
How to prevent clients from getting static IPs (set by Client Specific Overrides) in OpenVPN via PfSense?

Server Fault Asked by Tiago Stapenhorst Martins on January 16, 2021

I am getting problems with the current setting in an OpenVPN via PfSense. The situation is the following:

  1. I have created an OpenVPN server in the network 192.168.222.0/24;

  2. Created two client certificates, C1 and C2.

  3. C1 has 192.168.222.2/24 as its static IP through the “Client Specific Overrides” tab.

  4. C2 has no special configuration (so its IP will be dynamic according to its connection order with the OpenVPN server).

When connecting C2 to the OpenVPN server, C2 gets IP 192.168.222.2.

After C2’s connection, connecting C1 to the OpenVPN server, C1 gets IP 192.168.222.2 (its static IP address defined in “Client Specific Overrides”) OOPS!

How can I prevent the OpenVPN server from giving C2’s static defined IP address to C1?

I tried @Luca Gibelli’s answer, and after restarting the server it stops working. Looking into the logs, openvpn throws the following error:

Oct 2 17:43:33  openvpn 36651   Use --help for more information.
Oct 2 17:43:33  openvpn 36651   Options error: --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly

Also, I have found a discussion about this here but with no solutions.

Any way of bypassing this error?

3 Answers

Since you're using the --server 192.168.222.0 255.255.255.0 directive, and presumably the --topology subnet option, you do have a way to make sure another client doesn't grab that IP address. Add the "client-config-dir" option to your server's config file and specify a directory, as follows:

--client-config-dir /vpn/client-configs

then in the /vpn/client-configs directory, create a file with the statically assigned IP:

/vpn/client-configs/clientname file:

ifconfig-push 192.168.222.10 192.168.222.11

There's more information available on the OpenVPN website here.

Answered by sippybear on January 16, 2021

It is possible that you are misusing the user certificate's X.509 common name.

Each user certificate's CN must be unique and by default pfSense adds username-as-common-name in the server config.

So in the Common Name field inside the Client Specific Override setting page:

  • If your client certificate's CN is empty, use the username.
  • Otherwise use the client certificate's Common Name value (preferred).

OpenVPN Server

Device Mode: tun
Strict User-CN Matching: checked
Tunnel: 192.168.222.0/24
Topology: Subnet

C1 - Client Specific Override

Common Name: username or client cert's CN
Advanced: ifconfig-push 192.168.222.240 255.255.255.0

C3 - Client Specific Override

Common Name: username or client cert's CN
Advanced: ifconfig-push 192.168.222.241 255.255.255.0

C2, no override: should get 192.168.222.2/24

Answered by MarcoP on January 16, 2021

What you are looking for is the ifconfig-pool option of OpenVPN. It allows you to specify the IP range of dynamic IP addresses for clients. If you want to assign dynamic IPs in the range 192.168.222.10-254 use:

ifconfig-pool 192.168.222.10 192.168.222.254 255.255.255.0

You can add this option under the Advanced configuration tab of OpenVPN in pfSense.

More info: https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

Answered by Luca Gibelli on January 16, 2021
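The check below is an added example for this thread, not code from pfSense, OpenVPN or any of the answers: it derives the dynamic pool that the server directive implies under subnet topology, reproduces the "already defines an ifconfig-pool" conflict from the question's log when an explicit ifconfig-pool (Luca Gibelli's answer) is added on top of it, and flags every client-config-dir static from sippybear's answer that sits inside that pool, with the pool slot it collides with. The server config text and the CCD file contents are constructed sample input; the pool arithmetic assumes topology subnet as in the question.

```python
import ipaddress
import re

# Constructed sample input (added example, not pfSense output): a
# 192.168.222.0/24 subnet-topology server and two client-config-dir files.
SERVER_CONF = "server 192.168.222.0 255.255.255.0\ntopology subnet\n"
CCD_FILES = {  # /vpn/client-configs/<common name> -> file contents
    "C1": "ifconfig-push 192.168.222.2 255.255.255.0\n",
    "C3": "ifconfig-push 192.168.222.241 255.255.255.0\n",
}


def dynamic_pool(conf):
    """Return (subnet, first, last) of the pool implied by 'server NET MASK'.

    With topology subnet, --server expands to ifconfig-pool NET+2 .. broadcast-1
    (NET+1 is the server).  An explicit ifconfig-pool on top of it is the
    'already defines an ifconfig-pool' options error from the question.
    """
    server = re.search(r"^server\s+(\S+)\s+(\S+)", conf, re.M)
    if server is None:
        raise ValueError("no 'server' directive found")
    if re.search(r"^ifconfig-pool\s", conf, re.M):
        raise ValueError("--server already defines an ifconfig-pool")
    net = ipaddress.ip_network(f"{server[1]}/{server[2]}")
    return net, net.network_address + 2, net.broadcast_address - 1


def lint_statics(conf, ccd_files):
    """Return (cn, address, issue) tuples; empty means no static/pool overlap.

    issue: 'outside-subnet', 'duplicate', or 'pool-slot-N' meaning the static
    address is also the N-th one the pool hands out (slot 0 goes to the first
    dynamic client, which is how C2 took C1's address in the question).
    """
    subnet, first, last = dynamic_pool(conf)
    findings, seen = [], set()
    for cn, text in ccd_files.items():
        m = re.search(r"^ifconfig-push\s+(\S+)", text, re.M)
        if m is None:
            continue
        addr = ipaddress.ip_address(m[1])
        if addr not in subnet:
            findings.append((cn, str(addr), "outside-subnet"))
        elif first <= addr <= last:
            findings.append((cn, str(addr), f"pool-slot-{int(addr) - int(first)}"))
        if addr in seen:
            findings.append((cn, str(addr), "duplicate"))
        seen.add(addr)
    return findings
```

Running it on the sample shows C1's .2 sitting in pool slot 0, the exact collision the question describes, while C3's .241 is only reached after 239 dynamic clients.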
