
OpenVPN lifetime of ip addresses within VPN Pool (SSL)

How long is the lifetime of assigned IP addresses within VPN Pool (SSL)? Is it infinite as long as the VPN Pool (SSL) is not exhausted?

I ask because I use SNAT to masquerade IP addresses from VPN Pool (SSL) to Internal (Network). So I suppose the only way for communication between remote access clients is to use the IP addresses of VPN Pool (SSL). Or should I better configure and activate DNS resolution via Sophos UTM to get IP addresses from VPN Pool (SSL) via DNS resolution?



  • Hello Udo,

    The pool of addresses is managed by OpenVPN and not the UTM DHCP, but basically, once you disconnect from the SSL VPN the IP is free. So yes, it can be infinite as long as it is not exhausted; the max it can handle is /16.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hey emmosophos,

    Yes, thank you! This will do. So I can refer to those "static" IP addresses within VPN Pool (SSL) for a certain VPN client.

    Greetings

    Udo

  • Hello Udo,

    I'm not sure what you're suggesting, but fixed IPs in a User object cannot be used by UTM SSL VPN Remote Access. What issue led you to ask this question and propose your solution?

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    At the moment I only need communication between the OpenVPN client computers for remote control. For that purpose I can use those quasi-permanent IP addresses within VPN Pool (SSL) and don't need DNS name resolution. OpenVPN users are limited to a single connection per user, which corresponds to the computer and not to computer users.

    Greetings
    Udo

  • Hello Udo,

    There's no such thing as "quasi-permanent ip addresses within VPN Pool (SSL)," so you can't count on the same computer to always get the same IP.

    If you want to do remote control of the remote computers from within your "Internal (Network)," you will need DNATs and Additional Addresses on the "Internal" interface.

    Cheers - Bob

  • Hey BAlfson,

    Yes, when you leave "Allow multiple concurrent connections per user" activated, clients get different IP addresses. But if you deactivate it and your number of VPN Pool (SSL) addresses is not exhausted, the VPN clients get the same IP address every time. I know that behaviour from Endian Firewall and confirmed it for Sophos UTM with his post of 7 Jul 2020 11:03 PM in this thread:

    "The pool of addresses is managed by OpenVPN and not the UTM DHCP, but basically, once you disconnect from the SSL VPN the IP is free. So yes, it can be infinite as long as it is not exhausted; the max it can handle is /16."

    Greetings
    Udo
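    Whether a client really keeps its VPN Pool (SSL) address across reconnects, as Udo and Bob disagree above, can be checked from the OpenVPN server's status file instead of assumed. The following is an added example, not code from this thread or from Sophos: it reads the ROUTING TABLE section of two constructed OpenVPN version-1 status snapshots and lists the clients whose pool address changed between them (the common names and pool addresses are constructed sample values).

```python
import ipaddress
from collections import defaultdict

# Constructed snapshots of an OpenVPN version-1 status file. The ROUTING TABLE
# section maps each client's common name to its current pool address. Real
# snapshots would be copied from the file written by OpenVPN's --status option.
SNAPSHOTS = [
    "OpenVPN CLIENT LIST\n"
    "ROUTING TABLE\n"
    "Virtual Address,Common Name,Real Address,Last Ref\n"
    "10.242.2.6,laptop-a,198.51.100.10:51234,Tue Jul  7 21:59:00 2020\n"
    "10.242.2.10,laptop-b,198.51.100.11:51235,Tue Jul  7 21:59:30 2020\n"
    "GLOBAL STATS\nEND\n",
    # Later snapshot: laptop-b reconnected and received a different address.
    "OpenVPN CLIENT LIST\n"
    "ROUTING TABLE\n"
    "Virtual Address,Common Name,Real Address,Last Ref\n"
    "10.242.2.6,laptop-a,198.51.100.10:51234,Wed Jul  8 09:00:00 2020\n"
    "10.242.2.14,laptop-b,198.51.100.12:40001,Wed Jul  8 09:01:00 2020\n"
    "GLOBAL STATS\nEND\n",
]

def parse_routing_table(status_text):
    """Return {common_name: virtual_address} from one status snapshot."""
    mapping = {}
    in_table = False
    for line in status_text.splitlines():
        if line.startswith("ROUTING TABLE"):
            in_table = True
            continue
        if line.startswith("GLOBAL STATS"):
            break
        if not in_table or line.startswith("Virtual Address"):
            continue
        fields = line.split(",")
        if len(fields) < 2:
            continue
        vaddr, cname = fields[0], fields[1]
        try:
            ipaddress.ip_address(vaddr)  # skip pushed subnet routes like "10.0.0.0/24"
        except ValueError:
            continue
        mapping[cname] = vaddr
    return mapping

def address_history(snapshots):
    """Collect every pool address each common name has held across snapshots."""
    seen = defaultdict(set)
    for snap in snapshots:
        for cname, vaddr in parse_routing_table(snap).items():
            seen[cname].add(vaddr)
    return {cn: sorted(addrs) for cn, addrs in seen.items()}

def unstable_clients(snapshots):
    """Common names whose pool address changed, so fixed NAT rules cannot rely on it."""
    return sorted(cn for cn, a in address_history(snapshots).items() if len(a) > 1)
```

    Any name reported by unstable_clients is one for which a firewall rule keyed on a single pool address would silently stop matching after a reconnect.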

  • That's valuable, new knowledge here, Udo - many thanks!

    Cheers - Bob
