In this guide, we are going to learn how to assign static IP addresses to OpenVPN clients. If your environment has controls that require hosts to have static IP addresses so that those controls can be managed, you will most likely need to assign static IP addresses to specific clients. OpenVPN supports the assignment of static IP addresses.
Assign Static IP Addresses for OpenVPN Clients
OpenVPN can assign clients specific IP addresses from the defined IP pool. To achieve this, it uses three client IP address selection algorithms. These are, in the order in which they are used:
- Use of a --client-connect script. The specified script is executed when a client connects and generates a file containing static IP addresses on the server. This method is usually the first choice to be considered.
- Use of --client-config-dir. This involves the use of a file which contains static IP addresses for the clients, keyed by their client certificate common name (CN) (second choice).
- Use of --ifconfig-pool for the allocation of dynamic IP addresses (last choice).
For more information, consult
In this guide, we are going to use the second option, whereby we configure our OpenVPN server to read specific files that map client common names to IP addresses. This ensures that a connecting client is assigned a static IP address based on the common name defined in its client certificate.
In our previous guide, we covered the installation and configuration of an OpenVPN server on CentOS 8 system.
Create a File to Store Static IP addresses
The use of the client-config-dir option requires that the static IP addresses to be assigned to connecting clients be stored in a file that can be read by the OpenVPN server.
Therefore, open the OpenVPN server configuration file, /etc/openvpn/server/server.conf, and set the path to your static IP assignment files as the value for the client-config-dir option:
...
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir /etc/openvpn/ccd
...
In this demo, we set the path that stores the static/fixed IP address assignment files to /etc/openvpn/ccd. Well, I tried to use the default path, /etc/openvpn/server/ccd, but it resulted in the error below:
Could not access file 'ccd/koromicha': Permission denied (errno=13)
Could not access file 'ccd/DEFAULT': Permission denied (errno=13)
So as a workaround, we opted to use a different path, as shown above.
Assign Static IP Addresses to OpenVPN Clients
For every OpenVPN client that you want to assign a static IP address to, you need to extract the common name from that client's certificate.
In our demo, we have two OpenVPN clients created, koromicha and johndoe. To extract the common names from the client certificates, use the openssl command as shown below. Be sure to replace the certificate paths with those of your own clients.
openssl x509 -subject -noout -in /etc/openvpn/client/koromicha/koromicha.crt
subject=CN = koromicha
openssl x509 -subject -noout -in /etc/openvpn/client/johndoe/johndoe.crt
subject=CN = johndoe
Once you have the common names for the clients, you can assign them static IP addresses using the ifconfig-push option. For example, to assign the IP address 10.8.0.50 to the client whose certificate has koromicha as its common name, and the IP address 10.8.0.60 to the client whose certificate has johndoe as its CN, this is how the assignment is done:
echo "ifconfig-push 10.8.0.50 255.255.255.0" > /etc/openvpn/ccd/koromicha
echo "ifconfig-push 10.8.0.60 255.255.255.0" > /etc/openvpn/ccd/johndoe
Note that how you assign the static IP addresses depends on the topology you configured on your OpenVPN server. In our case, we set the topology to subnet:
# Network topology
...
topology subnet
Read more on OpenVPN Addressing Concepts.
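Before restarting the server, the ccd files created above can be checked for mistakes that would hand a client the wrong address. The script below is an added example, not part of the original guide: check_ccd and ip2int are hypothetical helper names, and it assumes topology subnet and literal IPv4 addresses in ifconfig-push.

```sh
#!/bin/sh
# Added example (not from the original guide): lint a client-config-dir
# for a "topology subnet" server. Exit status = number of problems found.
# Usage: check_ccd /etc/openvpn/ccd 10.8.0.0 255.255.255.0

# ip2int A.B.C.D -> integer on stdout; non-zero status if malformed.
ip2int() (
  case $1 in ''|*[!0-9.]*|*.) exit 1 ;; esac
  IFS=.; set -- $1
  [ $# -eq 4 ] || exit 1
  n=0
  for o in "$@"; do
    case $o in ''|0?*|????*) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
    n=$(( n * 256 + o ))
  done
  echo "$n"
)

check_ccd() (
  dir=$1; bad=0; seen=" "
  net=$(ip2int "$2") && mask=$(ip2int "$3") || exit 99
  bcast=$(( net | (~mask & 4294967295) ))
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    cn=${f##*/}
    # The file name is the certificate CN; whoever can write the file
    # chooses the address that CN receives.
    case $(ls -ld "$f" | cut -c6,9) in
      *w*) echo "$cn: file is group/world-writable"; bad=$((bad + 1)) ;;
    esac
    set -f   # no globbing while splitting the directive into words
    set -- $(grep '^[[:space:]]*ifconfig-push[[:space:]]' "$f")
    if [ $# -ne 3 ]; then
      echo "$cn: expected exactly one 'ifconfig-push IP MASK'"; bad=$((bad + 1)); continue
    fi
    ip=$(ip2int "$2") && m=$(ip2int "$3") ||
      { echo "$cn: malformed address or mask"; bad=$((bad + 1)); continue; }
    [ "$m" -eq "$mask" ] || { echo "$cn: mask $3 differs from server"; bad=$((bad + 1)); }
    # Must sit inside the VPN subnet and not be the network, broadcast,
    # or first host address (taken by the server in topology subnet).
    if [ $(( ip & mask )) -ne "$net" ] || [ "$ip" -eq "$net" ] ||
       [ "$ip" -eq "$bcast" ] || [ "$ip" -eq $(( net + 1 )) ]; then
      echo "$cn: $2 is not a usable client address"; bad=$((bad + 1))
    fi
    case $seen in *" $2 "*) echo "$cn: $2 already pushed to another CN"; bad=$((bad + 1)) ;; esac
    seen="$seen$2 "
  done
  exit "$bad"
)
```

An exit status of 0 means every file pushes one unique, usable address; 99 means the network or netmask argument itself was malformed.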
Restart the OpenVPN server:
systemctl restart openvpn-server@server
Be sure to always check the logs;
tail -f /var/log/openvpn/openvpn.log
Verify Static IP Address Assignment on OpenVPN Clients
Assuming you already have the respective client OpenVPN configuration file on your clients, initiate the connection and verify the IP address assignment.
sudo openvpn johndoe.ovpn
Checking the assigned IP address;
ip add show tun0
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.60/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::ea62:fbae:5b45:2d78/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
On the other client;
ip add show tun0
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.50/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c928:c76d:fbd4:6c6a/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
Checking connectivity between the two clients;
ping 10.8.0.60 -c 3
PING 10.8.0.60 (10.8.0.60) 56(84) bytes of data.
64 bytes from 10.8.0.60: icmp_seq=1 ttl=64 time=4.67 ms
64 bytes from 10.8.0.60: icmp_seq=2 ttl=64 time=3.86 ms
64 bytes from 10.8.0.60: icmp_seq=3 ttl=64 time=4.05 ms

--- 10.8.0.60 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.864/4.196/4.670/0.351 ms
That is it. We have come to the end of our guide on how to assign static IP addresses to OpenVPN clients.