[Solved] How to configure openvpn with ip fixed?



  • Hello Guys,

    How to configure a fixed IP in open VPN?

    I followed this tutorial but had no success

    https://fastinetserver.wordpress.com/2013/03/09/pfsense-openvpn-static-ip-for-clients/

    I tried other links with no success, please help me!

    I'm using pfsense 2.42

    My configs:
    LAN: 193.89.21.0/24
    TUN: 173.89.210/24


  • LAYER 8 Global Moderator

    That is from 2013.. Without even looking at it, assume it's outdated and not current for the version of openvpn being used currently.  Just set your client override with the IP you want to give your client..

    simple ifconfig-push ipaddress mask..

    Here just set this up again.. Same info had gone over in this thread..

    https://forum.pfsense.org/index.php?topic=110874.msg617357#msg617357

    edit;  BTW why are you using public IP space??  That I assume you just pulled out of thin air?




  • Hello johnpoz,

    I saw that the link was outdated and has already been pointed out here in the forum, but I am looking for some solution to this case.

    I already configured it as described and it happens that it duplicates the IP.

    About using public IP I changed the network to 172.89.21.0/24





  • LAYER 8 Global Moderator

    "About using public IP I changed the network to 172.89.21.0/24"

    Dude that is a public IP… Are you saying you're obfuscating it from the rfc1918 you're using?  Why??

    What did you use for the CN of the client?  If your clients are all using the same certs then yes it will be duplicated..

    edit:  Here I connected from my phone to same openvpn server, as you can see it got a different IP since I did not call out a client override for its CN..






  • Hello johnpoz,

    on the tunnel ip following the RFC changes something on my network?

    below are the settings for my VPN server and for each user I have a certificate that is associated with the name.









  • LAYER 8 Global Moderator

    What part do you not understand about 172.89.21 being a public IP??  You can not just pull out IPs out of thin air and use them..

    NetRange:      172.88.0.0 - 172.91.255.255
    CIDR:          172.88.0.0/14
    Ref:            https://whois.arin.net/rest/net/NET-172-88-0-0-1
    OrgName:        Time Warner Cable Internet LLC

    That space is owned by Time Warner Cable - why would you be using that for your tunnel network?  Your tunnel network should be something in the rfc1918 space, 192.168/16, 172.16/12 or 10/8

    Where are your client override settings?  Fix your tunnel to be some rfc1918 space that you're currently not using on the openvpn lan side anywhere, nor that your client would be using remotely, etc..  192.168.0 or 192.168.1 would be bad choices for example since those are very common networks.

    edit:  Are you using this locally as your lan network? "LAN: 193.89.21.0/24" ???



  • Hello,

    johnpoz,

    I changed the IP of my VPN network to 172.16.21.0/24 as suggested, I thought that this tunnel address would not be mixed with the public IPs valid. Thanks for the tip.

    Made the changes and configured in the "Client Specific Overrides" tab and restarted the OpenVPN service and still the IP gets duplicated.

    What can it still be?

    PS. Yes, it's my local LAN:
    Are you using this locally as your lan network? "LAN: 193.89.21.0/24"



  • LAYER 8 Global Moderator

    "restarted the OpenVPN service and still the IP gets duplicated."

    What do you mean gets duplicated??

    What is that a screenshot of… :1194 is not the source port of some client connecting to openvpn running on pfsense??  I find that highly unlikely... What does the widget show you for your clients like I posted..

    "PS. Yes, it's my local LAN:"

    Dude!!!!  You can not just pick random IPs out of thin air and use them on your network... Use the IP space that has been assigned for you to use on your local networks rfc1918... That network is owned by.. Company in Denmark...



  • Hi johnpoz,

    I made the changes on the internal network too, did not know that this was so restricted, but thank you for alerting me.

    I changed my internal / local network to the address 192.168.21.0/24

    Now follow the new settings:
    Local Network: 192.168.21.0/24
    VPN Network: 172.16.21.0/24

    The OpenVPN settings are the same I just switched access to my internal network for the new network.

    I was hoping to solve the problem of OpenVPN Virtual IPs not being duplicated, but unfortunately it still did not work out.

    I am seeing other posts but I have not got a solution yet.


  • LAYER 8 Global Moderator

    Dude where are you seeing that they are being duplicated?  As you see I can not duplicate your problem… What you posted sure did not look like the openvpn widget - not sure what you were showing exactly that you think the IP is being duplicated..

    You have clientA, and clientB with different cert names, ie the CN..

    if you create a client override for clientA to get IP address 1.2.3.4... It is not possible for clientB to get this same IP...  Please post up your client override config and what is the CNs of your different clients that are connecting.. Post up the log of your connections from your clients or your server side..

    It is not "restricted" to use whatever IP you want... But if you just pull IPs out of thin air and attempt to use them.. You're going to have issues if you're ever trying to actually go to something on the internet on those networks you're using... Such a setup screams whoever set this up has zero clue!! ;)  There are millions of IPs available in the rfc1918 space, there would be zero reason to just make up some network that is public and start using that on your local networks.  Technically it can be done - but it's BAD PRACTICE!!!

    Do you have this checked?
    "Allow multiple concurrent connections from clients using the same Common Name."

    On your vpn server settings?  Also if you have a lot of clients.. Then guess it could be possible to get a duplicate if you're using the low end... Use a different tunnel network for the clients you want to set static..

    You don't seem to be able to set the pool directive in the options on the server.. So if you have so many clients connecting that you get a duplicate handed out because you're using your whole pool??  Make a larger remote network say /23 how many concurrent clients do you have?  And use static on the high end with your override..



  • Hello johnpoz,

    then they are with the same Virtual Address as shown in the print screen see that I point with the arrows.

    Yes it is from pfsense with the theme dark, I changed it for easier viewing.

    But now I send the print I made going under Status -> OpenVPN, where it shows the connected clients and where I see the Duplicate Virtual Address.

    In one of the prints I show a configuration that I made for myself and that is with the correct parameters but still doubles.
    I believe that when configuring the client for this IP the server should not assign this IP to anyone else.
    What can it still be?







  • LAYER 8 Global Moderator

    172.16.71.7/24 is not a NETWORK - that is a host address.

    172.16.71.0/24 would be the /24 network

    Please use a HIGHER number for your static one in the pool… with a pool of 172.16.71.1 to .254 why would you assign your static to .7 -- set it to .170 or something.. Openvpn will assign addresses on the low end of the pool..  Put the statics on the high end..



  • Hello johnpoz,

    really my network is: 172.16.21.0/24
    and I was putting ip address in the wrong place where the tunnel is placed.

    I made the correction and in the advanced part I put the IP as follows:

    ifconfig-push 172.16.21.7 255.255.255.0;

    so it still assigns the ip to my connection end and the other as well.

    I always thought that when I put the ip in these settings that openvpn will put the ip as reserved and will not assign it to another connection.

    What else caught my attention in your comment and how do you know that openvpn will assign the low ips to the dhcp and the fixed ones will last?

    Is this some RFC standard?

    Or simply by constructing enumerate the ips by adding more in dhcp the release is made?

    Do you have any good practices in this regard?

    on that I decided to use my ip for the end 77 and it seems that solved !!!
    tomorrow I will put the rest of the clients to see if everything is going to work out

    johnpoz, thank you for your patience and your wisdom in helping me solve this problem.



  • Hello guys
    How do I mark the topic as resolved?


  • LAYER 8 Global Moderator

    Edit the thread subject and put [Solved] at the beginning.

    Glad you finally got it worked out - as a side bonus you're no longer using public IP space that you do not own ;)



  • True, every day learning more …
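
The checks worked through in this thread (RFC 1918 tunnel space, network versus host address, and static `ifconfig-push` addresses kept out of the low end of the pool), collected as an added Python example that is not part of any post. `check_tunnel`, its parameters and the client CNs are hypothetical, and the pool model (server on the first host address, dynamic clients on the next ones up) is an assumption taken from the thread's advice.

```python
import ipaddress

# The three RFC 1918 ranges named in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_tunnel(tunnel, overrides, dynamic_clients):
    """Return findings for an IPv4 tunnel network and its client overrides.

    tunnel          -- tunnel network as typed, e.g. "172.16.21.0/24"
    overrides       -- {client CN: "ifconfig-push <ip> <mask>"}
    dynamic_clients -- expected concurrent clients without an override
    """
    findings = []
    iface = ipaddress.ip_interface(tunnel)
    net = iface.network
    if iface.ip != net.network_address:
        findings.append(f"{tunnel} is a host address; the network is {net}")
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append(f"{net} is not RFC 1918 space")

    # Assumption: the server holds the first host address and dynamic
    # clients are handed the following addresses, lowest first.
    base = int(net.network_address)
    low_end = range(base + 1, base + 2 + dynamic_clients)

    seen = {}  # pushed IP -> first CN that claimed it
    for cn, line in sorted(overrides.items()):
        parts = line.rstrip(";").split()
        if len(parts) != 3 or parts[0] != "ifconfig-push":
            findings.append(f"{cn}: not an ifconfig-push line: {line!r}")
            continue
        ip = ipaddress.ip_address(parts[1])
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            findings.append(f"{cn}: {ip} is not a usable host in {net}")
        elif int(ip) in low_end:
            findings.append(f"{cn}: {ip} is in the low end used by the server and dynamic clients")
        if ip in seen:
            findings.append(f"{cn}: {ip} is already pushed to {seen[ip]}")
        seen.setdefault(ip, cn)
    return findings

if __name__ == "__main__":
    # Constructed sample: the .7 and .77 addresses mirror the thread.
    sample = {"clientA": "ifconfig-push 172.16.21.7 255.255.255.0;",
              "clientB": "ifconfig-push 172.16.21.77 255.255.255.0;"}
    for finding in check_tunnel("172.16.21.0/24", sample, 20):
        print(finding)
```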

