From 04f2996c7951753ecda4ff10b92b34f9e37881ea Mon Sep 17 00:00:00 2001
From: Stanislas
Date: Fri, 12 Dec 2025 00:04:51 +0100
Subject: [PATCH] fix: disable ifconfig-pool-persist when duplicate-cn is enabled (#1354)

## Summary
- Only add `ifconfig-pool-persist` to server.conf when `MULTI_CLIENT != y`
- Add note in the installation prompt about this limitation
- Update README to mention the trade-off

First reported in https://github.com/angristan/openvpn-install/issues/440#issuecomment-2987417197

## Background
`ifconfig-pool-persist` is incompatible with `duplicate-cn`. When `duplicate-cn` is enabled, OpenVPN bypasses common name matching in the IP pool allocation, making the persistence file ineffective.

From [OpenVPN source](https://github.com/OpenVPN/openvpn/blob/e5ff8247/src/openvpn/init.c#L3608-L3610):
```c
if (o->duplicate_cn && o->ifconfig_pool_persist_filename) { msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn"); }
```

Previously, the script always added `ifconfig-pool-persist ipp.txt` regardless of whether `duplicate-cn` was enabled via `MULTI_CLIENT=y`.
---
 README.md | 2 +-
 openvpn-install.sh | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 5f002c1..b8bd758 100644
--- a/README.md
+++ b/README.md
@@ -140,7 +140,7 @@ export PASS="1"
 - Block DNS leaks on Windows 10
 - Randomised server certificate name
 - Choice to protect clients with a password (private key encryption)
-- Option to allow multiple devices to use the same client profile simultaneously
+- Option to allow multiple devices to use the same client profile simultaneously (disables persistent IP addresses)
 - Many other little things!
 
 ## Compatibility
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 2ed9da2..1d86962 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -636,6 +636,7 @@ function installQuestions() {
 done
 log_menu ""
 log_prompt "Do you want to allow a single .ovpn profile to be used on multiple devices simultaneously?"
+ log_prompt "Note: Enabling this disables persistent IP addresses for clients."
 until [[ $MULTI_CLIENT =~ (y|n) ]]; do
 read -rp "Allow multiple devices per client? [y/n]: " -e -i n MULTI_CLIENT
 done
@@ -1124,8 +1125,12 @@ persist-key
 persist-tun
 keepalive 10 120
 topology subnet
-server 10.8.0.0 255.255.255.0
-ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
+server 10.8.0.0 255.255.255.0" >>/etc/openvpn/server.conf
+
+ # ifconfig-pool-persist is incompatible with duplicate-cn
+ if [[ $MULTI_CLIENT != "y" ]]; then
+ echo "ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
+ fi
 
 # DNS resolvers
 case $DNS in
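Review bot: The new `[[ $MULTI_CLIENT != "y" ]]` test in the second hunk is an exact comparison, but the validation loop in the first hunk uses the unanchored `=~ (y|n)`, so an input such as `yes` passes the prompt and still lands in the branch that writes `ifconfig-pool-persist ipp.txt`. Anchoring the check, `until [[ $MULTI_CLIENT =~ ^[yn]$ ]]; do`, keeps validation and the later comparison in agreement. The line that writes `duplicate-cn` is outside this hunk; it should use the same comparison so server.conf can never end up with both directives. The added comment could also state the reason, for example `# duplicate-cn bypasses CN matching in the IP pool, so ipp.txt would not be honoured (OpenVPN only warns)`. The enclosing echo block and its function begin outside the hunk.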