Netgate Discussion Forum

    OpenVPN server static IP

    • RicoR
      Rico LAYER 8 Rebel Alliance

      The server gets the first IP of the tunnel network; the remaining IPs are the range for clients.

      -Rico

      • Y
        yummy909

        I see that but my goal is to be on the same subnet as the lan side. Is there a way?

        • JKnottJ
          JKnott @yummy909

          @yummy909 said in OpenVPN server static IP:

          I see that but my goal is to be on the same subnet as the lan side. Is there a way?

          Set up a TAP VPN, instead of TUN.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • Y
            yummy909

            I'll give that a try. I'll keep you posted.

            • RicoR
              Rico LAYER 8 Rebel Alliance

              You should stay in standard tun mode, only switch to tap if you really need to.

              -Rico

              • Y
                yummy909

                So I tried the TAP mode and now it works great on my laptop. My phone is another issue. The OpenVPN iOS app will not accept TAP mode. TUN mode only. So I made two OpenVPN servers. One TUN for my phone and TAP for my laptop. Was really hoping to get both on TAP mode. So all in all, a success! Thanks for the help! Just a side note. I seem to be bottlenecked with downloading or uploading. Bounces around 2 to 5 MB/s. I am on a gigabit network and my pfSense router CPU barely cracks 2% load. Any way to speed up the VPN?

                • RicoR
                  Rico LAYER 8 Rebel Alliance

                  Try with these options

                  fast-io
                  sndbuf 524288
                  rcvbuf 524288
                  

                  -Rico

                  • Y
                    yummy909

                    To the server or the client config file?

                    • RicoR
                      Rico LAYER 8 Rebel Alliance

                      Both sides.

                      -Rico

                      • Y
                        yummy909

                        Thanks for the tip but no improvement. I would have to run it again without the mod but I think it might have gotten worse.

                        • Y
                          yummy909

                          Well, going to try something. I'll report back later.

                          • RicoR
                            Rico LAYER 8 Rebel Alliance

                            Maybe you need to play around a bit with those parameters.
                            Check https://forum.netgate.com/topic/115495/openvpn-fast-io-and-sndbuf-rcvbuf-options-in-the-gui and https://redmine.pfsense.org/issues/7507

                            -Rico

                            • JKnottJ
                              JKnott @Rico

                              @rico said in OpenVPN server static IP:

                              You should stay in standard tun mode, only switch to tap if you really need to.

                              -Rico

                              He said "I see that but my goal is to be on the same subnet as the lan side. Is there a way?". The only way that's going to happen is with TAP. Tun requires a separate subnet.

                              Here's some info on what he wants to do:

                              Bridged OpenVPN Connections

                              PfSense running on Qotom mini PC
                              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                              UniFi AC-Lite access point

                              I haven't lost my mind. It's around here...somewhere...

                              1 Reply Last reply Reply Quote 1
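Added example (not part of the original posts): a small Python check that reads an OpenVPN server config and reports where the server and clients get their addresses relative to the LAN, showing the tun (separate subnet) versus tap with `server-bridge` (LAN subnet) difference discussed above. The sample configs, the LAN 192.168.1.0/24 and the function names are constructed for illustration; the tun client range follows the first post's description, and the pool OpenVPN actually hands out can be narrower depending on topology.

```python
import ipaddress

# Constructed sample server configs; all addresses are placeholders.
TUN_CONF = """
dev tun
server 10.8.0.0 255.255.255.0   # routed: tunnel network separate from the LAN
"""
TAP_CONF = """
dev tap
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
"""

def directives(text):
    """Map directive name -> argument list, ignoring blanks and # comments."""
    out = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            out[parts[0]] = parts[1:]
    return out

def addressing(text, lan_cidr):
    """Report server/client addressing of a config relative to the LAN subnet."""
    d = directives(text)
    lan = ipaddress.ip_network(lan_cidr)
    mode = "tap" if d.get("dev", ["tun"])[0].startswith("tap") else "tun"
    if "server-bridge" in d:
        # server-bridge gateway netmask pool-start pool-end (bridged, layer 2)
        gateway, mask, first, last = d["server-bridge"]
        net = ipaddress.ip_network(f"{gateway}/{mask}", strict=False)
        server_ip = ipaddress.ip_address(gateway)
        pool = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    else:
        # server network netmask: server takes the first host address; the
        # rest is treated as the client range, as the first post describes.
        network, mask = d["server"][:2]
        net = ipaddress.ip_network(f"{network}/{mask}")
        server_ip, pool = net[1], (net[2], net[-2])
    return {
        "mode": mode,
        "server_ip": str(server_ip),
        "client_range": (str(pool[0]), str(pool[1])),
        "clients_on_lan_subnet": all(ip in lan for ip in pool),
        "tunnel_overlaps_lan": net.overlaps(lan),
    }

if __name__ == "__main__":
    for name, conf in (("tun", TUN_CONF), ("tap", TAP_CONF)):
        print(name, addressing(conf, "192.168.1.0/24"))
```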
                              • RicoR
                                Rico LAYER 8 Rebel Alliance

                                I know what he asked and what a bridge is.
                                99% of people asking for this do not really need to carry layer 2 over VPN and just want to have the same subnet for some kind of cosmetic reason.
                                For most scenarios to cover layer 3 is just fine, in OpenVPN it is widely supported, more stable, less overhead.
                                If you really need to transfer layer 2 stuff...sure go for tap mode, but you need to live with the downsides then.

                                -Rico

                                • Y
                                  yummy909

                                  Wanted to give an update. TAP VPN has been working great! Everything works and the speed issue was my connection where I was. Thank you for everyone's help!! pfSense is awesome!!

                                  • Y
                                    yummy909

                                    By the way... What is the con of doing TAP vs TUN VPN?

                                    • RicoR
                                      Rico LAYER 8 Rebel Alliance

                                      TAP benefits:

                                      • behaves like a real network adapter (except it is a virtual network adapter)
                                      • can transport any network protocols (IPv4, IPv6, Netalk, IPX, etc, etc)
                                      • Works in layer 2, meaning Ethernet frames are passed over the VPN tunnel
                                      • Can be used in bridges

                                      TAP drawbacks:

                                      • causes much more broadcast overhead on the VPN tunnel
                                      • adds the overhead of Ethernet headers on all packets transported over the VPN tunnel
                                      • scales poorly
                                      • can not be used with Android or iOS devices

                                      TUN benefits:

                                      • A lower traffic overhead, transports only traffic which is destined for the VPN client
                                      • Transports only layer 3 IP packets

                                      TUN drawbacks:

                                      • Broadcast traffic is not normally transported
                                      • Can only transport IPv4 (OpenVPN 2.3 adds IPv6)
                                      • Cannot be used in bridges

                                      -Rico

                                      • Y
                                        yummy909

                                        Awesome write up! Do you know, or have you heard, when the iOS app will possibly be updated to work on TAP? I have some programs I have written, but being on a TUN VPN breaks certain features.

                                        • RicoR
                                          Rico LAYER 8 Rebel Alliance

                                          "The iOS VPN API supports only tun-style tunnels at the moment. This is a limitation of the iOS platform. If you try to connect a profile that uses a tap-based tunnel, you will get an error that only layer 3 tunnels are currently supported."
                                          (https://openvpn.net/faq/why-doesnt-the-app-support-tap-style-tunnels/)

                                          -Rico

                                          • Y
                                            yummy909

                                            Oh, I am aware. What I am asking is whether you have heard about any development on adding TAP to iOS?
