How To Assign Dedicated IPs to OpenVPN Accounts on pfSense

As a managed hosting provider, NetShop ISP offers Managed Firewall service for customers who utilize pfSense for Network routing, VPN, Firewall management and Traffic monitoring needs.

One of the most frequent requests we receive is to provide OpenVPN accounts to a company’s employees with a static/dedicated IP address on one or more VPN accounts.

The documentation found online is quite poor for this particular implementation as it involves in-depth knowledge and expertise on both the OpenVPN and pfSense services.

In this article we will explain in clear, easy steps how you can assign multiple IP address in pfSense and assign them to one or more OpenVPN accounts.

The pfSense version used in this article’s example is 2.5.0-RELEASE (amd64) and we tested it on one a UK VPS server.


Let’s get to work now.

Steps to Assign Multiple IPs in OpenVPN Accounts

Step 1: Add Virtual IPs

Assuming your Server has been assigned with multiple IPs, the first step is to add them as Virtual IPs from the pfSense GUI.

From the top menu click Firewall > Virtual IPs and then click the green “Add” button.

In the next page, please follow the same settings as shown in the screenshot below. The IP address is one of the additional IPs assigned on your server which you will eventually want to assign in a specific OpenVPN account.

When done, press Save at the bottom of the page.

The new Virtual IP has been added. Now proceed to Apply the Changes.

Step 2 — Create OpenVPN User

At this point we will create a new user for whom, later in this tutorial, we will assign a dedicated IP address.

From the top menu click System > User Manager and then click the “Add” button

The important setting when creating a new user, is the Certificate option. Check the box to ensure the new user will be associated with a dedicated Certificate on server-side.

Step 3 — Assign Static Local IP (Tunnel Network)

Upon creating successfully a new User (Step 2) we must now assign a static Tunnel Network IP. We assume you have already created the tunnel network when installing the OpenVPN Service. In our example, the tunnel network is

To proceed with the local IP assignment, navigate to VPN > OpenVPN

From the tabs click “Client Specific Overrides” and then click the “Add” button.

The Common Name must match exactly the username of the respective user. Then, as a good practice, add the tunnel network IP in the description field so you can quickly identify the IPs assigned to each user.

Under the Client Settings / Advanced section, add the command ifconfig-push Remember that in this example we are using the IP for our new OpenVPN user Spyros2.

Step 4 — Setup 1:1 NAT Rule

So far, we have created the OpenVPN Account for our user and assigned a static IP address for the tunnel network. Now it’s time to setup a 1:1 NAT rule for the tunnel’s local IP address translation into one of our public IP Addresses.

From the top menu go to Firewall > NAT

Click the 1:1 tab and then click the “Add’ button

Add the Public IP address (the one you have added as Virtual IP in Step 1) as the External subnet IP.

Then, under the Internal IP field add the Tunnel Network IP used in Client Overrides in Step 3. Then press Save.

We are done with assigning a static IP address to the OpenVPN user! Now you can export the OpenVPN certificate for your user who can start browsing the Internet using the newly assigned Public IP address.

Facing Issues? Opt for a Fully Managed Firewall

NetShop ISP offers Virtual and Hardware Firewalls based on pfSense. Moreover you may opt for a Fully Managed Firewall service so you can focus on your core business while we take care of the following aspects of your Firewall:

  • pfSense Setup
  • Public and Private Network Configuration
  • High-Availability and pfSense Failover Setup (CARP)
  • Additional Services Installation (OpenVPN, Squid, etc)
  • Security Hardening
  • Network Administration
  • pfSense Backup Management





Web Hosting, Servers, Colocation & Data Center Services (

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

C-Christmas tree

The Case for Vim

Top Skills for a RPA Developer Job

Exploration and Practice of Database Disaster Recovery in the DT Era

SimScale’s Values — Part 4

Integrating Customized Scripts/Commands into PyCharm Pro

How We Developed DingTalk: Implementing the Message System Architecture

Automatic detection of new construction sites

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
NetShop ISP

NetShop ISP

Web Hosting, Servers, Colocation & Data Center Services (

More from Medium

The shift from cloud-to-edge

Creating a shellcode: Reverse tcp shell

Remediating Log4J using osquery: a quick reference guide of tables and actions

How to bounce ATCTS off AD