Netgate Discussion Forum

    Request: Manage DHCP for VPN Clients

    Category: DHCP and DNS
    6 Posts, 2 Posters, 5.0k Views
    Jeremy11one:

      When clients connect to my OpenVPN server, they seem to get the first available IP address in the scope.  I would like to be able to manage those IP leases on a nice page like the "Status > DHCP Leases" page.  Specifically, I'd like to be able to configure static reservations so that each client always gets the same IP address.

      Relevant settings on OpenVPN settings page: "IPv4 Tunnel Network" and "Address Pool".

      I found this page that shows how to manually edit some files to make it work:
      http://www.iceflatline.com/2014/01/how-to-assign-static-ip-addresses-to-openvpn-clients-in-pfsense/

    jimp (Rebel Alliance Developer, Netgate):

        VPN > OpenVPN > Client-Specific Overrides tab
        Add an entry for their certificate CN, with the IP you want to assign as the tunnel network. If you're on a normal SSL/TLS type setup that would be a /30.

        If it's something else (tap or topology subnet) then you can drop the right OpenVPN ifconfig-push syntax in the advanced options in the override and it works fine there.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

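As an added example (not pfSense or OpenVPN code, and not part of jimp's post), the following script produces the `ifconfig-push` line a Client-Specific Override turns into for the three layouts mentioned above (a /30 per client on a net30 SSL/TLS server, topology subnet, and tap) and refuses addresses that fall outside the server's IPv4 Tunnel Network. The net30 conventions it encodes (the server keeps the first /30 of the tunnel network, the client gets network+2 and the server endpoint network+1) are assumptions about how pfSense lays out net30 tunnels; the file-name check in `override_file` is a general precaution, not something the page describes.

```python
import ipaddress

# Added example, not pfSense or OpenVPN code. Generates the client-config-dir
# (CCD) line for one client and validates it against the server's tunnel
# network. net30 layout assumptions: server owns the first /30, client end is
# network+2, server end is network+1.


def ccd_line(topology, tunnel_network, client_addr):
    """Return the ifconfig-push line for one client, or raise ValueError.

    topology:       "net30", "subnet" or "tap"
    tunnel_network: the server's IPv4 Tunnel Network, e.g. "10.20.2.0/24"
    client_addr:    for net30 the client's own /30 (e.g. "10.20.2.8/30");
                    for subnet/tap the client's host address (e.g. "10.20.2.201")
    """
    tun = ipaddress.ip_network(tunnel_network, strict=True)

    if topology == "net30":
        sub = ipaddress.ip_network(client_addr, strict=True)  # strict: must be aligned
        if sub.prefixlen != 30:
            raise ValueError("net30 override must be a /30, got %s" % sub)
        if not sub.subnet_of(tun):
            raise ValueError("%s is not inside tunnel network %s" % (sub, tun))
        if sub.network_address == tun.network_address:
            raise ValueError("%s is the server's own /30" % sub)
        # An aligned /30 has exactly two usable hosts, which also satisfies the
        # [1,2] [5,6] [9,10] ... last-octet pairing the TAP-Windows driver needs.
        server_end = sub.network_address + 1
        client_end = sub.network_address + 2
        return "ifconfig-push %s %s" % (client_end, server_end)

    if topology in ("subnet", "tap"):
        host = ipaddress.ip_address(client_addr)
        if host not in tun:
            raise ValueError("%s is not inside tunnel network %s" % (host, tun))
        if host in (tun.network_address, tun.broadcast_address):
            raise ValueError("%s is the network or broadcast address" % host)
        if host == tun.network_address + 1:
            raise ValueError("%s is the server's own address" % host)
        # In these modes the second argument is the netmask, not a peer address.
        return "ifconfig-push %s %s" % (host, tun.netmask)

    raise ValueError("unknown topology %r" % topology)


def override_error(topology, tunnel_network, client_addr):
    """Same checks as ccd_line, but return the error text (None if valid)."""
    try:
        ccd_line(topology, tunnel_network, client_addr)
        return None
    except ValueError as e:
        return str(e)


def override_file(common_name, line):
    """Return (file name, file body) for the CCD entry.

    OpenVPN looks the file up by the client's common name, so the CN must be
    usable as a bare file name; anything that could escape the directory is refused.
    """
    if not common_name or "/" in common_name or common_name in (".", ".."):
        raise ValueError("common name %r cannot be used as a file name" % common_name)
    return common_name, line + "\n"


if __name__ == "__main__":
    # The thread's own values: a /24 tunnel network and a laptop that should get
    # .201 in topology subnet, plus an equivalent /30 assignment for net30.
    print(ccd_line("subnet", "10.20.2.0/24", "10.20.2.201"))
    print(ccd_line("net30", "10.20.2.0/24", "10.20.2.8/30"))
    name, body = override_file("jeremy_Laptop", ccd_line("subnet", "10.20.2.0/24", "10.20.2.201"))
    print("%s: %s" % (name, body.strip()))
    print(override_error("subnet", "10.20.2.0/24", "10.20.3.5"))
```

The generated line is what belongs in the override's advanced options (pfSense separates multiple statements there with `;`); for the net30 case the GUI's own tunnel-network field produces the same pair from a /30.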
    Jeremy11one:

          @jimp:

          VPN > OpenVPN > Client-Specific Overrides tab
          Add an entry for their certificate CN, with the IP you want to assign as the tunnel network. If you're on a normal SSL/TLS type setup that would be a /30.

          If it's something else (tap or topology subnet) then you can drop the right OpenVPN ifconfig-push syntax in the advanced options in the override and it works fine there.

          I'm having trouble getting this to work. I already have a user with a certificate. It connects fine but always gets the first IP available instead of the one I want. I am using the Windows OpenVPN client v2.3.5 64-bit.

          Current Settings:

          OpenVPN: Server
              Protocol: UDP
              Device Mode: tun
              Interface: WAN
              IPv4 Tunnel Network: 10.20.2.0/24
              IPv4 Local Networks: 10.20.1.0/24
              Dynamic IP: checked
              Address Pool: checked
              Topology: checked

          Client Specific Overrides
              Common name: jeremy_Laptop (this matches the cert's common name)
              Advanced: ifconfig-push 10.20.2.201 255.255.255.0;
              (everything else is blank)

          Things I have tried:
              -2 hours of Googling.
              -Added "mode server;client-config-dir /var/etc/openvpn-csc;" to the Server Advanced textbox.
              -Tried "ifconfig-push 10.20.2.201 10.20.2.1;" instead of the subnet mask.

    Jeremy11one:

            I found the problem.

            pfSense adds "username-as-common-name" to the "server1.conf" file by default and has no options in the GUI to disable this.  Therefore, entering the certificate's common name into the textbox labelled "Common name" is wrong by default.  I think the GUI should have a checkbox to control the "username-as-common-name" setting and should make it clear whether we should enter the certificate's common name or the pfSense username on this page.

            In my case, since each user may connect from multiple devices simultaneously, and I want each device to have a static IP, I commented out the "username-as-common-name" line and restarted the OpenVPN service.  Now, it works as expected and I can specify static IPs for each device by using unique certificates for each device.  It would be nice if pfSense had a simple GUI to quickly manage all those static IPs instead of doing it this way.

            Thanks for pointing me in the right direction.

    jimp (Rebel Alliance Developer, Netgate):

              Using a mismatched user and cert is not something we recommend.

              If someone wants to make a pull request to add a toggle for username-as-common-name it would probably be accepted, but given the rarity of (unrecommended) cases that it helps, it probably isn't something we'd go out of our way to accommodate any time soon.


    Jeremy11one:

                I'd be happy to follow best practices but I can't think of how to do this.

                Let's say we have 5 users, each with a laptop, iPhone, and iPad.  All 15 devices are automatically connected to the VPN.  If I wanted to give each device a static IP by specifying their usernames, we'd have a problem where I can only specify 5 IPs for 15 devices, right?  So instead, I created certificates named "bsmith_laptop" and "bsmith_ipad" and disabled the "username-as-common-name" option. That way, I can safely specify an IP for each device.

                The reason I'd like each device to have a static IP is so I can access the devices by name using DNS.  Currently, my DNS server and its cache don't update quickly enough to handle these 15 devices coming up and down all day.

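As an added example (not pfSense or OpenVPN code, and not part of either poster's words), the following script models the one thing that decided the outcome in the "I found the problem" post and the 15-device scenario above: the name OpenVPN uses to look up the client-config-dir file. Without `username-as-common-name` that is the certificate CN; with it, the authenticated username is substituted once `auth-user-pass` succeeds, so an override keyed by a per-device cert CN is never consulted. The user names, device names and addresses below are constructed for illustration.

```python
# Added example, not pfSense or OpenVPN code. Models which client-config-dir
# name the server consults for a session and what that does to per-device
# static addresses. Sample users, devices and addresses are constructed.


def override_key(username, cert_cn, username_as_common_name):
    """Name the server looks for in client-config-dir for this session."""
    return username if username_as_common_name else cert_cn


def resolve(sessions, overrides, username_as_common_name):
    """Map each session to the override line it would receive (None if no match).

    sessions:  list of (username, cert_cn) for connected clients
    overrides: dict of override name -> ifconfig-push line
    """
    return {
        s: overrides.get(override_key(s[0], s[1], username_as_common_name))
        for s in sessions
    }


def shared_addresses(assignments):
    """Return pushed lines that more than one simultaneous session would receive."""
    seen = {}
    for session, line in assignments.items():
        if line is not None:
            seen.setdefault(line, []).append(session)
    return {line: s for line, s in seen.items() if len(s) > 1}


# Five users with a laptop, iPhone and iPad each: 15 sessions, 15 distinct cert CNs.
USERS = ["asmith", "bsmith", "cjones", "dlee", "ewong"]
DEVICES = ["laptop", "iphone", "ipad"]
SESSIONS = [(u, "%s_%s" % (u, d)) for u in USERS for d in DEVICES]

# Overrides keyed by per-device certificate CN (asmith_laptop -> .11, ...).
PER_DEVICE = {
    cn: "ifconfig-push 10.20.2.%d 255.255.255.0" % (11 + i)
    for i, (_, cn) in enumerate(SESSIONS)
}
# Overrides keyed by pfSense username, the only thing that can match with
# username-as-common-name in effect (asmith -> .101, ...).
PER_USER = {
    u: "ifconfig-push 10.20.2.%d 255.255.255.0" % (101 + i)
    for i, u in enumerate(USERS)
}


def summary(overrides, username_as_common_name):
    """Return (sessions that matched an override, lines pushed to several sessions)."""
    assigned = resolve(SESSIONS, overrides, username_as_common_name)
    matched = sum(1 for v in assigned.values() if v is not None)
    return matched, len(shared_addresses(assigned))


if __name__ == "__main__":
    for label, overrides in (("per-device CN", PER_DEVICE), ("per-user", PER_USER)):
        for flag in (True, False):
            matched, shared = summary(overrides, flag)
            print("%-14s username-as-common-name=%-5s matched=%2d/15 shared=%d"
                  % (label, flag, matched, shared))
```

With the option on, per-device overrides match nothing and per-user overrides push the same address to all three of a user's devices; with it off, the lookup follows the cert CN, which is why unique per-device certificates were needed. Turning the option off also means the identity the server keys on for every override (addresses, routes, anything else in the file) is the certificate rather than the authenticated user, so the certificates must be unique and managed as carefully as the user accounts.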
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.