Limit DHCP IP range for OpenVPN clients (GUI Only)
Hi guys, we are trying to set up OpenVPN in pfSense and it's working well. We only have access to the GUI interface and we're running into a problem. We are assigning client-specific IPs using the username/common name but we don't see any way to stop clients who aren't in client-specific from getting an IP we've already assigned. For example :
Our IPV4 Tunnel Network is set to 192.168.20.0/24. We statically assign IPs using ifconfig-push, so the first 10 (2-11) are taken and we built firewall rules accordingly. However when a client connects and they aren't set up in client-specific, DHCP is just giving them 192.168.20.2 since it's the first IP that's not taken.
We tried using the ifconfig-pool setting in Advanced Config Custom Options but it says that ifconfig-pool is already defined.
So, is there any way to tell OpenVPN DHCP to not assign IPs that we're already assigning statically? Remembering we ONLY have GUI access.
Put the statics at the END of the tunnel network range, not the beginning. Problem solves itself.
Well I mean that would work, but does DHCP automatically assign the lowest unused IP or does it just increment then start over? So if Joe gets 20.2, Bob gets 20.3 etc then Joe disconnects and Steve logs in, does Steve get 20.2 or 20.4? Seems like a security lottery vs actual certainty of who gets what IP :)
Babiz last edited by
Uh, I'd look at Netgate docs https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html
Ovpn Server configuration, not mention any dhcp server setting.
Are you follow this guide? If you set client-server vpn the remote client ip isn't managed by dhcp server of pfsense interface you set to "Local Network"?
@babiz there is no mention of DHCP on the OpenVPN setup page, but you have to set the Tunnel Network which is the network that Clients get assigned (in our example, .1 is the VPN gateway). If you don't assign static IPs using client-specific settings, Users get an IP from the Tunnel Network range so it IS using DHCP (and in fact, if you look at the OpenVPN logs when saving the config you can see it set that range).
Babiz last edited by
Did you try to rely remote host on a small subnet each one for tunnel, will be useful for you?
I mean to set virtual network on /30 and allow only one connected client for server process. Not right for you?
Pippin last edited by Pippin
You can possibly add
ifconfig-pool 192.168.20.16 192.168.20.253
which gives out addresses from .16 to .253 and has room for 14 fixed IP clients, .2 to .15.
@pippin thanks yeah, we tried that before but you can't set it in the GUI, it just says it's already set.
Pippin last edited by
Ok, shame on me, I should have read the OP better.
But that's odd...
I created a RA TLS User Auth server and can add ifconfig-pool just fine.
dev ovpns1 verb 4 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp4 cipher AES-256-CBC auth SHA512 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown client-connect /usr/local/sbin/openvpn.attributes.sh client-disconnect /usr/local/sbin/openvpn.attributes.sh learn-address "/usr/local/sbin/openvpn.learn-address.sh home.lan" local 192.168.42.137 tls-server server 192.168.20.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc/server1 username-as-common-name plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= true server1 1194 tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server1' 1" lport 1194 management /var/etc/openvpn/server1.sock unix ca /var/etc/openvpn/server1.ca cert /var/etc/openvpn/server1.cert key /var/etc/openvpn/server1.key dh /etc/dh-parameters.2048 tls-crypt /var/etc/openvpn/server1.tls-crypt ncp-ciphers AES-256-GCM compress push "compress " persist-remote-ip float topology subnet fast-io ifconfig-pool 192.168.20.16 192.168.20.253
replacing server.conf with yours?
Command Prompt is in Diagnostics menu.
Just wondering if ifconfig-pool line is in there...
Pippin last edited by Pippin
Hm, forget the above, did not check the logs, you were right.
server 192.168.20.0 255.255.255.0 'nopool';ifconfig-pool 192.168.20.16 192.168.20.253
to the Custom options does it.
Although now there are two server directives in the config, the last one is being used, confirmed by the log @verb4.
Just for info:
server address is .1
DHCP server is .254
broadcast is .255
Those are not usable for clients.
Can we have a checkbox to set the 'nopool' option for the --server network netmask ['nopool'] directive and when ticked expands with a field to define the DHCP pool?
I came to this topic searching for solution to the OpenVPN pool problem. Is there any solutions to this problem already? I think the suggestion of @Pippin makes sense.
@yurtesen This actually solved the exact same problem I had