Fixing IP address of client connected through OpenVPN



  • Hello everyone,

    I have a static IP at Head Office connected to branches through OpenVPN via pfSense firewalls at both ends. The branches don't have static IPs. There is an application on one of the servers at the head office which allows connections from allowed IP addresses.

    I am confused about what IP address a client at a branch office would get when connected to the Head Office server.

    The static IP at Head Office is: 203.xxx.xxx.xxx

    The LAN network at Head Office: 172.16.9.0/24

    The LAN network at the branch office is: 192.168.33.0/24

    The tunnel network is: 172.16.1.0/24

    The branch offices use a 4G dongle to get connected to Head Office.

    Can I assign fixed IP addresses to clients from a particular branch office when they get connected to the head office?

    I am not sure whether I have made the situation clear.

    Thank you,
    Regards,
    Ashima


  • Rebel Alliance Global Moderator

    So you have a site-to-site setup.. with this office?  If you want clients at that office to have a specific address on that LAN, then give them a reservation on the DHCP server there.

    If you want road warriors that log into your pfSense.. Doesn't matter where they are at when they do, you can assign them a specific IP in the tunnel via client override in OpenVPN.



    Thanks johnpoz,

    Yes, we have a site-to-site setup.

    We have 5 branches - say Site A, Site B, Site C, Site D and Site E, all connecting to Head Office, say Site H. Site H has a static IP but all other sites A-E are connecting through a 4G dongle via OpenVPN.

    How do I ensure that clients connecting from Site A to the server at Site H appear to come from some fixed IP? The application running on the server at Site H requires the client to come from a fixed IP.

    I hope I am clear now.

    Regards,
    Ashima



  • Local DHCP servers at the sites, add a static mapping for each client that has to have a static IP address. How to do this depends on the DHCP server used and I can't go into details without knowing which one(s) is/are used.


  • Rebel Alliance Global Moderator

    "Site A to server at Site H appear to come from some fixed IP."

    You want them to look like they are all coming from the same IP?  Or you want to allow user Billy's and Bob's machines to access, but not Susan's or Kevin's devices?  So you want Billy's and Bob's machines to always have the same IP so you can allow those IPs to the server IP..

    As I mentioned already and kpa restated as well.. Setting the IP of Billy's and Bob's machines so they get the same IP would be done on the DHCP server that serves that site.

    If you're wanting all users' machines in site A to always look like they come from the same IP.. That could be done via source NAT on your pfSense at site H.



  • Yeah, source NAT would also drop the requirement of two-way routing between the clients at different sites to the network at site H.



  • Thanks all of you.

    I want all my users of site A to appear to come from a fixed IP. As suggested by you all, I'll try source NATing.

    There is a part B of the problem.

    Some part of the data is stored in the cloud, which can also be accessed from a fixed IP. Site H, which has a static IP, is able to access the data. But the branch offices (Site A - E) are on 4G dongles. The ISP is using the 100.64.0.0/10 network (CGNAT), so we cannot have a fixed IP for these branches and also cannot use DDNS.

    Are there some virtual IPs I can set for the WAN interface on the pfSense box, so that any request for this cloud data appears to come from a pre-set virtual IP?  (This is a wild guess... I really don't know if it really makes any sense.)

    Any suggestions ?

    regards,
    Ashima


  • Rebel Alliance Global Moderator

    Huh??  Dude, really at a loss as to what you're trying to accomplish here..

    If you're just going to source NAT all these clients at your site A.. Why not just set the server to allow all the IPs from that site?

    As to a connection coming into your server via a port forward I assume.. Why would you want to make that look to the server like it is coming from a specific IP?  Why not just allow the IPs it might come from in this server as well?
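
The three options raised in the thread (per-host DHCP reservations, source NAT at Site H, or simply allowing the branch LAN) differ in what the server's allowlist and logs actually see. The following is an added example, not code from any poster or from pfSense; the translation address `172.16.9.1` and the client names and addresses are constructed assumptions, while the branch network is the one quoted in the thread.

```python
import ipaddress

# Branch (Site A) LAN as quoted in the thread.
BRANCH_LAN = ipaddress.ip_network("192.168.33.0/24")

# Assumptions (not from the thread): the address source NAT translates to,
# and three sample branch clients.
SNAT_ADDR = ipaddress.ip_address("172.16.9.1")
CLIENTS = {"billy": "192.168.33.10", "bob": "192.168.33.11", "susan": "192.168.33.50"}


def source_nat(src, match_net, translate_to):
    """Rewrite the source address if it is inside match_net, as outbound NAT would."""
    src = ipaddress.ip_address(src)
    return translate_to if src in match_net else src


def server_view(allowlist, snat=False):
    """Return {user: (address the server sees, allowed?)} for every sample client."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    view = {}
    for user, addr in CLIENTS.items():
        seen = source_nat(addr, BRANCH_LAN, SNAT_ADDR) if snat else ipaddress.ip_address(addr)
        view[user] = (str(seen), any(seen in n for n in nets))
    return view


def distinct_sources(view):
    """Number of different source addresses that would appear in the server's logs."""
    return len({seen for seen, _ in view.values()})


# Option 1: DHCP reservations at the branch, allow only the reserved hosts.
per_host = server_view(["192.168.33.10/32", "192.168.33.11/32"])
# Option 2: source NAT at Site H, allow the single translated address.
natted = server_view([f"{SNAT_ADDR}/32"], snat=True)
# Option 3: no NAT, allow the whole branch LAN.
whole_lan = server_view([str(BRANCH_LAN)])

if __name__ == "__main__":
    for name, view in (("per-host", per_host), ("source NAT", natted), ("whole LAN", whole_lan)):
        print(f"{name}: {view} distinct sources: {distinct_sources(view)}")
```

With source NAT every branch client is admitted and the server can no longer tell them apart by address; per-host reservations keep both the restriction and the attribution.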