Reserve / block certain IPs in pool

We are on AWS - and on their VPC the first 2 IPs are reserved for their use

We had a user that got assigned x.x.x.2, which is reserved for AWS use - so I would like to block the first 2 IPs in the subnet

Technically AWS should not use this IP as the subnet is just routed to pritunl; it’s not in use directly on a VPC subnet, but I wish to rule out any complications

The AWS VPC can’t be used as the VPN virtual network; these need to be different subnets. The AWS route advertisement documentation explains how to configure automatic static routing of the VPN virtual network to the VPC routing table.

The routing is all working; my question was about reserving/excluding an IP from being assigned

There’s no option to exclude specific IP addresses.


On a related note, I have a similar situation in an on-prem environment. My subnet structure is divided this way (10.0.0.0/24):

10.0.0.1 - Gateway
10.0.0.5 - Gateway 2
10.0.0.20-254 - Start of available IPs

I currently have a VPN server configured to use 10.0.0.128/25, but this means 10.0.0.20-10.0.0.127 is not used. Given that there is not an option to exclude IP addresses, what would be the recommended way to better utilize the majority of the /24 subnet?

It’s not a valid configuration; you seem to be thinking of bridged mode. There is a bridged mode, it’s in the advanced server settings with an enterprise subscription. This will then show Network Start and Network End, but this is only going to work in specific environments that will support a network bridge. It won’t work on AWS or any of the cloud providers even with source/dest checking disabled. It also won’t work on RHEL servers if SELinux is enabled. There are a lot of other issues and limitations with bridged mode; it’s mostly unmaintained. A non-NAT configuration with the virtual network routed should be used instead.

Maybe I worded something incorrectly, but my setup sounds very similar to the OP’s (except I’m on-prem versus cloud). My configuration for the non-NAT VPN (I have two separate Pritunl instances):

  1. I have an Enterprise subscription
  2. VPN host is running at 10.0.0.3/24
  3. Server Settings → Virtual Network = 10.0.0.128/25
  4. Server Settings → Network Mode = Tunnel
  5. Subnet routes have been added to the VPN server (I am not using the 0.0.0.0 route), with NAT Route unchecked for each route.
  6. The gateway (firewall) at 10.0.0.1 has a static route to push traffic bound for 10.0.0.128/25 to 10.0.0.3

All of this is working fine. Users connect, get an IP from 10.0.0.128/25, and they can talk to the routed subnets on the network through the firewall. However, if I want to utilize the IPs from 10.0.0.4-10.0.0.127, I have to create another VPN server with a smaller virtual network (e.g. 10.0.0.64/26) to fill in the gaps.

It may work, but it’s not a valid configuration. There will be overlapping subnets, and it can create problems that will be very difficult to debug. The VPN virtual network is specifically a virtual network created on the Pritunl host; it cannot bridge to the existing subnet that the host is on.