pfSense Community Edition: VPN / OpenVPN / Client Specific Overrides / Edit
General Information
Description
A description of this override for administrative reference.
Disable
Disable this override
Set this option to disable this client-specific override without removing it from the list.
Override Configuration
Common Name
Enter the X.509 common name of the client certificate, or the username for VPNs that use password authentication. The match is case sensitive. Enter "DEFAULT" to create the override OpenVPN applies to every client that has no override of its own.
Connection blocking
Block this client connection based on its common name.
Prevents the client from connecting to this server. Do not use this option to permanently disable a client due to a compromised key or password. Use a CRL (certificate revocation list) instead.
Server List
OpenVPN Server 1: VPN Test OVPN
Select the servers that will utilize this override. When no servers are selected, the override will apply to all servers.
Select Server Overrides
Select the server options to remove.
If unchecked, any client options specified in the form below or in the Advanced section are pushed to the client after the server options.
If checked, choose the server options to remove. Any client option specified in the form below or in the Advanced section then overrides the corresponding server-defined option.
Remove All Server Options
Prevent this client from receiving any server-defined client settings.
This option adds push-reset to the client's override, which discards every server-defined push option, including routes, the gateway and the topology.
For the client to connect properly, enter at least the gateway and the topology in the form below or in the Advanced section.
Override Server Topology
Subnet -- One IP address per client in a common subnet
net30 -- Isolated /30 network per client
This pushes the selected topology to the client. Set it only when "Remove All Server Options" is checked. It must match the topology configured on the server.
NOTE: This performs a "push topology [selection]" without a preceding "push-remove topology". Alternatively, push the topology from the Advanced section.
Remove Server Local Routes
Prevent this client from receiving any server-defined local routes.
This option sends a "push-remove route" for the client, removing any server-defined IPv4 or IPv6 local routes, including the gateway (push-remove matches on the option prefix, so "route" also removes "route-ipv6" and "route-gateway").
NOTE: Remember to enter the proper gateway and any additional local routes in the form below or in the Advanced section.
Remove Server Remote Routes
Prevent this client from receiving any server-defined remote routes.
This option sends a "push-remove iroute" for the client, removing any server-defined IPv4 or IPv6 remote routes. Note that iroute is a server-side directive telling OpenVPN which client owns a subnet; it is never delivered to the client itself.
NOTE: You can set new client-specific remote routes in the form below or in the Advanced section.
Remove Server DNS Domains
Prevent this client from receiving any server-defined remote DNS domains.
This option sends a "push-remove dhcp-option DOMAIN" for the client, removing any server-defined DNS domains.
NOTE: You can set a new client-specific DNS domain in the form below or in the Advanced section.
Remove Server DNS Servers
Prevent this client from receiving any server-defined DNS servers.
This option sends a "push-remove dhcp-option DNS" for the client, removing any server-defined IPv4 or IPv6 DNS servers.
NOTE: You can set new client-specific DNS servers in the form below or in the Advanced section.
Remove Server NTP Options
Prevent this client from receiving any server-defined NTP servers.
This option sends a "push-remove dhcp-option NTP" for the client, removing any server-defined NTP servers.
NOTE: You can set new client-specific NTP servers in the form below or in the Advanced section.
Remove Server NetBIOS Type
Prevent this client from receiving any server-defined NetBIOS node type.
This option sends a "push-remove dhcp-option NBT" for the client, removing any server-defined NetBIOS node type.
NOTE: You can set new client-specific NetBIOS options in the form below or in the Advanced section.
Remove Server NetBIOS Scope
Prevent this client from receiving any server-defined NetBIOS scope.
This option sends a "push-remove dhcp-option NBS" for the client, removing any server-defined NetBIOS scope.
NOTE: You can set a new client-specific NetBIOS scope in the form below or in the Advanced section.
Remove Server WINS Options
Prevent this client from receiving any server-defined WINS servers.
This option sends a "push-remove dhcp-option WINS" for the client, removing any server-defined WINS servers.
NOTE: You can set new client-specific WINS servers in the form below or in the Advanced section.
Tunnel Settings
IPv4 Tunnel Network
The virtual IPv4 network, or a network type alias with a single entry, used for private communications between this client and the server, expressed in CIDR notation (e.g. 10.0.8.5/24).
With subnet topology, enter the client IP address; the subnet mask must match the IPv4 Tunnel Network on the server.
With net30 topology, the first usable address of the /30 is assumed to be the server address and the second is assigned to the client.
IPv6 Tunnel Network
The virtual IPv6 network or network type alias with a single entry used for private communications between this client and the server expressed using prefix (e.g. 2001:db9:1:1::100/64).
Enter the client IPv6 address and prefix. The prefix must match the IPv6 Tunnel Network prefix on the server.
Local Routes Settings
Redirect IPv4 Gateway
Force all client generated traffic through the tunnel.
Redirect IPv6 Gateway
Force all client-generated IPv6 traffic through the tunnel.
IPv4 Local Network/s
These are the IPv4 server-side networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more CIDR ranges or host/network type aliases.
NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.
IPv6 Local Network/s
These are the IPv6 server-side networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more IP/PREFIX networks.
NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.
IPv4 Gateway
This is the IPv4 gateway to push to the client. Normally it is left blank and configured on the server. Enter the gateway IP if either "Remove Server Local Routes" or "Remove All Server Options" is checked: both options remove the gateway defined on the server, and the client connection will likely fail without one.
NOTE: Unless configured otherwise, the gateway should match the IPv4 tunnel gateway configured in the settings of the selected OpenVPN servers.
Remote Routes Settings
IPv4 Remote Network/s
These are the IPv4 client-side networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed.
NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.
IPv6 Remote Network/s
These are the IPv6 client-side networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. Expressed as a comma-separated list of one or more IP/PREFIX networks. May be left blank if there are no client-side networks to be routed.
NOTE: Remember to add these subnets to the IPv6 Remote Networks list on the corresponding OpenVPN server settings.
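The Select Server Overrides, Tunnel Settings, Local Routes and Remote Routes sections above all describe directives that end up in the per-client ccd file OpenVPN reads for a matching Common Name. The model below, added here as an example and not pfSense's or OpenVPN's own code, renders such a file from the form's settings and then applies it to a server push list the way OpenVPN does: push-reset discards every server push, push-remove disables every pushed option whose text starts with the given string, and push appends. The dict keys, the SERVER_PUSH list and the exact ccd layout are assumptions modelled on this form; the prefix-match behaviour of push-remove is documented OpenVPN behaviour and is what makes "push-remove route" also take the gateway away.

```python
"""Model of how a client-specific override (ccd file) changes what a client is pushed.

Added example, not pfSense's or OpenVPN's own code.  The dict keys, SERVER_PUSH
and the exact ccd layout are assumptions modelled on the override form; the
push-reset / push-remove semantics follow OpenVPN's documented behaviour.
"""
import ipaddress
import shlex


def build_ccd(cso: dict) -> list[str]:
    """Render a ccd file from the form settings (key names are assumptions)."""
    if cso.get("block"):
        return ["disable"]  # Connection blocking; a compromised key belongs in a CRL
    lines = []
    net = cso.get("tunnel_network")  # IPv4 Tunnel Network, e.g. 10.0.8.5/24
    if net:
        iface = ipaddress.ip_interface(net)
        if cso.get("topology", "subnet") == "subnet":
            lines.append(f"ifconfig-push {iface.ip} {iface.netmask}")
        else:  # net30: first usable address of the /30 is the server, second the client
            base = int(iface.network.network_address)
            server, client = ipaddress.ip_address(base + 1), ipaddress.ip_address(base + 2)
            lines.append(f"ifconfig-push {client} {server}")
    if cso.get("remove_all"):
        lines.append("push-reset")  # Remove All Server Options
    else:  # prefix removals go before any client-specific push
        if cso.get("remove_local_routes"):
            lines.append("push-remove route")
        if cso.get("remove_dns_servers"):
            lines.append('push-remove "dhcp-option DNS"')
    if cso.get("topology_override"):
        lines.append(f'push "topology {cso["topology_override"]}"')
    if cso.get("gateway"):
        lines.append(f'push "route-gateway {cso["gateway"]}"')
    for n in cso.get("local_networks", []):
        n = ipaddress.ip_network(n, strict=False)
        lines.append(f'push "route {n.network_address} {n.netmask}"')
    for n in cso.get("remote_networks", []):
        n = ipaddress.ip_network(n, strict=False)
        lines.append(f"iroute {n.network_address} {n.netmask}")  # server-side only
    for opt in cso.get("advanced", "").split(";"):  # Advanced: semicolon-separated
        if opt.strip():
            lines.append(opt.strip())
    return lines


def resolve_push(server_push: list[str], ccd: list[str]) -> list[str]:
    """Apply a ccd file to the server's global push list the way OpenVPN does.

    push-reset disables every entry present so far, push-remove X disables every
    entry whose option text starts with X, push "..." appends an entry.  Directives
    apply in file order, so a push-remove also hits an earlier push in the same file.
    """
    entries = [[opt, True] for opt in server_push]
    for line in ccd:
        parts = shlex.split(line)
        if not parts:
            continue
        if parts[0] == "push-reset":
            for e in entries:
                e[1] = False
        elif parts[0] == "push-remove" and len(parts) == 2:
            for e in entries:
                if e[0].startswith(parts[1]):
                    e[1] = False
        elif parts[0] == "push" and len(parts) == 2:
            entries.append([parts[1], True])
    return [opt for opt, enabled in entries if enabled]


# Constructed: what a server with one local network, a gateway and DNS would push.
SERVER_PUSH = [
    "topology subnet",
    "route-gateway 10.0.8.1",
    "route 192.168.8.0 255.255.255.0",
    "route-ipv6 fd00:8::/64",
    "dhcp-option DNS 10.0.8.1",
    "dhcp-option DOMAIN example.internal",
]


def pushed_for(cso: dict) -> list[str]:
    """Options the client named by this override actually receives."""
    return resolve_push(SERVER_PUSH, build_ccd(cso))


if __name__ == "__main__":
    # "Remove Server Local Routes" with no gateway: the prefix match on "route"
    # also strips route-gateway and route-ipv6, which is why the form warns you.
    print(pushed_for({"remove_local_routes": True}))
    # Same override with the gateway and a client-specific local network re-added.
    print(pushed_for({"remove_local_routes": True, "gateway": "10.0.8.1",
                      "local_networks": ["192.168.9.0/24"]}))
    # "Remove All Server Options" leaves nothing unless topology and gateway are re-pushed.
    print(pushed_for({"remove_all": True}))
```

The first call is the failure mode the gateway note describes: a client that is stripped of route-gateway and topology has no default route into the tunnel and usually fails to come up, while "push-remove dhcp-option DNS" leaves the DOMAIN option in place because the prefix does not match it.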
Other Client Settings
Ping Interval
Push ping to VPN client
Override server ping interval.
Ping Seconds
Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds.
Ping Action
Push ping-restart/ping-exit to VPN client
Override server ping restart/exit.
Ping restart or exit
ping-restart -- Restart OpenVPN after timeout
ping-exit -- Exit OpenVPN after timeout
Exit or restart OpenVPN after timeout from remote.
Ping restart or exit seconds
DNS Default Domain
Provide a default domain name to clients
DNS Domain
DNS Servers
Provide a DNS server list to clients
Server 1
Server 2
Server 3
Server 4
Block Outside DNS
Make Windows 10 clients block access to any DNS server except across the OpenVPN tunnel while connected, forcing them to use only the VPN's DNS servers.
Requires Windows 10 and OpenVPN 2.3.9 or later. Only Windows 10 is prone to DNS leakage in this way; other clients ignore the option because they are not affected.
Force DNS cache update
Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation.
This is known to kick Windows into recognizing pushed DNS servers.
NTP Servers
Provide an NTP server list to clients
Server 1
Server 2
NetBIOS Options
Enable NetBIOS over TCP/IP
If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled.
Node Type
none
b-node
p-node
m-node
h-node
Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), and h-node (query name server, then broadcast).
Scope ID
A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID.
WINS servers
Provide a WINS server list to clients
Server 1
Server 2
Advanced
Enter any additional OpenVPN directives to add to this client-specific override, separated by semicolons.
These options are pushed to the client after all of the custom options above.
EXAMPLE: push "route 10.0.0.0 255.255.255.0";
Save