OpenVPN server (CentOS 7): client devices are pulling VPN addresses outside of the defined DHCP Address Range.

Products Affected:

CentOS 7 based OpenVPN server on Wave 7.0

Issue:

With this particular configuration, when you apply changes to the DHCP Address Range, the OpenVPN service restarts as expected; however, client devices then start pulling VPN addresses from the lowest available IP in the subnet rather than from the configured range. In the example shown below, the first client receives 10.10.2.2, because 10.10.2.1 is the tun0 interface on the OpenVPN server itself.

Cause:

This appears to be related to the OpenVPN release, 2.4.x, used on the server when it is configured with 'topology subnet'. That setting lets the OpenVPN server use the entire address space of the client subnet. The previous OpenVPN release running on CentOS 6 did honor this setting by default, but it was configured to allocate a /30 network (reserving 4 IP addresses) to each client device.

Symptoms:

In Station Monitor, you will see that the phones below are getting the client IP addresses 10.10.2.2 and 10.10.2.3, as shown below. This contradicts the DHCP Address Range above, which shows that the first available IP should be 10.10.2.10.

Solution:

The solution here is to understand that, whatever network you assign to the OpenVPN clients, ALL of its addresses will be available to client devices, with the exception of the following:

  1. The network address, e.g. 10.10.2.0.
  2. The broadcast address, e.g. 10.10.2.255.
  3. The first host IP in the network, e.g. 10.10.2.1, which is allocated to the OpenVPN server itself.

The benefit is that in a /24 (255.255.255.0) network, rather than the 63 clients available to the CentOS 6 based OpenVPN server (one /30 per client), you can now fit 253 clients in the same address space.
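As an added illustration (this script is not part of the original article or of the OpenVPN project), the following Python code computes which addresses OpenVPN can actually hand out under 'topology subnet' versus the older per-client /30 allocation, and flags Station Monitor client addresses that fall outside the range an administrator expected. The range end 10.10.2.254 and the observed client list are assumed sample values.

```python
import ipaddress

def assignable_clients(network: str, topology: str) -> list:
    """Return the client addresses OpenVPN can assign from `network`.

    'subnet': every host address except the network address, the broadcast
              address and the first host, which the server's tun0 takes.
    'net30':  each client receives its own /30; the first /30 belongs to the
              server and the client address is the second host of each /30.
    """
    net = ipaddress.ip_network(network, strict=True)
    if topology == "subnet":
        hosts = list(net.hosts())          # excludes network and broadcast
        return [str(h) for h in hosts[1:]] # drop the server's address (.1)
    if topology == "net30":
        blocks = list(net.subnets(new_prefix=30))[1:]  # skip the server's /30
        return [str(block[2]) for block in blocks]     # client IP is 2nd host
    raise ValueError("topology must be 'subnet' or 'net30'")

def clients_outside_range(observed: list, range_start: str, range_end: str) -> list:
    """Return observed client IPs that lie outside the configured DHCP range."""
    lo = int(ipaddress.ip_address(range_start))
    hi = int(ipaddress.ip_address(range_end))
    return [ip for ip in observed if not lo <= int(ipaddress.ip_address(ip)) <= hi]

if __name__ == "__main__":
    subnet = "10.10.2.0/24"
    print("topology subnet :", len(assignable_clients(subnet, "subnet")), "clients")
    print("topology net30  :", len(assignable_clients(subnet, "net30")), "clients")
    # Constructed sample of phone addresses seen in Station Monitor; the
    # configured range start 10.10.2.10 is from the article, the end is assumed.
    seen = ["10.10.2.2", "10.10.2.3", "10.10.2.12"]
    print("outside range   :", clients_outside_range(seen, "10.10.2.10", "10.10.2.254"))
```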