[Dnsmasq-discuss] Different IP Address range for OpenVPN clients?

Mike azmr at earthlink.net
Wed Aug 30 21:30:52 BST 2006


On Wed, 30 Aug 2006, Simon Kelley wrote:

> Mike wrote:
>> First off I'm pretty sure I don't understand the syntax of
>> /etc/dnsmasq.conf...
>>
>> I've been using dnsmasq in a small office lan for almost two years now.
>> We recently added OpenVPN for our few road warriors.  I wanted to keep
>> the OpenVPN IP address range separate from the local folks.  However that
>> doesn't seem to be working, OpenVPN clients are assigned an address from
>> the first defined range.  Additionally the lease time is incorrect on
>> OpenVPN clients ("Lease Obtained" and "Lease Expires" are the same).
>>
>> Here's my dnsmasq.conf file.
>>
>> no-poll                                  # do not poll resolv-file
>> except-interface=eth0                    # do not answer on external i/f
>> listen-address=10.169.1.1                # listen on local address only
>> listen-address=127.0.0.1                 #
>> domain-needed                            # don't forward plain names
>> bogus-priv                               # don't forward private addresses
>> filterwin2k                              # filter useless Windows DNS requests
>> #
>> # Local DNS name server
>> #
>> no-hosts                                 # do not read /etc/hosts
>> addn-hosts=/etc/hosts.dnsmasq            # instead, read this file
>> expand-hosts                             # add the domain to /etc/hosts entries
>> resolv-file=/etc/resolv.dnsmasq          #
>> domain=internal.lan                      # domain name
>> local=/internal.lan/                     # answer these domains from /etc/hosts
>> #
>> # Automatically configure DHCP client network i/f (RFC 1533)
>> #
>> dhcp-option=1,255.255.255.0              # subnet mask
>> dhcp-option=42,10.169.1.1                # NTP server
>> dhcp-mac=ovpn,00:FF:*:*:*:*
>>
>> dhcp-option=ovpn,3                       # Don't send default GW to openvpn
>>                                           # clients
>> #
>> # DHCP address range
>> #
>> dhcp-range=10.169.1.17,10.169.1.63,255.255.255.0,12h      # DHCP addr range for LAN clients
>> dhcp-range=ovpn,10.169.1.120,10.169.1.125,255.255.255.0,6h    # DHCP addr range for OpenVPN clients
>
> This is the problem: as you have it that line sets the "ovpn" tag when
> that range is used, but it doesn't constrain which range to use.
> dnsmasq will eventually get around to using the 120-125 range, but
> probably only if it runs out of addresses in the 17-63 range.
>
> If you change to this: (note the net: prefix)
>
> dhcp-range=net:ovpn,10.169.1.120,10.169.1.125,255.255.255.0,6h
>
> then the semantics changes: now dnsmasq will use the 120-125 range
> _only_ when the "ovpn" tag is set (by the dhcp-mac line) and it will use
> it in preference to the untagged range when the "ovpn" tag is set.
>
> Note that if all the addresses in the 120-125 range are in use, an
> openvpn host will fall back to an address in the 17-63 range. If you
> want to avoid this, disallow the 17-63 range when the ovpn tag is set
> like this:
>
> dhcp-range=net:#ovpn,10.169.1.17,10.169.1.63,255.255.255.0,12h
>
> the # negates the sense, so that the range will only be used when the
> ovpn tag is not set.
>
> Yes, this is difficult: the syntax grew in a backwards compatible way
> over the years, it's easy for simple things, but needlessly obscure for
> complex ones. One day there might be a dnsmasq 3 which has a more
> rationally designed configuration syntax.
>
> HTH
> Simon.
>

Thanks Simon, that did it.  I sure understand how syntax has a way of doing 
that.  Regardless, dnsmasq is still much simpler and more appropriate for 
my situation than bind!

-- Thanks again, Mike
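For reference, here is the corrected range section written out in full, as an added example that is not part of the thread. The first block uses the `net:` / `#` syntax Simon describes, which is what the dnsmasq of 2006 accepted; the second block is the same policy in the `set:` / `tag:` / `tag:!` syntax that dnsmasq has used since 2.53 (`net:` is still accepted for backward compatibility, but `tag:` is the documented form today). The addresses, tag name and lease times are Mike's; the MAC prefix `00:FF:*` is whatever OpenVPN's tap driver hands out on his clients and is assumed here.

```conf
#
# DHCP address ranges, original (pre-2.53) syntax from the thread
#
dhcp-mac=ovpn,00:FF:*:*:*:*                                   # set tag "ovpn" for OpenVPN tap MACs
dhcp-range=net:#ovpn,10.169.1.17,10.169.1.63,255.255.255.0,12h   # LAN range: only when "ovpn" is NOT set
dhcp-range=net:ovpn,10.169.1.120,10.169.1.125,255.255.255.0,6h   # VPN range: only when "ovpn" IS set
dhcp-option=ovpn,3                                            # no default gateway for tagged clients

#
# Same policy in current dnsmasq syntax (2.53 and later)
#
# dhcp-mac=set:ovpn,00:FF:*:*:*:*
# dhcp-range=tag:!ovpn,10.169.1.17,10.169.1.63,255.255.255.0,12h
# dhcp-range=tag:ovpn,10.169.1.120,10.169.1.125,255.255.255.0,6h
# dhcp-option=tag:ovpn,3
```

After editing, `dnsmasq --test` syntax-checks the configuration without starting the daemon, and the lease file (`/var/lib/misc/dnsmasq.leases` on most builds; the path is distribution-dependent) shows which range each client actually landed in. Two caveats a practitioner should keep in mind: with the negated LAN range in place, a VPN client that arrives when all six VPN addresses are taken gets no lease at all rather than a LAN address, so size the range for the real number of concurrent road warriors; and the tag is derived from a MAC prefix that the client itself asserts, so this arrangement separates address pools for administrative convenience but is not a security boundary between VPN and LAN hosts.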