Setup

OpenVPN server

  • Create the OpenVPN server as normal
  • Set TCP, port 443, and mode tun
  • Set the IPv4 Tunnel Network to something similar to 10.33.249.0/24
  • Do not set IPv4 Local Network(s), so nothing is pushed to every client by default

Pick a third octet well away from the numbers used for the VLANs/subnets; a /24 is enough for most deployments.

All clients therefore get an address from this global pool, but an address on its own grants nothing: traffic from it is dropped unless a rule on the OpenVPN "interface" tab of the firewall explicitly allows that source to reach the subnets it needs.

Pick a spare subnet such as 10.33.250.0/24 which is not in use anywhere else. This will be broken up into /30 mini subnets, one per client. If those run out, start on 10.33.251.0/24. Each of these extra subnets needs a route in the main OpenVPN server's Advanced settings, so the firewall sends traffic for those addresses into the tunnel, such as:

route 10.33.250.0 255.255.255.0;

OpenVPN certificate

Create a certificate in the usual way. I suggest setting the common name to first.last or company.first.last.

OpenVPN Client specific overrides

For each client create a Client specific override.

The tunnel networks will be /30s (i.e. one address for the network, one for the AZTCO-FW OpenVPN server, one for the client and one for broadcast). So the first one will be 10.33.250.0/30, the second 10.33.250.4/30, and so on. This layout relies on the server using the net30 topology (one /30 per client); with a subnet topology the override's Tunnel Network field is interpreted as a single client address instead.

  • Set the Common Name to first.last or whatever was used for the certificate; the override only applies to a client presenting a certificate with exactly that name
  • Description: set to the Tunnel Network range, to make it easy to spot who has what
  • Tunnel Network = last one allocated + 4 (see above)
  • Advanced: push "route 10.33.x.0 255.255.255.0";

In the push above, x is the third octet of the customer VLAN/subnet this client may access. A pushed route only tells the client to send that traffic into the tunnel; it is not access control, and the firewall rules below are what actually permit or deny it.

Firewall rules

The client specific override pins a static address onto the client, which will be the third address in its /30. For the override with Tunnel Network 10.33.250.8/30:

10.33.250.8   network address
10.33.250.9   AZTCO-FW OpenVPN server end of the tunnel
10.33.250.10  the static IP address for the client
10.33.250.11  broadcast

If several clients access the same VLANs/subnets, group their static tunnel addresses in an alias. Then add a rule on the OpenVPN tab of the Firewall rules granting access from the alias to the relevant subnets only. Avoid an "any" source rule on that tab: it would let every connected client reach every customer network regardless of the overrides.
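The override allocation above and the alias grouping in this section are easy to get wrong by hand once there are a few dozen clients, so the following Python script is added here as a worked example (it is not AZTCO-FW code). It hands out one /30 per client from the spare /24 pools in order, spilling into the next pool when one is exhausted, checks the pools do not overlap the server tunnel network or any customer network, prints the OpenVPN lines each client specific override produces (ifconfig-push client server, plus the pushed route), the route lines the server's Advanced settings need, and the client addresses grouped per customer network for the firewall aliases. The client names, the customer networks (assumed to be 10.33.x.0/24, as on this page) and the net30 topology are assumptions for the example.

```python
"""Added example, not AZTCO-FW code: allocate one /30 per OpenVPN client
(net30 topology) from spare /24 pools and emit override/route/alias text."""
import ipaddress
from collections import defaultdict

# Constructed sample data: certificate common name and the third octet of the
# 10.33.x.0/24 customer network that client is allowed to reach.
CLIENTS = [("alice.smith", 10), ("bob.jones", 10), ("carol.white", 20)]
# Spare /24s reserved for per-client /30s (the first one is from the page).
POOLS = ["10.33.250.0/24", "10.33.251.0/24"]
SERVER_TUNNEL = "10.33.249.0/24"  # the server's own IPv4 Tunnel Network


def check_pools(pools, server_tunnel, client_octets):
    """Refuse a pool that overlaps the server tunnel or any customer network."""
    reserved = [ipaddress.ip_network(server_tunnel)]
    reserved += [ipaddress.ip_network(f"10.33.{o}.0/24") for o in set(client_octets)]
    for p in pools:
        pn = ipaddress.ip_network(p)
        for r in reserved:
            if pn.overlaps(r):
                raise ValueError(f"pool {pn} overlaps {r}")


def allocate(clients, pools):
    """One /30 per client, in order; fails loudly when every pool is used up.

    Returns a list of dicts: cn, tunnel, server_ip, client_ip, customer_net."""
    def thirties():
        for p in pools:
            yield from ipaddress.ip_network(p).subnets(new_prefix=30)

    free = thirties()
    result = []
    for cn, octet in clients:
        try:
            t = next(free)
        except StopIteration:
            raise ValueError("all /30 pools are used; add another /24 "
                             "and a route for it") from None
        # net30: first usable address is the server side, second is the client.
        server_ip, client_ip = list(t.hosts())
        result.append({
            "cn": cn, "tunnel": str(t),
            "server_ip": str(server_ip), "client_ip": str(client_ip),
            "customer_net": f"10.33.{octet}.0/24",
        })
    return result


def override_text(entry):
    """The OpenVPN lines the client specific override amounts to."""
    net = ipaddress.ip_network(entry["customer_net"])
    return "\n".join([
        f"# {entry['cn']}  description: {entry['tunnel']}",
        f"ifconfig-push {entry['client_ip']} {entry['server_ip']}",
        f'push "route {net.network_address} {net.netmask}"',
    ])


def server_routes(pools):
    """The 'route' lines each pool needs in the server's Advanced settings."""
    nets = [ipaddress.ip_network(p) for p in pools]
    return [f"route {n.network_address} {n.netmask}" for n in nets]


def alias_members(entries):
    """Client tunnel addresses grouped by the customer network they may reach,
    i.e. the members of one firewall alias per customer network."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["customer_net"]].append(e["client_ip"])
    return dict(groups)


if __name__ == "__main__":
    check_pools(POOLS, SERVER_TUNNEL, [o for _, o in CLIENTS])
    entries = allocate(CLIENTS, POOLS)
    print("# server Advanced settings")
    print("\n".join(server_routes(POOLS)))
    for e in entries:
        print()
        print(override_text(e))
    print()
    print("# firewall aliases (source addresses -> allowed destination)")
    for dest, members in alias_members(entries).items():
        print(f"{dest}: {', '.join(members)}")
```

Running it prints the routes, one override per client and the alias members; the third client lands on 10.33.250.8/30 with static address 10.33.250.10, matching the example in the firewall rules section. Feed a pool that collides with a customer network, or more clients than a /24 holds (64 /30s), and the script raises instead of silently handing out a bad address.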