Netgate Discussion Forum

    Defining OpenVPN TUN Address Pool in pfSense

    8 Posts 3 Posters 2.1k Views
    • blabs

      Is it possible to define the OpenVPN address pool in pfSense? Adding the directive "ifconfig-pool 10.10.22.100 10.10.22.254 255.255.255.0" to the "Custom Options" area in the OpenVPN server advanced configuration area causes the server not to start and an error to be thrown, likely because pfSense creates the server instance using the "server" helper directive in the config file and that conflicts with the "ifconfig-pool" directive.

      • blabs

        Anybody?

        • JKnott

          Isn't the address range set in the IPv4 Tunnel Network, on the Server's tab? Mine's set to 172.16.255.0/24. I also have a /64 configured for IPv6.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • johnpoz, LAYER 8 Global Moderator

            Yes, you set the tunnel right there in the GUI. The wizard even fills it in for you, I believe, which you can set to something different when you run it, or afterwards in the GUI.

            [Attached image: 0_1540022372697_tunnelsettings.png]

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • blabs

              That sets the VPN tunnel network, not specifically the pool. I'm assuming the pool is generated automatically from the subnet setting in use but that does not give a lot of flexibility for static clients.

              For example, I want to use an entire /24 for my VPN network. I want 10.10.22.2 - 99 to be static clients, then 10.10.22.100 - 254 to be dynamic clients. I do not want OpenVPN to attempt to automatically assign a client an IP from the 10.10.22.2 - 10.10.22.99 range. This can be accomplished by using the ifconfig-pool directive; however, OpenVPN in pfSense will not allow this because of how the server directive is used.

              See this link:
              https://serverfault.com/questions/910241/how-to-prevent-clients-from-getting-static-ips-set-by-client-specific-overrides

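The static/dynamic split described in the post above matters wherever firewall rules are keyed on a client's tunnel address, and it can be checked offline. The following is an added example, not code from the thread or from pfSense: the server lines use stock OpenVPN syntax (including the `nopool` flag of `server`), the client names and override contents are constructed, and `parse_server` and `audit` are hypothetical helper names.

```python
import ipaddress

# Constructed sample in stock OpenVPN syntax (not a pfSense-generated file).
SERVER_CONF = """\
topology subnet
server 10.10.22.0 255.255.255.0 nopool
ifconfig-pool 10.10.22.100 10.10.22.254 255.255.255.0
"""

# Constructed client-specific overrides: common name -> override file contents.
CLIENT_OVERRIDES = {
    "branch-router": "ifconfig-push 10.10.22.10 255.255.255.0\n",
    "backup-host": "ifconfig-push 10.10.22.150 255.255.255.0\n",  # inside the pool
    "old-laptop": "ifconfig-push 10.10.23.7 255.255.255.0\n",     # outside the tunnel
}

def directives(text):
    """Yield whitespace-split directives, skipping blanks and # / ; comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            yield line.split()

def parse_server(conf):
    """Return (tunnel_network, pool_start, pool_end) from server/ifconfig-pool lines."""
    network = pool = None
    for d in directives(conf):
        if d[0] == "server" and len(d) >= 3:
            network = ipaddress.ip_network(f"{d[1]}/{d[2]}")
        elif d[0] == "ifconfig-pool" and len(d) >= 3:
            pool = (ipaddress.ip_address(d[1]), ipaddress.ip_address(d[2]))
    if network is None or pool is None:
        raise ValueError("need both 'server' and an explicit 'ifconfig-pool'")
    return network, pool[0], pool[1]

def audit(conf, overrides):
    """Return {common_name: problem} for static addresses that break the plan."""
    network, start, end = parse_server(conf)
    findings = {}
    for cn, text in sorted(overrides.items()):
        for d in directives(text):
            if d[0] != "ifconfig-push" or len(d) < 2:
                continue
            addr = ipaddress.ip_address(d[1])
            if addr not in network:
                findings[cn] = f"{addr} is outside tunnel network {network}"
            elif start <= addr <= end:
                findings[cn] = f"{addr} is inside dynamic pool {start}-{end}"
    return findings
```

Calling `audit(SERVER_CONF, CLIENT_OVERRIDES)` returns one entry per override whose static address collides with the dynamic pool or falls outside the tunnel network; an empty dictionary means the static and dynamic ranges stay separate.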
              • johnpoz, LAYER 8 Global Moderator

                You can also just use a different tunnel network for the clients you are assigning statics to ;) Much easier, cleaner solution ;)

                • blabs

                  When you say use a different tunnel network, you mean create another OpenVPN server instance or something else? I am trying to avoid creating another server instance (will be the 7th OpenVPN server on this virtual pfSense install) since OpenVPN is not multi-threaded and I am trying to save cost on vCPUs in the cloud.

                  If there is a way to create a second tunnel network for a single OpenVPN server instance, I would love to know how...

                  • johnpoz, LAYER 8 Global Moderator

                    When you create your client override you can call out a different tunnel network.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.