OpenVPN Assign static IP to client
After configuring the overall OpenVPN client and server infrastructure, my clients can connect to the VPN. The client can access server resources and vice versa. While the server normally always gets the same IP address, the client's IP address is assigned dynamically from a pool of addresses, so there is no guarantee that a client always gets the same address. Normally this is not a problem, as the client connects to consume server resources such as a web site or a Git repository. In my case, the architecture is that the OpenVPN server acts as a proxy to internal services: the web site, Git repository, etc. run on the client. Therefore, the server must be able to connect to the client using a fixed address.
To make this work, the same IP address must be assigned to the client each time it connects. OpenVPN allows assigning a static IP address to a client.
Configuration
1. In /etc/openvpn, create the folder ccd. ccd stands for client config directory: it contains the per-client configuration files.
2. Edit the file server.conf and add the line “client-config-dir ccd”:
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir ccd
3. Create a configuration file for each client and put it into the directory ccd. As the file name, use the client's name exactly as it appears in the CN field of the client certificate. The file contains the line:
ifconfig-push IP MASK
Example:
ifconfig-push 10.8.0.2 255.255.255.255
CLI steps
sudo mkdir /etc/openvpn/ccd
sudo touch /etc/openvpn/ccd/client1
sudo vim /etc/openvpn/server.conf
Uncomment the line containing client config parameter:
client-config-dir ccd
sudo vim /etc/openvpn/ccd/client1
Insert:
ifconfig-push 10.8.0.2 255.255.255.255
Restart OpenVPN service on server:
sudo /etc/init.d/openvpn restart
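The arguments ifconfig-push expects depend on the server's topology setting (client IP plus netmask under subnet, client IP plus peer IP under net30), so the ccd files can be checked before the restart. The following is an added example, not code from the original post: the function names and sample files are constructed, server.conf is assumed to contain a server line, and a missing topology line is assumed to mean net30.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from a real server).
SERVER_CONF = "topology subnet\nserver 10.8.0.0 255.255.255.0\nclient-config-dir ccd\n"
CCD = {
    "client1": "ifconfig-push 10.8.0.2 255.255.255.255\n",
    "client2": "ifconfig-push 10.8.0.3 255.255.255.0\n",
    "client3": "ifconfig-push 10.8.0.3 255.255.255.0\n",
}

def parse_server(conf):
    """Return (topology, VPN network) from server.conf text."""
    topo = re.search(r"^\s*topology\s+(\S+)", conf, re.M)
    net = re.search(r"^\s*server\s+(\S+)\s+(\S+)", conf, re.M)
    # Assumption: no 'topology' line means net30; set it explicitly to be sure.
    return (topo.group(1) if topo else "net30",
            ipaddress.ip_network(f"{net.group(1)}/{net.group(2)}"))

def lint_ccd(conf, ccd):
    """Return findings for the ifconfig-push lines in ccd (file name -> text)."""
    topology, vpn = parse_server(conf)
    findings, owner = [], {}
    for name, text in sorted(ccd.items()):
        m = re.search(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)", text, re.M)
        if not m:
            continue  # no static address: client stays on the dynamic pool
        ip, second = (ipaddress.ip_address(arg) for arg in m.groups())
        if ip not in vpn:
            findings.append(f"{name}: {ip} is outside {vpn}")
        if ip in owner:
            findings.append(f"{name}: {ip} is already pushed to {owner[ip]}")
        owner.setdefault(ip, name)
        if topology == "subnet" and second != vpn.netmask:
            findings.append(f"{name}: expected netmask {vpn.netmask}, got {second}")
        if topology == "net30":
            # Heuristic: both endpoints are the two host addresses of one /30 block.
            block = ipaddress.ip_network(f"{ip}/30", strict=False)
            if {ip, second} != set(block.hosts()):
                findings.append(f"{name}: {ip} {second} is not a /30 endpoint pair")
    return findings

if __name__ == "__main__":
    for finding in lint_ccd(SERVER_CONF, CCD):
        print(finding)
```

With the constructed files, the check reports the 255.255.255.255 mask under subnet topology and the address pushed to two different certificate names.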
Client with automatic assignment of IP: 10.8.0.6
After restart of OpenVPN server: IP is now 10.8.0.2
Server log
Additional information can be found in OpenVPN documentation.
client-config-dir
“This file can specify a fixed IP address for a given client using --ifconfig-push, as well as fixed subnets owned by the client using --iroute.” https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
ifconfig-push
“Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation.” https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
9 Comments
Christian "kiko" Reis · November 14, 2018 at 01:00
Tobias, are you sure this is right for all topologies? For my net30 environment using PtP tun interfaces, I had to specify as second argument the IP address of the peer, not the netmask. I actually got an error when using a netmask:
Tue Nov 13 21:38:47 2018 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.0.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Joshua Carter · April 18, 2019 at 18:08
According to this page:
https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
With subnet topology, you pass the client ip address and a netmask to ifconfig-push, with net30 topology, you pass two ip addresses to ifconfig-push (I believe the first address is still the client ip address, but I’m not sure).
daniel · July 25, 2019 at 07:50
In the ccd/client1
I had to change:
ifconfig-push 10.8.0.2 255.255.255.255
into
ifconfig-push 10.8.0.2 255.255.255.0
otherwise I couldn’t establish a connection from the client
Gato · January 4, 2022 at 23:41
This is absolutely right, I’m glad I had two clients and chose to configure one at a time.
I realized something was off as I could not ping or even ssh back into the client from the other client or server.
The author should update this guide, because other than this issue it’s a very good guide that does work as expected.
Lucas Frohlich · October 15, 2019 at 22:46
Did you use a reverse proxy to access the services? Or have you set up a traffic redirection rule on the OS? (ufw / iptables)
Tobias Hofmann · October 16, 2019 at 13:09
The services are accessed through an Apache Reverse Proxy.
Saud Khan · November 21, 2019 at 14:30
Hi, I want to assign static IPs to my clients my openvpn ca server running of vmware workstation.
Thanks
Davdi · September 13, 2022 at 14:27
Thank you :·D
5G + Public IP with OpenVPN – raynix 筆記 · April 17, 2020 at 12:27
[…] its tun0 network interface, so the nginx server can proxy traffic to this IP reliably. I followed this guide, except it suggested to do client-config-dir on both server and client sides but I only did on the […]