Netgate Discussion Forum

    OpenVPN (tap) and Static IPs

    6 Posts 3 Posters 6.4k Views
    • T
      Tak-MK
      last edited by

      Hi!
      I've configured an OpenVPN server (tap) and it's working flawlessly except one thing; I cannot assign IPs to each vpn user.
      What I do:

      • Create a new user and a certificate (user vpn)

      • Put "vpn" on the CN field

      • Save and go to VPN -> OpenVPN -> Client Specific Overrides -> Add

      • I select the only VPN on the list, put "vpn" in the Common Name field and "ifconfig-push 10.0.5.77 255.255.0.0;" in the advanced options and Save

      • Export the config for a Windows client and install it on a PC which is connected using a tethered connection through my mobile (so it's outside the office's network)

      • Login using "vpn" and the pass

      • Get another IP from the DHCP service (10.0.6.40 in this case) :(

      The server has a 10.0.0.0/16 network configured.

      I changed the "ifconfig-push 10.0.5.77 255.255.0.0;" to "ifconfig-push 10.0.5.77 10.0.0.1;" but still won't work. I'm using pfsense 2.3.1-RELEASE-p5.

      Thanks a lot!

      • T
        Tak-MK
        last edited by

        bump!

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          One of four things is happening:

          1. The CN isn't matching (check the server log to see what it shows as connecting)
          2. The client is rejecting the ifconfig syntax (check the client log)
          3. The client is ignoring the ifconfig-push (client log may say why)
          4. You have one of the weird edge case configs that might need a manual "mode server;" in the advanced options

          Don't manually enter ifconfig-push. Use the tunnel network box instead and let the firewall figure out the syntax. For tap mode, it would be 10.0.5.77/16 in your case.

          And /16 is just insane to use for a VPN tunnel network. Why?

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • T
            Tak-MK
            last edited by

            @jimp:

            One of four things is happening:

            1. The CN isn't matching (check the server log to see what it shows as connecting)
            2. The client is rejecting the ifconfig syntax (check the client log)
            3. The client is ignoring the ifconfig-push (client log may say why)
            4. You have one of the weird edge case configs that might need a manual "mode server;" in the advanced options

            Don't manually enter ifconfig-push. Use the tunnel network box instead and let the firewall figure out the syntax. For tap mode, it would be 10.0.5.77/16 in your case.

            And /16 is just insane to use for a VPN tunnel network. Why?

            The /16 is for the entire network, VPN will use only the 10.0.5.1 to 10.0.5.254.  :D

            I'll check the logs, thanks!

            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              Then the VPN tunnel network should only be 10.0.5.0/24 and the static addresses would also be set as 10.0.5.x/24

              The /16 wouldn't come into play except perhaps as a "Local Network" on the OpenVPN server settings so they get a route pushed.

              1 Reply Last reply Reply Quote 0
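Added example, not part of the thread and not pfSense's own code: a check of hand-written tap-mode `ifconfig-push` lines like the two tried in the first post against the 10.0.5.0/24 tunnel network suggested above, plus the CIDR-to-directive conversion that the tunnel network box spares you from doing by hand. The function names are hypothetical and the server address 10.0.5.1 is an assumption; in tap mode OpenVPN takes an address followed by a netmask.

```python
import ipaddress


def tap_push_from_cidr(entry):
    """Turn '10.0.5.77/24' into the address/netmask form used in tap mode."""
    iface = ipaddress.ip_interface(entry)
    return f"ifconfig-push {iface.ip} {iface.netmask}"


def check_tap_push(directive, tunnel_cidr, server_ip):
    """List the problems in a hand-written tap-mode ifconfig-push line."""
    net = ipaddress.ip_network(tunnel_cidr)
    # The advanced options box separates directives with ';'
    parts = directive.strip().rstrip(";").split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return ["expected: ifconfig-push <address> <netmask>"]
    try:
        addr = ipaddress.ip_address(parts[1])
    except ValueError:
        return [f"{parts[1]} is not an IP address"]

    problems = []
    try:
        # Second argument must be a dotted netmask, not a peer or gateway
        mask = ipaddress.ip_network(f"0.0.0.0/{parts[2]}")
        if str(mask.netmask) != parts[2]:
            raise ValueError(parts[2])
    except ValueError:
        problems.append(f"{parts[2]} is not a netmask")
    else:
        if mask.prefixlen != net.prefixlen:
            problems.append(
                f"mask /{mask.prefixlen} differs from tunnel /{net.prefixlen}")

    if addr not in net:
        problems.append(f"{addr} is outside {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address")
    elif addr == ipaddress.ip_address(server_ip):  # assumed server address
        problems.append(f"{addr} is the server's own address")
    return problems


if __name__ == "__main__":
    print(tap_push_from_cidr("10.0.5.77/24"))
    for line in ("ifconfig-push 10.0.5.77 255.255.0.0;",
                 "ifconfig-push 10.0.5.77 10.0.0.1;"):
        print(line, "->", check_tap_push(line, "10.0.5.0/24", "10.0.5.1"))
```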
              • T
                trueno
                last edited by

                I am using the subnet feature (pfSense) trying to migrate from the net30 architecture. Some of my clients are 2.1.5, the rest are 2.3.2.

                I have ifconfig-push configured properly in the server's client-specific override.

                I believe I have configured this correctly because routing seems to work. However, I cannot find the client tunnel-end address I assigned to any of my clients in their routing tables (ovpn or FreeBSD). Ifconfig yields only 172.16.64.0 --> 172.16.64.1 (the server) on the relevant interface. Ovpn status routes shows only 172.16.64.0 for the virtual interface.

                Is this correct?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.