Feature Request: Support multiple IP pools and per‑CCD pool assignment

[zasim87]

Feature Request: per‑CCD subnet support
Summary
OpenVPN currently allows defining static IP addresses and iroute directives in CCD files, but it does not support assigning a dedicated subnet to a specific client. This limits deployments where a client represents a remote network or needs multiple internal addresses behind a single tunnel.

Problem
In many real‑world setups, a client is not a single host but a gateway for multiple services or devices. Today, OpenVPN requires manual routing workarounds or external orchestration to handle such cases. CCD cannot define a subnet for a client; it can only reference an existing subnet behind the client via iroute.

Requested Enhancement
Add support for defining a unique subnet per client inside its CCD file. Expected behavior:

Allow specifying a subnet (e.g., subnet 10.8.10.0 255.255.255.0) in CCD

Server automatically allocates and manages that subnet

Server advertises routes to other clients and upstream routers

Detect and prevent overlapping subnets

Maintain backward compatibility with existing CCD functionality

Use Cases
Remote branch offices with multiple internal hosts

IoT gateways with several devices behind a single tunnel

Multi‑service clients requiring isolated address space

Scenarios where each client must have its own routed segment

Why this matters
This feature would simplify network design, reduce manual routing configuration, and make OpenVPN more suitable for modern multi‑device and multi‑service deployments.

Environment
OpenVPN 2.x server

Linux-based deployments

CCD enabled via client-config-dir

Additional Notes
There are several forum discussions where users attempt similar setups, but the current architecture does not support per‑client subnet allocation. This feature would fill a long‑standing gap.

[ordex]

may you explain a bit more in detail what would be the difference with today when using iroute + route?

[schwabe]

Detect and prevent overlapping subnets

Maintain backward compatibility with existing CCD functionality

These two are in violation to each other. Currently when one CCD has a iroute that is a smaller netmask that in contained in an iroute of another CCD (ie overlapping), we assume normal routing with longest-prefix match.

There are several forum discussions where users attempt similar setups, but the current architecture does not support per‑client subnet allocation. This feature would fill a long‑standing gap.

Most of us developers are not reading the forum. Please summarise these post and provide links.

Why this matters
This feature would simplify network design, reduce manual routing configuration, and make OpenVPN more suitable for modern multi‑device and multi‑service deployments.

Please provide a bit more information why these scenarios cannot be solved with iroute currently.

In many real‑world setups, a client is not a single host but a gateway for multiple services or devices. Today, OpenVPN requires manual routing workarounds or external orchestration to handle such cases. CCD cannot define a subnet for a client; it can only reference an existing subnet behind the client via iroute.

iroute is just IPs routed to a client. The server does not really care what happens on the other end of the tunnel with these IP addresses. Please provide a more concrete example of what you want to achieve as I do not see this scenario where iroute is insufficent.

[zasim87]

Thanks for the questions — let me clarify the exact requirement.

I need different CCD groups to receive tunnel addresses from different subnets, for example:

Group A → 10.8.10.0/24

Group B → 10.8.20.0/24

Group C → 10.8.30.0/24

The goal is for each client in a CCD group to automatically get an address from that group’s subnet without manually assigning static IPs via ifconfig-push.

iroute does not solve this, because it only declares routes behind the client. It does not allow the server to choose the address pool for the client itself. OpenVPN currently has only one global pool, so all clients receive addresses from the same range unless every IP is manually configured.

This feature request is specifically about:

Per‑CCD address pool selection, not routing.

This would allow scalable multi‑group deployments without hundreds of static assignments.

[cron2]

Let me re-try this (deleted the previous answer because it was going off the wrong tangent).

Now that you have specified what you actually want (a pool serving more than one client, but having multiple pools you can put clients into, depending on group) this is easier to answer - yes, it would be nice to have, and we have an open feature request for that since ages. Somebody needs to either program it, or pay someone to do it.

This has nothing to do with "a client is not a single host but a gateway for multiple services or devices" (quote from above!), though - that is what iroute is the right solution for: route a subnet to a client, which can then service "multiple devices". So you need to be a bit more precise in what you want, to get useful answers.

[schwabe]

Most people who need this kind of flexibility currently use client-connect script to assign IP addresses via a script (or use management interface).

That script then generates the ifconfig-push directives dynamically. When you are at the point that you need dynamic IP assignment but from different pools you requirements might quickly no longer match what OpenVPN can offer internally.

Commercial products build on OpenVPN like OpenVPN Access Server also can offer this using the same hooks.

[ordex]

@zasim87 any hint?

[cron2]

I think we can leave this open, as a feature request. Not sure who will find time, and when, to implement it - but I have more than one scenario where I'd love to have this.

(Admittedly I'd also love to have pools synchronized across OpenVPN instances running on different machines, with iroute-to-bgp, so whichever server you hit you get the same IP routed to that server - but that's yet another level increase ;-) )