Assign Static IP Addresses for OpenVPN Clients


In this guide, we are going to learn how to assign static IP addresses to OpenVPN clients. If some controls in your environment require hosts to have static IP addresses so that those controls remain manageable, you will most likely need to assign static IP addresses to specific clients. OpenVPN supports the assignment of static IP addresses.

Assigning OpenVPN Clients Static IP Addresses

OpenVPN can assign clients specific IP addresses from the defined IP pool. To achieve this, it uses three client IP address selection algorithms. In the order in which they are used, these are:

  1. Use of a --client-connect script. The server executes the specified script when a client connects, and the script generates a file containing the static IP address. This method is the first choice.
  2. Use of --client-config-dir. This uses a file that contains the static IP address for a client, selected by the common name (CN) of the client certificate (second choice).
  3. Use of --ifconfig-pool for the allocation of a dynamic IP address (last choice).

For more information, consult man openvpn.

In this guide, we are going to use the second option, whereby we configure our OpenVPN server to read specific files that map client common names to IP addresses. This ensures that a connecting client is assigned a static IP address based on the common name defined in its client certificate.

In our previous guide, we covered the installation and configuration of an OpenVPN server on a CentOS 8 system.

Create a File to Store Static IP addresses

The client-config-dir option requires that the static IP addresses to be assigned to connecting clients be stored in per-client files that the OpenVPN server can read.

Therefore, open the OpenVPN server configuration file, /etc/openvpn/server/server.conf, and set the client-config-dir parameter to the directory that will hold the static IP assignment files.

vim /etc/openvpn/server/server.conf
...
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir /etc/openvpn/ccd
...

In this demo, we set the directory for the static/fixed IP address assignment files to /etc/openvpn/ccd. I tried to use the default path, /etc/openvpn/server/ccd, but it resulted in the error below:

Could not access file 'ccd/koromicha': Permission denied (errno=13)
Could not access file 'ccd/DEFAULT': Permission denied (errno=13)

So, as a workaround, we opted to use a different path, as shown above.

Assign Static IP Addresses to OpenVPN Clients

For every OpenVPN client that you want to assign a static IP address to, you need to extract the common name from that client's certificate.

In our demo, we have created two OpenVPN clients, koromicha and johndoe. To extract the common names from the client certificates, use the openssl command as shown below. Be sure to replace the certificate paths with your own.

openssl x509 -subject -noout -in /etc/openvpn/client/koromicha/koromicha.crt
subject=CN = koromicha
openssl x509 -subject -noout -in /etc/openvpn/client/johndoe/johndoe.crt
subject=CN = johndoe

Once you have the common names for the clients, you can assign them static IP addresses using the ifconfig-push option. Each file in the client-config-dir directory is named after a client's common name. For example, to assign the IP address 10.8.0.50 to the client whose certificate has koromicha as its common name, and 10.8.0.60 to the client whose certificate has johndoe as its CN, do the assignment as follows:

echo "ifconfig-push 10.8.0.50 255.255.255.0" > /etc/openvpn/ccd/koromicha
echo "ifconfig-push 10.8.0.60 255.255.255.0" > /etc/openvpn/ccd/johndoe

Note that how you assign the static IP addresses depends on the topology you configured on your OpenVPN server. In our case, we set the topology to subnet:

# Network topology
...
topology subnet

Read more on OpenVPN Addressing Concepts.
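
As an added example (not part of the original guide), the following Python script audits a client-config-dir before the server is restarted. It flags assignment files that others can write to, addresses outside the VPN subnet, netmasks that do not match the subnet topology, and addresses pushed to more than one common name. The server network 10.8.0.0/24 is assumed from the addresses used above; the function names and the laptop7 and testuser files are constructed for the demonstration.

```python
import ipaddress
import stat
import tempfile
from pathlib import Path

def audit_ccd(ccd_dir, server_net="10.8.0.0/24"):
    """Return (ccd_file, problem) tuples for an OpenVPN client-config-dir."""
    net = ipaddress.ip_network(server_net)
    seen, findings = {}, []  # seen: pushed IP -> first file that claimed it
    for path in sorted(Path(ccd_dir).iterdir()):
        name = path.name
        # Whoever can write a CCD file controls what the server pushes to that CN.
        if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "writable by group or others"))
        lines = [l.split("#", 1)[0].split() for l in path.read_text().splitlines()]
        pushes = [f[1:] for f in lines if f and f[0] == "ifconfig-push"]
        try:
            if len(pushes) != 1:
                raise ValueError("zero or several ifconfig-push lines")
            ip, mask = (ipaddress.ip_address(x) for x in pushes[0][:2])
        except ValueError:
            findings.append((name, "needs exactly one well-formed ifconfig-push"))
            continue
        if mask != net.netmask:
            findings.append((name, f"netmask {mask} does not match {net.netmask}"))
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            findings.append((name, f"{ip} is not a usable host address in {net}"))
        elif ip in seen:
            findings.append((name, f"{ip} already assigned to {seen[ip]}"))
        else:
            seen[ip] = name
    return findings

def demo():
    samples = {  # constructed sample files; laptop7 and testuser are made up
        "koromicha": "ifconfig-push 10.8.0.50 255.255.255.0\n",
        "johndoe": "ifconfig-push 10.8.0.60 255.255.255.0\n",
        "testuser": "ifconfig-push 10.8.0.50 255.255.255.0\n",   # duplicate
        "laptop7": "ifconfig-push 10.9.0.7 255.255.255.252\n",   # wrong net/mask
    }
    with tempfile.TemporaryDirectory() as d:
        for cn, body in samples.items():
            Path(d, cn).write_text(body)
            Path(d, cn).chmod(0o666 if cn == "johndoe" else 0o644)
        return audit_ccd(d)

if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

On a real server, call audit_ccd("/etc/openvpn/ccd") and restart OpenVPN only when it returns an empty list.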

Restart the OpenVPN server:

systemctl restart openvpn-server@server

Be sure to always check the logs:

tail -f /var/log/openvpn/openvpn.log

Verify Static IP Address Assignment on OpenVPN Clients

Assuming you already have the respective OpenVPN client configuration file on each of your clients, initiate the connection and verify the IP address assignment.

sudo openvpn johndoe.ovpn

Check the assigned IP address:

ip add show tun0
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.60/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::ea62:fbae:5b45:2d78/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

On the other client:

ip add show tun0
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.50/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c928:c76d:fbd4:6c6a/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

Check connectivity between the two clients:

ping 10.8.0.60 -c 3
PING 10.8.0.60 (10.8.0.60) 56(84) bytes of data.
64 bytes from 10.8.0.60: icmp_seq=1 ttl=64 time=4.67 ms
64 bytes from 10.8.0.60: icmp_seq=2 ttl=64 time=3.86 ms
64 bytes from 10.8.0.60: icmp_seq=3 ttl=64 time=4.05 ms

--- 10.8.0.60 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.864/4.196/4.670/0.351 ms

That is it. We have come to the end of our guide on how to assign OpenVPN clients static IP addresses.


1 thought on “Assign Static IP Addresses for OpenVPN Clients”

  1. I had the same error in OpenVPN 2.4.7:

    Could not access file ‘/etc/openvpn/ccd/client4’: Permission denied (errno=13)

    I had to change the directory outside of openvpn to make it work:

    client-config-dir /etc/ccd
