Defining OpenVPN TUN Address Pool in pfSense



  • Is it possible to define the OpenVPN address pool in pfSense? Adding the directive "ifconfig-pool 10.10.22.100 10.10.22.254 255.255.255.0" to the "Custom Options" area in the OpenVPN server advanced configuration area causes the server not to start and an error to be thrown likely because pfSense creates the server instance using the "server" helper directive in the config file and that conflicts with the "ifconfig-pool" directive.



  • Anybody?



  • Isn't the address range set in the IPv4 Tunnel Network, on the Server's tab? Mine's set to 172.16.255.0/24. I also have a /64 configured for IPv6.


  • Rebel Alliance Global Moderator

    Yes you set the tunnel right there in the gui.. The wizard even fills it in for you I believe - which you can set to something different when you run it, or after in the gui..

    0_1540022372697_tunnelsettings.png



  • That sets the VPN tunnel network, not specifically the pool. I'm assuming the pool is generated automatically from the subnet setting in use but that does not give a lot of flexibility for static clients.

    For example, I want to use an entire /24 for my VPN network. I want 10.10.22.2 - 99 be static clients. Then 10.10.22.100 - 254 to be dynamic clients. I do not want OpenVPN to attempt to automatically assign a client an IP from the 10.10.22.2 - 10.10.22.99 range. This can be accomplished by using the ifconfig-pool directive, however OpenVPN in pfSense will not allow this because of how the server directive is used.

    See this link:
    https://serverfault.com/questions/910241/how-to-prevent-clients-from-getting-static-ips-set-by-client-specific-overrides


  • Rebel Alliance Global Moderator

    You can also just use a different tunnel network for your clients assigning statics for ;) Much easier cleaner solution ;)



  • When you say use a different tunnel network, you mean create another OpenVPN server instance or something else? I am trying to avoid creating another server instance (will be the 7th OpenVPN server on this virtual pfSense install) since OpenVPN is not multi-threaded and I am trying to save cost on vCPUs in the cloud.

    If there is a way to create a second tunnel network for a single OpenVPN server instance, I would love to know how...


  • Rebel Alliance Global Moderator

    When you create your client override you can call out different tunnel network.