OpenVPN server static IP
-
I would like to set a static IP of the OpenVPN server and select the range of IP for the client. I've looked everywhere and don't see where I can set those settings. Can anyone help? Using pfSense V. 2.4.4-RELEASE-p2.
-
The server gets the first IP of the tunnel network; the remaining IPs are the range for clients.
-Rico
-
I see that but my goal is to be on the same subnet as the lan side. Is there a way?
-
@yummy909 said in OpenVPN server static IP:
I see that but my goal is to be on the same subnet as the lan side. Is there a way?
Set up a TAP VPN, instead of TUN.
-
I'll give that a try. I'll keep you posted.
-
You should stay in standard tun mode, only switch to tap if you really need to.
-Rico
-
So I tried the TAP mode and now it works great on my laptop. My phone is another issue. The OpenVPN iOS app will not accept TAP mode. TUN mode only. So I made two OpenVPN servers. One TUN for my phone and TAP for my laptop. Was really hoping to get both on TAP mode. So all in all, a success! Thanks for the help! Just a side note. I seem to be bottlenecked with downloading or uploading. Bounces around 2 to 5 MB/s. I am on a gigabit network and my pfSense router CPU barely cracks 2% load. Any way to speed up the VPN?
-
Try with these options
fast-io
sndbuf 524288
rcvbuf 524288
-Rico
-
To the server or the client config file?
-
Both sides.
-Rico
-
Thanks for the tip but no improvement. I would have to run it again without the mod but I think it might have gotten worse.
-
Well, going to try something. I'll report back later.
-
Maybe you need to play around a bit with those parameters.
Check https://forum.netgate.com/topic/115495/openvpn-fast-io-and-sndbuf-rcvbuf-options-in-the-gui and https://redmine.pfsense.org/issues/7507
-Rico
-
@rico said in OpenVPN server static IP:
You should stay in standard tun mode, only switch to tap if you really need to.
-Rico
He said "I see that but my goal is to be on the same subnet as the lan side. Is there a way?". The only way that's going to happen is with TAP. Tun requires a separate subnet.
Here's some info on what he wants to do:
-
I know what he asked and what a bridge is.
99% of people asking for this do not really need to carry layer 2 over VPN and just want to have the same subnet for some kind of cosmetic reason.
For most scenarios, covering layer 3 is just fine; in OpenVPN it is widely supported, more stable, and has less overhead.
If you really need to transfer layer 2 stuff... sure, go for tap mode, but you need to live with the downsides then.
-Rico
-
Wanted to give an update. TAP VPN has been working great! Everything works and the speed issue was my connection where I was. Thank you for everyone's help!! pfSense is awesome!!
-
By the way... What is the con of doing TAP vs TUN VPN?
-
TAP benefits:
- behaves like a real network adapter (except it is a virtual network adapter)
- can transport any network protocols (IPv4, IPv6, Netalk, IPX, etc, etc)
- Works in layer 2, meaning Ethernet frames are passed over the VPN tunnel
- Can be used in bridges
TAP drawbacks:
- causes much more broadcast overhead on the VPN tunnel
- adds the overhead of Ethernet headers on all packets transported over the VPN tunnel
- scales poorly
- can not be used with Android or iOS devices
TUN benefits:
- A lower traffic overhead, transports only traffic which is destined for the VPN client
- Transports only layer 3 IP packets
TUN drawbacks:
- Broadcast traffic is not normally transported
- Can only transport IPv4 (OpenVPN 2.3 adds IPv6)
- Cannot be used in bridges
-Rico
-
Awesome write-up! Do you know or have you heard when the iOS app will possibly be updated to work on TAP? I have some programs I have written, but being on TUN VPN breaks certain features.
-
"The iOS VPN API supports only tun-style tunnels at the moment. This is a limitation of the iOS platform. If you try to connect a profile that uses a tap-based tunnel, you will get an error that only layer 3 tunnels are currently supported."
(https://openvpn.net/faq/why-doesnt-the-app-support-tap-style-tunnels/)
-Rico