OpenVPN assigns wrong tunnel address



  • Hi!

    We have a pfSense 2.1 with OpenVPN (Road-Warrior setup). Some users get this message in their Windows OpenVPN client:

    Thu Oct 17 11:06:56 2013 There is a problem in your selection of --ifconfig endpoints [local=10.14.2.66, remote=10.14.2.67].  The local and remote VPN endpoints cannot use the first or last address within a given 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.

    I wonder why the pfSense would assign this address (.65 and .66 would be valid).

    Ciao

    Martin



  • If you use the /30 network, it contains 4 addresses.

    E.g.:
    10.14.2.64 / 255.255.255.252

    10.14.2.64
    10.14.2.65
    10.14.2.66
    10.14.2.67

    So these 4 addresses are valid for one OpenVPN RoadWarrior



  • I know that. But why does pfSense distribute mismatching addresses?

    EDIT:
    Actually, the address is matching, as it fits the scheme. My colleague gets .26 as address, and it is accepted. Thus .66 should work, too.
    /EDIT

    And furthermore: I always get the same address, it is stuck to my user name, and it is even persistent over both client and server reboots. But I could not find any user-to-IP file on the pfSense. Where can I find it?

    Thanks

    Martin



  • Hi,

    You can use "Client specific override" if you are using a RoadWarrior setup with certificates. Just put the CN of the user's certificate in the "client specific override" and put there the tunnel /30 network this user should always get.

    On pfSense 2.0.3 you have to do that for every user if the users on OpenVPN should always get the same IP address/subnet. On pfSense 2.1 - if I remember correctly - there could be an additional option which allows you to not use /30 tunnels but single addresses. But I did not test that.

    The tunnel network in the OpenVPN server config is, for example, /24. This means that there could be at most 64-1 clients connected, each always using a /30.
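To make the /30 scheme from this thread concrete, here is an added example (not code from the thread, pfSense or OpenVPN) that parses the endpoint pair out of the client error quoted in the first post, applies the two endpoint rules the TAP-Win32 error describes (same /30, no first or last address) as a reconstruction rather than OpenVPN's own code, and enumerates the per-client /30 blocks a /24 tunnel network yields, which is what the "64-1 clients" estimate above counts.

```python
import ipaddress
import re

# Matches the endpoint pair in the OpenVPN client error quoted in the thread.
_ENDPOINTS = re.compile(r"\[local=([\d.]+), remote=([\d.]+)\]")


def parse_ifconfig_error(line: str):
    """Pull (local, remote) out of the '--ifconfig endpoints' error line, or None."""
    m = _ENDPOINTS.search(line)
    return (m.group(1), m.group(2)) if m else None


def check_tap_win32_endpoints(local: str, remote: str) -> str:
    """Reconstruction (assumption, not OpenVPN source) of the checks applied when
    --dev tun runs over the TAP-Win32 driver in net30 topology: both endpoints
    must sit in the same /30, and neither may be that /30's first (network) or
    last (broadcast) address. Returns 'ok' or the reason the client refuses."""
    l, r = int(ipaddress.IPv4Address(local)), int(ipaddress.IPv4Address(remote))
    if (l & ~3) != (r & ~3):          # clear the low two bits: same /30?
        return "endpoints are not in the same 255.255.255.252 subnet"
    if (l & 3) in (0, 3) or (r & 3) in (0, 3):
        return "an endpoint is the first or last address of its /30"
    return "ok"


def net30_pairs(tunnel_network: str):
    """List every /30 in the tunnel network as its (server_side, client_side)
    endpoint pair, i.e. the two middle addresses of each block. Block 0 is used
    by the server itself, so a /24 gives 64 blocks and 63 client slots."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    return [tuple(str(h) for h in b.hosts()) for b in net.subnets(new_prefix=30)]


def corrected_pair(addr: str):
    """The only endpoint pair the check above accepts inside addr's /30."""
    block = ipaddress.ip_network(f"{addr}/30", strict=False)
    return tuple(str(h) for h in block.hosts())


if __name__ == "__main__":
    # Error line taken from the first post of the thread.
    log = ("There is a problem in your selection of --ifconfig endpoints "
           "[local=10.14.2.66, remote=10.14.2.67].")
    local, remote = parse_ifconfig_error(log)
    print(local, remote, "->", check_tap_win32_endpoints(local, remote))
    print("valid pair in that /30:", corrected_pair(local))
    pairs = net30_pairs("10.14.2.0/24")
    print(len(pairs), "blocks; first client slots:", pairs[1:3])
```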

