OpenVPN static IPs for clients



  • Hi

    I appreciate it if anyone can help me with this, please…

    I'm trying to assign a static IP to OpenVPN clients so that I can then control, through the firewall, access to the network resources (example: User1 with IP 172.35.35.5 is allowed access to "server 1"; User2 with IP 172.35.35.6 is denied access to "server 1", etc.)

    I am doing it as follows, but it does not work (clients get random IPs):

    Settings -> OpenVPN Server:

    Client Settings

    Address Pool: Provide a virtual adapter IP address to clients (see Tunnel Network)
    Topology: Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30).

    Tunnel Settings

    IPv4 Tunnel Network : 172.35.35.0/24

    Settings -> Client Specific Override:

    General information

    Common name: user1_OpenVPN_Cert

    Client Settings:

    Advanced: ifconfig-push 172.35.35.200 172.35.35.1;

    More info on what I am trying to do: http://fastinetserver.wordpress.com/2013/03/09/pfsense-openvpn-static-ip-for-clients/

    Thanks in advance for any suggestion or comment...



  • @mbazuher:

    Advanced: ifconfig-push 172.35.35.200 172.35.35.1;

    What you need is:

    ifconfig-push 172.35.35.200 255.255.255.0;



  • Hi

    I tried to do this and then restarted the OpenVPN service, but the problem persists.

    Please, help...

    Thanks



  • I'm not clear on exactly what is not working.  I'm doing the same thing you are trying to do and it does work.

    Are the clients not getting the expected IP address?

    Are access rules not working?

    When you created the firewall rules, did you apply them to the OpenVPN interface?



  • Hi

    The clients are not getting the expected IP address. They get dynamic IPs, for example 172.35.35.2, 3, 4, etc.

    I have activated the option/check: Provide a virtual adapter IP address to clients (see Tunnel Network), and the Device Mode is "tun"; is that necessary?

    I disabled the option/check: Strict User/CN Matching

    The OpenVPN clients are Windows 7 (64-bit); I downloaded the configuration and settings from "client export".

    I have pfSense 2.1.3 (64-bit).



  • @mbazuher:

    I have activated the option/check: Provide a virtual adapter IP address to clients (see Tunnel Network), and the Device Mode is "tun"; is that necessary?

    I have that option checked and Device Mode "tun".  Your config looks the same as mine.

    I only have Mac clients with Viscosity and iOS with OpenVPN clients.  No Windows clients.



  • Hi,

    I just figured this out the other day. I don't know if it's a bug or not, but I couldn't get the OpenVPN clients to get the address I assigned to them until I unchecked this option: "Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)."

    This also means that you will need to assign to the client a /30 network. So, for example, if the server's tunnel network is 10.9.9.0/24, then you might assign 10.9.9.4/30 to client1. This /30 has four IP addresses (10.9.9.4 - 10.9.9.7). The first is the network address; the second is for the OpenVPN server; the third is for the client; the fourth is the broadcast address. So this means that client1 will have the IP address 10.9.9.6. And this IP address is what you want to specify as the source address in client1's rule(s) in the OpenVPN tab.

    Then client2 could be assigned 10.9.9.8/30, which would give it an IP address of 10.9.9.10. Probably you see the pattern by now.

    In my Client Specific Overrides, I only specify the Common name, and the Tunnel Network. No ifconfig push in the advanced box in either the server config or the client specific override. And it works just the way I want it to now.

    Let me know if you have any additional questions.

    James
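    The two addressing schemes discussed in this thread (the "ifconfig-push <ip> <netmask>" form for topology subnet, and the /30-per-client layout James describes for topology net30) are easy to get wrong by hand, so here is an added helper, not code from the thread or from pfSense, that computes a client's net30 block and builds or checks the Advanced override line for either topology. It assumes pfSense keeps the server on the first address of the tunnel network and that a Client Specific Override's Tunnel Network ends up as an ifconfig-push line.

    ```python
    import ipaddress


    def net30_client_block(tunnel_net: str, client_index: int):
        """Return (block, server_ip, client_ip) for the Nth client under topology net30.

        Block 0 (x.x.x.0/30) belongs to the server end, so client 1 gets x.x.x.4/30,
        client 2 gets x.x.x.8/30, and so on. Inside each /30: 1st address = network,
        2nd = server peer, 3rd = client, 4th = broadcast (as described in the thread).
        """
        net = ipaddress.ip_network(tunnel_net, strict=True)
        if client_index < 1:
            raise ValueError("client_index starts at 1")
        blocks = list(net.subnets(new_prefix=30))
        if client_index >= len(blocks):
            raise ValueError("tunnel network too small for that many net30 clients")
        block = blocks[client_index]
        return str(block), str(block[1]), str(block[2])


    def ifconfig_push_line(topology: str, client_ip: str, tunnel_net: str) -> str:
        """Build the override line for one client, for 'subnet' or 'net30' topology."""
        net = ipaddress.ip_network(tunnel_net, strict=True)
        ip = ipaddress.ip_address(client_ip)
        if ip not in net:
            raise ValueError(f"{client_ip} is outside tunnel network {tunnel_net}")
        if topology == "subnet":
            # topology subnet: the second argument is the tunnel NETMASK, not a peer IP
            return f"ifconfig-push {ip} {net.netmask}"
        if topology == "net30":
            # topology net30: the second argument is the server's end of the client's /30,
            # and the client must be the 3rd address of an aligned /30 (.6, .10, .14, ...)
            block = ipaddress.ip_network(f"{ip}/30", strict=False)
            if ip != block[2] or block[0] == net[0]:
                raise ValueError(f"{client_ip} is not a valid net30 client address")
            return f"ifconfig-push {ip} {block[1]}"
        raise ValueError("topology must be 'subnet' or 'net30'")


    def check_override(line: str, topology: str, tunnel_net: str):
        """Return None if an Advanced override line fits the topology, else the reason."""
        parts = line.strip().rstrip(";").split()
        if len(parts) != 3 or parts[0] != "ifconfig-push":
            return "expected: ifconfig-push <client-ip> <netmask-or-peer>"
        try:
            expected = ifconfig_push_line(topology, parts[1], tunnel_net)
        except ValueError as err:
            return str(err)
        return None if expected == " ".join(parts) else f"expected '{expected}'"
    ```

    Run against the first post's line, check_override reports that under topology subnet the second argument has to be the netmask 255.255.255.0 rather than the server address 172.35.35.1.
    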



  • I'm not sure if it has changed but it used to be that the net30 system was only needed with windows clients when using a TUN device. It was necessary to use on windows clients because of some odd limitation in Windows. Anyone know if the limitation is now gone?



  • @jdietrch:

    Hi,

    I just figured this out the other day. I don't know if it's a bug or not, but I couldn't get the OpenVPN clients to get the address I assigned to them until I unchecked this option: "Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)."

    This also means that you will need to assign to the client a /30 network. So, for example, if the server's tunnel network is 10.9.9.0/24, then you might assign 10.9.9.4/30 to client1. This /30 has four IP addresses (10.9.9.4 - 10.9.9.7). The first is the network address; the second is for the OpenVPN server; the third is for the client; the fourth is the broadcast address. So this means that client1 will have the IP address 10.9.9.6. And this IP address is what you want to specify as the source address in client1's rule(s) in the OpenVPN tab.

    Then client2 could be assigned 10.9.9.8/30, which would give it an IP address of 10.9.9.10. Probably you see the pattern by now.

    In my Client Specific Overrides, I only specify the Common name, and the Tunnel Network. No ifconfig push in the advanced box in either the server config or the client specific override. And it works just the way I want it to now.

    Let me know if you have any additional questions.

    James

    Awesome, just what I was looking for.

    I know the thread is a tad old, but I wanted others to know this still works on 2.2.6.

    Note: I did not have to un-check "Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)."



  • Good day,

    In case anyone has problems with this still in 2017;

    This is what I was following to set the static IP

    More info on what I am trying to do: http://fastinetserver.wordpress.com/2013/03/09/pfsense-openvpn-static-ip-for-clients/

    I did this to set the IP I wanted:

    What you need is:

    ifconfig-push 172.35.35.200 255.255.255.0;

    and for the common name field, instead of using the CN in the certificate, I used the name of the certificate itself.


  • Netgate

    That is completely incorrect. It matches on the common name.

    Please start a new thread if this is an issue. Locking to prevent further necro here.


Locked