Hi,
Sometimes you have to set a static IP address for certain VPN clients, because they provide server services that must always be reachable at the same IP address.
The client configuration does not provide any option to do that, and a static IP address set on the adapter itself is always overwritten when the client establishes a connection to the OpenVPN server.
Solution: define a client-specific configuration file on the server.
In this example the OpenVPN server's OS is Linux (tap interface IP 10.1.134.62); the client runs on Windows (static IP 10.1.134.1).
Define a directory where the client configuration files are stored, e.g. /etc/openvpn/staticclients, and create it:
mkdir /etc/openvpn/staticclients
Add this directory as an option to your OpenVPN config file on the server:
client-config-dir /etc/openvpn/staticclients
For each client you have to create a file. The filename must match the "common name" (CN) attribute of the client's X.509 certificate. This command extracts the CN from the client's certificate (the sed expression stops at the next / or , so it works with both the slash-separated subject format shown here and the comma-separated format newer OpenSSL releases print):
root@devdeb~ > openssl x509 -in /etc/openvpn/yourClientCertificate.cer -noout -subject | sed -e 's/.*CN *= *\([^\/,]*\).*/\1/'
TESTCLIENT
This example pushes the IP address 10.1.134.1/255.255.255.192 to the client with the common name TESTCLIENT and also pushes an additional route for the subnet 10.1.135.0/255.255.255.0 via 10.1.134.62.
cat /etc/openvpn/staticclients/TESTCLIENT
ifconfig-push 10.1.134.1 255.255.255.192
push "route 10.1.135.0 255.255.255.0 10.1.134.62"
# push "dhcp-option WINS addr"
# push "dhcp-option DNS addr"
Michael
Thanks! This helped me save time.
Thanks for this. Works perfectly. The config file is as.conf in Ubuntu if anyone else needs to find it.
In the line
ifconfig-push 10.1.134.1 255.255.255.192
I thought it should be like
ifconfig-push ClientIP ServerIP
for example:
ifconfig-push 10.8.0.2 10.8.0.1
Can someone explain what's going on here?
It depends on the topology mode. I use the "topology subnet" mode. In this mode you have to set the IP address and the subnet mask. When you are using a topology mode which makes a point-to-point connection (net30, p2p) then you have to set the client IP address and the corresponding server IP address.
I had to change up the CN regex a bit to get just the common name:
root@devdeb~ > openssl x509 -in /etc/openvpn/yourClientCertificate.cer -noout -subject | sed -e 's/.*CN=\([^\/]*\)\/.*/\1/'
Your article was a great help. Thanks for taking the time to put it together.
Hey, I've been using this technique for certain clients, but still using a generic client that multiple computers connect on for others that should pull the IP from a "pool". Unfortunately, the server occasionally assigns 10.8.0.6 to these non-static IP clients, even though that IP is used in one of the static clients' configs. Is there a way to prevent this from happening? Do I need to somehow limit the OpenVPN IP pool to not include those that the static clients are using? I have to keep logging into that IP, restarting the OpenVPN service, and then trying to get into the computer that is supposed to use that IP and restart its OpenVPN service.
Hi Programster,
yes use different ranges for dynamic and static IP addresses.
Michael
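As an added example (not from the post or from any of the commenters), here is a small Python audit script for the setup described in the article and in the two exchanges above. It reads the server config plus the client-config-dir and reports the two mistakes discussed: ifconfig-push arguments that do not fit the topology mode (subnet needs IP and netmask; net30/p2p needs client IP and server endpoint), and static addresses that collide with another static entry or fall inside the dynamic pool. The server configs, ccd contents and file paths are constructed samples. It assumes the "server ... nopool" modifier together with an explicit "ifconfig-pool" line as the way to keep the two ranges apart, and treats the whole "server" subnet as dynamic when no explicit pool is given.

```python
"""Audit an OpenVPN client-config-dir (ccd) against server.conf.

Added example, not part of the original post. All sample data below is
constructed; the pool-handling assumptions are noted in the comments.
"""
import ipaddress
import re
from pathlib import Path

IFCONFIG_PUSH = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)")


def parse_server_config(text):
    """Return (topology, pool) from server.conf text.

    pool is an ip_network when only the `server` helper is present (the
    whole subnet is treated as dynamic, which is conservative), or a
    (start, end) tuple when an explicit `ifconfig-pool` is given (it wins).
    None means no dynamic pool was found.
    """
    topology = "net30"  # OpenVPN's default when no topology line is set
    server_net = None
    explicit_pool = None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "topology" and len(parts) >= 2:
            topology = parts[1]
        elif parts[0] == "server" and len(parts) >= 3:
            # `server net mask [nopool]`: without nopool the subnet is handed out
            if "nopool" not in parts[3:]:
                server_net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "ifconfig-pool" and len(parts) >= 3:
            explicit_pool = (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]))
    return topology, explicit_pool or server_net


def in_pool(ip, pool):
    """True if ip lies inside the dynamic pool description."""
    if pool is None:
        return False
    if isinstance(pool, tuple):
        start, end = pool
        return start <= ip <= end
    return ip in pool


def load_ccd_dir(path):
    """Read a real client-config-dir into the {cn: text} mapping audit_ccd expects."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}


def audit_ccd(server_conf, ccd_files):
    """Check each ccd file's ifconfig-push line; return a list of findings."""
    topology, pool = parse_server_config(server_conf)
    findings = []
    seen = {}  # static client IP -> common name that already uses it
    for cn, text in ccd_files.items():
        match = next((m for m in map(IFCONFIG_PUSH.match, text.splitlines()) if m), None)
        if match is None:
            findings.append(f"{cn}: no ifconfig-push line")
            continue
        first, second = match.groups()
        try:
            client_ip = ipaddress.ip_address(first)
            if topology == "subnet":
                # subnet mode: second argument must be a netmask
                ipaddress.ip_network(f"{client_ip}/{second}", strict=False)
            else:
                # net30 / p2p: second argument is the server-side endpoint
                peer = ipaddress.ip_address(second)
                if topology == "net30" and peer not in ipaddress.ip_network(f"{client_ip}/30", strict=False):
                    findings.append(f"{cn}: {client_ip} and {peer} are not in the same /30 (net30 topology)")
        except ValueError as exc:
            findings.append(f"{cn}: bad ifconfig-push arguments for topology {topology}: {exc}")
            continue
        if client_ip in seen:
            findings.append(f"{cn}: {client_ip} already assigned to {seen[client_ip]}")
        seen[client_ip] = cn
        if in_pool(client_ip, pool):
            findings.append(f"{cn}: {client_ip} lies inside the dynamic pool")
    return findings


# Constructed sample data (not from a real server).
SERVER_CONF_OVERLAPPING = "topology subnet\nserver 10.8.0.0 255.255.255.0\nclient-config-dir /etc/openvpn/staticclients\n"
SERVER_CONF_SPLIT = ("topology subnet\nserver 10.8.0.0 255.255.255.0 nopool\n"
                     "ifconfig-pool 10.8.0.100 10.8.0.200 255.255.255.0\n"
                     "client-config-dir /etc/openvpn/staticclients\n")
CCD = {
    "TESTCLIENT": 'ifconfig-push 10.8.0.6 255.255.255.0\npush "route 10.1.135.0 255.255.255.0"\n',
    "PRINTSERVER": "ifconfig-push 10.8.0.7 255.255.255.0\n",
    "DUPLICATE": "ifconfig-push 10.8.0.6 255.255.255.0\n",
    "NET30STYLE": "ifconfig-push 10.8.0.6 10.8.0.5\n",  # wrong form for subnet mode
}

if __name__ == "__main__":
    for label, conf in (("overlapping ranges", SERVER_CONF_OVERLAPPING), ("split ranges", SERVER_CONF_SPLIT)):
        print(f"== {label} ==")
        for finding in audit_ccd(conf, CCD) or ["no findings"]:
            print(" ", finding)
```

Running the script shows the first config flagging every static client as inside the pool (the situation Programster hit), while the second config only leaves the duplicate entry and the wrongly formed net30-style line, which are real mistakes in the ccd files themselves. To audit a live server, pass the text of server.conf and load_ccd_dir("/etc/openvpn/staticclients") to audit_ccd.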
Hi Michael,
Can you give me some hints how to do that? At least the topic I should search for. Thanks!!!
If you only need static IPs (without other options e.g. push route) you can add the line “ifconfig-pool-persist ipp.txt” to the config and place lines like “TESTCLIENT,10.2.3.23” in /etc/openvpn/ipp.txt.
It won't help. After a reboot OpenVPN will rewrite the ipp.txt.
Which openssl option should I use for keys generated by easy-rsa? (like client.crt)
Hi Articice,
the openssl command shows the common name of the certificate. Replace yourClientCertificate.cer with the path to your client.crt file.
Michael
Great article !
Now how would one go about doing this when the VPN does not use client certificates, but is only based on username\password ?
Can one just use the client login name, instead of the CN ?
KR
kamaradski
Hi Kamaradski,
add the
username-as-common-name
directive to your OpenVPN Server config file. This should map the Username as the commonname (CN) but I never tried this.
Let me know if this works:-)
Michael
Hello,
I tried and it works 🙂 Searched a lot but finally found the solution here!
Another thank you 🙂
I use a ClearOS server and tried the “ifconfig-pool-persist ipp.txt” method which didn’t work, so this solved it.
Thanks again!
Eduard
Hi guys, now it seems the best practice is to use /etc/openvpn/ipp.txt file to manually adjust IP addresses. It just needs one line to be included in server.conf:
ifconfig-pool-persist ipp.txt
great.
I was using a tun device, but failed to assign static IPs, then I switched over to a tap device and your solution works fine.
Is there any way to use a tun device with static IPs?
openssl x509 -in `pwd`/servidor-desenvolvimento-windows.crt -noout -subject | sed -e 's/.*CN=\(.*\)\/.*/\1/' | grep -P -o "CN = \K.+," | tr -d ','
Thanks for your very useful guide, unfortunately the VPN I have to work with uses pk12 keys for user authentication. Does anybody know how to extract the common name from this key format?
Hi Lorenzo
openssl pkcs12 -in "/home/openvpn/yourClient.p12" -clcerts |openssl x509 -text
When openssl asks for a password simply press enter. It's not necessary for showing cert data.
Michael
Hi Michael,
I am running OpenVPN 2.4.9 version on CentOS Linux release 7.8.2003 (Core) server.
I have not mentioned topology subnet in /etc/openvpn/server.conf file and have run the below command to find out Common Name.
#openssl x509 -in rameshreddy.crt -noout -subject | sed -e 's/.*CN=\([^\/]*\)\/.*/\1/'
subject= /CN=OpenVPN-Client
#cat /etc/openvpn/ipp.txt
OpenVPN-Client.rameshreddy,10.8.0.6
#cat /etc/openvpn/ccd/OpenVPN-Client.rameshreddy
ifconfig-push 10.8.0.6 10.8.0.5
Please let me know if the above configurations are correct.
Best Regards,
Kaushal