Defining OpenVPN TUN Address Pool in pfSense

  • Is it possible to define the OpenVPN address pool in pfSense? Adding the directive "ifconfig-pool" to the "Custom Options" area in the OpenVPN server advanced configuration area causes the server not to start and an error to be thrown, likely because pfSense creates the server instance using the "server" helper directive in the config file, and that conflicts with the "ifconfig-pool" directive.

  • Anybody?

  • Isn't the address range set in the IPv4 Tunnel Network, on the Server's tab? Mine's set to I also have a /64 configured for IPv6.

  • LAYER 8 Global Moderator

    Yes, you set the tunnel right there in the GUI. The wizard even fills it in for you, I believe, which you can set to something different when you run it, or after in the GUI.


  • That sets the VPN tunnel network, not specifically the pool. I'm assuming the pool is generated automatically from the subnet setting in use but that does not give a lot of flexibility for static clients.

    For example, I want to use an entire /24 for my VPN network. I want - 99 be static clients. Then - 254 to be dynamic clients. I do not want OpenVPN to attempt to automatically assign a client an IP from the - range. This can be accomplished by using the ifconfig-pool directive; however, OpenVPN in pfSense will not allow this because of how the server directive is used.

    See this link:

  • LAYER 8 Global Moderator

    You can also just use a different tunnel network for your clients assigning statics for ;) Much easier, cleaner solution ;)

  • When you say use a different tunnel network, you mean create another OpenVPN server instance or something else? I am trying to avoid creating another server instance (will be the 7th OpenVPN server on this virtual pfSense install) since OpenVPN is not multi-threaded and I am trying to save cost on vCPUs in the cloud.

    If there is a way to create a second tunnel network for a single OpenVPN server instance, I would love to know how...

  • LAYER 8 Global Moderator

    When you create your client override you can call out a different tunnel network.
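
The static/dynamic split discussed in this thread matters because firewall rules are often keyed to a client's static tunnel address. The following is an added example, not code from the thread or from pfSense: it audits a plain OpenVPN configuration (not one generated by pfSense) that uses `server ... nopool` with an explicit `ifconfig-pool`, and flags any `ifconfig-push` address that falls inside the dynamic pool or is pushed to two clients. The 10.8.0.0/24 network, the .100-.254 pool and the client names are constructed assumptions.

```python
import ipaddress

# Constructed sample; 10.8.0.0/24 and the .100-.254 split are assumed values.
SERVER_CONF = """\
dev tun
topology subnet
server 10.8.0.0 255.255.255.0 nopool
ifconfig-pool 10.8.0.100 10.8.0.254 255.255.255.0
client-config-dir ccd
"""

# Constructed client-config-dir contents keyed by certificate CN (hypothetical names).
CCD = {
    "site-a": "ifconfig-push 10.8.0.10 255.255.255.0\n",
    "site-b": "ifconfig-push 10.8.0.150 255.255.255.0\n",
    "site-c": "# moved from old gateway\nifconfig-push 10.8.0.10 255.255.255.0\n",
}

def directives(text):
    """Yield (name, args) for each non-comment config line."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]

def dynamic_pool(conf):
    """Return (first, last) of the explicit ifconfig-pool, or None if absent."""
    for name, args in directives(conf):
        if name == "ifconfig-pool" and len(args) >= 2:
            return ipaddress.ip_address(args[0]), ipaddress.ip_address(args[1])
    return None

def audit(conf, ccd):
    """Return findings for static addresses that collide with the pool or each other."""
    pool, seen, findings = dynamic_pool(conf), {}, []
    for cn in sorted(ccd):
        for name, args in directives(ccd[cn]):
            if name != "ifconfig-push" or not args:
                continue
            addr = ipaddress.ip_address(args[0])  # assumes a literal IP, not a DNS name
            if pool and pool[0] <= addr <= pool[1]:
                findings.append(f"{cn}: {addr} is inside the dynamic pool")
            if addr in seen:
                findings.append(f"{cn}: {addr} already pushed to {seen[addr]}")
            seen.setdefault(addr, cn)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SERVER_CONF, CCD)))
```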
