{"id":5482,"date":"2020-04-18T12:59:18","date_gmt":"2020-04-18T09:59:18","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5482"},"modified":"2024-03-14T20:20:22","modified_gmt":"2024-03-14T17:20:22","slug":"assign-static-ip-addresses-for-openvpn-clients","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/assign-static-ip-addresses-for-openvpn-clients\/","title":{"rendered":"Assign Static IP Addresses for OpenVPN Clients"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1059\" height=\"595\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/10\/openvpn-static-IP-address.png\" alt=\"Assign Static IP Addresses for OpenVPN Clients\" class=\"wp-image-18901\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/10\/openvpn-static-IP-address.png?v=1696393364 1059w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/10\/openvpn-static-IP-address-768x432.png?v=1696393364 768w\" sizes=\"(max-width: 1059px) 100vw, 1059px\" \/><\/figure>\n\n\n\n<p>In this guide, we are going to learn how to assign static IP addresses for OpenVPN clients. In most cases, say, if you have controls in your environment that require hosts to have static IP addresses so that the controls can be managed, you will most likely need to assign static IP addresses to specific clients. 
OpenVPN supports the assignment of static IP addresses.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#assigning-open-vpn-clients-static-ip-addresses\">Assigning OpenVPN Clients Static IP Addresses<\/a><ul><li><a href=\"#create-a-file-to-store-static-ip-addresses\">Create a File to Store Static IP addresses<\/a><\/li><li><a href=\"#assign-static-ip-addresses-to-open-vpn-clients\">Assign Static IP Addresses to OpenVPN Clients<\/a><\/li><li><a href=\"#verify-static-ip-address-assignment-on-open-vpn-clients\">Verify Static IP Address Assignment on OpenVPN Clients<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"assigning-open-vpn-clients-static-ip-addresses\">Assigning OpenVPN Clients Static IP Addresses<\/h2>\n\n\n\n<p>OpenVPN can assign clients specific IP addresses from the defined IP pool. To achieve this, it uses three types of client IP address selection algorithms. These are, in the order in which they are used:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Use of <code><strong>--client-connect script<\/strong><\/code>. This involves executing the specified script, which generates a file containing static IP addresses on the server when a client connects. This method is usually the <strong>first choice<\/strong> to be considered.<\/li>\n\n\n\n<li>Use of <code><strong>--client-config-dir<\/strong><\/code>. 
This involves the use of a per-client file, named after the client certificate common name (CN), that contains the static IP address for that client (<strong>second choice<\/strong>).<\/li>\n\n\n\n<li>Use of <code><strong>--ifconfig-pool<\/strong><\/code> for the allocation of dynamic IP addresses (<strong>last choice<\/strong>).<\/li>\n<\/ol>\n\n\n\n<p>For more information, consult <strong><code>man openvpn<\/code><\/strong>.<\/p>\n\n\n\n<p>In this guide, we are going to use the second option, whereby we configure our OpenVPN server to read a specific directory of files that map client common names to IP addresses. This ensures that a connecting client is assigned a static IP address based on the common name defined in its client certificate.<\/p>\n\n\n\n<p>In our previous guide, we covered the <a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/setup-openvpn-server-on-centos-8\/\" target=\"_blank\">installation and configuration of an OpenVPN server on CentOS 8<\/a> system. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-a-file-to-store-static-ip-addresses\">Create a File to Store Static IP addresses<\/h3>\n\n\n\n<p>The <code>client-config-dir<\/code> option requires that the static IP addresses to be assigned to connecting clients be stored in files that the OpenVPN server can read.<\/p>\n\n\n\n<p>Therefore, open the OpenVPN server configuration file, <code><strong>\/etc\/openvpn\/server\/server.conf<\/strong><\/code>, and set the path to the directory holding the static IP assignment files as the value for the <code><strong>client-config-dir<\/strong><\/code> parameter.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim \/etc\/openvpn\/server\/server.conf<\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>...\n# EXAMPLE: Suppose you want to give\n# Thelonious a fixed VPN IP address of 10.9.0.1.\n# First uncomment out these lines:\n<strong>client-config-dir \/etc\/openvpn\/ccd<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<p>In this demo, we set the path to store static\/fixed IP 
address assignment files to <strong><code>\/etc\/openvpn\/ccd<\/code><\/strong>. Well, I tried to use the default path, <strong><code>\/etc\/openvpn\/server\/ccd<\/code><\/strong>, but it resulted in the error below:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>Could not access file 'ccd\/koromicha': Permission denied (errno=13)\nCould not access file 'ccd\/DEFAULT': Permission denied (errno=13)<\/strong><\/pre>\n\n\n\n<p>So, as a workaround, we opted to use a different path, as shown above.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"assign-static-ip-addresses-to-open-vpn-clients\">Assign Static IP Addresses to OpenVPN Clients<\/h3>\n\n\n\n<p>For every OpenVPN client to which you want to assign a static IP address, you need to extract the common name from that client's certificate.<\/p>\n\n\n\n<p>In our demo, we have two OpenVPN clients created, <strong>koromicha<\/strong> and <strong>johndoe<\/strong>. To extract the common names from the client certificates, use the <strong><code>openssl<\/code><\/strong> command as shown below. <strong>Be sure to replace the client certificate paths with your own<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl x509 -subject -noout -in \/etc\/openvpn\/client\/koromicha\/koromicha.crt<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">subject=CN = <strong>koromicha<\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl x509 -subject -noout -in \/etc\/openvpn\/client\/johndoe\/johndoe.crt<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">subject=CN = <strong>johndoe<\/strong><\/pre>\n\n\n\n<p>Once you have the common names for the clients, you can then assign them static IP addresses using the <code><strong>ifconfig-push<\/strong><\/code> option. 
For example, to assign the IP address <code>10.8.0.50<\/code> to the client whose certificate has <code><strong>koromicha<\/strong><\/code> as the common name, and the IP address <code><strong>10.8.0.60<\/strong><\/code> to the client whose certificate has <code><strong>johndoe<\/strong><\/code> as the CN, the assignment is done as follows (the <code>\/etc\/openvpn\/ccd<\/code> directory must already exist):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"ifconfig-push 10.8.0.50 255.255.255.0\" &gt; \/etc\/openvpn\/ccd\/koromicha<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"ifconfig-push 10.8.0.60 255.255.255.0\" &gt; \/etc\/openvpn\/ccd\/johndoe<\/pre>\n\n\n\n<p>Note that how you assign the static IP addresses depends on the topology configured on your OpenVPN server. In our case, we set the topology to subnet:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code># Network topology\n...\n<strong>topology subnet<\/strong><\/code><\/pre>\n\n\n\n<p>Read more on <a rel=\"noreferrer noopener\" href=\"https:\/\/community.openvpn.net\/openvpn\/wiki\/Concepts-Addressing\" target=\"_blank\">OpenVPN Addressing Concepts<\/a>.<\/p>\n\n\n\n<p>Restart the OpenVPN server:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart openvpn-server@server<\/code><\/pre>\n\n\n\n<p>Be sure to always check the logs:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/openvpn\/openvpn.log<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-static-ip-address-assignment-on-open-vpn-clients\">Verify Static IP Address Assignment on OpenVPN Clients<\/h3>\n\n\n\n<p>Assuming you already have the respective OpenVPN client configuration file on each of your clients, initiate the connection and verify the IP address assignment.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo openvpn johndoe.ovpn<\/code><\/pre>\n\n\n\n<p>Checking the assigned IP address:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ip add show tun0<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>8: tun0: 
&lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100\n    link\/none \n    inet <strong>10.8.0.60\/24 brd 10.8.0.255<\/strong> scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::ea62:fbae:5b45:2d78\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>On the other client:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ip add show tun0<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>12: tun0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100\n    link\/none \n    inet <strong>10.8.0.50\/24 brd 10.8.0.255<\/strong> scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::c928:c76d:fbd4:6c6a\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>Checking connectivity between the two clients:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ping 10.8.0.60 -c 3<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>PING 10.8.0.60 (10.8.0.60) 56(84) bytes of data.\n64 bytes from 10.8.0.60: icmp_seq=1 ttl=64 time=4.67 ms\n64 bytes from 10.8.0.60: icmp_seq=2 ttl=64 time=3.86 ms\n64 bytes from 10.8.0.60: icmp_seq=3 ttl=64 time=4.05 ms\n\n--- 10.8.0.60 ping statistics ---\n3 packets transmitted, 3 received, 0% packet loss, time 2003ms\nrtt min\/avg\/max\/mdev = 3.864\/4.196\/4.670\/0.351 ms\n<\/code><\/pre>\n\n\n\n<p>That is it. 
We have come to the end of our guide on how to assign static IP addresses to OpenVPN clients.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/connect-to-openvpn-using-network-manager-on-centos-8-ubuntu-18-04\/\" target=\"_blank\">Connect to OpenVPN using Network Manager on CentOS 8\/Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-and-configure-openvpn-client-on-centos-8-ubuntu-18-04\/\" target=\"_blank\">Install and Configure OpenVPN Client on CentOS 8\/Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-strongswan-vpn-client-on-ubuntu-18-04-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure strongSwan VPN Client on Ubuntu 18.04\/CentOS 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to assign static IP addresses for OpenVPN clients. 
In most cases, say, if you have some<\/p>\n","protected":false},"author":1,"featured_media":18901,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,282],"tags":[1449,1448,1446,1447],"class_list":["post-5482","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-openvpn","tag-assign-fixed-ip-address-openvpn","tag-ifconfig-push","tag-openvpn-static-ip-address","tag-static-ip-address-openvpn-clients","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5482"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5482"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5482\/revisions"}],"predecessor-version":[{"id":21372,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5482\/revisions\/21372"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/18901"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}