninitiated won't stumble on it accidentally.

butwhoscounting avatar Sep 12 '25 12:09 butwhoscounting

Second that.

Mixed static IP/pool solution worked with the legacy server GUI until 25.1 by configuring a CSO with a tunnel network that was separate from the server’s general one. With the new configuration GUI, this configuration results in an error because the tunnel network is outside the server network.

Personally, I would consider not having a pool (going all-static) to be more exotic than having a pool plus some static addresses. Plus, implementation should be really straightforward, it is just another option exposed through the GUI.

mvglasow avatar Nov 19 '25 15:11 mvglasow

Would also really like to see this feature supported

Ericreeses avatar Nov 21 '25 22:11 Ericreeses