PfSense server, OVPN client …. ifconfig autoconfig?
-
I am doing some testing of an extremely simple OVPN setup, essentially using all the pfSense 2.02-Release default settings, and the OVPN Portable 1.8.2 for Windows:
http://sourceforge.net/projects/ovpnp/
At the moment I am just trying to hack it into operation, without fully understanding all the options. This works from my home computer, and here's the config:
pfSense, OpenVPN: Server
Server mode: Peer to Peer (Shared key)
Protocol: UDP
Device mode: tun
Interface: WAN
Local port: 1194
Shared key: (Generated by pfSense)
Encryption algorithm: AES-128-CBC (128-bit)
Hardware Crypto: No acceleration
Tunnel network: 192.168.103.0/24
Local network: 10.0.0.0/16
Remote network: (blank)
Concurrent connections: 16
OVPN config, is a text file named .\data\config\client.ovpn
; Enable verbose logging
verb 3

; Remote site to VPN into
remote 123.123.123.123
dev tun
proto udp
nobind

; No idea what this is for. OVPN wants it in client mode
ifconfig 192.168.103.2 192.168.103.1

; static.key is a text file containing the generated key from pfSense
secret static.key

; pfSense 2.0's default key cipher is not the default for Open VPN Portable, so must specify it
cipher AES-128-CBC

; The above will get you connected, but nothing will work without a route to the remote network.
; This copypasta does the magic:
route-method exe
route-delay 2
redirect-gateway def1

I do not understand why the OVPN client DEMANDS I use the ifconfig option in the client configuration. During startup it reads the configuration info for ifconfig from the server by itself anyway, and will proceed to whine at me, if the ifconfig settings don't match the server settings.
Um, if the OVPN client is reading the settings from the server, why not just use whatever the server is telling you rather than requiring me to hardcode it in the config?
However, there does not appear to be an "ifconfig auto" option.
My concern here is that I don't want to be hardcoding client addresses into the configuration. The eventual goal is to create a universal installer that I can hand our staff, and say "Install this on your home computer for remote desktop access".
I do not want to have to be creating individual installers with separate custom ifconfig settings for each client, to keep people from accidentally using the same remote address, and then nothing works due to overlapping remote addresses.
Is there some sort of "DHCP autoconfig" for the client ifconfig address?
-
You're using shared key mode with tun, which requires that you set an IP with ifconfig.
If you use a server mode (ssl/tls) then it can automatically supply an IP to clients.
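
What the reply describes, as an added example that is not from either poster: the static-key client file from the question next to a TLS-mode equivalent, where `client` makes OpenVPN pull its tunnel address from the server instead of reading it from an `ifconfig` line. Assumptions: the pfSense server has been switched to an SSL/TLS mode on the same tunnel network, its certificate is marked for server use, and `ca.crt`, `client.crt` and `client.key` are placeholder file names.

```conf
; --- Before: static-key client from the question (point-to-point) ---
; Both tunnel endpoints must be written into the file, and every
; installer would carry the same secret.
dev tun
proto udp
remote 123.123.123.123
nobind
ifconfig 192.168.103.2 192.168.103.1
secret static.key
cipher AES-128-CBC

; --- After: TLS-mode client (assumes the server runs an SSL/TLS mode) ---
; "client" expands to "pull" plus "tls-client": the tunnel address and
; any pushed options come from the server, so there is no ifconfig line.
client
dev tun
proto udp
remote 123.123.123.123
nobind
; Placeholder file names. ca.crt is the same for everyone; the
; certificate and key are issued per user so one can be revoked alone.
ca ca.crt
cert client.crt
key client.key
; Reject peers whose certificate is not marked as a server certificate
; (assumes the server certificate was issued with server key usage).
remote-cert-tls server
cipher AES-128-CBC
; Windows routing lines carried over unchanged from the question.
route-method exe
route-delay 2
redirect-gateway def1
verb 3
```

In static-key mode a tunnel is strictly one client to one server and the same secret sits in plaintext on every machine that has the installer. With the TLS form the config text is identical for all staff and only the per-user certificate and key differ.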