Netgate Discussion Forum

    Limit DHCP IP range for OpenVPN clients (GUI Only)

gwright_sov @jimp

Well, I mean that would work, but does DHCP automatically assign the lowest unused IP, or does it just increment and then start over? So if Joe gets 20.2, Bob gets 20.3, etc., then Joe disconnects and Steve logs in, does Steve get 20.2 or 20.4? Seems like a security lottery vs. actual certainty of who gets what IP :)

Babiz

Uh, I'd look at the Netgate docs: https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html
The OpenVPN server configuration there doesn't mention any DHCP server setting.

Are you following this guide? If you set up a client-server VPN, isn't the remote client IP managed by the DHCP server of the pfSense interface you set as "Local Network"?

gwright_sov @Babiz

@babiz there is no mention of DHCP on the OpenVPN setup page, but you have to set the Tunnel Network, which is the network that clients get assigned from (in our example, .1 is the VPN gateway). If you don't assign static IPs using client-specific settings, users get an IP from the Tunnel Network range, so it IS using DHCP (and in fact, if you look at the OpenVPN logs when saving the config, you can see it set that range).

Babiz @gwright_sov

@gwright_sov ouch, so I'm not an OpenVPN expert; well, does the advice from @jimp not fit your need?
I just looked at the OpenVPN server configuration and I see stuff like this:
[screenshot of the OpenVPN server configuration page]

Did you try relying on a small subnet for each remote host, one per tunnel? Would that be useful for you?
I mean setting the virtual network to a /30 and allowing only one connected client per server process. Not right for you?

Pippin

              You can possibly add

ifconfig-pool 192.168.20.16 192.168.20.253

              which gives out addresses from .16 to .253 and has room for 14 fixed IP clients, .2 to .15.

              I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
              Halton Arp

gwright_sov @Pippin

@pippin thanks, yeah, we tried that before, but you can't set it in the GUI; it just says it's already set.

Pippin

                  Ok, shame on me, I should have read the OP better.
                  But that's odd...

                  I created a RA TLS User Auth server and can add ifconfig-pool just fine.

                  dev ovpns1
                  verb 4
                  dev-type tun
                  dev-node /dev/tun1
                  writepid /var/run/openvpn_server1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp4
                  cipher AES-256-CBC
                  auth SHA512
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  client-connect /usr/local/sbin/openvpn.attributes.sh
                  client-disconnect /usr/local/sbin/openvpn.attributes.sh
                  learn-address "/usr/local/sbin/openvpn.learn-address.sh home.lan"
                  local 192.168.42.137
                  tls-server
                  server 192.168.20.0 255.255.255.0
                  client-config-dir /var/etc/openvpn-csc/server1
                  username-as-common-name
                  plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= true server1 1194
                  tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server1' 1"
                  lport 1194
                  management /var/etc/openvpn/server1.sock unix
                  ca /var/etc/openvpn/server1.ca 
                  cert /var/etc/openvpn/server1.cert 
                  key /var/etc/openvpn/server1.key 
                  dh /etc/dh-parameters.2048
                  tls-crypt /var/etc/openvpn/server1.tls-crypt 
                  ncp-ciphers AES-256-GCM
                  compress 
                  push "compress "
                  persist-remote-ip
                  float
                  topology subnet
                  fast-io
                  ifconfig-pool 192.168.20.16 192.168.20.253

Can you run

ls /var/etc/openvpn

and

cat /var/etc/openvpn/server.conf

replacing server.conf with yours?
Command Prompt is in the Diagnostics menu.
Just wondering if the ifconfig-pool line is in there...


Pippin

                    Hm, forget the above, did not check the logs, you were right.

                    But,
                    adding

server 192.168.20.0 255.255.255.0 'nopool';ifconfig-pool 192.168.20.16 192.168.20.253

                    to the Custom options does it.
Although now there are two server directives in the config, the last one is the one being used, confirmed by the log at verb 4.

                    Just for info:
                    server address is .1
                    DHCP server is .254
                    broadcast is .255
                    Those are not usable for clients.

                    @jimp
Can we have a checkbox to set the 'nopool' option for the --server network netmask ['nopool'] directive, which when ticked expands with a field to define the DHCP pool?

                    Thanks.


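Two posts above describe what the generated server.conf ends up containing once the Custom options are added: a second server directive carrying 'nopool' (of which OpenVPN honours the last one), an ifconfig-pool covering .16 to .253, and the .2 to .15 range left for fixed client-specific (CCD) addresses, with .1 and .254 reserved. The following Python check, added here as an example and not code from the thread or from pfSense, reads such a config and reports whether the pool is consistent with the effective tunnel network and how many addresses remain for fixed clients. The sample config embedded in it is constructed from the directives shown in the thread; the rule that .254 is reserved follows Pippin's note above and is an assumption of this check, not something the script verifies.

```python
import ipaddress

# Constructed sample (not a real pfSense file): the directives that matter from a
# generated server.conf after the Custom options from the thread were added.
# pfSense writes each ';'-separated custom option on its own line, which is why
# the file ends up with two 'server' directives.
SAMPLE_CONF = """\
topology subnet
server 192.168.20.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
server 192.168.20.0 255.255.255.0 'nopool'
ifconfig-pool 192.168.20.16 192.168.20.253
"""


def parse_conf(text):
    """Collect every 'server' directive (in file order) and the last 'ifconfig-pool'.

    Returns (servers, pool): servers is a list of (network, netmask, nopool_flag),
    pool is (first, last) as strings or None.
    """
    servers, pool = [], None
    for raw in text.splitlines():
        # Strip comments and the quotes around 'nopool'; also accept the
        # ';'-joined form as typed into the Custom options box.
        for stmt in raw.split("#", 1)[0].replace("'", "").split(";"):
            parts = stmt.split()
            if not parts:
                continue
            if parts[0] == "server" and len(parts) >= 3:
                servers.append((parts[1], parts[2], "nopool" in parts[3:]))
            elif parts[0] == "ifconfig-pool" and len(parts) >= 3:
                pool = (parts[1], parts[2])
    return servers, pool


def check_pool(text):
    """Validate the pool against the effective tunnel network.

    Returns (issues, static_range): issues is a list of human-readable findings,
    static_range is (first, last, count) of addresses left for fixed CCD clients.
    """
    servers, pool = parse_conf(text)
    issues = []
    if not servers:
        return ["no server directive found"], None
    # OpenVPN honours the last occurrence of a repeated directive; the thread
    # confirmed this from the verb 4 log, so the last 'server' line is effective.
    network, netmask, nopool = servers[-1]
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    if len(servers) > 1:
        issues.append(f"{len(servers)} server directives present; the last one wins")
    if pool is None:
        if nopool:
            issues.append("'nopool' set but no ifconfig-pool: clients get no address")
        return issues, None
    if not nopool:
        issues.append("ifconfig-pool without 'nopool': the implicit full-subnet pool still applies")
    first, last = ipaddress.ip_address(pool[0]), ipaddress.ip_address(pool[1])
    if first > last:
        issues.append("pool start is after pool end")
    if first not in net or last not in net:
        issues.append(f"pool {first}-{last} lies outside tunnel network {net}")
    hosts = list(net.hosts())
    # Reserved per the thread (assumption of this check): the first host (.1) is
    # the server and the last host (.254) is the DHCP server address.
    reserved = {hosts[0], hosts[-1]}
    static = [h for h in hosts if h not in reserved and not (first <= h <= last)]
    if not static:
        return issues, None
    return issues, (str(static[0]), str(static[-1]), len(static))


if __name__ == "__main__":
    found, static = check_pool(SAMPLE_CONF)
    for line in found:
        print("note:", line)
    print("addresses left for client-specific (CCD) assignments:", static)
```

Run it against the output of `cat /var/etc/openvpn/server.conf` (saved to a file) to confirm that the 'nopool' server line is the last one and that the CCD addresses you hand out for fixed clients actually fall outside the pool; a fixed address inside the pool range is the one misconfiguration this check is meant to catch before two clients end up sharing it.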
yurtesen

                      @Pippin said in Limit DHCP IP range for OpenVPN clients (GUI Only):

                      @jimp

I came to this topic searching for a solution to the OpenVPN pool problem. Are there any solutions to this problem already? I think the suggestion of @Pippin makes sense.

Gwizzle @yurtesen

@yurtesen This actually solved the exact same problem I had.

yurtesen @Gwizzle

@gwizzle What solved the problem? There is still no checkbox for nopool?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.