====== PFSense - VPN - OpenVPN - Assign a fixed IP to a remote client ======

Assigning a fixed IP to a client that connects to a VPN allows this IP to be used in firewall rules.

**NOTE:** It is assumed that an OpenVPN server has already been created and one or more correctly configured users exist.

----

===== Identify a fixed IP address for the Client to use =====

Navigate to **VPN -> OpenVPN**.

In **Servers**, check the Tunnel Network used by the specific VPN Server. In this case it is **10.20.30.0/24**.

**NOTE:** The fixed IP address for the client must be a unique IP within this subnet. For example **10.20.30.69**.

{{:pfsense:vpn:openvpn:pfsense_-_vpn_-_openvpn_-_servers.png?800|}}

----

===== Identify the user to whom we want to assign the IP just chosen =====

Navigate to **System -> User Manager -> Users**.

Select the specific user to assign the fixed IP address to.

  * Make a note of the actual username. Let's assume this is **peter**.

{{:pfsense:vpn:openvpn:pfsense_-_system_-_user_manager_-_users.png?800|}}

----

===== Allocate the fixed IP to the User =====

Navigate to **VPN -> OpenVPN -> Client Specific Overrides**.

Click **Add**.

In **General Information**:

  * Server List: **Select the desired OpenVPN server**.
  * Common Name: **peter**. This needs to be the **exact** name of the user, as identified in the earlier step **Identify the user to whom we want to assign the IP just chosen**.

{{:pfsense:vpn:openvpn:pfsense_-_vpn_-_openvpn_-_client_specific_overrides_-_general_information.png?800|}}

In **Client Settings**:

  * Advanced Settings: **ifconfig-push 10.20.30.69 255.255.255.0**.

{{:pfsense:vpn:openvpn:pfsense_-_vpn_-_openvpn_-_client_specific_overrides_-_client_settings.png?800|}}

  * Click **Save**.

**NOTE:** From now on, when peter connects to the OpenVPN Server, he will always be assigned the IP 10.20.30.69.

----

===== Test =====

Connect to the VPN Server from the Client.

Check the IP Address of the Connected Client.

Navigate to **Status -> OpenVPN**.
  * Check the **Virtual Address**.

{{:pfsense:vpn:openvpn:pfsense_-_status_-_openvpn.png?800|}}

----

===== Configure Firewall Rules for this User =====

We know that the user, peter, will connect with IP 10.20.30.69. Firewall rules can therefore be configured using this IP.

By placing the IP 10.20.30.69 in the Source field, we can decide which IPs our VPN user can access and which ports/services.

For example:

  * Access is granted to IP Address 192.168.1.123 for the user connecting on 10.20.30.69, i.e. peter.
  * All other traffic is blocked.

{{:pfsense:vpn:openvpn:pfsense_-_firewall_-_rules_-_openvpn_-_updated.png?800|}}

**NOTE:** The last deny rule is not actually needed. It is only put in to make the deny explicit, which is in fact how the firewall behaves if no rule is applied.
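A pre-flight check for the **ifconfig-push** line entered under **Client Specific Overrides**, written as an added example (not part of the original page or of pfSense): it validates each override against the Tunnel Network before any firewall rule is keyed to that source IP. The function name, the users other than peter, and the assumption that the server runs in subnet topology and holds the first address of the tunnel network are assumptions of this example.

```python
import ipaddress

def check_overrides(tunnel_network, overrides):
    """overrides maps Common Name -> Advanced Settings line.
    Returns a list of (common_name, problem); an empty list means every entry is usable."""
    net = ipaddress.ip_network(tunnel_network)
    # Assumption: subnet topology, where the server itself takes the first address.
    server_ip = net.network_address + 1
    problems, seen = [], {}
    for cn, line in overrides.items():
        parts = line.strip().rstrip(";").split()
        if len(parts) != 3 or parts[0] != "ifconfig-push":
            problems.append((cn, "not an 'ifconfig-push <ip> <netmask>' line"))
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
            mask = ipaddress.ip_address(parts[2])
        except ValueError:
            problems.append((cn, "unparseable address or netmask"))
            continue
        if ip not in net:
            problems.append((cn, f"{ip} is outside {net}"))
        elif ip in (net.network_address, net.broadcast_address):
            problems.append((cn, f"{ip} is the network or broadcast address"))
        elif ip == server_ip:
            problems.append((cn, f"{ip} collides with the server's tunnel address"))
        if mask != net.netmask:
            problems.append((cn, f"netmask {mask} does not match {net.netmask}"))
        if ip in seen:
            # Two users sharing one IP would also share every rule written for it.
            problems.append((cn, f"{ip} already assigned to {seen[ip]}"))
        seen.setdefault(ip, cn)
    return problems

# Constructed sample: peter's entry is the one from this page, the rest are hypothetical.
SAMPLE = {
    "peter": "ifconfig-push 10.20.30.69 255.255.255.0",
    "alice": "ifconfig-push 10.20.30.69 255.255.255.0",  # duplicate of peter
    "bob":   "ifconfig-push 10.20.31.5 255.255.255.0",   # outside the tunnel network
    "carol": "ifconfig-push 10.20.30.1 255.255.255.0",   # server's own address
}

if __name__ == "__main__":
    for cn, problem in check_overrides("10.20.30.0/24", SAMPLE):
        print(f"{cn}: {problem}")
```

An entry that fails the duplicate check matters most here, because a source-IP firewall rule cannot tell two users apart once they share an address.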