OpenVPN Assign static IP to client

Published by Tobias Hofmann on

2 min read

After configuring the overall OpenVPN client and server infrastructure, my clients can connect to a VPN. The client can access server resources and vice versa. While the server gets normally always the same IP assigned, the client IP address is assigned dynamically from a pool of IP addresses. Meaning: there is no guarantee that the client always gets the same IP address. Normally, this is not a problem, as the client connects to consume server resources. Such like a web site, or git repository. In my case, the architecture is that the OpenVPN server acts as a proxy to internal services. The web site, git repository, etc are running on the client. Therefore, the server must be able to connect to the client using a fix address.

To make this work, each time a client connects, the same IP must be assigned to. OpenVPN allows to assign a static IP to a client.


  1. In /etc/openvpn create folder ccd. Ccd stands for client config directory, meaning: it contains the configuration for a client.
  2. Edit file server.conf and add line “client-config-dir ccd
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as
# First, uncomment out these lines:
client-config-dir ccd

3. Create a configuration file for each client and put into directory ccd. As file name, use the same name for the client as used in the CN field of the client certificate.

ifconfig-push IP MASK



CLI steps

sudo mkdir /etc/openvpn/ccd
sudo touch /etc/openvpn/ccd/client1
sudo vim /etc/openvpn/server.conf
Uncomment the line containing client config parameter
client-config-dir ccd

sudo vim /etc/openvpn/ccd/client1
Restart OpenVPN service on server
sudo /etc/init.d/openvpn restart

Client with automatic assignment of IP:

After restart of OpenVPN server: IP is now

Server log


Additional information can be found in OpenVPN documentation.


“This file can specify a fixed IP address for a given client using –ifconfig-push, as well as fixed subnets owned by the client using –iroute.


„Push virtual IP endpoints for client tunnel, overriding the –ifconfig-pool dynamic allocation.”

Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.


Christian "kiko" Reis · November 14, 2018 at 01:00

Tobias, are you sure this is right for all topologies? For my net30 environment using PtP tun interfaces, I had to specify as second argument the IP address of the peer, not the netmask. I actually got an error when using a netmask:

Tue Nov 13 21:38:47 2018 WARNING: Since you are using –dev tun with a point-to-point topology, the second argument to –ifconfig must be an IP address. You are using something ( that looks more like a netmask. (silence this warning with –ifconfig-nowarn)

    Joshua Carter · April 18, 2019 at 18:08

    According to this page:

    With subnet topology, you pass the client ip address and a netmask to ifconfig-push, with net30 topology, you pass two ip addresses to ifconfig-push (I believe the first address is still the client ip address, but I’m not sure).

daniel · July 25, 2019 at 07:50

in the ccd/client1

i had to change:

otherwise i couldn’t establish a connection from the client

    Gato · January 4, 2022 at 23:41

    This is absolutely right, I’m glad I had two clients and chose to configure one at the time.
    I realized something was off as I could not ping or even ssh back into the client from the other client or server.

    The author should update this guide, because other then this issue it’s a very good guide that does work as expected.

Lucas Frohlich · October 15, 2019 at 22:46

Did you use reverse proxy to access the services? or have you set up a traffic redirection rule on the OS? (ufw / iptables)

    Tobias Hofmann · October 16, 2019 at 13:09

    The services are access through an Apache Reverse Proxy.

Saud Khan · November 21, 2019 at 14:30

Hi , I want to assign static IPs to my clients my openvpn ca server running of vmware workstation.


Davdi · September 13, 2022 at 14:27

Thank you :·D

5G + Public IP with OpenVPN – raynix 筆記 · April 17, 2020 at 12:27

[…] its tun0 network interface, so the nginx server can proxy traffic to this IP reliably. I followed this guide, except it suggested to do client-config-dir on both server and client sides but I only did on the […]

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.