pfSense OpenVPN static IP for clients

In this post I’ll describe how to specify a static IP for your vpn-client connection:

1) From the main menu, open VPN\OpenVPN

2) Click on Client Specific Overrides

[Screenshot: pfSense Client Specific Overrides tab]

3) Press “+” button to add a new client-specific-override

4) Specify a) the Common Name, and b) the Advanced option that binds the IP address

In this case the VPN client will get IP 192.168.1.7 and the server will use 192.168.1.1

[Screenshot: pfSense client-specific override]

NOTE: The Common Name must be the same as the one specified in the client's certificate.

If you have forgotten this name, go to System\Cert Manager\Certificates and check the value of the CN for your VPN user:

[Screenshot: pfSense Certificate Manager, CN value]

5) Go to Status\OpenVPN and kill the session for this user (ONLY if it exists):

[Screenshot: killing the OpenVPN session in pfSense]

6) Now you’re done with the pfSense settings, so you can reconnect your VPN client.

Run on the client host:

sudo service openvpn restart

7) Check that you got the correct IP:

ifconfig

6 comments
  1. dimy said:

    This is a very good post, but there is another specific thing.
    With the same example from the picture above:
    When pfSense distributes OpenVPN client addresses, it divides the whole range with the /24 mask into groups of 4 IPs with a /30 mask. The first group is 192.168.1.4 – name of network, 192.168.1.5 – gateway only for this group, 192.168.1.6 – assigned to the client, 192.168.1.7 – broadcast for this group only.
    The next group is 192.168.1.8 – 192.168.1.11,
    the next one 192.168.1.12 – 192.168.1.15.

    Only addresses 6, 10, 14, 18, … will be assigned to clients.
    If you specify addresses different from these and different from their own gateway, it does not work.

    So the right line in Advanced options should be:
    ifconfig-push 192.168.1.6 192.168.1.5;
    the next one:
    ifconfig-push 192.168.1.10 192.168.1.9;
    ifconfig-push 192.168.1.14 192.168.1.13;
    and so on….

    In this way it works perfectly.

    • Dimy, to be honest, I haven’t noticed such problems with my version of pfSense; everything works fine as described. It could be the case for a particular setup, though.

  2. Cyph3r said:

    I think Dimy is missing the point of using the ifconfig-push rather than the tunnel settings.
    – When you don’t use client specific overrides, you have a big subnet with .1 as gateway and .2, .3, .4, …. as vpn users.
    – When you use the tunnel network field to ensure specific IPs are given, things are like Dimy says: you end up with a lot of tiny subnets.
    – BUT, if you use the ifconfig-push directive in the advanced settings, you will use the big subnet and the server forces the client to use the specified IP. The only catch is to make sure that your dynamic IPs don’t overlap with the static ones.

  3. Cyph3r said:

    In pfSense 2.1, you have a checkbox in the OpenVPN server config page:
    “Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)”
    When unchecked, Dimy is 100% right: you get a /30 subnet for every VPN user. When checked, however, you get the scenario as the op (and me) uses it: the first IP is the gateway and the next IPs are assigned to VPN users.

    To ADiEmme: I am using pfSense 2.1 with OpenVPN server configured for “topology subnet”. This setup is being used by +100 users (80% WinXP-7-8, the remaining 20% are *nix users) for the past 4 months on OpenVPN client 2.3.2. Zero issues 🙂

    Basically it boils down to this:
    Using topology subnet? Go on and follow the op.
    Using topology net30? Follow the op but keep Dimy’s comment in mind and change your config accordingly.

    Hope this info is useful for someone 🙂

    • artbeat said:

      Very useful, thank you!
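
The topology difference discussed in the comments can be checked before typing a directive into the Advanced box. The Python sketch below is an added example, not code from the post, the commenters or pfSense; the function names and the certificate CNs are hypothetical. It assumes OpenVPN's documented `ifconfig-push` syntax (second argument is the netmask in topology subnet, the peer endpoint in net30) and follows dimy's convention for net30 (client on the second usable address of each /30, first /30 left to the server).

```python
import ipaddress

def push_line(tunnel, client_ip, topology):
    """Return the ifconfig-push directive for client_ip, or raise ValueError."""
    net = ipaddress.ip_network(tunnel)
    ip = ipaddress.ip_address(client_ip)
    if ip not in net:
        raise ValueError(f"{ip} is outside tunnel network {net}")
    if topology == "subnet":
        # One shared subnet: the first host is the server, second argument is the netmask.
        reserved = (net.network_address, net.network_address + 1, net.broadcast_address)
        if ip in reserved:
            raise ValueError(f"{ip} is reserved in {net}")
        return f"ifconfig-push {ip} {net.netmask};"
    if topology == "net30":
        # Each client lives in its own /30: network, gateway, client, broadcast.
        block = ipaddress.ip_network(f"{ip}/30", strict=False)
        if block.network_address == net.network_address:
            raise ValueError("the first /30 block is assumed to belong to the server")
        client = block.network_address + 2
        if ip != client:
            raise ValueError(f"{ip} is not a client address in {block}; use {client}")
        return f"ifconfig-push {ip} {block.network_address + 1};"
    raise ValueError(f"unknown topology {topology!r}")

def build_overrides(tunnel, topology, wanted):
    """wanted maps certificate CN -> desired IP; returns CN -> directive."""
    owner, lines = {}, {}
    for cn, ip in wanted.items():
        if ip in owner:  # two overrides must never hand out the same address
            raise ValueError(f"{ip} requested by both {owner[ip]} and {cn}")
        owner[ip] = cn
        lines[cn] = push_line(tunnel, ip, topology)
    return lines

if __name__ == "__main__":
    # Constructed sample: CNs are made up, addresses are the ones used on this page.
    for topo, wanted in (("subnet", {"alice": "192.168.1.7"}),
                         ("net30", {"alice": "192.168.1.6", "bob": "192.168.1.10"})):
        for cn, line in build_overrides("192.168.1.0/24", topo, wanted).items():
            print(f"{topo:6} {cn:6} {line}")
    try:
        push_line("192.168.1.0/24", "192.168.1.7", "net30")
    except ValueError as err:
        print("net30  rejected:", err)
```

Static addresses chosen this way should also be kept out of the range the server hands out dynamically, as Cyph3r notes; this sketch only catches duplicates among the overrides themselves.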
