Static IP addresses in OpenVPN
Sometimes when working with OpenVPN it is nice to have a way to tell the OpenVPN server that you’d like to get the same IP address each time you connect to it, or in other words you’d like to get a static IP address instead a dynamic one from the IP pool.
Having a static IP address for your OpenVPN clients can be not just handy, but in some situations it could be even required.
One example of such situation would be to allow a person access to a database, which is restricting access by IP addresses.
What you would want to have is grant access to that person only, and not everyone in your OpenVPN subnet.
For completeness of this post I’m going to use the OpenVPN server’s configuration as described here as a reference.
The way that we assign static IP addresses for our clients in OpenVPN
is done via the
client-config-dir option. The
option points to a directory with files which contain client specific
configurations, like IP addresses for example.
openvpn(8) man page for more information on the
So, lets enable client-config-dir in our OpenVPN server’s configuration. Add these lines to your /etc/openvpn/server.conf file:
# Client config directory client-config-dir /etc/openvpn/ccd
Next we create the
client-config-dir we’ve specified above:
$ sudo mkdir /etc/openvpn/ccd
It is important to note that after placing files in
directory they should be readable by the OpenVPN user after dropping
privileges, e.g. by user nobody.
Also OpenVPN will load a client configuration file only if it matches the clients common name. Say that we’ve created a client certificate and we’ve used a CN test.user then in /etc/openvpn/ccd you should place a file called test.user.
And here’s how we can tell the OpenVPN server to always provide the same IP address to our test.user by adding the below contents to /etc/openvpn/ccd/test.user file:
ifconfig-push 10.1.32.10 10.1.32.1
The OpenVPN client will get the 10.1.32.10 address and 10.1.32.1 is the address of the OpenVPN server from the 10.1.32.0/20 subnet.
Fix the permissions, so that OpenVPN can read the files:
$ sudo chown -R nobody:nogroup /etc/openvpn/ccd
One last thing that you need to do is to reserve this IP address, so that you don’t end up with duplicate client addresses in your OpenVPN subnet.
This is done by adding an entry in the persistent IP pool file, which
is usually called
ipp.txt and defined by the
ipp.txt you should add a pair of CommonName and IP address
separated by a comma, for each client you want to have this address
Here’s how our
test.user gets its IP address reserved:
And now restart the OpenVPN server:
$ sudo service openvpn restart
Test your configuration by connecting with your client to the OpenVPN server and verify that everything works fine.