OpenVPN Range of IPs Assigned



  • First, I read through most of the topics and I didn't see this posted anywhere before I posted.

    Second, I'm really new at this pfsense deal…  please don't kill me... and talk slow, I'm from Texas.

    Here's the deal, I needed a VPN solution because what I teach I needed to have port forwarding enabled and the IT people at different places where I teach won't let me set up rules on their routers for port forwarding... so a friend had used a pfsense device with OpenVPN with port forwarding rules (nat) set up for each IP to forward to certain ports... for example, internal IP 192.168.1.101 would forward to port 1101, .102 would forward to port 1102, .103 would forward to port 1103 etc.

    So I spent hours learning pfsense and finally got it all set up and working, forwarding all traffic through the tunnel etc etc.  it works... what doesn't work is that the IP addresses that are being assigned by pfsense when connecting via OpenVPN are like 192.168.1.6, then 192.168.1.10, then .14, then .18, instead of .101, .102, .103 etc etc.

    My question is... why are they skipping 4 each time and is there a way to set them to .101, .102, .103, etc etc through like .151 so I could have 50 nat rules set up instead of hoping they all connect and making rules for .6, then .10, then .14 etc?

    Lastly, and this is really not that important but since I have your attention...  Is there a way that I could create one user account for all 50 students that would be assigned a different internal IP (within the range above) rather than having 50 accounts and having to install 50 different OpenVPN configurations on the machines?  Or do I have to create 50 accounts then export all 50 then assign them to the users during class?

    Thanks in advance!



  • Sorry, I don't understand the sense of your goal, however, I think I have answers to your questions.  ;)

    the IP addresses that are being assigned by pfsense when connecting via OpenVPN are like 192.168.1.6, then 192.168.1.10, then .14, then .18, instead of .101, .102, .103 etc etc.

    My question is… why are they skipping 4 each time

    The OpenVPN server allocates a /30 subnet to each connection by default. That consists of 4 IPs:
    network address
    client's IP
    server's IP, to be used as the gateway on the client side
    broadcast address

    If you want to have all clients in the same subnet you have to check "Topology" in the server configuration > Client Settings.

    Is there a way that I could create one user account for all 50 students that would be assigned a different internal IP (within the range above)

    Increase the value for "Concurrent connections" as you need and check "Duplicate Connections" in server settings.


  • Rebel Alliance Developer Netgate

    In the normal mode we use, OpenVPN assigns each client a /30. One full subnet between the client and server (null route, server IP, client IP, broadcast), keeping the first (.0/30) for itself, and then each client gets assigned blocks from there on up. The first client is .6, then .10, and so on as you saw. If your tunnel network is a /24 that means you can have up to 63 clients in that subnet. If you need more you can use a larger tunnel network (e.g. /23).

    If you want to assign static IP addresses, you can do so by using a Client Specific Override with the client's certificate name and put their assigned /30 into the tunnel network box there.

    If you prefer, you can try to use the "topology subnet" checkbox so that it puts everyone inside the same larger subnet, each client receiving only one IP address from the server, which may be closer to what you're used to doing.

    For static IPs on topology subnet, you can't use the box in the GUI; you have to use the advanced options, and enter it like so:

    ifconfig-push x.x.x.x 255.255.255.0;

    Where x.x.x.x is the IP address you wish to assign.

    When assigning static IPs, always assign from the end of the subnet down, since the automatic assignment starts at the beginning.

    While it is technically possible to share one client for all users (see the "duplicate connections" option), doing so is a dangerous shortcut. Should any single VPN client become compromised, you would need to reissue new clients to everyone.
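    The /30 bookkeeping and the end-of-subnet static assignment described in this post, as an added Python example (not code from the thread or from pfSense); it assumes a 10.0.2.0/24 tunnel network, since the thread only shows 10.0.2.x addresses, and the certificate names are hypothetical.

```python
import ipaddress

# Constructed example value: the thread mentions 10.0.2.x addresses,
# so a 10.0.2.0/24 tunnel network is assumed here.
TUNNEL = "10.0.2.0/24"


def net30_clients(tunnel_network):
    """Emulate OpenVPN's default 'net30' topology: every client gets a /30.

    The first /30 (x.x.x.0/30) is kept by the server, so the first client
    block is x.x.x.4/30 = (network, server-side IP, client IP, broadcast).
    Returns a list of 4-tuples of dotted-quad strings, in assignment order.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    blocks = []
    for sub in list(net.subnets(new_prefix=30))[1:]:  # skip the server's /30
        server_ip, client_ip = sub.hosts()            # a /30 has exactly two hosts
        blocks.append((str(sub.network_address), str(server_ip),
                       str(client_ip), str(sub.broadcast_address)))
    return blocks


def max_net30_clients(tunnel_network):
    """Number of clients a tunnel network holds in net30 mode (63 for a /24)."""
    return len(net30_clients(tunnel_network))


def subnet_static_overrides(tunnel_network, cert_names):
    """Build 'ifconfig-push' lines for Client Specific Overrides in
    'topology subnet' mode. Addresses are handed out from the END of the
    subnet downward so they cannot collide with the automatic pool, which
    fills from the beginning. Hypothetical cert names map to one line each.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    candidates = list(net.hosts())[::-1]  # highest usable host first
    if len(cert_names) > len(candidates):
        raise ValueError("more clients than usable addresses in the tunnel network")
    return {name: f"ifconfig-push {ip} {net.netmask};"
            for name, ip in zip(cert_names, candidates)}


if __name__ == "__main__":
    for blk in net30_clients(TUNNEL)[:3]:
        print(blk)  # .4/.5/.6/.7, then .8/.9/.10/.11, then .12/.13/.14/.15
    print(max_net30_clients(TUNNEL))  # 63
    for line in subnet_static_overrides(TUNNEL, ["student-01", "student-02"]).values():
        print(line)
```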



  • OUTSTANDING HELP!

    Thanks so much for the answers.  Both were great and worked like a champ.

    Last question… instead of assigning .6, .7, .8, etc, is there a way to have it jump to .101, .102, .103, etc instead?  It makes it easier for my rules to apply.

    Thanks a bunch!


  • Rebel Alliance Developer Netgate

    You might try this:

    ifconfig-pool start-IP end-IP 255.255.255.0;


  • Thanks for the help,

    Well I entered the following:

    ifconfig-pool 10.0.2.101 10.0.2.151 255.255.255.0;

    and now it won't connect at all…

    Any other ideas?


  • Rebel Alliance Developer Netgate

    What, if any, errors show up in the firewall's OpenVPN log? It should provide the answer.



  • In the logs on the openvpn client side or server side?

    Remembering that I'm new to this, where might I find these?

    Weird that that command just disabled all connections to the firewall box from the remote clients…

    Thanks so much for your help.



  • By the way, you mentioned that allowing dup connections wasn't that great because if one connection was compromised it would mean re-issuing all….  I would only be using the dups for classroom work, then probably deleting them and making new ones after class (a day or two) anyway, so it doesn't matter...  The ones that will be persistent will be unique.

    Make sense?

