OpenVPN TUN Reserves Multiple Gateways?

  • I have 6 OpenVPN TUN servers set up on our "pfSense OpenVPN hub" machine connecting multiple sites and clients, pfSense version 2.4.4. I need to define static IPs for many of the VPN clients, as some are servers. I noticed that when an OpenVPN server is first created and no clients have connected, the gateway IP (for example) is Once a client connects for the first time, the gateway for that OpenVPN server changes to and stays like that even if the server is restarted. The interface for that OpenVPN server still shows as Is this normal behavior? I have configured an interface assignment for each OpenVPN server to make managing firewall rules easier.

    What is even more odd to me: I have one of our sites set up on the network; the gateway shows as, I have statically assigned to the client (using ifconfig-push in the client override), and everything works; traffic flows/routes fine in both directions. I have that particular client set up as its own gateway with static routes to networks behind it as well, so two gateways show up on the pfSense dashboard. If I try to edit the static client gateway while the server is running, it gives me an error stating that a gateway already exists with that IP (meaning it is conflicting with the dynamically created gateway).

    Are the first two IPs (x.x.x.1 and x.x.x.2) always reserved for use by the server in a TUN configuration? If I shell into pfSense, I do see that the directive "ifconfig" is in the /var/etc/openvpn/server3.conf file. I have scoured the internet for hours trying to find documentation about how this actually works internally, with no success.

  • Anybody?

  • Rebel Alliance Developer Netgate

    The .1 address is on the interface itself. The .2 address is used by OpenVPN to nudge traffic across the VPN as needed. OpenVPN doesn't use the routing table internally, it uses iroutes to tell what traffic to send to which clients.

    It doesn't matter what pfSense sees as the gateway for the VPN as long as it's some destination inside the VPN, so it uses .2 for that.

    You shouldn't have anything like additional gateways or static routes set up in pfSense for the VPN; that will never work properly/reliably. Use OpenVPN's own settings for any routing you need. In some cases you might be able to use a routing protocol (for example, OSPF requires tap mode).

  • My next question is, should I NOT be assigning .2 as a static IP to a client? Should I start static clients at .3?

    I have additional routes/gateways set up to reach networks that are off a gateway behind the VPNs and not on the same subnet, along with the proper route/iroute in OpenVPN itself.

  • Rebel Alliance Developer Netgate

    In theory, it shouldn't matter that much.

    That said, since OpenVPN will start randomly assigning from the start of the pool, putting static assignments at the start of the subnet is a poor practice anyhow. If the client is offline, a connecting client without an override assignment would land there.
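The two points made in the replies above (.1 is the server's interface, .2 is what pfSense treats as the VPN gateway, and networks behind a client belong in OpenVPN's own `route`/`iroute` rather than in pfSense static routes) can be turned into a small generator for client-override (client-config-dir) files. This is an added example written for this thread, not pfSense or OpenVPN project code. It assumes a TUN server in `topology subnet` mode, a hypothetical tunnel network of 10.99.3.0/24, and made-up site names and LAN networks; it refuses to hand out .1 or .2 and starts static clients at .3, as suggested above.

```python
"""Generate OpenVPN client-config-dir (CCD) overrides for static TUN clients.

Added example for this thread (not pfSense or OpenVPN project code). Assumes
`topology subnet`, a hypothetical tunnel network, and the convention discussed
above: .1 is the server's own interface address, .2 is the address pfSense
uses as the VPN gateway, so static clients start at .3.
"""
import ipaddress

RESERVED_HOST_OFFSETS = (1, 2)  # .1 = server interface, .2 = pfSense gateway


def server_addresses(tunnel_net: str):
    """Return (interface_addr, gateway_addr) for the tunnel network as strings."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    base = int(net.network_address)
    return str(ipaddress.ip_address(base + 1)), str(ipaddress.ip_address(base + 2))


def validate_static_clients(tunnel_net: str, clients: dict) -> None:
    """Reject overrides that collide with .1/.2, fall outside the tunnel
    network, or reuse an address. `clients` maps common name -> (addr, [nets])."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    reserved = {ipaddress.ip_address(int(net.network_address) + o)
                for o in RESERVED_HOST_OFFSETS}
    seen = {}
    for cn, (addr, behind) in clients.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{cn}: {addr} is not a usable host address in {tunnel_net}")
        if ip in reserved:
            raise ValueError(f"{cn}: {addr} is reserved for the server side")
        if ip in seen:
            raise ValueError(f"{cn}: {addr} already assigned to {seen[ip]}")
        seen[ip] = cn
        for n in behind:
            ipaddress.ip_network(n, strict=True)  # must be a network, not a host


def ccd_file(tunnel_net: str, addr: str, behind: list) -> str:
    """Render one CCD file: ifconfig-push (subnet-topology form: address and
    netmask) plus one iroute per network behind the client. iroute is
    OpenVPN's internal client routing, not a pfSense static route."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    lines = [f"ifconfig-push {addr} {net.netmask}"]
    for n in behind:
        bn = ipaddress.ip_network(n, strict=True)
        lines.append(f"iroute {bn.network_address} {bn.netmask}")
    return "\n".join(lines) + "\n"


def server_routes(clients: dict) -> list:
    """Server-side `route` lines that must accompany the iroutes so the host's
    kernel sends those networks into the tunnel; iroute then picks the client."""
    out = []
    for _, (_, behind) in clients.items():
        for n in behind:
            bn = ipaddress.ip_network(n, strict=True)
            out.append(f"route {bn.network_address} {bn.netmask}")
    return out


def build(tunnel_net: str, clients: dict) -> dict:
    """Validate all overrides, then return {common name: CCD file text}."""
    validate_static_clients(tunnel_net, clients)
    return {cn: ccd_file(tunnel_net, addr, behind)
            for cn, (addr, behind) in clients.items()}


# Constructed sample: hypothetical tunnel network and two static sites.
TUNNEL_NET = "10.99.3.0/24"
CLIENTS = {
    "site-a": ("10.99.3.3", ["192.168.50.0/24"]),   # site with a LAN behind it
    "cloud-db-1": ("10.99.3.4", []),               # single cloud server
}

if __name__ == "__main__":
    print("server interface / gateway:", server_addresses(TUNNEL_NET))
    for cn, body in build(TUNNEL_NET, CLIENTS).items():
        print(f"--- CCD file for {cn}\n{body}", end="")
    print("\n".join(server_routes(CLIENTS)))
```

Each rendered file goes into the server's client-config-dir under the client's certificate common name; the `route` lines belong in the server config itself. Handing a client .2 would pass OpenVPN's own checks, which is why the check here is explicit rather than relying on the daemon to refuse it.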

  • In this case, there will never be any dynamic clients. All of the clients will be cloud servers/sites that require a static IP. I just wanted to cover all bases in case there is a situation in the future that would require dynamic clients on this particular OpenVPN server instance.
