OpenVPN client specific override IP is assigned to other users

  • Hi,
    I'm on the 2.0 RC3 version (June 20). I have an OpenVPN setup which works great. The tunneling network is
    I've setup a client specific override for one user in order to assign him a static IP and restrict his access via firewall rules.
    The network I assigned is, that's why the IP he should get is

    Now the problem is that this particular user connects once every few months, meanwhile other users get his IP.
    When I first saw this problem I restarted the OpenVPN server (I haven't done so after creating the override) and the problem seemed to be solved, but today I saw this exact problem with another user which got this IP.

    How do I solve this?


  • See the attach. See the catch?
    Use IPcalc.

    EDIT: ah, my bad. I missed that You have assigned
    Maybe just set another instance of OpenVPN for him?

    EDIT: ok now I understand what do You mean.
    For first free IP is, I guest this will be server IP. So for users should be range from to But somehow another person gets random

  • @TooMeeK:

    See the attach. See the catch?
    Use IPcalc.

    Not sure, what you try to tell us…

    I don't think there is any possibility to configure that in pfsense. The static IPs should be at the end of your tunnel network because pfsense starts to share the IPs from the IP pool starting from the lowest one.
    Then you should think about to increase your tunnel network - using an subnetmask of /24. The network should as big as many clients could connect to your openvpn server.

  • @TooMeek:
    in OpenVPN it goes in /30 networks for each connected user.


    The static IPs should be at the end of your tunnel network because pfsense starts to share the IPs from the IP pool starting from the lowest one.

    that's the thing - I guess it doesn't, because while the user who got the problematic IP was connected, I dialed in too and got a much "lower" IP. It seems to be completely random. I just thought that "client override" will actually reserve it somehow.

    Is increasing the network and hoping it won't collide - the only option? If so, can I just do it on the server or do I have to re-export the clients as well?

  • It is enough to do that on the server site.

    An other possibility could be to us "ipp.txt". Not sure how to configure that - google that.
    Or you have to gave all clients static IPs. How many clients do you have to maintain ? Your tunnel network is really small.

    Or you have to start another OpenVPN server for this client.

    I never thought about this problem in the past but I would be really interested in a "good" solution, too.

  • I actually have about 10-20 OpenVPN users, but they never connect simultaneously. So 8 possible concurrent connections is more than enough for me. Of course, it wouldn't hurt to increase the number, but it seems that even then I'll be dependent on luck (although with better chances).

    A separate server for this is a no-brainer, but it seems a bit weird, doesn't it?
    So is giving static IPs to everyone. Shouldn't it be a bit more natural? (no insult of the devs intended).

  • Rebel Alliance Developer Netgate

    That's just the way that OpenVPN works, not much (anything?) we can do about that.

    If you want to limit the connections, use a larger tunnel subnet and just set the connection limit in the GUI using the "Concurrent connections" field.

    Then you can assign the higher portions of the subnet without wondering if the connecting users would ever overlap the static assignments.

  • I wonder why the IP, which is a second highest /30 subnet is assigned to a user when 6 lower /30 networks are available (no one else was connected at the time).
    Even if I change the network to /24, how will the IP be chosen? How can I guarantee it won't collide?
    I realise that there isn't anything you can do about the way this works, but I believe you have a better understanding of the whole thing and can guide me in the right direction.

  • Rebel Alliance Developer Netgate

    It normally starts assigning from the bottom up, I can't say I've seen it start in the middle as long as I've been using it.

    Anything unusual about the common names on these certificates that might cause one of them to match the other's settings?

    OpenVPN will usually log things pretty well, you can also turn up the verbosity of the logs by putting something like "verb 5;" or "verb 9;" in the custom options on the server.

  • No, nothing unusual about the names, really.
    I'll try the logs thing. Gonna be in 3 days though.
    Thanks a lot!

  • Perhaps there is a kind of "lease time" in OpenVPN IP assignment !? Just a suggestion.

Log in to reply