Netgate Discussion Forum
Limit DHCP IP range for OpenVPN clients (GUI Only)

OpenVPN

    gwright_sov, Nov 28, 2018, 2:43 PM (last edited Nov 28, 2018, 2:44 PM)

    Hi guys, we are trying to set up OpenVPN in pfSense and it's working well. We only have access to the GUI interface and we're running into a problem. We are assigning client-specific IPs using the username/common name, but we don't see any way to stop clients who aren't in client-specific overrides from getting an IP we've already assigned. For example:

    Our IPv4 Tunnel Network is set to 192.168.20.0/24. We statically assign IPs using ifconfig-push, so the first 10 (.2 to .11) are taken and we built firewall rules accordingly. However, when a client connects and they aren't set up in client-specific overrides, DHCP just gives them 192.168.20.2, since it's the first IP that's not taken.

    We tried using the ifconfig-pool setting in Advanced Config Custom Options but it says that ifconfig-pool is already defined.

    So, is there any way to tell OpenVPN DHCP to not assign IPs that we're already assigning statically? Remembering we ONLY have GUI access.

    Thanks!

      jimp (Rebel Alliance Developer, Netgate), Nov 28, 2018, 3:06 PM

      Put the statics at the END of the tunnel network range, not the beginning. Problem solves itself.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        gwright_sov, replying to jimp, Nov 28, 2018, 3:09 PM

        Well, I mean that would work, but does DHCP automatically assign the lowest unused IP, or does it just increment and then start over? So if Joe gets .20.2, Bob gets .20.3, etc., then Joe disconnects and Steve logs in, does Steve get .20.2 or .20.4? Seems like a security lottery vs. actual certainty of who gets what IP :)

          Babiz, Nov 28, 2018, 3:10 PM

          Uh, I'd look at the Netgate docs: https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html
          The OVPN server configuration does not mention any DHCP server setting.

          Are you following this guide? If you set up a client-server VPN, isn't the remote client IP managed by the DHCP server of the pfSense interface you set as "Local Network"?

            gwright_sov, replying to Babiz, Nov 28, 2018, 3:20 PM

            @babiz there is no mention of DHCP on the OpenVPN setup page, but you have to set the Tunnel Network, which is the network that clients get assigned from (in our example, .1 is the VPN gateway). If you don't assign static IPs using client-specific settings, users get an IP from the Tunnel Network range, so it IS using DHCP (and in fact, if you look at the OpenVPN logs when saving the config, you can see it set that range).

              Babiz, replying to gwright_sov, Nov 28, 2018, 4:39 PM

              @gwright_sov ouch, so I'm not an OVPN expert; well, doesn't the advice from @jimp fit your need?
              I just looked at the OVPN server configuration and I see stuff like this:
              (screenshot of the OpenVPN server configuration page, not preserved)

              Did you try putting each remote host on its own small subnet for the tunnel? Would that be useful for you?
              I mean setting the virtual network to a /30 and allowing only one connected client per server process. Not right for you?

                Pippin, Nov 28, 2018, 5:28 PM (last edited Nov 28, 2018, 7:23 PM)

                You can possibly add

                ifconfig-pool 192.168.20.16 192.168.20.253

                which gives out addresses from .16 to .253 and leaves room for 14 fixed-IP clients, .2 to .15.

                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                Halton Arp

                  gwright_sov, replying to Pippin, Nov 28, 2018, 6:08 PM

                  @pippin thanks, yeah, we tried that before, but you can't set it in the GUI; it just says it's already set.

                    Pippin, Nov 28, 2018, 9:25 PM

                    Ok, shame on me, I should have read the OP better.
                    But that's odd...

                    I created a RA TLS User Auth server and can add ifconfig-pool just fine.

                    dev ovpns1
                    verb 4
                    dev-type tun
                    dev-node /dev/tun1
                    writepid /var/run/openvpn_server1.pid
                    #user nobody
                    #group nobody
                    script-security 3
                    daemon
                    keepalive 10 60
                    ping-timer-rem
                    persist-tun
                    persist-key
                    proto udp4
                    cipher AES-256-CBC
                    auth SHA512
                    up /usr/local/sbin/ovpn-linkup
                    down /usr/local/sbin/ovpn-linkdown
                    client-connect /usr/local/sbin/openvpn.attributes.sh
                    client-disconnect /usr/local/sbin/openvpn.attributes.sh
                    learn-address "/usr/local/sbin/openvpn.learn-address.sh home.lan"
                    local 192.168.42.137
                    tls-server
                    server 192.168.20.0 255.255.255.0
                    client-config-dir /var/etc/openvpn-csc/server1
                    username-as-common-name
                    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= true server1 1194
                    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server1' 1"
                    lport 1194
                    management /var/etc/openvpn/server1.sock unix
                    ca /var/etc/openvpn/server1.ca
                    cert /var/etc/openvpn/server1.cert
                    key /var/etc/openvpn/server1.key
                    dh /etc/dh-parameters.2048
                    tls-crypt /var/etc/openvpn/server1.tls-crypt
                    ncp-ciphers AES-256-GCM
                    compress
                    push "compress "
                    persist-remote-ip
                    float
                    topology subnet
                    fast-io
                    ifconfig-pool 192.168.20.16 192.168.20.253

                    Can you run

                    ls /var/etc/openvpn

                    and

                    cat /var/etc/openvpn/server.conf

                    replacing server.conf with yours?
                    Command Prompt is in the Diagnostics menu.
                    Just wondering if the ifconfig-pool line is in there...

                      Pippin, Nov 29, 2018, 12:20 AM (last edited Nov 29, 2018, 12:23 AM)

                      Hm, forget the above, I did not check the logs; you were right.

                      But,
                      adding

                      server 192.168.20.0 255.255.255.0 'nopool';ifconfig-pool 192.168.20.16 192.168.20.253

                      to the Custom options does it.
                      Although there are now two server directives in the config, the last one is being used, confirmed by the log at verb 4.

                      Just for info:
                      server address is .1
                      DHCP server is .254
                      broadcast is .255
                      Those are not usable for clients.

                      @jimp
                      Can we have a checkbox to set the 'nopool' option for the --server network netmask ['nopool'] directive and when ticked expands with a field to define the DHCP pool?

                      Thanks.

                        yurtesen, Sep 29, 2020, 6:55 PM
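As an added example (not code from the thread, pfSense or OpenVPN), a small Python helper that reproduces the split Pippin describes: reserve the low addresses for ifconfig-push clients, build the 'nopool' Custom options line, find the ifconfig-pool line in a dumped server.conf, and flag static assignments that the dynamic pool could also hand to an unlisted client, which is exactly the overlap the OP hit. The unusable addresses (.1, .254, .255) follow the post above; the tunnel network, the static list and the assumed stock pool range (.2 to .253) are constructed sample values.

```python
import ipaddress
import re

def reserved_addresses(net):
    """Addresses the thread lists as unusable for clients in a subnet-topology
    tunnel: the server (.1), the pool-side end (.254) and broadcast (.255)."""
    hosts = list(net.hosts())
    return {hosts[0], hosts[-1], net.broadcast_address}

def plan_pool(net, static_count):
    """Reserve the first static_count client addresses (.2 upward) for
    ifconfig-push; return (statics, (pool_start, pool_end), custom_line),
    where custom_line is the Custom options entry from the thread."""
    client_hosts = list(net.hosts())[1:-1]       # .2 .. .253 for a /24
    if static_count >= len(client_hosts):
        raise ValueError("no room left for a dynamic pool")
    statics = client_hosts[:static_count]
    pool = (client_hosts[static_count], client_hosts[-1])
    custom_line = (f"server {net.network_address} {net.netmask} 'nopool';"
                   f"ifconfig-pool {pool[0]} {pool[1]}")
    return statics, pool, custom_line

def pool_from_conf(conf_text):
    """Return the ifconfig-pool range found in a generated server.conf, or
    None if the line is absent (the check Pippin asks the OP to run)."""
    m = re.search(r"^\s*ifconfig-pool\s+(\S+)\s+(\S+)", conf_text, re.M)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def conflicting_statics(static_map, pool, net):
    """Map each common name whose ifconfig-push address is unusable, or could
    also be handed to an unlisted client by the pool, to the reason; firewall
    rules keyed on such an address no longer identify one user."""
    lo, hi = pool
    problems = {}
    for cn, addr in static_map.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net or ip in reserved_addresses(net):
            problems[cn] = "unusable address"
        elif lo <= ip <= hi:
            problems[cn] = "inside dynamic pool"
    return problems

# Constructed sample: the OP's /24 with ten static clients, and an assumed
# stock pool covering the whole client range (.2 to .253), which overlaps them.
TUNNEL = ipaddress.ip_network("192.168.20.0/24")
STATICS = {f"user{i}": f"192.168.20.{i + 2}" for i in range(10)}
DEFAULT_POOL = (ipaddress.ip_address("192.168.20.2"),
                ipaddress.ip_address("192.168.20.253"))
```

Running conflicting_statics(STATICS, DEFAULT_POOL, TUNNEL) flags every static as "inside dynamic pool", while the pool from plan_pool(TUNNEL, 10) (.12 to .253) yields no conflicts.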

                        @Pippin said in Limit DHCP IP range for OpenVPN clients (GUI Only):

                        @jimp

                        I came to this topic searching for a solution to the OpenVPN pool problem. Are there any solutions to this problem already? I think the suggestion of @Pippin makes sense.

                          Gwizzle, replying to yurtesen, Jun 10, 2021, 10:11 AM

                          @yurtesen This actually solved the exact same problem I had.

                            yurtesen, replying to Gwizzle, Oct 4, 2021, 6:40 PM

                            @gwizzle What solved the problem? There is still no checkbox for nopool?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.