Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    no free --ifconfig-pool addresses are available

    Scheduled Pinned Locked Moved OpenVPN
    13 Posts 4 Posters 2.5k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      albertmiclat
      last edited by

      Just a wild guess : every client eat up 4 IPs in from pool ? not sure about this, how is this possible and how to check? is there any setting i need to change?

      1 Reply Last reply Reply Quote 0
      • GertjanG Offline
        Gertjan
        last edited by

        https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

        Look at the openvpn server config file - the file itself (/var/etc/openvpn/serverX.conf where X is a number.
        Does it contain

        .....
        topology subnet
        .....
        

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • A Offline
          albertmiclat
          last edited by

          here is my server config

          #######
          dev ovpns6
          verb 1
          dev-type tun
          tun-ipv6
          dev-node /dev/tun6
          writepid /var/run/openvpn_server6.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-128-CBC
          auth SHA1
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          client-connect /usr/local/sbin/openvpn.attributes.sh
          client-disconnect /usr/local/sbin/openvpn.attributes.sh
          local 202.55.95.114
          tls-server
          server 10.99.26.0 255.255.255.0
          client-config-dir /var/etc/openvpn-csc/server6
          username-as-common-name
          auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user c2dkYzAzLHNnZasdfasdfSxMb2NhbCBEYXRhYmFzZQ== false server6 1194" via-env
          tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'sg.ong-ong.com' 1"
          lport 1194
          management /var/etc/openvpn/server6.sock unix
          max-clients 100
          push "route 10.25.0.0 255.255.0.0"
          push "dhcp-option DOMAIN ong-ong.internal"
          push "dhcp-option DNS 10.25.1.7"
          push "dhcp-option DNS 10.25.1.9"
          push "dhcp-option NTP 10.25.1.7"
          push "dhcp-option NTP 10.25.1.9"
          push "redirect-gateway def1"
          duplicate-cn
          ca /var/etc/openvpn/server6.ca
          cert /var/etc/openvpn/server6.cert
          key /var/etc/openvpn/server6.key
          dh /etc/dh-parameters.1024
          tls-auth /var/etc/openvpn/server6.tls-auth 0
          comp-lzo yes
          persist-remote-ip
          float
          topology net30
          push "route 10.84.3.0 255.255.255.0"
          push "route 10.100.0.0 255.255.255.0"
          push "route 10.60.0.0 255.255.0.0"
          push "route 10.88.1.0 255.255.255.0"
          push "route 10.62.21.0 255.255.255.0"
          push "route 10.191.0.0 255.255.255.0"
          push "route 10.66.0.0 255.255.0.0"
          push "route 10.86.28.0 255.255.255.0"
          push "route 10.65.2.0 255.255.255.0"
          push "ping-exit 600"

          1 Reply Last reply Reply Quote 0
          • RicoR Offline
            Rico LAYER 8 Rebel Alliance
            last edited by

            topology net30 is using 4 IPs per client.

            -Rico

            1 Reply Last reply Reply Quote 0
            • A Offline
              albertmiclat
              last edited by

              Hi Rico,

              Is there any advice to fix this?

              Thanks,
              A

              1 Reply Last reply Reply Quote 0
              • RicoR Offline
                Rico LAYER 8 Rebel Alliance
                last edited by

                Expand your tunnel network or switch to topology subnet which is the default mode for like 5 years.

                -Rico

                1 Reply Last reply Reply Quote 0
                • A Offline
                  albertmiclat
                  last edited by

                  Hi Rico,

                  I will probably try expanding my tunnel network to /22.

                  Thanks,
                  A

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ Online
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    I see some other problems in your config as well..

                    comp-lzo yes

                    Been a huge known security issue with openvpn and compression for quite some time.. "Voracle Attack"
                    https://community.openvpn.net/openvpn/wiki/VORACLE

                    I would move to aes-gcm vs cbc

                    I would really suggest you read through
                    https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html

                    Great doc with lots of great info about scaling and improving your vpn overall..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 1
                    • A Offline
                      albertmiclat
                      last edited by

                      Thanks @Gertjan @johnpoz @Rico

                      i did some changes accordingly.

                      so far all user are now able to connect w/out any issue.

                      1 Reply Last reply Reply Quote 0
                      • RicoR Offline
                        Rico LAYER 8 Rebel Alliance
                        last edited by

                        Glad you have it working.

                        -Rico

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.