OpenVPN - Static IP vs Dynamic Pool

Kevin K

Regular Contributor
I need to assign one user a static IP address; I need to be sure no other users will get that address. I'm doing this because I'm using iptables to grant only this one user access to the LAN. All other users get outbound access to the WAN only.

If I do this the 'standard' way, I need to use ifconfig-pool to limit the dynamic addresses so they won't conflict with my static address. This is a pain because it means I have to use a postconf script to remove the 'server' option because 'server' and 'ifconfig-pool' are incompatible and Merlin uses 'server'.

I'd like to be creatively lazy.

If I set "max-clients 20" and I put my VPN on 10.1.0.0, it seems to me like the dynamically assigned addresses would never exceed 10.1.0.20, and I could safely assign my static user (or users) beginning at 10.1.0.100 without fear of conflict.

Can I get away with this? Am I missing a risk?
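To see where the pool actually lands, here is an added example (it is not from this thread and not Asuswrt-Merlin's own code) that computes the address the "server" helper's pool hands to the N-th dynamic client for both "topology subnet" and the older "topology net30" default, and checks a proposed static address against the slots that "max-clients" can keep in use at once. The 10.1.0.0/24 network, the client count and the 10.1.0.100 static address come from the post; the helper names are mine. Two things it makes visible: the pool does not start at .1, so twenty clients reach .21 (subnet) or .82 (net30, a /30 per client), not .20; and "max-clients" only caps concurrency, it does not shrink the pool, so the gap above those slots rests on OpenVPN handing out the lowest free slot (and, if "ifconfig-pool-persist" is on, on whatever its file has remembered, since remembered entries are reused by common name).

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin. Computes where
# the pool created by "server <network> <netmask>" places dynamic clients
# and whether a static ifconfig-push address can collide with it.
# Assumes a /24 given as a dotted quad, as in the post.

ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# pool_client_addr <topology> <network> <slot>
# "server" expands to an ifconfig-pool that starts at network+2 with
# topology subnet (one address per client) or at network+4 with topology
# net30 (one /30 per client: server end = base + 4*slot + 1, client end =
# base + 4*slot + 2). Slots are numbered from 0.
pool_client_addr() {
    top=$1; netint=$(ip2int "$2"); slot=$3
    case $top in
        subnet) int2ip $(( netint + 2 + slot )) ;;
        net30)  int2ip $(( netint + 4 + slot * 4 + 2 )) ;;
        *) echo "unknown topology: $top" >&2; return 1 ;;
    esac
}

# highest_pool_addr <topology> <network> <max-clients>
# Slots are handed out lowest-free-first, so with at most N concurrent
# clients the highest slot that can be in use is N-1.
highest_pool_addr() {
    pool_client_addr "$1" "$2" $(( $3 - 1 ))
}

# static_ok <topology> <network> <max-clients> <static-address>
# Prints "ok" when the static address sits above every slot max-clients
# can occupy (and, for net30, is a valid client end of a /30), otherwise
# a one-line reason.
static_ok() {
    top=$1; netq=$2; max=$3; wantq=$4
    want=$(ip2int "$wantq")
    high=$(ip2int "$(highest_pool_addr "$top" "$netq" "$max")")
    if [ "$want" -le "$high" ]; then
        echo "conflict: $wantq is within the pool's reach (slots 0..$((max - 1)) run up to $(int2ip "$high"))"
        return 0
    fi
    if [ "$top" = net30 ] && [ $(( (want - $(ip2int "$netq")) % 4 )) -ne 2 ]; then
        echo "invalid: net30 client addresses are the .2 of a /30; nearest is $(int2ip $(( want / 4 * 4 + 2 )))"
        return 0
    fi
    echo ok
}

# The post's numbers: a /24 on 10.1.0.0, max-clients 20, static at .100.
highest_pool_addr subnet 10.1.0.0 20     # 10.1.0.21
highest_pool_addr net30  10.1.0.0 20     # 10.1.0.82
static_ok subnet 10.1.0.0 20 10.1.0.100  # ok
static_ok net30  10.1.0.0 20 10.1.0.100  # invalid: .100 is a /30 network address
```

The static assignment itself goes in a per-client file under client-config-dir, named after the certificate's common name, containing "ifconfig-push 10.1.0.100 255.255.255.0" for topology subnet or the /30 pair for net30; add "ccd-exclusive" if a client without such a file should be refused rather than pooled.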
 
If you mean a "security risk" to your network, then depending on how the static IP is assigned, AND if it is not associated with a specific MAC address, a malicious user could, using various utilities, assign their device the specific IP that you have designated to access the VPN tunnel. If you use the router to assign the static IPs, this risk is minimized, since the router will, based on the MAC of the device connecting, assign it a designated static IP; however, a user could, by using a utility, spoof/clone the MAC address of a device you have designated, and then the router will give it the IP for that MAC in its list of static IPs.
 
Just to be sure I'm clear...
I understand how users can ignore DHCP-assigned addresses on a non-VPN LAN. (e.g. You just configure the interface for a static IP.) If I code "ifconfig-push 10.1.0.123 255.255.255.0" at the server, are you saying that the OpenVPN client can override that server-assigned IP?
 
In theory I think they could by using the 'pull-filter' directive etc.
Code:
# client side: discard the server's pushed "ifconfig ..." line, then set the tunnel addresses locally
pull-filter ignore ifconfig
ifconfig xxx.xxx.xxx.253 xxx.xxx.xxx.254

but I don't think they would be able to access anything with their sneaky config?
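For the other half of the setup, the iptables policy that lets only the pinned client into the LAN, here is an added example (not from this thread and not Asuswrt-Merlin's own code). The tun21 interface name, the 192.168.1.0/24 LAN and the 10.1.0.123 client address are assumptions; the script prints the rules by default and loads them when invoked with "apply" as root, for instance from a firewall-start user script. Matching on the client's tunnel source address holds up against the pull-filter trick above because the OpenVPN server only forwards packets whose source address is the one it assigned to that client (or one it holds an iroute for) and drops the rest, logging "MULTI: bad source address from client ...", so a client that ignores the pushed ifconfig and picks 10.1.0.123 by hand is stopped inside the server, before this chain ever sees the packet.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: FORWARD policy
# for one OpenVPN server with a single client allowed into the LAN and every
# other client limited to WAN-bound traffic. Interface and addresses are
# assumptions; override them through the environment.
TUN_IF=${TUN_IF:-tun21}
LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_CLIENT=${LAN_CLIENT:-10.1.0.123}
CHAIN=OVPN_LAN_POLICY

# vpn_forward_rules: print the iptables commands in the order they must run.
# Order matters: replies to LAN-initiated connections first, then the one
# permitted client, then a DROP for any other tunnel traffic aimed at the
# LAN, then an ACCEPT for everything else (WAN; NAT is handled elsewhere).
# The chain is rebuilt and re-hooked so the script can be run repeatedly.
vpn_forward_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -s $LAN_CLIENT -d $LAN_NET -j ACCEPT
iptables -A $CHAIN -d $LAN_NET -j DROP
iptables -A $CHAIN -j ACCEPT
iptables -D FORWARD -i $TUN_IF -j $CHAIN 2>/dev/null || true
iptables -I FORWARD 1 -i $TUN_IF -j $CHAIN
EOF
}

# lan_allow_sources: the tunnel source addresses the rule set lets into the
# LAN by address match; a review check that should print exactly one line.
lan_allow_sources() {
    vpn_forward_rules | grep -- "-d $LAN_NET -j ACCEPT" | sed -n 's/.*-s \([^ ]*\) .*/\1/p'
}

case ${1:-print} in
    print) vpn_forward_rules ;;
    apply) vpn_forward_rules | sh -e ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 1 ;;
esac
```

The chain covers forwarded traffic only; services on the router itself (DNS, the web UI) are reached through INPUT and need their own rule if the other clients should not see them. The DROP is placed before the catch-all ACCEPT on purpose: swapping them would silently grant every client the LAN.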
 
