4

I am trying to set up a pfSense server with OpenVPN.

OpenVPN will use the tap interface; tun clients are not an option for us.

The LAN network is 10.0.0.0/24, the pfSense machine is 10.0.0.10 and clients DHCP range is currently 10.0.0.200-10.0.0.220.

The clients connect just fine with DHCP and can use the network.

I have tried to assign static IPs with the client specific overrides in pfSense. I used the commonly advised ifconfig-push command, but the clients I tested with (Windows 8 and Arch Linux) just don't take the IP assigned in their respective override. I've tried ifconfig-push with different arguments (client-IP + server, client-IP + subnet mask, ...).

If I leave the DHCP for the tap interface on, clients will take an IP address from the client DHCP range; if I switch DHCP off, clients don't get an IP at all. I have tried to push the static IP inside and outside of the DHCP range.

Is there any way to make the override work and force the assigned IP to the client? I would need this especially for access limitations with pfSense's firewall.

Izzy

3 Answers

2

After some deep digging I found a bug in pfSense's Redmine tracker. This states that the OpenVPN server is missing the client-config-dir variable.

Adding

mode server;client-config-dir /var/etc/openvpn-csc;

to the advanced server options as well as providing the client specific override

ifconfig-push [IP] [netmask]

did the trick.

Izzy
2

Some update from my experience:

Valid for pfSense 2.3.2.

The missing option "client-config-dir" was fixed. Now it's good.

But now, by default, the OpenVPN server config in pfSense has the option "username-as-common-name".

So in the client specific override, in the field "Common Name", try to write the username instead of the Common Name.

If you have problems with assigning static IPs, try to inspect your OpenVPN server config in "/var/etc/openvpn/server1.conf" for that option.

P.S. The ifconfig-push option remains the same.

Yar V
0

I have two VPN servers configured, thus I had two folders under /var/etc/openvpn-csc:

 /var/etc/openvpn-csc/server2
 /var/etc/openvpn-csc/server3

I am not sure why the index started from server2. Anyway, after inspecting the output of cat /var/etc/openvpn/server2.conf and server3.conf and figuring out which folder belongs to which server, I added mode server;client-config-dir /var/etc/openvpn-csc/server2; to the advanced server options, as well as the client specific override ifconfig-push [IP] [netmask]. After that I got the static IP.

Dmitry
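The checks described across the three answers, collected into one script as an added example (not code from any of the posters or from pfSense). The function names csc_check and csc_demo are hypothetical, and the demo runs against constructed files in a temporary directory rather than a real /var/etc/openvpn tree.

```sh
#!/bin/sh
# Added example: diagnose why a client specific override is not applied.

# csc_check CONF NAME
#   CONF: OpenVPN server config, e.g. /var/etc/openvpn/server1.conf
#   NAME: the "Common Name" entered in the client specific override
# Returns 0 if an ifconfig-push for NAME would be found, else 1, 2 or 3.
csc_check() {
    conf=$1 name=$2
    # Without client-config-dir the server never reads any override file.
    dir=$(awk '$1 == "client-config-dir" { print $2; exit }' "$conf")
    if [ -z "$dir" ]; then
        echo "FAIL: no client-config-dir in $conf"; return 1
    fi
    # With username-as-common-name the override is looked up by the
    # authentication username, not by the certificate CN.
    if grep -q '^[[:space:]]*username-as-common-name' "$conf"; then
        echo "NOTE: username-as-common-name set; '$name' must be the username"
    fi
    if [ ! -f "$dir/$name" ]; then
        echo "FAIL: no override file $dir/$name"; return 2
    fi
    push=$(grep -E '^[[:space:]]*ifconfig-push[[:space:]]' "$dir/$name" | head -n 1)
    if [ -z "$push" ]; then
        echo "FAIL: $dir/$name has no ifconfig-push"; return 3
    fi
    echo "OK: $name -> $push"
}

# Constructed demo data: server2 has the directive, server3 does not.
csc_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/csc/server2"
    printf 'dev tap\nmode server\nusername-as-common-name\nclient-config-dir %s/csc/server2\n' \
        "$t" > "$t/server2.conf"
    printf 'dev tap\nmode server\n' > "$t/server3.conf"
    printf 'ifconfig-push 10.0.0.201 255.255.255.0\n' > "$t/csc/server2/alice"
    csc_check "$t/server2.conf" alice || true   # override found
    csc_check "$t/server2.conf" bob   || true   # no file for this name
    csc_check "$t/server3.conf" alice || true   # directive missing
    rm -rf "$t"
}
csc_demo
```

On a real system, pass the server's own config file and the name used in the override, for example csc_check /var/etc/openvpn/server1.conf followed by the client's name.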