Request: Manage DHCP for VPN Clients



  • When clients connect to my OpenVPN server, they seem to get the first available IP address in the scope.  I would like to be able to manage those IP leases on a nice page like the "Status > DHCP Leases" page.  Specifically, I'd like to be able to configure static reservations so that each client always gets the same IP address.

    Relevant settings on OpenVPN settings page: "IPv4 Tunnel Network" and "Address Pool".

    I found this page that shows how to manually edit some files to make it work:
    http://www.iceflatline.com/2014/01/how-to-assign-static-ip-addresses-to-openvpn-clients-in-pfsense/


  • Rebel Alliance Developer Netgate

    VPN > OpenVPN > Client-Specific Overrides tab
    Add an entry for their certificate CN, with the IP you want to assign as the tunnel network. If you're on a normal SSL/TLS type setup that would be a /30.

    If it's something else (tap or topology subnet) then you can drop the right OpenVPN ifconfig-push syntax in the advanced options in the override and it works fine there.



  • @jimp:

    VPN > OpenVPN > Client-Specific Overrides tab
    Add an entry for their certificate CN, with the IP you want to assign as the tunnel network. If you're on a normal SSL/TLS type setup that would be a /30.

    If it's something else (tap or topology subnet) then you can drop the right OpenVPN ifconfig-push syntax in the advanced options in the override and it works fine there.

    I'm having trouble getting this to work.  I already have a user with a certificate.  It connects fine but always gets the first IP available instead of the one I want.  I am using the Windows OpenVPN client v2.3.5 64 bit.

    Current Settings:

    OpenVPN: Server
        Protocol: UDP
        Device Mode: tun
        Interface: WAN
        IPv4 Tunnel Network: 10.20.2.0/24
        IPv4 Local Networks: 10.20.1.0/24
        Dynamic IP: checked
        Address Pool: checked
        Topology: checked

    Client Specific Overrides
        Common name: jeremy_Laptop (this matches the cert's common name)
        Advanced: ifconfig-push 10.20.2.201 255.255.255.0;
        (everything else is blank)

    Things I have tried:
        -2 hours of Googling.
        -Added "mode server;client-config-dir /var/etc/openvpn-csc;" to the Server Advanced textbox.
        -Tried "ifconfig-push 10.20.2.201 10.20.2.1;" instead of the subnet mask.



  • I found the problem.

    pfSense adds "username-as-common-name" to the "server1.conf" file by default and has no options in the GUI to disable this.  Therefore, entering the certificate's common name into the textbox labelled "Common name" is wrong by default.  I think the GUI should have a checkbox to control the "username-as-common-name" setting and should make it clear whether we should enter the certificate's common name or the pfSense username on this page.

    In my case, since each user may connect from multiple devices simultaneously, and I want each device to have a static IP, I commented out the "username-as-common-name" line and restarted the OpenVPN service.  Now, it works as expected and I can specify static IPs for each device by using unique certificates for each device.  It would be nice if pfSense had a simple GUI to quickly manage all those static IPs instead of doing it this way.

    Thanks for pointing me in the right direction.


  • Rebel Alliance Developer Netgate

    Using a mismatched user and cert is not something we recommend.

    If someone wants to make a pull request to add a toggle for username-as-common-name it would probably be accepted, but given the rarity of (unrecommended) cases that it helps, it probably isn't something we'd go out of our way to accommodate any time soon.



  • I'd be happy to follow best practices but I can't think of how to do this.

    Let's say we have 5 users, each with a laptop, iPhone, and iPad.  All 15 devices are automatically connected to the VPN.  If I wanted to give each device a static IP by specifying their usernames, we'd have a problem where I can only specify 5 IPs for 15 devices, right?  So instead, I created certificates named "bsmith_laptop" and "bsmith_ipad" and disabled the "username-as-common-name" option. That way, I can safely specify an IP for each device.

    The reason I'd like each device to have a static IP is so I can access the devices by name using DNS.  Currently, my DNS server and its cache don't update quickly enough to handle these 15 devices coming up and down all day.