Netgate Discussion Forum
    OpenVPN clients sometimes receive a DHCP address instead of the address assigned by FreeRADIUS

      itnl

      We are using pfSense 25.11.1 with 400+ OpenVPN clients connecting to it.
      Occasionally, OpenVPN clients receive a DHCP-assigned IP address instead of the static address assigned via FreeRADIUS.

      When we manually disconnect an affected client via the OpenVPN status page, the client reconnects immediately and receives the correct IP address.

      The DHCP addresses appear to be random. For example, this morning we observed eight clients simultaneously connected with a DHCP-assigned address.

      Disconnecting these eight clients immediately resulted in all of them reconnecting with the correct IP address.
      As a troubleshooting step, we have already increased “Maximum Requests Tracked” to 4096.

        Gertjan @itnl

        @itnl

        Questions create questions ;)

        These DHCP leases came from which DHCP server ?
        pfSense ?

        Extra info : if pfSense, ISC ? Kea ?

        No "help me" PM's please. Use the forum, the community will thank you.

          itnl

          No, if it is a dynamic address (/22 IPv4 tunnel network), it is assigned by OpenVPN. The static IP address the client should receive is configured per user in FreeRADIUS.

            Gertjan @itnl

            @itnl

            I know .... that is how it should work.

            But you said :

            @itnl said in OpenVPN clients sometimes receive a DHCP address instead of the address assigned by FreeRADIUS:

            Occasionally, OpenVPN clients receive a DHCP-assigned IP address instead of the static address assigned via FreeRADIUS.

            You saw that the OpenVPN client received a DHCP-assigned IP or lease (that includes an IP, a gateway, a DNS, a network, and a duration and some more stuff).

            So, my question isn't about how it should work, I get that.
            I - and you, I'm sure - want to know where the lease came from, if it isn't the OpenVPN server (with the help of FreeRadius).
            The IP received didn't start with 169.xxxx (one six nine), right ?

              itnl @Gertjan

              @Gertjan Sorry for the confusion. The clients receive a dynamic IP address from the OpenVPN server configuration, as mentioned in my earlier message, so not specifically via the DHCP server.
              On average, we have around 300 clients connected, and we have the impression that this issue occurs more frequently since more clients are connected or at least it has become more noticeable.
              A disconnect and reconnect resolves the issue immediately. It almost seems to occur when multiple clients establish a connection at roughly the same time.

                Gertjan @itnl

                @itnl

                Read / check with another thread, 'somewhat' related : https://forum.netgate.com/topic/199750/duplicate-ip-address?_=1775641633796.

                I wasn't even aware (before) that the OpenVPN could assign a specific (openvpn tunnel !) IP to a client. I always thought it was some random IP in the tunnel range, for me 192.168.3.x/24 where 192.168.3.1 is used by the OpenVPN server.
                I knew that the OpenVPN does somewhat what a DHCP server does : it assigns an individual tunnel IP to every connected OpenVPN client.
                I never used this myself, but it's also possible that you use FreeRadius where you define the connection details of every OpenVPN client, and probably also the IP used for every client.

                These :

                @itnl said in OpenVPN clients sometimes receive a DHCP address instead of the address assigned by FreeRADIUS:

                Disconnecting these eight clients immediately

                where did they get their IP from, if it wasn't the OpenVPN server ?
                What is your RFC1918 (!) tunnel network ?
                What was the IP these 8 received ?

                edit : your VPN tunnel network is bigger than a basic /24 I presume, as you have more than 250+ vpn clients.

                  itnl

                  Thank you for the tip. I will test the options as soon as this is possible during the maintenance window.

                    itnl

                    As an additional note: it concerns a /22 subnet. The clients all received sequential IP addresses from this subnet, rather than the address defined in the FreeRADIUS configuration.

                      Gertjan @itnl

                      @itnl said in OpenVPN clients sometimes receive a DHCP address instead of the address assigned by FreeRADIUS:

                      The clients all received sequential IP addresses from this subnet, rather than the address defined in the FreeRADIUS configuration

                      I leave it up to the pfSense VPN server to allocate IPs to the connected clients.
                      As (see above) my openVPN tunnel is 192.168.3.1/24, my OpenVPN clients receive IPs like 192.168.3.2, 192.168.3.3 etc.
                      So for me, this is what happens :

                      The clients all received sequential IP addresses from this subnet

                      Or, in your case, when an openvpn client connects, the OpenVPN server (pfSense) 'asks' Freeradius for an "Ok" , and if "Ok'ed", the OpenVPN should also get an IP for this client, the IP you've assigned to that client in the FreeRadius database.
                      Btw : do you use FreeRadius with SQL, or do you use the 'flat file' solution ?
                      I presume you use the pfSense FreeRadius package and not some other Radius server.

                      So, the subject :

                      OpenVPN clients sometimes receive a DHCP address instead of the address assigned by FreeRADIUS

                      you mean that it was the pfSense OpenVPN server that generated and handed over an IP to the client, or it should have received one from Freeradius when the access is granted ?
                      ( so there is no "DHCP server" in play here )
                      Right ?

                      The nasty part : 😠
                      You have to have a look at the communication between the OpenVPN server and the (Free)radius server, and typically at the moment when things go wrong.

                      radsniff exists on pfSense.

                      Like :

                      [26.03-RELEASE][root@pfSense.bhf.tld]/root: radsniff
                      Defaulting to capture on all interfaces
                      
                      Message from syslogd ...
                      2026-04-08 15:09:40.365804 (1) Access-Request Id 161 lo0:192.168.2.1:15869 -> 192.168.2.1:1812 +0.000
                      2026-04-08 15:09:40.630006 (2) Access-Accept Id 161 lo0:192.168.2.1:15869 <- 192.168.2.1:1812 +0.264 +0.264
                      2026-04-08 15:09:40.660714 (3) Accounting-Request Id 159 lo0:192.168.2.1:30882 -> 192.168.2.1:1813 +0.294
                      2026-04-08 15:09:40.663643 (4) Accounting-Response Id 159 lo0:192.168.2.1:30882 <- 192.168.2.1:1813 +0.297 +0.002
                      

                      Try

                      radsniff -x
                      

                      From here on, you have to find the moment a 'client' connects, and check why the IP from freeradius wasn't used / present / whatever, which forces (?) the OpenVPN server to create an IP for that client.

                      Sorry for being a bit vague. I normally test things before I write about it, but I'm not using OpenVPN with FreeRadius.

                        itnl

                        We use the XML / file-based version of the official package, so no external RADIUS is used.
                        The difficulty is that it’s not really reproducible, and therefore occurs at random.

                          Gertjan @itnl

                          @itnl

                          Open a console or better : SSH.
                          Option 8.

                          radsniff -x > /root/radsniff.log &
                          

                          From now on, the sniff output goes to the log file.
                          Be careful : don't leave home now : check 'often' this file as it will grow and can become huge.
                          As soon as someone has 'the issue' you can ask : when did you connect ?.
                          Then, kill the process, open the log file, locate the moment, and see what happened, as stuff was logged with details.

                          Btw : this is a "how I would handle this" to get more details.

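Added example (not part of the thread, and not code from pfSense or FreeRADIUS): a Python pass over a `radsniff -x` log like the one captured above that pairs each Access-Accept with its Access-Request and lists the accepts that carry no Framed-IP-Address. The header-line format is the one quoted in the thread; the indented `Name = value` attribute lines and the `SAMPLE` capture (user names, 10.99.0.x address) are constructed assumptions.

```python
import re

# Packet header as in the radsniff output quoted in the thread.
HEADER = re.compile(
    r"^\s*(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \(\d+\) "
    r"(?P<code>[\w-]+) Id (?P<id>\d+) \S+?:(?P<client>[\d.]+:\d+) (?:->|<-) "
)
# Assumed attribute line format: leading whitespace, then Name = value.
ATTR = re.compile(r"^\s+(?P<name>[\w-]+) = (?P<value>.*)$")

# Constructed sample capture (users and the 10.99.0.10 address are made up).
SAMPLE = """\
2026-04-08 15:09:40.365804 (1) Access-Request Id 161 lo0:192.168.2.1:15869 -> 192.168.2.1:1812 +0.000
\tUser-Name = "alice"
2026-04-08 15:09:40.630006 (2) Access-Accept Id 161 lo0:192.168.2.1:15869 <- 192.168.2.1:1812 +0.264 +0.264
\tFramed-IP-Address = 10.99.0.10
2026-04-08 15:10:02.101000 (3) Access-Request Id 162 lo0:192.168.2.1:15870 -> 192.168.2.1:1812 +21.735
\tUser-Name = "bob"
2026-04-08 15:10:02.120000 (4) Access-Accept Id 162 lo0:192.168.2.1:15870 <- 192.168.2.1:1812 +21.754 +0.019
\tReply-Message = "ok"
"""

def parse_packets(text):
    """Split radsniff output into packets: header fields plus an attribute dict."""
    packets = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            packets.append({"ts": h["ts"], "code": h["code"],
                            "key": (h["id"], h["client"]), "attrs": {}})
        elif packets:
            a = ATTR.match(line)  # non-matching lines (e.g. syslogd notices) are skipped
            if a:
                packets[-1]["attrs"][a["name"]] = a["value"].strip('"')
    return packets

def accepts_without_address(packets):
    """Return (timestamp, user) for each Access-Accept lacking Framed-IP-Address."""
    pending, missing = {}, []  # pending: (Id, client ip:port) -> User-Name
    for p in packets:
        if p["code"] == "Access-Request":
            pending[p["key"]] = p["attrs"].get("User-Name", "?")
        elif p["code"] == "Access-Accept":
            user = pending.pop(p["key"], "?")
            if "Framed-IP-Address" not in p["attrs"]:
                missing.append((p["ts"], user))
    return missing

print(accepts_without_address(parse_packets(SAMPLE)))
```

To use it on the capture from the post above, pass the contents of `/root/radsniff.log` to `parse_packets` instead of `SAMPLE`.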
                            itnl

                            This morning, "server 192.168.1.0 255.255.252.0 nopool" was added to the custom options. So far, the results are positive. We are monitoring with Zabbix to see whether a dynamic address comes online.

                              Gertjan @itnl

                              @itnl said in OpenVPN clients sometimes receive a DHCP address instead of the address assigned by FreeRADIUS:

                              server 192.168.1.0 255.255.252.0 nopool" was added to the custom options

                              The OpenVPN server settings ?

                              192.168.1.0/22 is your OpenVPN tunnel network ?
                              A voice in my head says : pick any RFC1918, but not that one for a VPN .... ;)

                                itnl

                                In reality I’m using a different subnet, but this is only for the example on the forum ;)

                                  itnl

                                  After the adjustment, it has been working well for some time now, and the issue appears to be resolved.

                                  Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.