OpenVPN: Set a static IP Address for a client

Hi,

sometimes you have to assign a static IP address to certain VPN clients, because they provide server services that must always be reachable at the same IP address.

The client configuration does not provide any option to do that, and setting a static IP address on the adapter itself does not help either: it is overwritten every time the client establishes a connection to the OpenVPN server.

Solution: Define a client specific script at the server.

In this example the OpenVPN server's OS is Linux (tap interface IP 10.1.134.62) and the client runs Windows (static IP 10.1.134.1).

Define a directory where the client scripts are stored, e.g. /etc/openvpn/staticclients, and create it:

mkdir /etc/openvpn/staticclients

Add this directory as an option to your OpenVPN config file at the server:

client-config-dir /etc/openvpn/staticclients

For each client you have to create a file. The filename must match the "common name" (CN) attribute of the client's X509 certificate. This command gets the CN from the client's certificate:

root@devdeb~ > openssl x509 -in /etc/openvpn/yourClientCertificate.cer -noout -subject | sed -e 's/.*CN=\([^\/]*\).*/\1/'

TESTCLIENT

This example pushes the IP address 10.1.134.1/255.255.255.192 to the client with the common name TESTCLIENT and also pushes an additional route for the subnet 10.1.135.0/255.255.255.0 via 10.1.134.62, the server's tap address.

cat /etc/openvpn/staticclients/TESTCLIENT

ifconfig-push 10.1.134.1 255.255.255.192
push "route 10.1.135.0 255.255.255.0 10.1.134.62"
# push "dhcp-option WINS addr"
# push "dhcp-option DNS addr"

Michael
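The steps above (extract the CN, create the per-client file under the client-config-dir, push the address and routes) can be scripted. The following is an added example, not code from the original post: it parses the CN from both the legacy "subject= /CN=..." and the newer "subject=CN = ..." output formats of openssl, checks that the pushed address actually lies in the server's tap subnet (in topology subnet mode a client outside that subnet comes up unreachable), refuses a CN that could escape the ccd directory, and writes the file. It assumes the post's setup: topology subnet mode, ccd directory /etc/openvpn/staticclients and server tap address 10.1.134.62; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the per-client
# client-config-dir (ccd) file from a client certificate's CN, with the
# checks the post's manual steps leave to the administrator.
# Assumptions (as in the post): "topology subnet" mode, ccd directory
# /etc/openvpn/staticclients, server tap address 10.1.134.62.

CCD_DIR="${CCD_DIR:-/etc/openvpn/staticclients}"

# Pull the CN out of an "openssl x509 -noout -subject" line. Handles both the
# legacy form  "subject= /C=DE/CN=TESTCLIENT/emailAddress=..."  and the
# OpenSSL 1.1+ form  "subject=C = DE, CN = TESTCLIENT, emailAddress = ...".
# Prints nothing when the subject has no CN.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n -e 's|.*[/ =]CN *= *\([^/,]*\).*|\1|p'
}

# CN of a certificate file (the post's openssl command, with the robust parser).
client_cn() {
    cn_from_subject "$(openssl x509 -in "$1" -noout -subject)"
}

# Dotted quad -> integer, pure POSIX sh arithmetic (no external tools).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when $1 and $2 lie in the same subnet under netmask $3. In topology
# subnet mode the pushed client address must share the server's tap subnet,
# otherwise the client comes up with an unreachable address.
same_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Body of the ccd file: static address plus one "push route" per extra
# network ("net mask" pairs), all routed via the server tap address $3.
ccd_body() {
    ip="$1"; mask="$2"; gw="$3"; shift 3
    printf 'ifconfig-push %s %s\n' "$ip" "$mask"
    for net in "$@"; do
        printf 'push "route %s %s"\n' "$net" "$gw"
    done
}

# Write $CCD_DIR/<CN>. Refuses an empty CN, a CN that could escape the
# directory, and an address outside the server's tap subnet. Prints the path.
write_ccd() {
    cn="$1"; ip="$2"; mask="$3"; gw="$4"; shift 4
    [ -n "$cn" ] || { echo "write_ccd: empty CN" >&2; return 1; }
    case "$cn" in
        */*|.|..) echo "write_ccd: unsafe CN '$cn'" >&2; return 1 ;;
    esac
    same_subnet "$ip" "$gw" "$mask" ||
        { echo "write_ccd: $ip is not in the tap subnet of $gw/$mask" >&2; return 1; }
    mkdir -p "$CCD_DIR"
    ccd_body "$ip" "$mask" "$gw" "$@" > "$CCD_DIR/$cn"
    echo "$CCD_DIR/$cn"
}

# Demo on a constructed subject line (no certificate needed). With a real
# certificate: write_ccd "$(client_cn /etc/openvpn/yourClientCertificate.cer)" ...
demo_cn=$(cn_from_subject 'subject= /C=DE/O=Example/CN=TESTCLIENT/emailAddress=admin@example.invalid')
echo "CN: $demo_cn"
ccd_body 10.1.134.1 255.255.255.192 10.1.134.62 "10.1.135.0 255.255.255.0"
```

Run it as root on the server with `CCD_DIR` pointing at the directory named in `client-config-dir`; the file name written is exactly the CN, which is what OpenVPN looks up, so a CN with a trailing space or different case will not match and the client silently gets a pool address instead.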


23 thoughts on “OpenVPN: Set a static IP Address for a client”

  1. Thanks for this. Works perfectly. The config file is as.conf in Ubuntu if anyone else needs to find it.

  2. in the line
    ifconfig-push 10.1.134.1 255.255.255.192

    I thought it should be like
    ifconfig-push ClientIP ServerIP
    for example:
    ifconfig-push 10.8.0.2 10.8.0.1

    can someone explain what's going on here

    1. It depends on the topology mode. I use the “topology subnet” mode. In this mode you have to set the IP Address and the subnet mask. When you are using a topology mode which makes a point-to-point connection (net30, p2p) then you have to set the client IP Address and the corresponding Server IP Address.

  3. I had to change up the CN regex a bit to get just the common name:
    root@devdeb~ > openssl x509 -in /etc/openvpn/yourClientCertificate.cer -noout -subject | sed -e 's/.*CN=\([^\/]*\)\/.*/\1/'

    Your article was a great help. Thanks for taking the time to put it together.

  4. Hey, I’ve been using this technique for certain clients, but still using a generic client that multiple computers connect on for others that should pull the ip from a “pool”.. Unfortunately, the server occasionally assigns 10.8.0.6 to these non-static ip clients, even though that ip is used in one of the static clients configs. Is there a way to prevent this from happening? Do I need to somehow limit the openvpn IP pool to not include those that the static clients are using? I have to keep logging into that IP, restarting the openvpn service, and then trying to get into the computer that is supposed to use that IP and restart its openvpn service.

      1. Hi Michael,

        Can you give me some hints how to do that? At least the topic I should search for. Thanks!!!

  5. If you only need static IPs (without other options e.g. push route) you can add the line “ifconfig-pool-persist ipp.txt” to the config and place lines like “TESTCLIENT,10.2.3.23” in /etc/openvpn/ipp.txt.

  6. Which openssl option should I use for keys generated by easy-rsa? (like client.crt)

    1. Hi Articice,

      the openssl command shows the common name of the certificate. Replace yourClientCertificate.cer with the path to your client.crt file.

      Michael

  7. Great article !

    Now how would one go about doing this when the VPN does not use client certificates, but is only based on username\password ?

    Can one just use the client login name, instead of the CN ?

    KR
    kamaradski

    1. Hi Kamaradski,

      add the

      username-as-common-name

      directive to your OpenVPN Server config file. This should map the Username as the commonname (CN) but I never tried this.

      Let me know if this works:-)

      Michael

  8. Another thank you 🙂

    I use a ClearOS server and tried the “ifconfig-pool-persist ipp.txt” method which didn’t work, so this solved it.

    Thanks again!
    Eduard

  9. Hi guys, now it seems the best practice is to use /etc/openvpn/ipp.txt file to manually adjust IP addresses. It just needs one line to be included in server.conf:
    ifconfig-pool-persist ipp.txt

  10. I was using a tun device, but failed to assign static IPs, then I switched over to a tap device and your solution works fine.
    Is there any way to use a tun device with static IPs?

  11. openssl x509 -in `pwd`/servidor-desenvolvimento-windows.crt -noout -subject | sed -e 's/.*CN=\(.*\)\/.*/\1/' | grep -P -o "CN = \K.+," | tr -d ','

  12. Thanks for your very useful guide, unfortunately the VPN I have to work with uses pk12 keys for user authentication. Does anybody know how to extract the common name from this key format?

    1. Hi Lorenzo,

      openssl pkcs12 -in "/home/openvpn/yourClient.p12" -clcerts |openssl x509 -text

      When openssl asks for a password simply press enter. It's not necessary for showing cert data.

      Michael

  13. Hi Michael,

    I am running OpenVPN 2.4.9 version on CentOS Linux release 7.8.2003 (Core) server.
    I have not mentioned topology subnet in /etc/openvpn/server.conf file and have run the below command to find out Common Name.

    #openssl x509 -in rameshreddy.crt -noout -subject | sed -e 's/.*CN=\([^\/]*\)\/.*/\1/'
    subject= /CN=OpenVPN-Client

    #cat /etc/openvpn/ipp.txt
    OpenVPN-Client.rameshreddy,10.8.0.6

    #cat /etc/openvpn/ccd/OpenVPN-Client.rameshreddy
    ifconfig-push 10.8.0.6 10.8.0.5

    Please let me know if the above configurations are correct.

    Best Regards,

    Kaushal
