    OpenVPN - Static IP addresses

    12 Posts 3 Posters 3.9k Views
jaredadams

My buddy and I are setting up site2site VPN with our pfsenses. My concern is DHCP. We don't want any chance of our own PCs in our location picking up DHCP info (mainly gateway) from the other's server. The chance of it happening at all will be pretty slim, but I need to make 100% sure it doesn't happen at all.

      Blocking DHCP altogether and getting the client pfsense to connect using a static IP address is probably the best route.

      Can this be done using the Advanced Options in the client config in the web admin?

      THANKS!

jaredadams

        It should go without mentioning since I'm concerned about DHCP, but just to be clear, this is a tap/bridging config.  I NEED broadcasts to pass over the vpn.

jimp (Rebel Alliance Developer, Netgate)

          You might be able to just add a block for udp/67-68 on the OpenVPN interface firewall rules on each end to block DHCP from going over the tunnel.

          Bridging for site-to-site is rather ugly though, and usually avoidable.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

jaredadams

If I do that… will it block the initial DHCP request that the far side router will send? I had thought about blocking those ports altogether, but wanted to make sure that initial request wasn't blocked.

            Thanks for the reply.

jimp (Rebel Alliance Developer, Netgate)

              If you block both udp 67 and 68 it will catch any DHCP. Even though it's broadcast it's still sent from/to those ports.

jaredadams

Right, so when the client side router attempts to get an IP address from my DHCP server when it first connects, it will get blocked. Which is why I was hoping for a static.

                Can this be achieved in the client config?

jimp (Rebel Alliance Developer, Netgate)

                  Well if each router has DHCP setup on its own LAN, it will get DHCP from its own LAN.

                  There isn't anything to setup on the "client" in OpenVPN to control this.

                  You can set OpenVPN to supply a subset of DHCP addresses on its own (see the notes in the GUI with the tap fix patch applied) with server-bridge but if you have two separate networks each with DHCP you just want to block DHCP on the VPN and let the LAN interfaces handle it, just make sure each of you is using unique pools inside the same subnet.

jaredadams

The thing that had me worried about that scenario was the slight chance one of us picks up a DHCP lease from the other. It's not so much the pool that I'm worried about. That's easy enough to configure. What I was worried about is the other one picking up gateway information from the DHCP. That's the troublesome part. Then our internet is actually routed through the other person's router and sent back out through the VPN. Gaming, streaming video, watching YouTube… we'd run into a big bottleneck.

What if I forget about an incoming rule and set up a rule that blocks outgoing DHCP? We do this on both ends and no DHCP junk goes over the VPN.

                    Source would be LAN Subnet
Destination would be OpenVPN Tap Subnet.
                    Ports would be 67/68.

Would it work best to set this rule on the LAN interface or the OpenVPN interface?

                    This sound better?

jimp (Rebel Alliance Developer, Netgate)

No, source * dst *, udp 67 to 68. Don't bother putting a source or destination. Block it on the OpenVPN interface, not on LAN.

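Why "source any, destination any, UDP 67 to 68" on the OpenVPN interface catches everything while the LAN-subnet-to-tap-subnet rule proposed above does not: the DHCPv4 DISCOVER and REQUEST broadcasts come from 0.0.0.0 and go to 255.255.255.255, so no source or destination network will ever match them, but as jimp notes they still carry UDP ports 68 and 67 like every other DHCP message. The model below is an added example written for this thread, not code from the forum or from pfSense; the addresses are constructed, `ovpns1` is an assumed pfSense OpenVPN server interface name, and the "rule" is a simplified stand-in for how pf evaluates a block rule on an interface (protocol, optional source/destination network, inclusive destination port range).

```python
"""
Which firewall rule on the OpenVPN (tap) interface catches every DHCPv4 message?

Added example for this thread, not pfSense code. It runs a constructed DHCP
exchange through two candidate rules: the "source any, destination any,
UDP 67 to 68" rule suggested in the thread, and a rule scoped to the bridged
LAN subnet in both directions (the tap is bridged into the LAN, so the
"OpenVPN tap subnet" is the same /24).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str
    src_net: Optional[str]   # None means "any", as in the pfSense GUI
    dst_net: Optional[str]   # None means "any"
    dport_lo: int            # inclusive destination port range
    dport_hi: int

    def to_pf(self, iface: str) -> str:
        """Render the rule as a pf 'block' line on the given interface."""
        src = self.src_net or "any"
        dst = self.dst_net or "any"
        return (f"block quick on {iface} inet proto {self.proto} "
                f"from {src} to {dst} port {self.dport_lo}:{self.dport_hi}")


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet would be caught by the rule."""
    if pkt.proto != rule.proto:
        return False
    if rule.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.dst_net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_net):
        return False
    return rule.dport_lo <= pkt.dport <= rule.dport_hi


def leaked(rule: Rule, packets: List[Packet]) -> List[str]:
    """Names of the packets the rule does NOT catch (i.e. would cross the tunnel)."""
    return [p.name for p in packets if not matches(rule, p)]


# Constructed sample traffic (assumed addresses, not from the thread).
# DHCPv4 always uses UDP 68 on the client side and UDP 67 on the server side;
# the DISCOVER/REQUEST broadcasts come from 0.0.0.0 and go to 255.255.255.255.
SERVER, CLIENT = "192.168.10.1", "192.168.10.50"
DHCP_EXCHANGE = [
    Packet("DISCOVER (client broadcast)", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    Packet("OFFER (server broadcast)", "udp", SERVER, 67, "255.255.255.255", 68),
    Packet("OFFER (server unicast)", "udp", SERVER, 67, CLIENT, 68),
    Packet("REQUEST (client broadcast)", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    Packet("ACK (server unicast)", "udp", SERVER, 67, CLIENT, 68),
    Packet("REQUEST (renew, client unicast)", "udp", CLIENT, 68, SERVER, 67),
]
# A non-DHCP packet that must keep flowing over the bridge.
DNS_QUERY = Packet("DNS query", "udp", CLIENT, 51234, SERVER, 53)

# Rule from the thread: source *, destination *, UDP destination ports 67 to 68.
ANY_ANY_RULE = Rule("udp", None, None, 67, 68)
# The earlier proposal, scoped to the bridged LAN /24 on both sides.
LAN_TO_LAN_RULE = Rule("udp", "192.168.10.0/24", "192.168.10.0/24", 67, 68)


if __name__ == "__main__":
    for rule in (ANY_ANY_RULE, LAN_TO_LAN_RULE):
        print(rule.to_pf("ovpns1"))  # ovpns1: assumed OpenVPN server interface name
        print("  leaks:", leaked(rule, DHCP_EXCHANGE) or "none")
        print("  blocks DNS:", matches(rule, DNS_QUERY))
```

Running it shows the scoped rule lets every broadcast through (DISCOVER, broadcast OFFER, REQUEST), which is exactly the traffic the thread is worried about, while the any/any rule catches all six DHCP messages and leaves ordinary UDP such as DNS alone. To confirm the rule is doing its job on a live box, watch the OpenVPN interface with `tcpdump -ni ovpns1 'udp port 67 or udp port 68'` while a host on the far side renews its lease; nothing should show up. Note that this covers IPv4 only: DHCPv6 uses UDP 546/547 and would need its own rule if IPv6 runs across the bridge.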
marvosa

                        Why are you going with bridged vs. routed?

jaredadams

                          One word.  Broadcasts.

marvosa

                            Yes, I get that, you want broadcasts to traverse the VPN, but what's your end game?  What are you trying to set up that you think won't (or doesn't) work with a routed solution?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.