IP Reservations for OpenVPN Clients.
muellinger last edited by
we just switched from an old IPCop box to pfSense 2.0.3. Everything works but thers one ToDo open:
i want / Need to assign fixed IPs to my OpenVPN Clients. So they get the same IP on every Connection.
How can i get this done?
In the IPCop box with it's OpenVPN AddOn (called Zerina) i had a drop down filed to select the IP for the Client.
doktornotor Banned last edited by
Use ifconfig-push in client specific overrides?
kejianshi last edited by
I've never thrown something that wasn't exported from pfsense directly into the client config.
However, might be some useful lines here to try.
It would be a good thing to know if worked or not…
muellinger last edited by
thanks four your help! According with your info and a Little more Research i now
understand how OpenVPN assigns the IPs from the given Tunnel pool.
I divided my Tunnel IP-Space (192.168.209.0/24) in severral /30 subnets.
beginning with 192.168.209.4/30 ; 192.168.209.8/30 etc.
That's the exact way OpenVPN assigns tunnel subnets to the clients Clients.
Then i used these subnets in the Client Specific Overrides as Tunnel-Network.
This seems to work.
Thanks again for your help.
mtisza last edited by
So I have a follow on question to this topic. I have the same type of configuration where the tunnel IPs on the pfsense OVPN server side is 192.168.254.0/24. Then for each of my 3 "power users" I assign a client specific override, which gives them a static IP of 192.168.254.x/30, where x is 4, 8, and 12.
Then I take those statip IPs and allow them to access more/all of the internal network, whereas others coming in without client specific override would not get 4, 8, or 12 and would then have only limited access (also setup via FW rules). I've tested all this and it seems to work well. I'm about to go live with these pfsense units.
So now the question. Assume no clients from the client specific override section are currently connected, and then a user (non-override type) connects to the VPN, what IP will they be assigned? I'm hoping the answer is that pfsense will definitely know that 4, 8 and 12 are "reserved" for the overrides and MUST not be used.
Is this the case? If yes then phew, all is good, don't bother reading below.
If not then this scenario is not secure since I could potentially have a normal user get one of the 4, 8, 12 IPs. The only way I see to keep this scheme and prevent this issue, is to assign EVERY user an overridden static IP. Which is a potential nightmare if you have a lot of users. In my case I have 3 "power users" and >20 normal users. That would not be easy to maintain.
Thanks for any help.
broncoBrad last edited by
Can someone confirm the question posed by mtisza:
Assume no clients from the client specific override section are currently connected, and then a user (non-override type) connects to the VPN, what IP will they be assigned? I'm hoping the answer is that pfsense will definitely know that 4, 8 and 12 are "reserved" for the overrides and MUST not be used.
Is that how pfSense behaves?