Netgate Discussion Forum

    IP Reservations for OpenVPN Clients.

    • muellinger

      Hi,
      we just switched from an old IPCop box to pfSense 2.0.3. Everything works, but there's one to-do open:

      I want / need to assign fixed IPs to my OpenVPN clients, so they get the same IP on every connection.
      How can I get this done?

      In the IPCop box with its OpenVPN add-on (called Zerina) I had a drop-down field to select the IP for the client.

      Thanks!

      Carsten

      • doktornotor Banned

        Use ifconfig-push in client specific overrides?

        • kejianshi

          I've never thrown something that wasn't exported from pfsense directly into the client config.

          However, might be some useful lines here to try.

          http://john.de-graaff.net/wiki/doku.php/links/openvpn

          It would be a good thing to know if it worked or not…

          • muellinger

            Hi,
            thanks for your help! According to your info and a little more research, I now
            understand how OpenVPN assigns the IPs from the given tunnel pool.

            I divided my tunnel IP space (192.168.209.0/24) into several /30 subnets,
            beginning with 192.168.209.4/30; 192.168.209.8/30 etc.

            That's the exact way OpenVPN assigns tunnel subnets to the clients.
            Then I used these subnets in the Client Specific Overrides as Tunnel-Network.

            This seems to work.

            Thanks again for your help.

            best regards
            Carsten

            • mtisza

              So I have a follow-on question to this topic.  I have the same type of configuration where the tunnel IPs on the pfsense OVPN server side is 192.168.254.0/24.  Then for each of my 3 "power users" I assign a client specific override, which gives them a static IP of 192.168.254.x/30, where x is 4, 8, and 12.

              Then I take those static IPs and allow them to access more/all of the internal network, whereas others coming in without client specific override would not get 4, 8, or 12 and would then have only limited access (also set up via FW rules).  I've tested all this and it seems to work well.  I'm about to go live with these pfsense units.

              So now the question.  Assume no clients from the client specific override section are currently connected, and then a user (non-override type) connects to the VPN, what IP will they be assigned?  I'm hoping the answer is that pfsense will definitely know that 4, 8 and 12 are "reserved" for the overrides and MUST not be used.

              Is this the case?  If yes then phew, all is good, don't bother reading below.

              If not then this scenario is not secure since I could potentially have a normal user get one of the 4, 8, 12 IPs.  The only way I see to keep this scheme and prevent this issue, is to assign EVERY user an overridden static IP.  Which is a potential nightmare if you have a lot of users.  In my case I have 3 "power users" and >20 normal users.  That would not be easy to maintain.

              Thanks for any help.

              • broncoBrad

                Can someone confirm the question posed by mtisza:

                Assume no clients from the client specific override section are currently connected, and then a user (non-override type) connects to the VPN, what IP will they be assigned?  I'm hoping the answer is that pfsense will definitely know that 4, 8 and 12 are "reserved" for the overrides and MUST not be used.

                Is that how pfSense behaves?

                Thanks!

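An added example, not part of any post in this thread and not pfSense or OpenVPN code: one way to check the concern raised above is to audit the OpenVPN server status output and flag any client that holds an address inside a reserved /30 block without being the client that block was assigned to. It assumes the default OpenVPN status file layout; the status lines, the common names and the `RESERVED` mapping are constructed for illustration, with the blocks taken from the 192.168.254.x/30 scheme described in the thread.

```python
import ipaddress

TUNNEL = ipaddress.ip_network("192.168.254.0/24")
# Reserved /30 blocks -> common name allowed to hold them (names are hypothetical).
RESERVED = {
    "192.168.254.4/30": "power-alice",
    "192.168.254.8/30": "power-bob",
    "192.168.254.12/30": "power-carol",
}

# Constructed sample of an OpenVPN status file (default layout).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Jan  1 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
power-alice,198.51.100.10:51000,1200,3400,Mon Jan  1 09:00:00 2024
user-dave,198.51.100.20:51001,800,900,Mon Jan  1 09:30:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.254.6,power-alice,198.51.100.10:51000,Mon Jan  1 09:59:00 2024
192.168.254.10,user-dave,198.51.100.20:51001,Mon Jan  1 09:59:10 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def validate_reserved(tunnel, reserved):
    """Return parsed {network: owner}; raise if a block is not a /30 inside the tunnel."""
    parsed = {}
    for cidr, owner in reserved.items():
        net = ipaddress.ip_network(cidr)  # strict: raises on a misaligned block
        if net.prefixlen != 30 or not net.subnet_of(tunnel):
            raise ValueError(f"{cidr} is not a /30 inside {tunnel}")
        parsed[net] = owner
    return parsed

def routing_entries(status_text):
    """Yield (virtual_ip, common_name) from the ROUTING TABLE section."""
    body = status_text.split("ROUTING TABLE\n", 1)[1].split("GLOBAL STATS", 1)[0]
    for line in body.splitlines()[1:]:  # skip the column header
        addr, name = line.split(",")[:2]
        yield ipaddress.ip_address(addr), name

def audit(status_text, tunnel=TUNNEL, reserved=RESERVED):
    """List (ip, common_name, block) where a non-owner holds a reserved address."""
    blocks = validate_reserved(tunnel, reserved)
    return [(str(ip), name, str(net))
            for ip, name in routing_entries(status_text)
            for net, owner in blocks.items()
            if ip in net and name != owner]
```

Any tuple returned by `audit` is a session whose tunnel address would match firewall rules written for a reserved block even though the client is not the one that block was reserved for.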