IP Reservations for OpenVPN Clients.



  • Hi,
    we just switched from an old IPCop box to pfSense 2.0.3. Everything works but there's one ToDo open:

    I want / need to assign fixed IPs to my OpenVPN clients, so they get the same IP on every connection.
    How can I get this done?

    In the IPCop box with its OpenVPN AddOn (called Zerina) I had a drop-down field to select the IP for the client.

    Thanks!

    Carsten


  • Banned

    Use ifconfig-push in client specific overrides?



  • I've never thrown something that wasn't exported from pfsense directly into the client config.

    However, might be some useful lines here to try.

    http://john.de-graaff.net/wiki/doku.php/links/openvpn

    It would be a good thing to know if it worked or not…



  • Hi,
    Thanks for your help! According to your info and a little more research I now
    understand how OpenVPN assigns the IPs from the given tunnel pool.

    I divided my tunnel IP space (192.168.209.0/24) into several /30 subnets,
    beginning with 192.168.209.4/30 ; 192.168.209.8/30 etc.

    That's the exact way OpenVPN assigns tunnel subnets to the clients.
    Then I used these subnets in the Client Specific Overrides as Tunnel-Network.

    This seems to work.

    Thanks again for your help.

    best regards
    Carsten



  • So I have a follow on question to this topic.  I have the same type of configuration where the tunnel IPs on the pfsense OVPN server side is 192.168.254.0/24.  Then for each of my 3 "power users" I assign a client specific override, which gives them a static IP of 192.168.254.x/30, where x is 4, 8, and 12.

    Then I take those static IPs and allow them to access more/all of the internal network, whereas others coming in without client specific override would not get 4, 8, or 12 and would then have only limited access (also set up via FW rules).  I've tested all this and it seems to work well.  I'm about to go live with these pfsense units.

    So now the question.  Assume no clients from the client specific override section are currently connected, and then a user (non-override type) connects to the VPN, what IP will they be assigned?  I'm hoping the answer is that pfsense will definitely know that 4, 8 and 12 are "reserved" for the overrides and MUST not be used.

    Is this the case?  If yes then phew, all is good, don't bother reading below.

    If not then this scenario is not secure since I could potentially have a normal user get one of the 4, 8, 12 IPs.  The only way I see to keep this scheme and prevent this issue, is to assign EVERY user an overridden static IP.  Which is a potential nightmare if you have a lot of users.  In my case I have 3 "power users" and >20 normal users.  That would not be easy to maintain.

    Thanks for any help.



  • Can someone confirm the question posed by mtisza:

    Assume no clients from the client specific override section are currently connected, and then a user (non-override type) connects to the VPN, what IP will they be assigned?  I'm hoping the answer is that pfsense will definitely know that 4, 8 and 12 are "reserved" for the overrides and MUST not be used.

    Is that how pfSense behaves?

    Thanks!
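
An added example, not part of any post in this thread: a Python audit of the /30 override blocks discussed above, for setups where firewall rules trust those source addresses. It reports any override block that falls inside the range other clients draw from instead of assuming the server reserves it; the function name, the `dynamic_range` input and the sample values (built from the addresses quoted in the thread) are assumptions.

```python
import ipaddress

def audit_overrides(tunnel, overrides, dynamic_range=None):
    """Return findings for /30 override blocks in a net30 tunnel network.

    tunnel: CIDR string; overrides: {client_name: "a.b.c.d/30"};
    dynamic_range: optional (first_ip, last_ip) that other clients draw from.
    """
    net = ipaddress.ip_network(tunnel)
    server_block = next(net.subnets(new_prefix=30))  # first /30 holds the server endpoints
    lo_hi = tuple(map(ipaddress.ip_address, dynamic_range)) if dynamic_range else None
    findings, seen = [], {}
    for name, cidr in sorted(overrides.items()):
        try:
            block = ipaddress.ip_network(cidr)  # strict mode rejects host bits
        except ValueError:
            findings.append(f"{name}: {cidr} is malformed or not on a block boundary")
            continue
        if block.version != net.version or block.prefixlen != 30 or not block.subnet_of(net):
            findings.append(f"{name}: {cidr} is not a /30 inside {net}")
            continue
        if block == server_block:
            findings.append(f"{name}: {cidr} collides with the server's own block")
        if block in seen:
            findings.append(f"{name}: {cidr} is already assigned to {seen[block]}")
        seen.setdefault(block, name)
        # Any address of the block inside the dynamic range means the privileged
        # firewall rule depends on the server never handing that address out.
        if lo_hi and any(lo_hi[0] <= ip <= lo_hi[1] for ip in block):
            findings.append(f"{name}: {cidr} overlaps the dynamic range")
    return findings

# Constructed sample using the addresses quoted in the thread.
TUNNEL = "192.168.254.0/24"
POWER_USERS = {"power1": "192.168.254.4/30", "power2": "192.168.254.8/30",
               "power3": "192.168.254.12/30"}

if __name__ == "__main__":
    # Two hypothetical dynamic ranges: one covering the overrides, one starting after them.
    for rng in (("192.168.254.4", "192.168.254.254"),
                ("192.168.254.16", "192.168.254.254")):
        print(rng, audit_overrides(TUNNEL, POWER_USERS, rng) or "clean")
```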

