[Dnsmasq-discuss] Different IP Address range for OpenVPN clients?
Simon Kelley
simon at thekelleys.org.uk
Wed Aug 30 20:49:51 BST 2006
Mike wrote:
> First off I'm pretty sure I don't understand the syntax of
> /etc/dnsmasq.conf...
>
> I've been using dnsmasq in a small office lan for almost two years now.
> We recently added OpenVPN for our few road warriors. I wanted to keep
> the OpenVPN IP address range separate from the local folks. However that
> doesn't seem to be working, OpenVPN clients are assigned an address from
> the first defined range. Additionally the lease time is incorrect on
> OpenVPN clients ("Lease Obtained" and "Lease Expires" are the same).
>
> Here's my dnsmasq.conf file.
>
> no-poll # do not poll resolv-file
> except-interface=eth0 # do not answer on external i/f
> listen-address=10.169.1.1 # listen on local address only
> listen-address=127.0.0.1 #
> domain-needed # don't forward plain names
> bogus-priv # don't forward private addresses
> filterwin2k # filter useless Windows DNS requests
> #
> # Local DNS name server
> #
> no-hosts # do not read /etc/hosts
> addn-hosts=/etc/hosts.dnsmasq # instead, read this file
> expand-hosts # add the domain to /etc/hosts entries
> resolv-file=/etc/resolv.dnsmasq #
> domain=internal.lan # domain name
> local=/internal.lan/ # answer these domains from /etc/hosts
> #
> # Automatically configure DHCP client network i/f (RFC 1533)
> #
> dhcp-option=1,255.255.255.0 # subnet mask
> dhcp-option=42,10.169.1.1 # NTP server
> dhcp-mac=ovpn,00:FF:*:*:*:*
>
> dhcp-option=ovpn,3 # Don't send default GW to openvpn clients
> #
> # DHCP address range
> #
> dhcp-range=10.169.1.17,10.169.1.63,255.255.255.0,12h # DHCP addr range for LAN clients
> dhcp-range=ovpn,10.169.1.120,10.169.1.125,255.255.255.0,6h # DHCP addr range for OpenVPN clients
This is the problem: as you have it that line sets the "ovpn" tag when
that range is used, but it doesn't constrain which range to use.
dnsmasq will eventually get around to using the 120-125 range, but
probably only if it runs out of addresses in the 17-63 range.
If you change to this: (note the net: prefix)
dhcp-range=net:ovpn,10.169.1.120,10.169.1.125,255.255.255.0,6h
then the semantics changes: now dnsmasq will use the 120-125 range
_only_ when the "ovpn" tag is set (by the dhcp-mac line) and it will use
it in preference to the untagged range when the "ovpn" tag is set.
Note that if all the addresses in the 120-125 range are in use, an
openvpn host will fall back to an address in the 17-63 range. If you
want to avoid this, disallow the 17-63 range when the ovpn tag is set
like this:
dhcp-range=net:#ovpn,10.169.1.17,10.169.1.63,255.255.255.0,12h
the # negates the sense, so that the range will only be used when the
ovpn tag is not set.
Yes, this is difficult: the syntax grew in a backwards compatible way
over the years, it's easy for simple things, but needlessly obscure for
complex ones. One day there might be a dnsmasq 3 which has a more
rationally designed configuration syntax.
HTH
Simon.
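The DHCP section of Mike's dnsmasq.conf with the two changes Simon describes applied, as an added example that is not part of the original thread or of dnsmasq's own documentation. It reuses Mike's addresses, lease times and tag name, and keeps the 2006-era "net:" syntax his reply uses; the comment on the dhcp-mac line is an added caveat: the tag is set from the MAC address the client presents in its DHCP request, so it is a convenience for address allocation, not a check on who the client is.

```conf
# DHCP section only; the DNS settings above it are unchanged.

# Set the "ovpn" tag on any client whose MAC begins with 00:FF.
# This matches whatever MAC the client puts in its request, so it
# steers allocation but must not be relied on for access control.
dhcp-mac=ovpn,00:FF:*:*:*:*

# Options sent to every client
dhcp-option=1,255.255.255.0          # subnet mask
dhcp-option=42,10.169.1.1            # NTP server

# Option 3 with no value: tagged (VPN) clients get no default gateway
# and keep the route they already have
dhcp-option=ovpn,3

# LAN range: "net:#ovpn" means use this range only when the ovpn tag
# is NOT set, so a VPN client never falls back into it
dhcp-range=net:#ovpn,10.169.1.17,10.169.1.63,255.255.255.0,12h

# VPN range: "net:ovpn" means use this range only when the ovpn tag
# IS set, in preference to any untagged range
dhcp-range=net:ovpn,10.169.1.120,10.169.1.125,255.255.255.0,6h
```

With both ranges constrained this way, a VPN client that arrives when 10.169.1.120-125 is exhausted gets no lease at all rather than a LAN address, which is the behaviour Simon's second change is meant to produce; size the tagged range for the expected number of concurrent VPN clients. Later dnsmasq releases spell the same thing as dhcp-mac=set:ovpn,..., dhcp-option=tag:ovpn,3, dhcp-range=tag:!ovpn,... and dhcp-range=tag:ovpn,..., and accept "dnsmasq --test" to syntax-check the file before a restart.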