OpenVPN - Static IP addresses

  • My buddy and I are setting up site2site VPN with our pfsenses.  My concern is DHCP.  We dont want any chance of our own PC's in our location picking up DHCP info (mainly gateway) from the others' server.  the chance of it happening at all will be pretty slim but I need to make 100% sure it doesnt happen at all.

    Blocking DHCP altogether and getting the client pfsense to connect using a static IP address is probably the best route.

    Can this be done using the Advanced Options in the client config in the web admin?


  • It should go without mentioning since I'm concerned about DHCP, but just to be clear, this is a tap/bridging config.  I NEED broadcasts to pass over the vpn.

  • Rebel Alliance Developer Netgate

    You might be able to just add a block for udp/67-68 on the OpenVPN interface firewall rules on each end to block DHCP from going over the tunnel.

    Bridging for site-to-site is rather ugly though, and usually avoidable.

  • If I do that… will it block the initial dhcp request that the far side router will send?  I had thought about blocking those ports altogether, but wanted to make sure that initial request wasnt blocked.

    Thanks for the reply.

  • Rebel Alliance Developer Netgate

    If you block both udp 67 and 68 it will catch any DHCP. Even though it's broadcast it's still sent from/to those ports.

  • Right, so when the client side router attempts to get an ip address from my dhcp server when it first connects it will get blocked.  Which is why I was hoping for a static.

    Can this be achieved in the client config?

  • Rebel Alliance Developer Netgate

    Well if each router has DHCP setup on its own LAN, it will get DHCP from its own LAN.

    There isn't anything to setup on the "client" in OpenVPN to control this.

    You can set OpenVPN to supply a subset of DHCP addresses on its own (see the notes in the GUI with the tap fix patch applied) with server-bridge but if you have two separate networks each with DHCP you just want to block DHCP on the VPN and let the LAN interfaces handle it, just make sure each of you is using unique pools inside the same subnet.

  • The thing that had me worried about that scenario was the slight chance one of us picks up a DHCP lease form the other.  Its not so much the pool that I'm worried about.  Thats easy enough to configure.  What I was worried about is the other one picking up gateway information from the dhcp.  thats the troublesome part.  Then our internet is actually routed through the other persons router and sent back out through the VPN.  Gaming, streaming video, watching youtube…  we'd run into a big bottleneck.

    What if i forget about an incoming rule and set up a rule that blocks outgoing DHCP.  We do this on both ends and no dhcp junk goes over the vpn.

    Source would be LAN Subnet
    Desitnation would be OpenVPN Tap Subnet.
    Ports would be 67/68.

    Would it work best to set this rule on the LAN interface of the OpenVPN interface.

    This sound better?

  • Rebel Alliance Developer Netgate

    no, source * dst *, udp 67 to 68. Don't bother putting a source or destination. Block it on the OpenVPN interface, not on LAN.

  • Why are you going with bridged vs. routed?

  • One word.  Broadcasts.

  • Yes, I get that, you want broadcasts to traverse the VPN, but what's your end game?  What are you trying to set up that you think won't (or doesn't) work with a routed solution?

Log in to reply