OpenVPN: Set a static IP Address for a client

Hi,

Sometimes you have to set a static IP address for certain VPN clients because they provide server services that must always be reachable at the same IP address.

The client configuration does not provide any option to do that, and a static IP address set on the adapter itself is always overwritten when the client establishes a connection to the OpenVPN server.

Solution: Define a client-specific script on the server.

In this example the OpenVPN server’s OS is Linux (tap interface IP 10.1.134.62) and the client runs on Windows (static IP 10.1.134.1).

Define a directory where the client scripts should be stored, e.g. /etc/openvpn/staticclients, and create the directory:

mkdir /etc/openvpn/staticclients

Add this directory as an option to your OpenVPN config file on the server:

client-config-dir /etc/openvpn/staticclients

For each client you have to create a file. The filename must match the “common name” (CN) attribute specified in the client’s X.509 certificate. This command gets the CN from the computer’s certificate:

root@devdeb~ > openssl x509 -in /etc/openvpn/yourClientCertificate.cer -noout -subject | sed -e 's/.*CN=\(.*\)\/.*/\1/'

TESTCLIENT

This example pushes the IP address 10.1.134.1/255.255.255.192 to the client with the common name TESTCLIENT and also pushes an additional route for subnet 10.1.135.0.

cat /etc/openvpn/staticclients/TESTCLIENT

ifconfig-push 10.1.134.1 255.255.255.192
push "route 10.1.135.0 255.255.255.0 10.1.134.62"
# push "dhcp-option WINS addr"
# push "dhcp-option DNS addr"

Michael
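
The steps above combined into a small shell helper, added here as an example and not part of the original post; the function names are made up. Beyond the article, it also reads the comma-separated subject layout that newer OpenSSL versions print, refuses a CN that is not a plain file name, and checks that the pushed address lies in the server's subnet (this assumes the ifconfig-push IP/netmask form shown above).

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Print the CN from one line of "openssl x509 -noout -subject" output.
# Accepts the older "/C=DE/CN=NAME/..." and the newer "C = DE, CN = NAME" layout.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's|^.*CN *= *\([^/,]*\).*$|\1|p'
}

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if address $1 and address $2 share a subnet under netmask $3.
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & $m )) -eq $(( $(ip_to_int "$2") & $m )) ]
}

# Write <dir>/<CN> containing an ifconfig-push line (IP + netmask form).
# Arguments: dir, CN, client IP, netmask, server tap IP.
write_ccd() {
    dir=$1; cn=$2; ip=$3; mask=$4; server_ip=$5
    # The CN becomes a file name: reject empty names, dot files and paths.
    case $cn in
        ''|.*|*/*) echo "refusing common name '$cn'" >&2; return 1 ;;
    esac
    if ! same_subnet "$ip" "$server_ip" "$mask"; then
        echo "$ip is not in the subnet of $server_ip/$mask" >&2; return 1
    fi
    printf 'ifconfig-push %s %s\n' "$ip" "$mask" > "$dir/$cn"
}

# Demo with a constructed subject line and a scratch directory.
demo_dir=$(mktemp -d)
demo_cn=$(cn_from_subject 'subject=C = DE, O = Example, CN = TESTCLIENT')
write_ccd "$demo_dir" "$demo_cn" 10.1.134.1 255.255.255.192 10.1.134.62
echo "$demo_dir/$demo_cn: $(cat "$demo_dir/$demo_cn")"
rm -rf "$demo_dir"
```

On a real server, pass the output of the article's `openssl x509 ... -noout -subject` command to `cn_from_subject` and use /etc/openvpn/staticclients as the directory.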

19 comments to this article

  1. Thanks! This helped me save time.

  2. Thanks for this. Works perfect. The config file is as.conf in Ubuntu if anyone else needs to find it.

  3. In the line
    ifconfig-push 10.1.134.1 255.255.255.192

    I thought it should be like
    ifconfig-push ClientIP ServerIP
    for example:
    ifconfig-push 10.8.0.2 10.8.0.1

    Can someone explain what's going on here?

    • It depends on the topology mode. I use the “topology subnet” mode. In this mode you have to set the IP address and the subnet mask. When you are using a topology mode which makes a point-to-point connection (net30, p2p), then you have to set the client IP address and the corresponding server IP address.

  4. I had to change up the CN regex a bit to get just the common name:
    root@devdeb~ > openssl x509 -in /etc/openvpn/yourClientCertificate.cer -noout -subject | sed -e 's/.*CN=\([^\/]*\)\/.*/\1/'

    Your article was a great help. Thanks for taking the time to put it together.

  5. Hey, I’ve been using this technique for certain clients, but still using a generic client that multiple computers connect on for others that should pull the IP from a “pool”. Unfortunately, the server occasionally assigns 10.8.0.6 to these non-static IP clients, even though that IP is used in one of the static clients’ configs. Is there a way to prevent this from happening? Do I need to somehow limit the OpenVPN IP pool to not include those that the static clients are using? I have to keep logging into that IP, restarting the OpenVPN service, and then trying to get into the computer that is supposed to use that IP and restart its OpenVPN service.

    • Hi Programster,

      yes use different ranges for dynamic and static IP addresses.

      Michael

      • Hi Michael,

        Can you give me some hints how to do that? At least the topic I should search for. Thanks!!!

  6. If you only need static IPs (without other options e.g. push route) you can add the line “ifconfig-pool-persist ipp.txt” to the config and place lines like “TESTCLIENT,10.2.3.23” in /etc/openvpn/ipp.txt.

    • It won’t help. After reboot openVPN will rewrite the ipp.txt

  7. Which openssl option should I use for keys generated by easy-rsa? (like client.crt)

    • Hi Articice,

      the openssl command shows the common name of the certificate. Replace yourClientCertificate.cer with the path to your client.crt file.

      Michael

  8. Great article !

    Now how would one go about doing this when the VPN does not use client certificates, but is only based on username\password ?

    Can one just use the client login name, instead of the CN ?

    KR
    kamaradski

    • Hi Kamaradski,

      add the

      username-as-common-name

      directive to your OpenVPN Server config file. This should map the Username as the commonname (CN) but I never tried this.

      Let me know if this works:-)

      Michael

      • Hello,

        I tried and it works 🙂 Searched a lot but finally found the solution here!

  9. Another thank you 🙂

    I use a ClearOS server and tried the “ifconfig-pool-persist ipp.txt” method which didn’t work, so this solved it.

    Thanks again!
    Eduard

  10. Hi guys, now it seems the best practice is to use /etc/openvpn/ipp.txt file to manually adjust IP addresses. It just needs one line to be included in server.conf:
    ifconfig-pool-persist ipp.txt

    • great.

  11. I was using a tun device, but failed to assign static IPs, then I switched over to a tap device and your solution works fine.
    Is there any way to use a tun device with static IPs?
