OpenVPN with Client IP address Assignments from Multiple Subnets



  • Hello All,

    I am new to pfSense and OpenVPN.  However, I was able to construct a multi-user VPN with relative ease thanks to the simple interface that pfSense provides.  My question is: how can I create multiple address pool assignments for my users?

    Today my VPN users have IPs that are assigned from one subnet that is applied to the OpenVPN virtual interface on OPT1.  That subnet is 10.0.1.0/24.  I also need to assign IPs to VPN users from another subnet, 172.16.15.0/24, as well.  I know I can create two different OpenVPN server instances and run one on port 1194 and another on 1195, for example, to accomplish this.  My client is not able to allow me to do this.  They must be able to assign from both subnets using the same OpenVPN server instance running on port 1194.  To simplify further, they do not want to have to issue a new ".ovpn" file to every client.  There is a specific corporate policy need to not send out a unique ".ovpn" file as well as not to create a new instance.  In contrast to that last statement, if there is some way to have the same client config file attempt to contact multiple OpenVPN server instances to obtain an address, that would be fine.  I also allow the same user and password combo to connect multiple times to the same VPN tunnel, as this is a requirement.

    My client conducts psychological background checks and needs to create a sense of randomness for several types of tests that they have remote employees perform.  There are actually more than two subnets, but I figured I would simplify the question.  They want users that receive 10.0.1.0/24 IP addresses to follow a different path of tests, which are not the same application as the users who receive 172.16.15.0/24 IP addresses.  They have a need to create a completely different process flow for users of each subnet.  Kind of like mice in a maze, they want users to be presented with chance that is beyond their own control.  Is it possible to randomize the IP address that the VPN user receives?  Is it possible for the pfSense OpenVPN server to assign addresses via DHCP instead of the OPT1 virtual interface?

    Is there a way to accomplish the above using the following criteria:

    • Usernames and passwords must be the same for all users
    • There must only be one single server instance running on port 1194 unless a client can attempt to try multiple servers using the same ".ovpn" config file.
    • We can assign a new ".ovpn" file, but it must be the same one used by all users.
    • The solution must support the assignment of IP addresses from a variety of address pools, but only one IP address is required on the client side.

    All other options are up in the air and available to use, but the solution must adhere to the above criteria.

    I thank everyone in advance for your consideration.  If the above questions have been asked already by others, please forgive me.  As I said, I am new to pfSense and this forum.  I did search over the last few days, but I couldn't find anything on this forum, Google, etc. that was even remotely close to what I am trying to achieve.  However, I have been known to be blind before.
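One mechanism that fits the constraints in the post (single server instance on 1194, one shared ".ovpn", same credentials for everyone, per-connection random pool) is OpenVPN's `--client-connect` hook: OpenVPN runs the script at every connection and passes the path of a temporary dynamic config file as the last argument; any `ifconfig-push` or `push` lines the script writes there apply to that client only, exactly as a client-config-dir file would. The script below is an added example written for this thread, not code from the original post or from pfSense. It assumes `topology subnet`, a lease file under `/var/db`, the pool ranges and gateway addresses shown, and that the extra subnets are routed into the tunnel on the server side; all of those are assumptions to adapt.

```sh
#!/bin/sh
# Added example, not from the original post or from pfSense: an OpenVPN
# --client-connect script that gives each connecting client an address
# from a pool chosen at random, by writing ifconfig-push into the dynamic
# config file OpenVPN passes as the script's last argument.
# Pool ranges, gateway addresses and the lease-file path are assumptions.

# Constructed pools, one per line: "prefix first_host last_host gateway".
# 10.0.1.0/24 is the OPT1 tunnel network; each other pool needs a server-side
# "route <net> <mask>" so the kernel sends replies back into the tun interface.
POOLS='10.0.1 10 250 10.0.1.1
172.16.15 10 250 172.16.15.1'

pool_count() { printf '%s\n' "$POOLS" | wc -l | tr -d ' '; }

# pick_pool N: print pool line (N mod count)+1. N is any non-negative
# integer; main reads it from /dev/urandom, tests pass it explicitly.
pick_pool() {
    n=$(pool_count)
    printf '%s\n' "$POOLS" | sed -n "$(( $1 % n + 1 ))p"
}

# next_free PREFIX FIRST LAST LEASEFILE: print the lowest host in the range
# that is not already recorded in LEASEFILE; fail if the pool is exhausted.
next_free() {
    prefix=$1; h=$2; last=$3; leases=$4
    [ -f "$leases" ] || : > "$leases"
    while [ "$h" -le "$last" ]; do
        if ! grep -qxF "$prefix.$h" "$leases"; then
            printf '%s.%s\n' "$prefix" "$h"
            return 0
        fi
        h=$(( h + 1 ))
    done
    return 1
}

# assign N LEASEFILE OUTFILE: choose pool N, take a free address, record the
# lease and write this client's directives into OUTFILE (the dynamic config
# file). Prints the assigned address.
assign() {
    set -- $(pick_pool "$1") "$2" "$3"
    prefix=$1; first=$2; last=$3; gw=$4; leases=$5; out=$6
    addr=$(next_free "$prefix" "$first" "$last" "$leases") || return 1
    echo "$addr" >> "$leases"
    {
        echo "ifconfig-push $addr 255.255.255.0"   # topology subnet form
        echo "push \"route-gateway $gw\""           # gateway inside the client's own subnet
    } > "$out"
    echo "$addr"
}

# release ADDR LEASEFILE: free an address again; call this from a
# --client-disconnect script with $ifconfig_pool_remote_ip.
release() {
    grep -vxF "$1" "$2" > "$2.tmp" || true
    mv "$2.tmp" "$2"
}

# main CONFIGFILE: entry point when OpenVPN runs the script on connect.
main() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    assign "$r" "${LEASES:-/var/db/openvpn-random-pool.leases}" "$1" > /dev/null
}

# Only act when OpenVPN passes the dynamic config path; otherwise the file
# just defines the functions above.
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

To wire it into the single pfSense instance, the server's custom options need `script-security 2` and `client-connect /usr/local/etc/openvpn/random-pool.sh` (path assumed), plus one `route 172.16.15.0 255.255.255.0` line per additional pool, and the "Duplicate Connection" option (`duplicate-cn`) so the shared credentials can be connected more than once. Firewall rules on the OpenVPN interface must then match the extra subnets, not only 10.0.1.0/24. Two caveats a practitioner should check before trusting the randomness: the lease file is updated without a lock, so wrap `assign` in `lockf` (FreeBSD) if many clients connect at the same instant, and keep the pool ranges out of the instance's own automatic `ifconfig-pool` range so a pushed address can never collide with one the server hands out on its own.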