After configuring the overall OpenVPN client and server infrastructure, my clients can connect to the VPN. The client can access server resources and vice versa. While the server normally always gets the same IP address, the client IP address is assigned dynamically from a pool of IP addresses, so there is no guarantee that the client always gets the same IP address. Normally this is not a problem, because the client connects to consume server resources such as a web site or a git repository. In my case, the architecture is that the OpenVPN server acts as a proxy to internal services: the web site, git repository, etc. are running on the client. Therefore, the server must be able to connect to the client using a fixed address.
To make this work, the same IP address must be assigned to the client each time it connects. OpenVPN allows a static IP to be assigned to a client.
1. In /etc/openvpn, create the folder ccd. ccd stands for client config directory: it contains the per-client configuration.
2. Edit the file server.conf and add the line “client-config-dir ccd”.
    # EXAMPLE: Suppose the client
    # having the certificate common name "Thelonious"
    # also has a small subnet behind his connecting
    # machine, such as 192.168.40.128/255.255.255.248.
    # First, uncomment out these lines:
    client-config-dir ccd
3. Create a configuration file for each client and put it into the ccd directory. As the file name, use the client's name exactly as it appears in the CN field of the client certificate. The file contains an ifconfig-push line:
    ifconfig-push IP MASK
For example:
    ifconfig-push 10.8.0.2 255.255.255.255
    sudo mkdir /etc/openvpn/ccd
    sudo touch /etc/openvpn/ccd/client1
    sudo vim /etc/openvpn/server.conf
Uncomment the line containing the client config parameter:
    client-config-dir ccd
    sudo vim /etc/openvpn/ccd/client1
Insert:
    ifconfig-push 10.8.0.2 255.255.255.255
Restart the OpenVPN service on the server:
    sudo /etc/init.d/openvpn restart
Client with automatic assignment of IP: 10.8.0.6
After restart of OpenVPN server: IP is now 10.8.0.2
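One way to script the steps above so that a client name can never escape the ccd directory and no two clients are pushed the same address. This is an added example, not code from the original post or from OpenVPN; the function names `is_ipv4` and `ccd_assign` and their return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: write <ccd dir>/<CN> with a fixed ifconfig-push address.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with each octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ccd_assign CCD_DIR CN IP MASK
# Returns 0 ok, 2 unsafe CN, 3 bad address, 4 IP already pushed to another client.
ccd_assign() {
    ccd_dir=$1; cn=$2; ip=$3; mask=$4
    # The file name is the certificate CN, so reject anything that could
    # leave the ccd directory or hide the file ("/", "..", leading dot).
    case "$cn" in
        ""|.*|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    is_ipv4 "$ip" && is_ipv4 "$mask" || return 3
    # Two clients pushed the same address would collide on the tunnel.
    for f in "$ccd_dir"/*; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = "$cn" ] && continue
        if awk -v ip="$ip" '$1=="ifconfig-push" && $2==ip {hit=1} END {exit !hit}' "$f"; then
            return 4
        fi
    done
    # Build the new file beside the target and rename it into place, keeping
    # other directives (such as iroute) and replacing any old ifconfig-push.
    tmp=$(mktemp "$ccd_dir/.ccd.XXXXXX") || return 1
    if [ -f "$ccd_dir/$cn" ]; then
        awk '$1 != "ifconfig-push"' "$ccd_dir/$cn" >"$tmp"
    fi
    printf 'ifconfig-push %s %s\n' "$ip" "$mask" >>"$tmp"
    # mktemp creates mode 600; a daemon that dropped privileges must still read it.
    chmod 644 "$tmp" && mv "$tmp" "$ccd_dir/$cn"
}

# Run as: sudo sh ccd_assign.sh /etc/openvpn/ccd client1 10.8.0.2 255.255.255.255
if [ "$#" -eq 4 ]; then ccd_assign "$@"; fi
```

The server still needs the restart shown above before a connected client picks up its new address.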
Additional information can be found in the OpenVPN documentation.
“This file can specify a fixed IP address for a given client using --ifconfig-push, as well as fixed subnets owned by the client using --iroute.” https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
“Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation.” https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html