I am having problems with the current setup of OpenVPN via pfSense. The situation is the following:
- I have created an OpenVPN server in the network 192.168.222.0/24;
- Created two client certificates, C1 and C2.
- C1 has 192.168.222.2/24 as its static IP through the "Client Specific Overrides" tab.
- C2 has no special configuration (so its IP will be dynamic according to its connection order with the OpenVPN server).
When connecting C2 to the OpenVPN server, C2 gets IP 192.168.222.2.
After C2's connection, connecting C1 to the OpenVPN server, C1 gets IP 192.168.222.2 (its static IP address defined in "Client Specific Overrides") OOPS!
How can I prevent OpenVPN server giving C2's static defined IP address to C1?
I tried @Luca Gibelli's answer, and after restarting the server, it stops working. Looking into the logs, OpenVPN is throwing the following error:
Oct 2 17:43:33 openvpn 36651 Use --help for more information.
Oct 2 17:43:33 openvpn 36651 Options error: --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly
Also, I have found a discussion about this here but with no solutions.
Any way of bypassing this error?
What you are looking for is the ifconfig-pool option of OpenVPN. It allows you to specify the IP range of dynamic IP addresses for clients. If you want to assign dynamic IPs in the range 192.168.222.10-254 use:
You can add this option under the Advanced configuration tab of OpenVPN in pfSense.
More info: https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
It is possible that you are misusing the user certificate's X.509 common name. Each user certificate's CN must be unique, and by default pfSense adds username-as-common-name in the server config. So in the Common Name field inside the Client Specific Override setting page:
OpenVPN Server
Device Mode: tun
Strict User-CN Matching: checked
Tunnel: 192.168.222.0/24
Topology: Subnet
C1 - Client Specific Override
Common Name: username or client cert's CN
Advanced: ifconfig-push 192.168.222.240 255.255.255.0
C3 - Client Specific Override
Common Name: username or client cert's CN
Advanced: ifconfig-push 192.168.222.241 255.255.255.0
C2, no override: should get 192.168.222.2/24
Since you're using the --server 192.168.222.0 255.255.255.0 directive, and presumably the --topology subnet option, you do have a way to make sure another client doesn't grab that IP address. Add the "client-config-dir" option to your server's config file and specify a directory, as follows:
--client-config-dir /vpn/client-configs
then in the /vpn/client-configs directory, create a file with the statically assigned IP:
/vpn/client-configs/clientname file:
ifconfig-push 192.168.222.10 192.168.222.11
There's more information available on the OpenVPN website here
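As an added example (not from any of the answers above): a small Python audit that models the two server layouts discussed in this thread, --server with its implicit pool versus an explicit ifconfig-pool, and reports Client Specific Override addresses that a dynamic client could also be handed. The config text and CCD contents are constructed; the implicit pool bounds (.2 through the last host) are an assumption consistent with C2 receiving .2 in the question.

```python
import ipaddress
# Constructed samples modelled on the thread. CONF_SERVER uses --server, which
# silently makes the whole subnet the dynamic pool; CONF_MANUAL spells out the
# ifconfig/ifconfig-pool that --server expands to, so its pool can be narrowed.
CONF_SERVER = "server 192.168.222.0 255.255.255.0\ntopology subnet\n"
CONF_MANUAL = ("topology subnet\nifconfig 192.168.222.1 255.255.255.0\n"
               "ifconfig-pool 192.168.222.10 192.168.222.200 255.255.255.0\n")
CCD_FILES = {  # client CN -> contents of its client-config-dir file
    "C1": "ifconfig-push 192.168.222.2 255.255.255.0",
    "C3": "ifconfig-push 192.168.222.241 255.255.255.0",
}


def dynamic_pool(conf):
    """Return (tunnel network, first pool address, last pool address)."""
    network = pool = None
    uses_server = False
    for line in conf.splitlines():
        p = line.split()
        if not p or p[0][0] in "#;":
            continue
        if p[0] in ("server", "ifconfig"):
            uses_server |= p[0] == "server"
            network = ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False)
        elif p[0] == "ifconfig-pool":
            pool = (ipaddress.ip_address(p[1]), ipaddress.ip_address(p[2]))
    if uses_server and pool:  # the startup error quoted in the question
        raise ValueError("--server already defines an ifconfig-pool")
    if pool is None:  # assumed implicit pool for --server: .2 up to the last host
        hosts = list(network.hosts())
        pool = (hosts[1], hosts[-1])
    return network, pool[0], pool[1]


def audit_overrides(conf, ccd_files):
    """List ifconfig-push addresses that a dynamic client could also be given."""
    network, first, last = dynamic_pool(conf)
    findings = []
    for name, body in ccd_files.items():
        for line in body.splitlines():
            p = line.split()
            if len(p) < 2 or p[0] != "ifconfig-push":
                continue
            addr = ipaddress.ip_address(p[1])
            if addr not in network:
                findings.append(f"{name}: {addr} is outside tunnel {network}")
            elif first <= addr <= last:
                findings.append(f"{name}: {addr} lies inside pool {first}-{last}")
    return findings
```

Running it against CONF_SERVER flags both overrides, because with --server every address in the subnet is also in the pool; against CONF_MANUAL the statics sit outside 192.168.222.10-200 and nothing is reported.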