OpenVPN - static client IP address to a user

[superfox]

Hey there, OPNsense community :-)

I was wondering how to assign a static VPN client IP address to a connecting user?

This is important, if you want to have user-specific firewall rules for your tunnel network.

[bartjsmit]

From the OpenVPN docs:

   --ifconfig-pool-persist file [seconds]

Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as well as on program startup and shutdown. The  goal of this option is to provide a long-term association between clients (denoted by their common name) and the virtual IP address assigned to them from the ifconfig-pool.  Maintaining a long-term association is good for clients because it allows them to effectively use the --persist-tun option.
file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>. If seconds = 0, file will be treated as read-only.  This is useful if you would like to treat file as a configuration file.

Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address.  They do not guarantee that the given common name will always receive the given IP address.  If you want guaranteed assignment, use --ifconfig-push


If you have different groups of VPN clients with different security policies, you may be better off running two OpenVPN servers on different ports and set different firewall rules for each tunnel.

Bart...

[superfox]

OK, thanks, i see.

So this is not included as a feature of OPNsense itself, at the moment(?)

I would prefer it as a basic feature, so i'll do a feature-request.

Or maybe there´s already a plugin enhancement, someone knows?


Based on your description, how do i create the needed file up on the system?


A second OpenVPN-instance is an idea, but it´s also another reachable service...

[bartjsmit]

OPNsense implements a wrapper around OpenVPN, which is otherwise largely unchanged. You add the 'ifconfig-pool-persist clientips.txt' option to the 'Advanced' section at the bottom of the edit server page.

As for a second server, it uses the same binaries and options, so not really another reachable service. I see it more as forks of the same daemon with a different destination port ;-)

Bart...

[superfox]

After adding the option, restarting and reconnecting a client, the file was created under /usr/local/www/clientips.txt

Because the file was empty, i inserted: myusername,172.28.28.55

It is an address from within the tunnel network.

The ip-address was never assigned to a connecting client.

Am i doing it wrong? :-)


What I've observed is that a client seems to always get the same address.
What information does this depend on?
How does this mechanism work?

[mimugmail]

There was a FR for setting this up with Radius, I can try ping to get this started ...

[beren]

Would be nice to also get an interface to assign the client a static ip and not have to use the ifconfig-push line in advanced.

[mimugmail]

Isnt this already possible?

[Akitoo]

Any updates on this topic?

[flehmann]

FYI: https://www.andysblog.de/opnsense-openvpn-und-feste-ip-adressen-fuer-benutzer

[ravenmaster887]

Hello together,

after updated to 23.7 the advanced option under VPN - OpenVPN - Client Specific Overrides is not available any more. this option to set a static client IP adresse to a OpenVPN user is no more possible.

Do you have an idea how can i set a static IP over another way?

[franco]

Only post once, I already replied with the answer and there was another thread also where this was discussed

https://forum.opnsense.org/index.php?topic=35149.0


Cheers,
Franco