Netgate Discussion Forum

    OpenVPN and static IP for ALL clients

    • noplan

      @ThePieMonster said in OpenVPN and static IP for ALL clients:

      Switching this info around in the client override solved the issue for me.

      So please mark this posting as SOLVED!

      • ThePieMonster @noplan

        @noplan I would but I'm not OP. :)

        • stephenw10 Netgate Administrator

          There seems to be some misinformation in this thread.

          You do not need to add the custom push line in a Client Specific Override. Adding the tunnel network as an IP address already does exactly that.

          You often do need to restart the OpenVPN server to read in the CSOs: https://redmine.pfsense.org/issues/10337
          That should probably be marked a feature though, nothing has changed there.

          Steve

          • noplan @stephenw10

            @stephenw10 said in OpenVPN and static IP for ALL clients:

            You do not need to add the custom push line in a Client Specific Override

            As I mentioned earlier,
            the reason why I added it and am still doing it:

            there are clients out there in the wild where the CSO is not working without
            the custom push added.

            Thanks for pointing me to issue 10337.

            brNP
            #staysafe

            • viktor_g Netgate @ThePieMonster

              @ThePieMonster said in OpenVPN and static IP for ALL clients:

              @noplan @viktor_g

              I also found out today that the common name is not the CN name of the cert (that can be whatever you like), but the username of the domain user. Switching this info around in the client override solved the issue for me.

              TLDR: CN = Domain Username, not Certificate name.

              You can change this behavior on 2.5 branch,
              or by applying patch https://redmine.pfsense.org/issues/8289 on 2.4.4/2.4.5

              • stephenw10 Netgate Administrator

                I would suggest those clients must have a typo or similar, because adding the custom line does exactly the same thing.
                For example, I created a CSO for a user with a cert CN of test and added only this:

                [Screenshot: Selection_821.png]

                If I check what that actually creates:

                [2.4.5-RELEASE][admin@google.stevew.lan]/root: cat /var/etc/openvpn-csc/server2/test
                ifconfig-push 10.10.10.5 255.255.255.240
                

                If I now add the custom line in addition:

                [Screenshot: Selection_822.png]

                I now get:

                [2.4.5-RELEASE][admin@google.stevew.lan]/root: cat /var/etc/openvpn-csc/server2/test
                ifconfig-push 10.10.10.5 255.255.255.240
                ifconfig-push 10.10.10.5 255.255.255.240
                

                Clearly both those lines are not required! 😉

                Steve

                  • noplan

                  @stephenw10

                  Tested it with some older Android clients right now:
                  without the ifconfig-push, not working on device;
                  added the lines, working.
                  Maybe / pretty sure it is the client, not the config on the server.
