OPNsense Forum

English Forums => General Discussion => Topic started by: superfox on April 05, 2018, 01:10:13 pm

Title: OpenVPN - static client IP address to a user
Post by: superfox on April 05, 2018, 01:10:13 pm
Hey there, OPNsense community :-)

I was wondering how to assign a static VPN client IP address to a connecting user?

This is important if you want to have user-specific firewall rules for your tunnel network.


Title: Re: OpenVPN - static client IP address to a user
Post by: bartjsmit on April 05, 2018, 03:45:18 pm
From the OpenVPN docs:

   --ifconfig-pool-persist file [seconds]

Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as well as on program startup and shutdown. The goal of this option is to provide a long-term association between clients (denoted by their common name) and the virtual IP address assigned to them from the ifconfig-pool. Maintaining a long-term association is good for clients because it allows them to effectively use the --persist-tun option.
file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>. If seconds = 0, file will be treated as read-only.  This is useful if you would like to treat file as a configuration file.

Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address.  They do not guarantee that the given common name will always receive the given IP address.  If you want guaranteed assignment, use --ifconfig-push


If you have different groups of VPN clients with different security policies, you may be better off running two OpenVPN servers on different ports and set different firewall rules for each tunnel.

Bart...
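
The docs quoted above point to `--ifconfig-push` for a guaranteed address. The following is an added example, not part of the original posts and not OPNsense code: it checks a common-name-to-IP map and builds the `ifconfig-push` line for each client's client-config-dir file. The function name `build_ccd`, the /24 tunnel size and `topology subnet` are assumptions.

```python
import ipaddress
import re

# Assumption: the server runs "topology subnet", where the per-client line is
# "ifconfig-push <client-ip> <netmask>". net30 topology uses a different form.
SAFE_CN = re.compile(r"^[A-Za-z0-9._@-]+$")


def build_ccd(tunnel_cidr, assignments, server_ip=None):
    """Return {common_name: file_text} for client-config-dir, or raise ValueError.

    assignments maps a certificate common name to the tunnel IP it must get.
    """
    net = ipaddress.ip_network(tunnel_cidr)
    # OpenVPN's "server" directive takes the first usable address for itself.
    server = ipaddress.ip_address(server_ip) if server_ip else net.network_address + 1
    owner_of = {}
    files = {}
    for cn, ip_text in assignments.items():
        # The common name becomes a file name, so refuse separators and dotfiles.
        if not SAFE_CN.match(cn) or cn.startswith("."):
            raise ValueError(f"unsafe common name: {cn!r}")
        ip = ipaddress.ip_address(ip_text)
        if ip not in net:
            raise ValueError(f"{ip} is outside tunnel network {net}")
        if ip in (net.network_address, net.broadcast_address, server):
            raise ValueError(f"{ip} is reserved in {net}")
        if ip in owner_of:
            # Two users on one address would share the same firewall rules.
            raise ValueError(f"{ip} assigned to both {owner_of[ip]} and {cn}")
        owner_of[ip] = cn
        files[cn] = f"ifconfig-push {ip} {net.netmask}\n"
    return files


if __name__ == "__main__":
    # Constructed sample: the user and address come from the thread, the /24 is assumed.
    for cn, text in build_ccd("172.28.28.0/24", {"myusername": "172.28.28.55"}).items():
        print(f"{cn}: {text}", end="")
```

Firewall rules keyed on these addresses should only cover the static assignments, with the dynamic pool kept to a separate range so that a pooled client cannot land on a privileged address.
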
Title: Re: OpenVPN - static client IP address to a user
Post by: superfox on April 09, 2018, 03:48:24 pm
OK, thanks, I see.

So this is not included as a feature of OPNsense itself, at the moment(?)

I would prefer it as a basic feature, so I'll do a feature-request.

Or maybe there's already a plugin enhancement, someone knows?


Based on your description, how do I create the needed file on the system?


A second OpenVPN-instance is an idea, but it's also another reachable service...
Title: Re: OpenVPN - static client IP address to a user
Post by: bartjsmit on April 10, 2018, 08:16:48 am
OPNsense implements a wrapper around OpenVPN, which is otherwise largely unchanged. You add the 'ifconfig-pool-persist clientips.txt' option to the 'Advanced' section at the bottom of the edit server page.

As for a second server, it uses the same binaries and options, so not really another reachable service. I see it more as forks of the same daemon with a different destination port ;-)

Bart...
Title: Re: OpenVPN - static client IP address to a user
Post by: superfox on April 11, 2018, 09:47:17 am
After adding the option, restarting and reconnecting a client, the file was created under /usr/local/www/clientips.txt

Because the file was empty, I inserted: myusername,172.28.28.55

It is an address from within the tunnel network.

The IP address was never assigned to a connecting client.

Am I doing it wrong? :-)


What I've observed is that a client seems to always get the same address.
What information does this depend on?
How does this mechanism work?

Title: Re: OpenVPN - static client IP address to a user
Post by: mimugmail on April 11, 2018, 11:03:59 am
There was a FR for setting this up with Radius, I can try ping to get this started ...
Title: Re: OpenVPN - static client IP address to a user
Post by: beren on February 14, 2019, 08:42:29 pm
Would be nice to also get an interface to assign the client a static ip and not have to use the ifconfig-push line in advanced.
Title: Re: OpenVPN - static client IP address to a user
Post by: mimugmail on February 14, 2019, 10:21:54 pm
Isn't this already possible?
Title: Re: OpenVPN - static client IP address to a user
Post by: Akitoo on November 28, 2019, 05:05:19 pm
Any updates on this topic?
Title: Re: OpenVPN - static client IP address to a user
Post by: flehmann on March 16, 2020, 07:44:23 pm
FYI: https://www.andysblog.de/opnsense-openvpn-und-feste-ip-adressen-fuer-benutzer
Title: Re: OpenVPN - static client IP address to a user
Post by: ravenmaster887 on August 03, 2023, 03:33:06 pm
Hello everyone,

After updating to 23.7, the advanced option under VPN - OpenVPN - Client Specific Overrides is not available any more. This option to set a static client IP address for an OpenVPN user is no longer possible.

Do you have an idea how I can set a static IP another way?
Title: Re: OpenVPN - static client IP address to a user
Post by: franco on August 03, 2023, 04:57:36 pm
Only post once, I already replied with the answer and there was another thread also where this was discussed ;)

https://forum.opnsense.org/index.php?topic=35149.0


Cheers,
Franco