pfSense server, OVPN client … ifconfig autoconfig?



  • I am doing some testing of an extremely simple OVPN setup, essentially using all the pfSense 2.02-Release default settings, and the OVPN Portable 1.8.2 for Windows:

    http://sourceforge.net/projects/ovpnp/

    At the moment I am just trying to hack it into operation, without fully understanding all the options. This works from my home computer, and here's the config:

    pfSense, OpenVPN: Server

    Server mode: Peer to Peer (Shared key)
    Protocol: UDP
    Device mode: tun
    Interface: WAN
    Local port: 1194

    Shared key: (Generated by pfSense)
    Encryption algorithm: AES-128-CBC (128-bit)
    Hardware Crypto: No acceleration

    Tunnel network: 192.168.103.0/24
    Local network:  10.0.0.0/16
    Remote network: (blank)

    Concurrent connections: 16

    The OVPN config is a text file named .\data\config\client.ovpn

    ; Enable verbose logging
    verb 3

    ; Remote site to VPN into
    remote 123.123.123.123
    dev tun
    proto udp
    nobind

    ; No idea what this is for. OVPN wants it in client mode
    ifconfig 192.168.103.2 192.168.103.1

    ; static.key is a text file containing the generated key from pfSense
    secret static.key

    ; pfSense 2.0's default key cipher is not the default for Open VPN Portable, so must specify it
    cipher AES-128-CBC

    ; The above will get you connected, but nothing will work without a route to the remote network.
    ; This copypasta does the magic:
    route-method exe
    route-delay 2
    redirect-gateway def1

    I do not understand why the OVPN client DEMANDS I use the ifconfig option in the client configuration. During startup it reads the configuration info for ifconfig from the server by itself anyway, and will proceed to whine at me, if the ifconfig settings don't match the server settings.

    Um, if the OVPN client is reading the settings from the server, why not just use whatever the server is telling you rather than requiring me to hardcode it in the config?

    However, there does not appear to be an "ifconfig auto" option.

    My concern here is that I don't want to be hardcoding client addresses into the configuration. The eventual goal is to create a universal installer that I can hand our staff, and say "Install this on your home computer for remote desktop access".

    I do not want to have to be creating individual installers with separate custom ifconfig settings for each client, to keep people from accidentally using the same remote address, and then nothing works due to overlapping remote addresses.

    Is there some sort of "DHCP autoconfig" for the client ifconfig address?


  • Rebel Alliance Developer Netgate

    You're using shared key mode with tun, which requires that you set an IP with ifconfig.

    If you use a server mode (ssl/tls) then it can automatically supply an IP to clients.
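
What the reply describes, as an added example that is not part of the original thread: the client.ovpn from the question rewritten for an SSL/TLS server mode, where the tunnel address is pulled from the server instead of being set with ifconfig. The file names ca.crt, client.crt and client.key are assumptions, and the pfSense server is assumed to have been switched to an SSL/TLS server mode with the same tunnel network.

```conf
; Added example, not from the thread.
; Assumed: the server runs in an SSL/TLS server mode, tunnel network 192.168.103.0/24.

; --- Before (static-key client from the question) ---
; secret static.key
; ifconfig 192.168.103.2 192.168.103.1
; One shared key for every peer, and the tunnel address is fixed in the file.

; --- After (TLS client) ---
; "client" is shorthand for "pull" plus "tls-client": the client accepts
; options pushed by the server, including its tunnel address.
client

; Unchanged from the question
verb 3
remote 123.123.123.123
dev tun
proto udp
nobind
cipher AES-128-CBC

; Certificate material replaces static.key (file names are assumptions)
ca ca.crt
cert client.crt
key client.key

; Refuse a peer whose certificate is not marked for server use
remote-cert-tls server

; No ifconfig line here: the address is assigned by the server.

; Routing lines carried over unchanged from the question
route-method exe
route-delay 2
redirect-gateway def1
```

With this layout the .ovpn file contains no per-client address, so the same file can go into every installer. Each user can be given their own certificate and key, whereas static.key in the original setup is a single secret present in every copy.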

