Netgate Discussion Forum

    [Solved] How to configure openvpn with ip fixed?

      junokim76

      Hello Guys,

      How do I configure a fixed IP in OpenVPN?

      I followed this tutorial but had no success:

      https://fastinetserver.wordpress.com/2013/03/09/pfsense-openvpn-static-ip-for-clients/

      I tried other links with no success, please help me!

      I'm using pfSense 2.42

      My configs:
      LAN: 193.89.21.0/24
      TUN: 173.89.210/24

        johnpoz LAYER 8 Global Moderator

        That is from 2013.. Without even looking at it, assume it's outdated and not current for the version of OpenVPN being used currently.  Just set your client override with the IP you want to give your client..

        Simple: ifconfig-push ipaddress mask..

        Here just set this up again.. Same info had gone over in this thread..

        https://forum.pfsense.org/index.php?topic=110874.msg617357#msg617357

        edit;  BTW why are you using public IP space??  That I assume you just pulled out of thin air?

        setIPopenvpnclient.png

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          junokim76

          Hello johnpoz,

          I saw that the link was outdated and has already been pointed out here in the forum, but I am looking for some solution to this case.

          I already configured it as described and it happens that it duplicates the IP.

          About using public IP I changed the network to 172.89.21.0/24

          sameIP.png
          adv_openvpn.png

            johnpoz LAYER 8 Global Moderator

            "About using public IP I changed the network to 172.89.21.0/24"

            Dude that is a public IP… Are you saying you're obfuscating it from the rfc1918 you're using?  Why??

            What did you use for the CN of the client?  If your clients are all using the same certs then yes it will be duplicated..

            edit:  Here I connected from my phone to same openvpn server, as you can see it got a different IP since I did not call out a client override for its CN..

            CNofclient.png
            iphone.png

              junokim76

              Hello johnpoz,

              On the tunnel IP, does following the RFC change something on my network?

              Below are the settings for my VPN server; for each user I have a certificate that is associated with the name.

              openVPNTunnel_conf3.png
              openVPNTunnel_conf2.png
              openVPNTunnel_conf.png
              openvpnIPTunnel.png

                johnpoz LAYER 8 Global Moderator

                What part do you not understand about 172.89.21 being a public IP??  You cannot just pull IPs out of thin air and use them..

                NetRange:      172.88.0.0 - 172.91.255.255
                CIDR:          172.88.0.0/14
                Ref:            https://whois.arin.net/rest/net/NET-172-88-0-0-1
                OrgName:        Time Warner Cable Internet LLC

                That space is owned by Time Warner Cable - why would you be using that for your tunnel network?  Your tunnel network should be something in the rfc1918 space, 192.168/16, 172.16/12 or 10/8

                Where are your client override settings?  Fix your tunnel to be some rfc1918 space that you're currently not using on the openvpn lan side anywhere, nor that your client would be using remotely, etc..  192.168.0 or 192.168.1 would be bad choices for example since those are very common networks.

                edit:  Are you using this locally as your lan network? "LAN: 193.89.21.0/24" ???

                  junokim76

                  Hello,

                  johnpoz,

                  I changed the IP of my VPN network to 172.16.21.0/24 as suggested. I thought that this tunnel address would not be mixed up with the valid public IPs. Thanks for the tip.

                  Made the changes and configured in the "Client Specific Overrides" tab and restarted the OpenVPN service and still the IP gets duplicated.

                  What can it still be?

                  PS. Yes, it's my local LAN:
                  Are you using this locally as your lan network? "LAN: 193.89.21.0/24"

                  duplicateAgain.png

                    johnpoz LAYER 8 Global Moderator

                    "restarted the OpenVPN service and still the IP gets duplicated."

                    What do you mean gets duplicated??

                    What is that a screenshot of… :1194 is not the source port of some client connecting to openvpn running on pfsense??  I find that highly unlikely... What does the widget show you for your clients like I posted..

                    "PS. Yes, its my local LAN:"

                    Dude!!!!  You can not just pick random IPs out of thin air and use them on your network... Use the IP space that has been assigned for you to use on your local networks rfc1918... That network is owned by.. Company in Denmark...

                      junokim76

                      Hi johnpoz,

                      I made the changes on the internal network too, did not know that this was so restricted, but thank you for alerting me.

                      I changed my internal / local network to the address 192.168.21.0/24

                      Now follow the new settings:
                      Local Network: 192.168.21.0/24
                      VPN Network: 172.16.21.0/24

                      The OpenVPN settings are the same I just switched access to my internal network for the new network.

                      I was hoping to solve the problem of OpenVPN Virtual IPs not being duplicated, but unfortunately it still did not work out.

                      I am seeing other posts but I have not got a solution yet.

                        johnpoz LAYER 8 Global Moderator

                        Dude where are you seeing that they are being duplicated?  As you see I can not duplicate your problem… What you posted sure did not look like the openvpn widget - not sure what you were showing exactly that you think the IP is being duplicated..

                        You have clientA, and clientB with different cert names, ie the CN..

                        if you create a client override for clientA to get IP address 1.2.3.4... It is not possible for clientB to get this same IP...  Please post up your client override config and what is the CNs of your different clients that are connecting.. Post up the log of your connections from your clients or your server side..

                        It is not "restricted" to use whatever IP you want... But if you just pull IPs out of thin air and attempt to use them.. You're going to have issues if you're ever trying to actually go to something on the internet on those networks you're using... Such a setup screams whoever set this up has zero clue!! ;)  There are millions of IPs available in the rfc1918 space, there would be zero reason to just make up some network that is public and start using that on your local networks.  Technically it can be done - but it's BAD PRACTICE!!!

                        Do you have this checked?
                        "Allow multiple concurrent connections from clients using the same Common Name."

                        On your vpn server settings?  Also if you have a lot of clients.. Then guess it could be possible to get a duplicate if you're using the low end... Use a different tunnel network for the clients you want to set static..

                        You don't seem to be able to set the pool directive in the options on the server.. So if you have so many clients connecting that you get a duplicate handed out because you're using your whole pool??  Make a larger remote network say /23 how many concurrent clients do you have?  And use static on the high end with your override..

                          junokim76

                          Hello johnpoz,

                          Then they have the same Virtual Address, as shown in the print screen; see where I point with the arrows.

                          Yes, it is from pfSense with the dark theme; I changed it for easier viewing.

                          But now I am sending the print I made under Status -> OpenVPN, where it shows the connected clients and where I see the duplicate Virtual Address.

                          In one of the prints I show a configuration that I made for myself and that has the correct parameters, but it still duplicates.
                          I believe that when configuring the client for this IP the server should not assign this IP to anyone else.
                          What can it still be?

                          sameVirtualIP.png
                          sameVirtualIP2.png
                          sameVirtualIP3.png

                            johnpoz LAYER 8 Global Moderator

                            172.16.71.7/24 is not a NETWORK - that is a host address.

                            172.16.71.0/24 would be the /24 network

                            Please use a HIGHER number for your static one in the pool… with a pool of 172.16.71.1 to .254 why would you assign your static to .7 -- set it to .170 or something.. Openvpn will assign addresses on the low end of the pool..  Put the statics on the high end..

                              junokim76

                              Hello johnpoz,

                              really my network is: 172.16.21.0/24
                              and I was putting ip address in the wrong place where the tunnel is placed.

                              I made the correction and in the advanced part I put the IP as follows:

                              ifconfig-push 172.16.21.7 255.255.255.0;

                              so it still assigns the ip to my connection end and the other as well.

                              I always thought that when I put the ip in these settings that openvpn will put the ip as reserved and will not assign it to another connection.

                              What else caught my attention in your comment: how do you know that OpenVPN will assign the low IPs to DHCP and leave the fixed ones for last?

                              Is this some RFC standard?

                              Or simply by constructing enumerate the ips by adding more in dhcp the release is made?

                              Do you have any good practices in this regard?

                              On that, I decided to use my IP ending in 77 and it seems that solved it!!!
                              Tomorrow I will put the rest of the clients on to see if everything is going to work out.

                              johnpoz, thank you for your patience and your wisdom in helping me solve this problem.

                                junokim76

                                Hello guys
                                How do I mark the topic as resolved?

                                  johnpoz LAYER 8 Global Moderator

                                  Edit the thread subject and put [Solved] at the beginning.

                                  Glad you finally got it worked out - as a side bonus you're no longer using public IP space that you do not own ;)

                                    junokim76

                                    True, every day learning more …
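
Added example, not part of the thread and not pfSense or OpenVPN code: a pre-flight check for the addressing plan the thread settles on (RFC1918 tunnel and LAN, one `ifconfig-push` address per certificate CN, statics kept out of the low end of the pool). It assumes the server takes the first host address and that dynamic clients fill the pool lowest-first, as johnpoz describes; `audit`, `max_dynamic` and the CN names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit(tunnel, lan, overrides, max_dynamic):
    """Return findings for a tunnel plan (hypothetical helper).

    overrides: certificate CN -> address given to `ifconfig-push`.
    max_dynamic: expected concurrent clients that have no override.
    """
    findings, nets = [], {}
    for name, cidr in (("tunnel", tunnel), ("lan", lan)):
        try:
            nets[name] = ipaddress.ip_network(cidr)  # strict: host bits rejected
        except ValueError:
            return [f"{name} {cidr} is not a network address"]
        if not any(nets[name].subnet_of(r) for r in RFC1918):
            findings.append(f"{name} {cidr} is not RFC1918 space")
    tun = nets["tunnel"]
    if tun.overlaps(nets["lan"]):
        findings.append(f"tunnel {tun} overlaps lan {nets['lan']}")
    server = tun.network_address + 1  # assumption: server takes the first host
    low_end = server + max_dynamic    # assumption: pool fills lowest-first
    seen = {}
    for cn, addr in overrides.items():
        ip = ipaddress.ip_address(addr)
        if ip not in tun or ip in (tun.network_address, tun.broadcast_address):
            findings.append(f"{cn}: {ip} is not a usable host in {tun}")
        elif ip == server:
            findings.append(f"{cn}: {ip} is the server's own address")
        elif ip <= low_end:
            findings.append(f"{cn}: {ip} sits in the low range dynamic clients fill")
        if ip in seen:
            findings.append(f"{cn}: {ip} is already pushed to {seen[ip]}")
        seen.setdefault(ip, cn)
    return findings

if __name__ == "__main__":
    # Constructed inputs: networks from the thread; CNs and max_dynamic invented.
    print(audit("172.89.21.0/24", "193.89.21.0/24", {}, 20))
    print(audit("172.16.21.0/24", "192.168.21.0/24", {"clientA": "172.16.21.7"}, 20))
    print(audit("172.16.21.0/24", "192.168.21.0/24", {"clientA": "172.16.21.77"}, 20))
```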
