In this guide, we are going to learn how to assign static IP addresses to OpenVPN clients. If some controls in your environment require hosts to have static IP addresses in order to be manageable, you will most likely need to assign static IP addresses to specific clients. OpenVPN supports the assignment of static IP addresses.
Assigning OpenVPN Clients Static IP Addresses
OpenVPN can assign clients specific IP addresses from the defined IP pool. To achieve this, it uses three client IP address selection methods. These are, in the order in which they are tried:
- Use of --client-connect script. This involves executing the specified script, which generates a file containing static IP addresses on the server when a client connects. This method is the first choice.
- Use of --client-config-dir. This involves the use of a file which contains the static IP address for a client, selected by the common name (CN) on the client certificate (second choice).
- Use of --ifconfig-pool for the allocation of a dynamic IP (last choice).
For more information, consult man openvpn.
In this guide, we are going to use the second option, whereby we configure our OpenVPN server to read per-client files, each named after a client common name and containing the IP address mapped to it. This ensures that a connecting client is assigned a static IP address based on the common name defined on its client certificate.
In our previous guide, we covered the installation and configuration of an OpenVPN server on a CentOS 8 system.
Create a File to Store Static IP addresses
The use of the client-config-dir option requires that the static IP addresses to be assigned to connecting clients be stored in files that the OpenVPN server can read.
Therefore, open the OpenVPN server configuration file, /etc/openvpn/server/server.conf, and set the path where the static IP assignment files are stored as the value of the client-config-dir parameter.
vim /etc/openvpn/server/server.conf
...
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir /etc/openvpn/ccd
...
In this demo, we set the path that stores the static/fixed IP address assignment files to /etc/openvpn/ccd. Well, I tried to use the default, /etc/openvpn/server/ccd, path but it resulted in the error below;
Could not access file 'ccd/koromicha': Permission denied (errno=13)
Could not access file 'ccd/DEFAULT': Permission denied (errno=13)
So as a work-around, we opted to use a different path, as shown above.
Assign Static IP Addresses to OpenVPN Clients
For every OpenVPN client that you want to assign a static IP address to, you need to extract the common name from that specific client's certificate.
In our demo, we have two OpenVPN clients created, koromicha and johndoe. To extract the common names from the client certificates, use the openssl command as shown below. Be sure to substitute the paths to your own client certificates.
openssl x509 -subject -noout -in /etc/openvpn/client/koromicha/koromicha.crt
subject=CN = koromicha
openssl x509 -subject -noout -in /etc/openvpn/client/johndoe/johndoe.crt
subject=CN = johndoe
Once you have the common names for the clients, you can then assign them static IP addresses using the ifconfig-push option. For example, to assign the IP address 10.8.0.50 to the client whose certificate has koromicha as its common name, and the IP address 10.8.0.60 to the client whose certificate has johndoe as its CN, this is how the assignment is done;
echo "ifconfig-push 10.8.0.50 255.255.255.0" > /etc/openvpn/ccd/koromicha
echo "ifconfig-push 10.8.0.60 255.255.255.0" > /etc/openvpn/ccd/johndoe
Note that how you assign the static IP addresses depends on the topology you configured on your OpenVPN server. In our case, we set the topology to subnet;
# Network topology
...
topology subnet
Read more on OpenVPN Addressing Concepts.
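As an added example (not part of the original guide), the POSIX shell functions below lint a client-config-dir before the restart: each file must hold exactly one ifconfig-push line with the expected netmask, an address usable inside the VPN subnet, no address shared by two common names, and no group- or world-writable permissions. The names ip2int and lint_ccd are hypothetical, and the check assumes topology subnet with the server holding the first address of the network.

```sh
#!/bin/sh
# Added example (not from the guide): lint a client-config-dir before a restart.
# Assumes topology subnet, where each file holds "ifconfig-push <ip> <netmask>".

ip2int() (  # dotted quad -> integer; non-zero exit on malformed input
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in 0?*|????*) exit 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# usage: lint_ccd DIR NETWORK NETMASK -> one line per finding, exit 1 if any
lint_ccd() (
    dir=$1 netstr=$2 maskstr=$3 bad=0 seen=
    net=$(ip2int "$netstr") && mask=$(ip2int "$maskstr") || { echo "bad network or netmask"; exit 2; }
    bcast=$(( net | (mask ^ 4294967295) ))
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        cn=${f##*/}   # OpenVPN picks the file whose name equals the certificate CN
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
            echo "$cn: file is group- or world-writable"; bad=1
        fi
        n=$(awk '$1 == "ifconfig-push" { c++ } END { print c + 0 }' "$f")
        ip=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$f")
        m=$(awk '$1 == "ifconfig-push" { print $3; exit }' "$f")
        if [ "$n" -ne 1 ] || [ "$m" != "$maskstr" ] || ! ipn=$(ip2int "$ip"); then
            echo "$cn: expected exactly one 'ifconfig-push <ip> $maskstr' line"; bad=1; continue
        fi
        # Outside the subnet, or the network, server (network+1, assumed) or broadcast address
        if [ $(( ipn & mask )) -ne "$net" ] || [ "$ipn" -eq "$net" ] ||
           [ "$ipn" -eq $(( net + 1 )) ] || [ "$ipn" -eq "$bcast" ]; then
            echo "$cn: $ip is not a usable client address in $netstr/$maskstr"; bad=1; continue
        fi
        case " $seen" in
            *" $ip="*) prev=${seen##* "$ip"=}
                       echo "$cn: $ip already assigned to ${prev%% *}"; bad=1 ;;
        esac
        seen="$seen $ip=$cn"
    done
    exit "$bad"
)
```

Assuming the VPN network is 10.8.0.0/24, calling lint_ccd /etc/openvpn/ccd 10.8.0.0 255.255.255.0 prints nothing and exits 0 when every file is consistent.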
Restart OpenVPN Server;
systemctl restart openvpn-server@server
Be sure to always check the logs;
tail -f /var/log/openvpn/openvpn.log
Verify Static IP Address Assignment on OpenVPN Clients
Assuming you already have the respective client OpenVPN configuration file on your clients, initiate the connection and verify the IP address assignment.
sudo openvpn johndoe.ovpn
Checking the assigned IP address;
ip add show tun0
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.60/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::ea62:fbae:5b45:2d78/64 scope link stable-privacy
valid_lft forever preferred_lft forever
On the other client;
ip add show tun0
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.50/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::c928:c76d:fbd4:6c6a/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Checking connectivity between the two clients;
ping 10.8.0.60 -c 3
PING 10.8.0.60 (10.8.0.60) 56(84) bytes of data.
64 bytes from 10.8.0.60: icmp_seq=1 ttl=64 time=4.67 ms
64 bytes from 10.8.0.60: icmp_seq=2 ttl=64 time=3.86 ms
64 bytes from 10.8.0.60: icmp_seq=3 ttl=64 time=4.05 ms
--- 10.8.0.60 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.864/4.196/4.670/0.351 ms
That is it. We have come to the end of our guide on how to assign OpenVPN clients static IP addresses.
I had the same error in OpenVPN 2.4.7:
Could not access file '/etc/openvpn/ccd/client4': Permission denied (errno=13)
I had to change the directory outside of openvpn to make it work:
client-config-dir /etc/ccd