Limit DHCP IP range for OpenVPN clients (GUI Only)
-
Uh, I'd look at Netgate docs https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html
Ovpn Server configuration, not mention any dhcp server setting.Are you follow this guide? If you set client-server vpn the remote client ip isn't managed by dhcp server of pfsense interface you set to "Local Network"?
-
@babiz there is no mention of DHCP on the OpenVPN setup page, but you have to set the Tunnel Network which is the network that Clients get assigned (in our example, .1 is the VPN gateway). If you don't assign static IPs using client-specific settings, Users get an IP from the Tunnel Network range so it IS using DHCP (and in fact, if you look at the OpenVPN logs when saving the config you can see it set that range).
-
@gwright_sov ouch, so I'm not a ovpn expert, well advice from @jimp don't fit your need?
I just looked at ovpn server configuration and I see stuff like this:
Did you try to rely remote host on a small subnet each one for tunnel, will be useful for you?
I mean to set virtual network on /30 and allow only one connected client for server process. Not right for you? -
You can possibly add
ifconfig-pool 192.168.20.16 192.168.20.253
which gives out addresses from .16 to .253 and has room for 14 fixed IP clients, .2 to .15.
-
@pippin thanks yeah, we tried that before but you can't set it in the GUI, it just says it's already set.
-
Ok, shame on me, I should have read the OP better.
But that's odd...I created a RA TLS User Auth server and can add ifconfig-pool just fine.
dev ovpns1 verb 4 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp4 cipher AES-256-CBC auth SHA512 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown client-connect /usr/local/sbin/openvpn.attributes.sh client-disconnect /usr/local/sbin/openvpn.attributes.sh learn-address "/usr/local/sbin/openvpn.learn-address.sh home.lan" local 192.168.42.137 tls-server server 192.168.20.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc/server1 username-as-common-name plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= true server1 1194 tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server1' 1" lport 1194 management /var/etc/openvpn/server1.sock unix ca /var/etc/openvpn/server1.ca cert /var/etc/openvpn/server1.cert key /var/etc/openvpn/server1.key dh /etc/dh-parameters.2048 tls-crypt /var/etc/openvpn/server1.tls-crypt ncp-ciphers AES-256-GCM compress push "compress " persist-remote-ip float topology subnet fast-io ifconfig-pool 192.168.20.16 192.168.20.253
Can you
ls /var/etc/openvpn
and
cat /var/etc/openvpn/server.conf
replacing server.conf with yours?
Command Prompt is in Diagnostics menu.
Just wondering if ifconfig-pool line is in there... -
Hm, forget the above, did not check the logs, you were right.
But,
addingserver 192.168.20.0 255.255.255.0 'nopool';ifconfig-pool 192.168.20.16 192.168.20.253
to the Custom options does it.
Although now there are two server directives in the config, the last one is being used, confirmed by the log @verb4.Just for info:
server address is .1
DHCP server is .254
broadcast is .255
Those are not usable for clients.@jimp
Can we have a checkbox to set the 'nopool' option for the --server network netmask ['nopool'] directive and when ticked expands with a field to define the DHCP pool?Thanks.
-
@Pippin said in Limit DHCP IP range for OpenVPN clients (GUI Only):
I came to this topic searching for solution to the OpenVPN pool problem. Is there any solutions to this problem already? I think the suggestion of @Pippin makes sense.
-
@yurtesen This actually solved the exact same problem I had
-
@gwizzle What solved the problem? there is still no checkbox for
nopool
?