Netgate Discussion Forum

Defining OpenVPN TUN Address Pool in pfSense

  • B
    blabs
    last edited by Oct 16, 2018, 10:21 PM

    Is it possible to define the OpenVPN address pool in pfSense? Adding the directive "ifconfig-pool 10.10.22.100 10.10.22.254 255.255.255.0" to the "Custom Options" area in the OpenVPN server advanced configuration area causes the server not to start and an error to be thrown likely because pfSense creates the server instance using the "server" helper directive in the config file and that conflicts with the "ifconfig-pool" directive.

    • B
      blabs
      last edited by Oct 19, 2018, 9:50 PM

      Anybody?

      • J
        JKnott
        last edited by Oct 20, 2018, 1:38 AM

        Isn't the address range set in the IPv4 Tunnel Network, on the Server's tab? Mine's set to 172.16.255.0/24. I also have a /64 configured for IPv6.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Oct 20, 2018, 7:59 AM

          Yes, you set the tunnel right there in the GUI. The wizard even fills it in for you, I believe, which you can set to something different when you run it, or afterwards in the GUI.

          [Screenshot: tunnelsettings.png]

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • B
            blabs
            last edited by Oct 22, 2018, 1:58 PM

            That sets the VPN tunnel network, not specifically the pool. I'm assuming the pool is generated automatically from the subnet setting in use but that does not give a lot of flexibility for static clients.

            For example, I want to use an entire /24 for my VPN network. I want 10.10.22.2 - 99 to be static clients. Then 10.10.22.100 - 254 to be dynamic clients. I do not want OpenVPN to attempt to automatically assign a client an IP from the 10.10.22.2 - 10.10.22.99 range. This can be accomplished by using the ifconfig-pool directive; however, OpenVPN in pfSense will not allow this because of how the server directive is used.

            See this link:
            https://serverfault.com/questions/910241/how-to-prevent-clients-from-getting-static-ips-set-by-client-specific-overrides

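An added example, not written by any poster in this thread: a small Python audit for the address plan described in the post above. It reads `ifconfig-push` lines from client-specific override text and flags static addresses that fall inside the range dynamic clients draw from, duplicates, and clients with no static at all; the common names and override text are constructed, and subnet topology is assumed.

```python
import ipaddress
import re

# "ifconfig-push <ip> <netmask>" as written in an OpenVPN client-specific
# override when the server uses subnet topology (assumption).
PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)", re.MULTILINE)

def audit_static_clients(overrides, dynamic_first, dynamic_last):
    """Return [(common_name, problem), ...] for risky static assignments.

    overrides: dict of common name -> that client's override text.
    dynamic_first/dynamic_last: bounds of the range handed to dynamic clients.
    """
    lo = ipaddress.IPv4Address(dynamic_first)
    hi = ipaddress.IPv4Address(dynamic_last)
    seen = {}       # address -> first common name that claimed it
    findings = []
    for cn, text in sorted(overrides.items()):
        m = PUSH_RE.search(text)
        if not m:
            findings.append((cn, "no ifconfig-push: draws from the dynamic range"))
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            findings.append((cn, f"unparseable address {m.group(1)!r}"))
            continue
        if lo <= addr <= hi:
            findings.append((cn, f"{addr} lies inside the dynamic range {lo}-{hi}"))
        if addr in seen:
            findings.append((cn, f"{addr} already assigned to {seen[addr]}"))
        seen.setdefault(addr, cn)
    return findings

# Constructed sample overrides; the common names are hypothetical.
SAMPLE = {
    "branch-router": "ifconfig-push 10.10.22.10 255.255.255.0",
    "laptop-alice": "ifconfig-push 10.10.22.150 255.255.255.0",
    "backup-host": "ifconfig-push 10.10.22.10 255.255.255.0",
    "kiosk": 'push "route 192.168.50.0 255.255.255.0"',
}

if __name__ == "__main__":
    # Intended plan from the post: dynamic clients in .100 - .254 only.
    for cn, problem in audit_static_clients(SAMPLE, "10.10.22.100", "10.10.22.254"):
        print(f"{cn}: {problem}")
```

Passing the whole tunnel network as the dynamic range (for example `10.10.22.2` to `10.10.22.254`) shows the situation the post wants to avoid: every static address is then also a candidate for a dynamic client.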
            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Oct 22, 2018, 4:18 PM

              You can also just use a different tunnel network for the clients you're assigning statics for ;) Much easier, cleaner solution ;)

              • B
                blabs
                last edited by Oct 22, 2018, 4:35 PM

                When you say use a different tunnel network, you mean create another OpenVPN server instance or something else? I am trying to avoid creating another server instance (will be the 7th OpenVPN server on this virtual pfSense install) since OpenVPN is not multi-threaded and I am trying to save cost on vCPUs in the cloud.

                If there is a way to create a second tunnel network for a single OpenVPN server instance, I would love to know how...

                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Oct 22, 2018, 6:06 PM

                  When you create your client override you can call out a different tunnel network.
