Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN and static IP for ALL clients

    Scheduled Pinned Locked Moved OpenVPN
    27 Posts 7 Posters 12.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      vjfromgt
      last edited by

      I have seen documentation on how to assign a static ip per vpn configuration but I need all my clients to have static ips, whatever IP the get the first time they connect should be the ip they always get.

      Is there a setting for this?
      Is there a setting for the config to always assign an available ip when creating a new client account?

      Thanks

      1 Reply Last reply Reply Quote 1
      • RicoR
        Rico LAYER 8 Rebel Alliance
        last edited by

        VPN > OpenVPN > Client Specific Overrides
        Make sure the Common Name matches the User Cert exactly. Define the User static IP in IPv4 Tunnel Network.
        Say your tunnel network is 10.30.8.0/24 and you want this User to have 10.30.8.11 fill in 10.30.8.11/24

        -Rico

        1 Reply Last reply Reply Quote 1
        • V
          vjfromgt
          last edited by

          Thanks for your reply
          This must be done per account
          I am looking for a way for this to be done with every single account in some automated method

          1 Reply Last reply Reply Quote 0
          • RicoR
            Rico LAYER 8 Rebel Alliance
            last edited by

            Not that I'm aware of.
            I always do this right after creation of the new User and Client Export. So this cost me like 5 more seconds, no big deal.
            Why do you need static IPs anyway if you don't care about the actual IP the User gets? I need them because of a different Firewall Ruleset per User, so .11 and .12 could be a huge difference here in what the User can access or not. ☺

            -Rico

            1 Reply Last reply Reply Quote 0
            • V
              vjfromgt
              last edited by

              I use the endpoint to send data to them
              I need to configure where to send data to.

              How does numbering work ? Every VPN need 3 ips?

              1 Reply Last reply Reply Quote 0
              • PippinP
                Pippin
                last edited by

                Tunnel subnet size - 4 = nr. of clients
                /24 - 4 = 252 clients
                /25 - 4 = 124 clients
                etc.

                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                Halton Arp

                1 Reply Last reply Reply Quote 0
                • T
                  ThePieMonster
                  last edited by

                  @Rico
                  I just tried this myself and was not able to get the client to have a static IP.

                  The server tunnel network is 10.1.200.0/24.
                  The client has its own cert.
                  That certs common name is entered in the Common Name field in the client override section.
                  Also the IPv4 Tunnel Network is 10.1.200.100/24 for the client override.

                  Client just ends up getting the next available address from DHCP still...

                  1 Reply Last reply Reply Quote 0
                  • noplanN
                    noplan
                    last edited by noplan

                    hi there
                    client specific override the way it works.

                    1. IPv4 Tunnel Network ip that client shall receive eg 1.2.3.4/24
                    2. in Advanced fill in: ifconfig-push 1.2.3.4 255.255.255.0;
                    3. Server List select a / the server

                    3)Common Name & Description must be exactly the same as used when u created the user
                    i personally do a copy n paste in user management for username full name and the cert for the user

                    4)restart openVPN server EDIT: (not nescenecessary)

                    1. export your credentials .... done

                    what i learned that sometimes at the first connect of the client with client spec override
                    the assigned IP will not be assigned. DIsconnect the client, restart the openVPN service and it works, disconnecting and connecting after 5 minutes also works.

                    if there are any improvements, or things to do better feel free to comment

                    brNP

                    T 1 Reply Last reply Reply Quote 0
                    • RicoR
                      Rico LAYER 8 Rebel Alliance
                      last edited by

                      Restarting the OpenVPN server because of adding some CSO? That would be a massive pain and I never had to do that.
                      I also nerver had to fill Advanced / ifconfig-push...

                      -Rico

                      1 Reply Last reply Reply Quote 0
                      • noplanN
                        noplan
                        last edited by

                        ok restartin is a true pain in the .. .
                        and it is workin without restarting. (true)

                        without Advanced / ifconfig-push... not workin here
                        to true for all devices on some it does on some it does not
                        with Advanced / ifconfig-push... workin like a charm and no problems

                        out of the blue any side effect / disadvantages cuz of usin ifconfig-push ?

                        brNP

                        1 Reply Last reply Reply Quote 0
                        • V
                          vjfromgt
                          last edited by

                          On my linux box, I have a script which creates client accounts and sets ips
                          can something like this be done?

                          1 Reply Last reply Reply Quote 0
                          • T
                            ThePieMonster @noplan
                            last edited by

                            @noplan said in OpenVPN and static IP for ALL clients:

                            ifconfig-push 1.2.3.4 255.255.255.0;

                            What is wrong with the below setup?
                            The domain username is not TEST (it is DOMAIN\USERNAME, actually I don't even enter the DOMAIN\ part when authenticating with the OpenVPN prompt), but that shouldn't matter correct? It's just based off the CN name?

                            alt text
                            alt text

                            1 Reply Last reply Reply Quote 0
                            • noplanN
                              noplan
                              last edited by noplan

                              i use this here (and remember i use exact copy n paste) in:
                              b3fe2653-81b9-4020-b8ff-2096bb15a01f-grafik.png

                              32be2a08-56ba-49b8-b45a-dae112fbe841-grafik.png

                              88abe489-c330-432d-b0c9-dcc03db99575-grafik.png

                              7207580c-cfa6-4e1d-b055-cba87ac31ff1-grafik.png

                              and still in User Management:
                              u have to klick Crate a user certificate

                              1886a7ef-0c9f-40d0-afa4-e2164e65c2c2-grafik.png

                              4e49475d-bdf0-4b1f-8eef-2e9ed19c9a64-grafik.png

                              and in client spec overrides :
                              47af0467-1e18-4d2a-880b-ee9964c352f3-grafik.png

                              2a2bcc29-5922-46ed-b017-8104cd0b7f60-grafik.png

                              and it works ...
                              read my other comments in this post why i use Advanced / ifconfig-push...

                              (edit 10/04/20 more screenshots as requested)

                              brNp

                              1 Reply Last reply Reply Quote 0
                              • T
                                ThePieMonster
                                last edited by

                                @noplan said in OpenVPN and static IP for ALL clients:

                                i use this here (and remember i use exact copy n paste) in:

                                32be2a08-56ba-49b8-b45a-dae112fbe841-grafik.png

                                88abe489-c330-432d-b0c9-dcc03db99575-grafik.png

                                7207580c-cfa6-4e1d-b055-cba87ac31ff1-grafik.png

                                and in:

                                4e49475d-bdf0-4b1f-8eef-2e9ed19c9a64-grafik.png

                                and in client spec overrides :

                                2a2bcc29-5922-46ed-b017-8104cd0b7f60-grafik.png

                                and it works ...
                                read my other comments in this post why i use Advanced / ifconfig-push...

                                brNp

                                Can you take larger screenshots to see more of the page? I'm not sure where this username field would be...

                                noplanN 1 Reply Last reply Reply Quote 0
                                • noplanN
                                  noplan @ThePieMonster
                                  last edited by

                                  @ThePieMonster

                                  done added more screenshots

                                  T 1 Reply Last reply Reply Quote 0
                                  • T
                                    ThePieMonster @noplan
                                    last edited by ThePieMonster

                                    @noplan said in OpenVPN and static IP for ALL clients:

                                    @ThePieMonster

                                    done added more screenshots

                                    So my users are domain users. How would using the User Manager certificate work?

                                    This link shows that using User Certificates is not part of the process.
                                    https://fastinetserver.wordpress.com/2013/03/09/pfsense-openvpn-static-ip-for-clients/

                                    Pictures for location reference

                                    User Manager User Certificate
                                    9d3b7c69-b57b-4d27-aa3d-b466f4309c1e-image.png

                                    Certificate Manager Certificate
                                    de92502c-92b0-4cce-ad85-5af8ed041501-image.png

                                    1 Reply Last reply Reply Quote 0
                                    • noplanN
                                      noplan
                                      last edited by

                                      hey @ThePieMonster

                                      dont get me wrong ...
                                      add a user / click to add a user certificate
                                      and follow the instructions here in that post. and test it if it works for you then go to the next step.
                                      (all of the information you need is provided here)

                                      as far as i m concerned the link --> klick you provided is a) from 2013 and b) mentions as u can see in the screenshot
                                      that User Certificates is part of the process.

                                      28b5366a-093c-40f4-81d1-1ae015b9b058-grafik.png

                                      possibly the next step my be
                                      check how to import the DOMAIN User Cert to pfS ore use the domainUserDB as Backend in pfS
                                      and test the whole loop again, let me mention that it would be pretty sweet when you keep us all informed how it works / or even not. But this is not part of this topic i think, cuz static IP for VPN-clients is pretty much solved here.

                                      br nP

                                      1 Reply Last reply Reply Quote 0
                                      • viktor_gV
                                        viktor_g Netgate
                                        last edited by

                                        If you need per-client firewall rules, a more efficient way is to use Cisco-AVPair RADIUS ACLs:
                                        https://docs.netgate.com/pfsense/en/latest/book/openvpn/controlling-client-parameters-via-radius.html

                                        noplanN 1 Reply Last reply Reply Quote 0
                                        • noplanN
                                          noplan @viktor_g
                                          last edited by

                                          @viktor_g

                                          oh yeah i like that, but lack of useCase :(

                                          i think @ThePieMonster needs a static IP for his vpn-clients
                                          but a static Ip only helps when rules are set ;) so whats NEXT !

                                          1 Reply Last reply Reply Quote 0
                                          • T
                                            ThePieMonster
                                            last edited by

                                            @noplan @viktor_g

                                            As I mentioned the user cert is from the the Certificate Manager / Certificates section of pfSense, not from the User Manager section. There are two locations where a user certificate can be created.

                                            I also found out today, that the common name, is not the CN name of the cert, that can be whatever you like, but the username of the domain user. Switching this info around in the client override solved the issue for me.

                                            TLDR: CN = Domain Username, not Certificate name.

                                            viktor_gV 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.