(20180407 – The steps in this post were amended to address changes in recent versions of software — iceflatline)
This post describes how to configure the OpenVPN server in pfSense to assign static IP addresses to its remote access client hosts.
pfSense (i.e., “making sense of packet filtering”) is a customized version of FreeBSD tailored specifically for use as a perimeter firewall and router, and can be managed entirely from a web-based or command line interface. In addition to being a firewall and routing platform, pfSense includes a long list of other features, as well as a package system allowing its capabilities to be expanded even further. pfSense is free, open source software distributed under the BSD license.
OpenVPN is a lightweight VPN software application supporting both remote access and site-to-site VPN configurations. It uses SSL/TLS security for encryption and is capable of traversing network address translation devices and firewalls. The OpenVPN community edition is free, open source software and portable to most major operating systems, including Linux, Windows 2000/XP/Vista/7, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. It is distributed under the GPL license version 2.
All steps involved assume that pfSense and its OpenVPN server are installed and operating correctly. The versions for the software used in this post were as follows:
- pfSense 2.4.3
Let’s get started…
Log into pfSense’ “webConfigurator” interface and navigate to VPN->OpenVPN. Select the icon to edit the server and ensure that the value for “Topology” under “Client Settings” is set to “net30 – Isolated /30 network per client”, then select “Save”.
Now connect to your pfSense firewall using SSH and open /var/etc/openvpn/server1.conf. Ensure that this configuration file contains the following line pointing to a valid directory for containing OpenVPN client host configuration files. The default directory in pfSense for this purpose is /var/etc/openvpn-csc/server1. You can change this directory if you wish but for our example we’ll retain the default:
|
1 |
client-config-dir /var/etc/openvpn-csc/server1 |
In this directory we will create a file for each remote access client host we want the OpenVPN server to assign a static IP address to. The file name of each file must be the same name as the client host’s OpenVPN SSL certificate. For example, if you would like to configure a static IP for a client host with the certificate name “bob” then create the following file:
|
1 |
touch /var/etc/openvpn-csc/server1/bob |
Open this newly created file and add the following line, which contains a pair of IP addresses from the IPv4 virtual network you’ve configured for private communications between the OpenVPN server and your client hosts. Note that you cannot use just any pair of addresses from within this subnet. Each pair of ifconfig-push addresses represent the OpenVPN client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows client hosts and the TAP-Windows driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from set defined in the “Configuring client-specific rules and access policies” section of the OpenVPN HOWTO. In this example, our OpenVPN server is using the virtual network 192.168.20.0/24 and we’ve chosen an appropriate pair of endpoint addresses to use from this subnet. Note that the first IP address in following line is the IP address assigned to the client host, the second is the address the server uses:
|
1 |
ifconfig-push 192.168.20.6 192.168.20.5 |
Once you’ve added this line to /var/etc/openvpn-csc/server1/bob you’ll need to restart the OpenVPN server in pfSense. You can do this from Status->Services in the pfSense “webConfigurator” interface.
Note that any files added to /var/etc/openvpn-csc/server1 will be deleted by the system if it reboots. To protect these files you can use the chflags utility to set the system immutable flag on the file. Once this flag is set, no one can delete or modify file, including root. You must be the root user to set or clear the immutable flag:
|
1 |
chflags schg /var/etc/openvpn-csc/server1/bob |
To verify that the immutable flag has been set:
|
1 |
ls -lo /var/etc/openvpn-csc/server1/bob |
Output:
|
1 |
-rw-r--r-- 1 root wheel schg 42 Jan 20 15:58 bob |
To clear the immutable flag:
|
1 |
chflags noschg /var/etc/openvpn-csc/server1/bob |
Conclusion
There you have it. Some minor configuration of your pfSense machine and its OpenVPN server will start assigning static IP addresses to the remote access client hosts you designate.
References
http://openvpn.net/index.php/open-source/documentation/howto.html
Hello,
Thank you for your solution. This works for me as well.
However, when I reboot my pfsense, these setting are gone and I have to recreate them.
To be more precise, all files in dir /var/etc/openvpn-csc are gone.
Do you have a solution to this?
Regards,
Luke
Luke, thanks for bringing this to my attention. I was not aware that the files were not surviving a reboot. I’ll need to look into this further.
After looking into this further, it appears you can set the immutable flag on the file(s), thus preventing the system from deleting them when the system is rebooted. I’ve added these steps in the post.
Hello. Thanks for your article.
Turns out that if you have more than 1 OpenVPN servers configured in pfSense, the directory that the Client Override config files reside in is /var/etc/openvpn-csc/server/.
eg. the file location for the CN=bob configured for the first OpenVPN server will be
/var/etc/openvpn-csc/server1/bob
This has me scratching my head when suddenly my client overrides stopped working and I didn’t realize that creating a second openvpn server has caused the location to change in pfSense v2.6.1.
Hope this helps someone.
Very interesting Paresh. I’ve not run more than one instance of the server so had not encountered this issue before. Thanks for passing this information along.
So it turns out that pfSense now adds this new directory even when running a single instance of the OpenVPN server. I’ve modified the post to reflect this change.
Couldn’t you just add ‘ifconfig-push’ in “Custom options” on “Advanced Configuration” part of edit server page instead of all this trouble with files?
Leeroy, I seem to recall trying that approach and it didn’t work, or at least didn’t work reliably. Have you tried it?