Limit DHCP IP range for OpenVPN clients (GUI Only)



  • Hi guys, we are trying to set up OpenVPN in pfSense and it's working well. We only have access to the GUI interface and we're running into a problem. We are assigning client-specific IPs using the username/common name but we don't see any way to stop clients who aren't in client-specific from getting an IP we've already assigned. For example:

    Our IPv4 Tunnel Network is set to 192.168.20.0/24. We statically assign IPs using ifconfig-push, so the first 10 (2-11) are taken and we built firewall rules accordingly. However, when a client connects and they aren't set up in client-specific, DHCP is just giving them 192.168.20.2 since it's the first IP that's not taken.

    We tried using the ifconfig-pool setting in Advanced Config Custom Options but it says that ifconfig-pool is already defined.

    So, is there any way to tell OpenVPN DHCP to not assign IPs that we're already assigning statically? Remembering we ONLY have GUI access.

    Thanks!


  • Rebel Alliance Developer Netgate

    Put the statics at the END of the tunnel network range, not the beginning. Problem solves itself.



  • Well I mean that would work, but does DHCP automatically assign the lowest unused IP or does it just increment then start over? So if Joe gets 20.2, Bob gets 20.3 etc then Joe disconnects and Steve logs in, does Steve get 20.2 or 20.4? Seems like a security lottery vs actual certainty of who gets what IP :)



  • Uh, I'd look at the Netgate docs: https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html
    The OpenVPN server configuration there doesn't mention any DHCP server setting.

    Are you following this guide? If you set up a client-server VPN, isn't the remote client IP managed by the DHCP server of the pfSense interface you set as "Local Network"?



  • @babiz there is no mention of DHCP on the OpenVPN setup page, but you have to set the Tunnel Network which is the network that Clients get assigned (in our example, .1 is the VPN gateway). If you don't assign static IPs using client-specific settings, Users get an IP from the Tunnel Network range so it IS using DHCP (and in fact, if you look at the OpenVPN logs when saving the config you can see it set that range).



  • @gwright_sov ouch, so I'm not an OpenVPN expert; well, doesn't the advice from @jimp fit your need?
    I just looked at the OpenVPN server configuration and I see stuff like this:

    Did you try putting each remote host on its own small subnet for the tunnel? Would that be useful for you?
    I mean setting the virtual network to a /30 and allowing only one connected client per server process. Not right for you?



  • You can possibly add

    ifconfig-pool 192.168.20.16 192.168.20.253
    

    which gives out addresses from .16 to .253 and has room for 14 fixed IP clients, .2 to .15.



  • @pippin thanks yeah, we tried that before but you can't set it in the GUI, it just says it's already set.



  • Ok, shame on me, I should have read the OP better.
    But that's odd...

    I created a RA TLS User Auth server and can add ifconfig-pool just fine.

    dev ovpns1
    verb 4
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    learn-address "/usr/local/sbin/openvpn.learn-address.sh home.lan"
    local 192.168.42.137
    tls-server
    server 192.168.20.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= true server1 1194
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server1' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.2048
    tls-crypt /var/etc/openvpn/server1.tls-crypt 
    ncp-ciphers AES-256-GCM
    compress 
    push "compress "
    persist-remote-ip
    float
    topology subnet
    fast-io
    ifconfig-pool 192.168.20.16 192.168.20.253
    

    Can you

    ls /var/etc/openvpn
    

    and

    cat /var/etc/openvpn/server.conf
    

    replacing server.conf with yours?
    Command Prompt is in Diagnostics menu.
    Just wondering if ifconfig-pool line is in there...



  • Hm, forget the above, did not check the logs, you were right.

    But,
    adding

    server 192.168.20.0 255.255.255.0 'nopool';ifconfig-pool 192.168.20.16 192.168.20.253
    

    to the Custom options does it.
    Although now there are two server directives in the config, the last one is being used, confirmed by the log at verb 4.

    Just for info:
    server address is .1
    DHCP server is .254
    broadcast is .255
    Those are not usable for clients.

    @jimp
    Can we have a checkbox to set the 'nopool' option for the --server network netmask ['nopool'] directive which, when ticked, expands with a field to define the DHCP pool?

    Thanks.
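A check for the setup this thread arrives at, added here as an example that is not from the thread, from pfSense or from OpenVPN: it reads the generated server config together with the `server ... 'nopool'` plus `ifconfig-pool` override from the Custom options, reproduces the "ifconfig-pool already defined" condition the OP hit, and flags any client-specific `ifconfig-push` address that the dynamic pool (or the reserved .1/.254/.255) would also hand to an unlisted client. The config text and client-specific files are constructed samples; the `.2` to `.253` default pool mirrors the reserved addresses pippin lists above.

```python
import ipaddress
# Constructed sample: pfSense's generated `server` line plus the thread's custom-option override.
SERVER_CONF = """\
topology subnet
server 192.168.20.0 255.255.255.0
server 192.168.20.0 255.255.255.0 'nopool'
ifconfig-pool 192.168.20.16 192.168.20.253
"""
# Constructed client-specific overrides (one file per common name); Steve's sits inside the pool.
CSC_FILES = {
    "joe": "ifconfig-push 192.168.20.2 255.255.255.0",
    "bob": "ifconfig-push 192.168.20.3 255.255.255.0",
    "steve": "ifconfig-push 192.168.20.20 255.255.255.0",
}

def parse_server(conf):
    """Return (tunnel network, (pool_start, pool_end)); the last `server` line wins."""
    net, pool, nopool = None, None, False
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "server":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
            nopool = "nopool" in [p.strip("'\"") for p in parts[3:]]  # quotes as in the thread
        elif parts[0] == "ifconfig-pool":
            pool = (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]))
    if not nopool:
        if pool is not None:  # the "ifconfig-pool already defined" error the OP hit
            raise ValueError("ifconfig-pool already defined by the server directive")
        pool = (net.network_address + 2, net.broadcast_address - 2)  # default pool: .2 to .253
    return net, pool

def check_statics(conf, csc_files):
    """Flag ifconfig-push addresses a dynamic client could also get, or that are unusable."""
    net, (lo, hi) = parse_server(conf)
    # .1 is the server, .254 the virtual DHCP server, .255 broadcast (per the thread)
    reserved = {net.network_address + 1, net.broadcast_address - 1, net.broadcast_address}
    findings = []
    for cn, text in csc_files.items():
        for line in text.splitlines():
            parts = line.split()
            if len(parts) < 2 or parts[0] != "ifconfig-push":
                continue
            ip = ipaddress.ip_address(parts[1])
            if ip in reserved:
                findings.append((cn, str(ip), "reserved address"))
            elif lo <= ip <= hi:
                findings.append((cn, str(ip), "inside dynamic pool"))
    return findings
```

Running `check_statics(SERVER_CONF, CSC_FILES)` reports only Steve; run it against the unmodified pfSense config (a single `server` line) and all three statics are reported as colliding with the default pool, which is exactly the OP's problem.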