no free --ifconfig-pool addresses are available

albertmiclat

Just a wild guess : every client eat up 4 IPs in from pool ? not sure about this, how is this possible and how to check? is there any setting i need to change?

Gertjan

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

Look at the openvpn server config file - the file itself (/var/etc/openvpn/serverX.conf where X is a number.
Does it contain

.....
topology subnet
.....

albertmiclat

here is my server config

#######
dev ovpns6
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun6
writepid /var/run/openvpn_server6.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 202.55.95.114
tls-server
server 10.99.26.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server6
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user c2dkYzAzLHNnZasdfasdfSxMb2NhbCBEYXRhYmFzZQ== false server6 1194" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'sg.ong-ong.com' 1"
lport 1194
management /var/etc/openvpn/server6.sock unix
max-clients 100
push "route 10.25.0.0 255.255.0.0"
push "dhcp-option DOMAIN ong-ong.internal"
push "dhcp-option DNS 10.25.1.7"
push "dhcp-option DNS 10.25.1.9"
push "dhcp-option NTP 10.25.1.7"
push "dhcp-option NTP 10.25.1.9"
push "redirect-gateway def1"
duplicate-cn
ca /var/etc/openvpn/server6.ca
cert /var/etc/openvpn/server6.cert
key /var/etc/openvpn/server6.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server6.tls-auth 0
comp-lzo yes
persist-remote-ip
float
topology net30
push "route 10.84.3.0 255.255.255.0"
push "route 10.100.0.0 255.255.255.0"
push "route 10.60.0.0 255.255.0.0"
push "route 10.88.1.0 255.255.255.0"
push "route 10.62.21.0 255.255.255.0"
push "route 10.191.0.0 255.255.255.0"
push "route 10.66.0.0 255.255.0.0"
push "route 10.86.28.0 255.255.255.0"
push "route 10.65.2.0 255.255.255.0"
push "ping-exit 600"

Rico

topology net30 is using 4 IPs per client.

-Rico

albertmiclat

Hi Rico,

Is there any advice to fix this?

Thanks,
A

Rico

Expand your tunnel network or switch to topology subnet which is the default mode for like 5 years.

-Rico

albertmiclat

Hi Rico,

I will probably try expanding my tunnel network to /22.

Thanks,
A

johnpoz

I see some other problems in your config as well..

comp-lzo yes

Been a huge known security issue with openvpn and compression for quite some time.. "Voracle Attack"
https://community.openvpn.net/openvpn/wiki/VORACLE

I would move to aes-gcm vs cbc

I would really suggest you read through
https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html

Great doc with lots of great info about scaling and improving your vpn overall..

albertmiclat

Thanks @Gertjan @johnpoz @Rico

i did some changes accordingly.

so far all user are now able to connect w/out any issue.

Rico

Glad you have it working.

-Rico