Client Settings

These settings control the behavior of clients connecting to this server.

Dynamic IP

Checking this box adds the float configuration option to the OpenVPN configuration. This allows clients to retain their connection if their IP address changes, similar to MOBIKE for IKEv2 in IPsec.

For clients on Internet connections where the IP address changes frequently, or mobile users who commonly move between different Internet connections, check this option for more stable connectivity. Where the client IP address is static or rarely changes, not using this option offers a small security improvement.

Topology

Sets the method OpenVPN uses to allocate addresses for clients in a client/server setup on tun device mode VPNs. The Topology option is relevant only when supplying a virtual adapter IP address to clients using tun mode on IPv4. Some clients may require this even for IPv6, such as OpenVPN Connect, though in reality IPv6 always runs with a subnet topology even when IPv4 uses net30. OpenVPN instances using tap mode always use subnet topology as well.

subnet:

Uses the first IP address in the subnet for the server and allocates one IP address per client in a single shared subnet.

By default OpenVPN on pfSense® software prefers a topology style of subnet when using a Device Mode of tun. This is the only available style when using the tap Device Mode.

Note

Some very old clients may not support this mode on certain platforms, such as versions before OpenVPN 2.1.x, which as of this writing was over 10 years old, or before 2.3.x, which was around 8 years ago. These clients are rare in practice in modern environments.

Always make sure the client and associated drivers are fully up-to-date when using a subnet topology.

net30:

OpenVPN allocates a /30 CIDR network (four IP addresses, two usable) to each connecting client, including one for the server itself. This style has a longer history, but can be confusing for administrators and users alike.

Warning

The OpenVPN project has declared the net30 style as deprecated, indicating it will be removed in future versions. Avoid using it when possible.
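
The following added example (not part of the pfSense software or the OpenVPN project) audits an OpenVPN server configuration for the Dynamic IP and Topology choices described above. The function names, finding identifiers, the clients_roam parameter, and the sample configurations are assumptions constructed for illustration; only whole-line comments are handled.

```python
# Added example: sample configs are constructed, not taken from a real firewall.
SAMPLE_TUN = """\
# constructed server config
dev tun
topology net30
float
"""
SAMPLE_TAP = "dev tap0\n;topology net30\n"

def parse_directives(text):
    """Map each directive to its argument list (last occurrence wins)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or whole-line comment
            continue
        name, *args = line.split()
        found[name] = args
    return found

def audit(text, clients_roam):
    """Return (id, message) findings for the float and topology settings."""
    conf = parse_directives(text)
    findings = []
    if "float" in conf and not clients_roam:
        findings.append(("float-unneeded", "float is set but client addresses are "
                         "static; removing it offers a small security improvement"))
    if "float" not in conf and clients_roam:
        findings.append(("float-missing", "roaming clients may lose the tunnel "
                         "when their IP address changes"))
    dev = (conf.get("dev") or [""])[0]
    topology = (conf.get("topology") or [None])[0]
    if dev.startswith("tap"):
        return findings  # tap mode always uses subnet topology
    if topology == "net30":
        findings.append(("topology-net30", "net30 is deprecated; use subnet"))
    elif topology is None:
        findings.append(("topology-unset", "no explicit topology for tun mode; "
                         "confirm the effective value"))
    return findings

if __name__ == "__main__":
    for finding_id, message in audit(SAMPLE_TUN, clients_roam=False):
        print(f"{finding_id}: {message}")
```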