Power Sysadmin Blog
Just Another Enterprise Admin Blog
OpenVPN: Assigning Static IP Addresses to Clients
By default, OpenVPN clients receive a dynamic IP address on connection from the DHCP range that you set with the server network netmask directive in the OpenVPN server configuration file (server.ovpn), for example, server 10.24.1.0 255.255.255.0. In some cases, you want certain OpenVPN clients to get the same static IP address every time they connect.
To do this, add the following line to the server.conf file:
client-config-dir /etc/openvpn/ccd
Create a directory:
The contents of the /etc/openvpn/ccd directory must be readable by the OpenVPN user.
If OpenVPN is running under nobody:
In this directory, create a file with the name of the client (the client file name must match the name of the client in the certificate Common Name). For example, for your user with certificate testuser1 (subject=CN=testuser1), you need to create a file with exactly the same name:
If this is an OpenVPN client with Windows, you need to add the following configuration to the file:
#ifconfig-push clientIP serverIP
ifconfig-push 10.24.1.10 10.24.1.1
If it’s a Linux OpenVPN client:
#ifconfig-push clientIP Netmask
ifconfig-push 10.24.1.11 255.255.255.0
Restart the OpenVPN server service:
Connect to the OpenVPN server from the client and check that it has received the IP address you specified.
For example, on a Linux OpenVPN client, run the command ip add show tun0 and check that the tun0 interface is assigned the IP address 10.24.1.11.
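A pre-restart check for the client-config-dir described above, as an added example that is not from the original article: it flags ccd files with no active ifconfig-push line, addresses outside the server network, addresses reused by two clients, and files writable by group or others. The function names and the sample directory are constructed for illustration; the network is the article's server 10.24.1.0 255.255.255.0.

```sh
#!/bin/sh
# Added example (not from the article): lint a client-config-dir.
# Function names and the sample files below are constructed for illustration.

# Print a dotted quad as an integer; fail on malformed input.
ip_to_int() (
    case "$1" in *.*.*.*.*|*[!0-9.]*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in ''|0?*|????*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# lint_ccd DIR NETWORK NETMASK
# Prints one finding per line; no output means every file passed.
lint_ccd() (
    dir=$1
    net=$(ip_to_int "$2") && mask=$(ip_to_int "$3") || {
        echo "bad network or netmask"; exit 0; }
    net=$(( net & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    seen=" "
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        cn=${f##*/}     # the file name is the certificate Common Name
        # Whoever can write this file can change the client's address.
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
            echo "$cn: writable by group or others"
        fi
        # First token after an uncommented ifconfig-push is the client address.
        ip=$(sed -n 's/^[[:space:]]*ifconfig-push[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$f" | head -n 1)
        if [ -z "$ip" ]; then
            echo "$cn: no active ifconfig-push line"
            continue
        fi
        n=$(ip_to_int "$ip") || { echo "$cn: malformed address '$ip'"; continue; }
        if [ $(( n & mask )) -ne "$net" ]; then
            echo "$cn: $ip is outside $2/$3"
        elif [ "$n" -eq "$net" ] || [ "$n" -eq "$bcast" ] || [ "$n" -eq $(( net + 1 )) ]; then
            # the server directive takes the first address for itself
            echo "$cn: $ip is reserved (network, broadcast or server address)"
        fi
        case "$seen" in
            *" $ip="*) dup=${seen#*" $ip="}
                       echo "$cn: $ip already assigned to ${dup%% *}" ;;
            *)         seen="$seen$ip=$cn " ;;
        esac
    done
)

# Constructed sample directory with one clean file and three faulty ones.
make_sample_ccd() {
    d=$(mktemp -d) || return 1
    printf '#ifconfig-push clientIP Netmask\nifconfig-push 10.24.1.11 255.255.255.0\n' > "$d/testuser1"
    printf 'ifconfig-push 10.24.1.11 255.255.255.0\n' > "$d/testuser2"
    printf 'ifconfig-push 10.24.2.5 255.255.255.0\n' > "$d/gw1"
    printf '#ifconfig-push 10.24.1.20 255.255.255.0\n' > "$d/laptop"
    chmod 644 "$d"/*
    chmod 666 "$d/testuser2"
    echo "$d"
}

sample=$(make_sample_ccd)
lint_ccd "$sample" 10.24.1.0 255.255.255.0
rm -rf "$sample"
```

On a real server, point lint_ccd at /etc/openvpn/ccd with the values from your own server line.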
You can also set a list of static IP addresses for OpenVPN clients using the ipp.txt file.
To do this, add the following line to the /etc/openvpn/server.conf configuration file:
ifconfig-pool-persist ipp.txt
Then fill in the list of clients and static IPs in the /etc/openvpn/ipp.txt file:
testuser1,10.24.1.11
testuser2,10.24.1.14
gw1,10.24.1.5
Assign Static IP Addresses for OpenVPN Clients
In this guide, we are going to learn how to assign static IP addresses to OpenVPN clients. If controls in your environment require hosts to have static IP addresses so that those controls remain manageable, you will most likely need to assign static IP addresses to specific clients. OpenVPN supports the assignment of static IP addresses.
Assigning OpenVPN Clients Static IP Addresses
OpenVPN can assign clients specific IP addresses from the defined IP pool. To select a client's address, it uses three methods, in the following order:
- Use of a --client-connect script. This involves execution of the specified script, which generates a file containing static IP addresses on the server when a client connects. This method is the first choice to be considered.
- Use of --client-config-dir. This involves the use of a file which contains static IP addresses for the clients as per their client certificate common name (CN) (second choice).
- Use of --ifconfig-pool for the allocation of dynamic IP addresses (last choice).
For more information, consult man openvpn.
In this guide, we are going to use the second option: we will configure our OpenVPN server to read a specific file that contains the client common names and mapped IP addresses. This ensures that a connecting client is assigned a static IP address based on the common name defined in its client certificate.
In our previous guide, we covered the installation and configuration of an OpenVPN server on CentOS 8 system.
Create a File to Store Static IP addresses
The client-config-dir option requires that the static IP addresses to be assigned to connecting clients be stored in a file that can be read by the OpenVPN server.
Therefore, open the OpenVPN server configuration file, /etc/openvpn/server/server.conf, and set the path to your static IP assignment file as the value of the client-config-dir parameter.
In this demo, we set the path for the static/fixed IP address assignment file to /etc/openvpn/ccd. Well, I tried to use the default path, /etc/openvpn/server/ccd, but it resulted in the error below:
So as a workaround, we opted to use a different path, as above.
Assign Static IP Addresses to OpenVPN Clients
For every OpenVPN client that you want to assign a static IP address to, you need to extract the common name from that client's certificate.
In our demo, we have two OpenVPN clients, koromicha and johndoe. To extract the common names from the clients' certificates, use the openssl command as shown below. Be sure to substitute your own clients' certificates.
Once you have the common names for the clients, you can assign them static IP addresses using the ifconfig-push option. For example, to assign 10.8.0.50 to the client whose certificate has koromicha as its common name, and 10.8.0.60 to the client whose certificate has johndoe as its CN, the assignment is done as follows:
Note that how you assign the static IP addresses depends on the topology configured on your OpenVPN server. In our case, we set the topology to subnet:
Read more on OpenVPN Addressing Concepts.
Restart the OpenVPN server:
Be sure to always check the logs:
Verify Static IP Address Assignment on OpenVPN Clients
Assuming you already have the respective client OpenVPN configuration file on your clients, initiate the connection and verify the IP address assignment.
Checking the assigned IP address:
On the other client:
Checking connectivity between the two clients:
That is it. We have come to the end of our guide on how to assign static IP addresses to OpenVPN clients.
1 thought on “Assign Static IP Addresses for OpenVPN Clients”
I had the same error in OpenVPN 2.4.7:
Could not access file ‘/etc/openvpn/ccd/client4’: Permission denied (errno=13)
I had to change the directory outside of openvpn to make it work:
client-config-dir /etc/ccd
© 2024 kifarunix.com
Setup a Static IP Address for OpenVPN Clients on your Synology NAS!
- Post author: WunderTech
- Post last modified: November 2, 2022
- Post category: Synology / VPN / Xpenology
- Reading time: 10 mins read
Today we are going to look at how you can set up a static IP address for OpenVPN on a Synology NAS.
When you set up a VPN server on your Synology device, the IP addresses are dynamic when a user connects. What this means is that every user will have a different IP address when they connect and the order in which they connect determines what the address will be. In other words, it’s totally random. There are many cases where using a static IP address is necessary, and today we are going to go through the process of configuring this.
If you have not configured your VPN Server, you must do it before proceeding. I have instructions on how to do it here.
Setup a Static IP Address for OpenVPN on a Synology NAS – Instructions
1. First off, you need to be able to SSH into your Synology device. If you aren’t sure how to do that, you can watch this quick 90 second video that shows you how.
2. SSH into your Synology NAS and navigate to the VPNCenter folder by running this command:
3. At this point, we need to create a directory which is where we will store our users and their predetermined IP addresses. Run this command to create a folder.
4. Now that this directory is created, we need to give users the rights to execute items in this folder by running the command below. If you’d like to read more about what permissions this command grants, you can do so here.
5. The next step involves reconfiguring the OpenVPN configuration file to check our newly added folder for files. Run these commands to navigate to the folder and edit the configuration file.
6. When you have the configuration file open, add the line below inside of the file. NOTE: you will need to use vi to edit this file. If you aren’t sure how to use the vi editor, check out this tutorial. In its simplest form, press “i” to insert and when the line is entered/changed, press “Escape” to stop editing, then type “:wq” to quit.
7. After the file has been saved, navigate to the radiusplugin.cnf folder by typing this command:
8. Edit the radiusplugin.cnf file by typing this command. See instructions above on how to use the vi editor.
9. Change the “true” flag to “false” for “overwriteccfiles”.
10. The server configuration is now complete. The final step is to determine which VPN users should have static IPs and create a file letting the system know what IP address should be assigned to each user account. The file name must be the EXACT username that will be connecting to the VPN (in my case, vpnUser1 and vpnUser2). Another important note is that when you configured your VPN server, you defined a dynamic IP address, which determines the addresses given to connecting clients. In my example, VPN connections are given an IP address of 10.5.0.X.
11. Navigate back to the userIPs directory.
12. To show how the configuration is set up, I have created two user accounts (vpnUser1, vpnUser2). When they connect, I want vpnUser1 to receive the 10.5.0.10 IP address and vpnUser2 to receive the 10.5.0.14 IP address. By default, the first IP address given is 10.5.0.6. For this reason, I don’t recommend using the .6 IP address, so it’s best to start at .10 and increase that number by four for every additional user. Follow the instructions below to configure this.
13. Create a file with the username for which you would like to set up the static IP (in my case, vpnUser1 and vpnUser2).
14. Enter the line below in the newly created file. NOTE: the IP address should always increment by 4 and the second IP address in the string should always be one less than the first.
15. I will do the same for vpnUser2.
16. We now need to change the permissions on these files. To do that, run the commands below. If you’re interested in seeing what these permissions are, you can view the information here.
17. Reboot your Synology device and try to connect to your VPN. I suggest using your mobile phone and mobile network (as you cannot be on the same network). You should see that each VPN user that connects has the IP address that we configured above.
In general, dynamic IP addresses are fine and the majority of people won’t need to know what IP address is assigned to each device. However, in very specific situations, there may be a requirement where an administrator needs to know that a specific device will be assigned to a specific IP address. This easy tutorial gives you the exact steps that you need to conduct to accomplish that. After setting this up, you can take this one step further and back up your Synology NAS to a Raspberry Pi off-site using Hyper Backup!
Thanks for reading, and leave any questions you have in the comments!
This post has 23 comments.
How about static IP addresses for L2TP/IPSEC? I can do this fine with OpenVPN, but can’t find a way to do it with L2TP. Any suggestions?
I unfortunately haven’t setup L2TP/IPSEC, but if I get some time, I will see if I can come up with something. If I can, I will try and create a tutorial for it!
Thank you. I’ve followed your easy instructions .. and it works.
Do you have an idea how to resolve the issue with the DNS names. It’s necessary to use the fixed IP address for setting up the backup process. Using the given Synology Server name (e.g. SynoBackup) would be fine.
brg Wolfgang
Is there a possibility to set a static IP when connected with DSM as an OpenVPN Client (to any other server)?
Can you explain this a little further? When you say set a static IP when connected with DSM, what exactly do you mean by that?
Let me know and hopefully I can help!
Sure, There’s an OpenVPN Server somewhere on the internet (OPNSense, non DSM), my DS is connected to that server. Usually the Server assigns an IP (lets say 10.11.12.13) to that server. Upon reconnect it would assign a new IP. Now I want to find a way to set a static IP (lets say the same 10.11.12.13 or something in that /24 subnet) so other components can reliably access the DS with that IP.
I did some preliminary research on OPNSense as I’ve never used it, but I don’t want to point you in the wrong direction. You would know better than me, but this link looks like it might have what you’re looking for: https://forum.opnsense.org/index.php?topic=2516.0
One thought I had is if you’re trying to access DSM through the mDNS name (NASName.local)? If it doesn’t work, you might have to figure out how to get DNS to work on OPNSense.
I apologize for not having a better answer. I just haven’t used OPNSense and for that reason, can only try and give a few suggestions. If you have any other questions that you think I can help with, please let me know!
Many thanks for this! I have my main Diskstation at home and a remote smaller Diskstation on a University network which I use for backups.
I can’t connect to the remote one directly, but I can tell it to connect to my home VPN and, using this, I can give it a predictable IP address there, which means I can set up snapshot replication to it. Splendid!
Glad to hear it worked, thanks for reading the tutorial!
It worked with my DSM. Thank you.
Glad to hear it worked, thanks for checking out the tutorial!
Thanks for this article this really helped. I did discover a few things that will make this easier. With the ifconfig-push command I believe the second IP should be the gateway. So instead of: ifconfig-push 10.5.0.10 10.5.0.9 This would be: ifconfig-push 10.5.0.10 10.5.0.1
It’s also not necessary to restart your Synology, you can actually just restart the vpn service with the command synoservice --restart pkgctl-VPNCenter I actually just setup a scheduled task that is disabled, so I can restart this from the web interface.
This is very helpful, thanks so much for sharing it!
Hello, According to this page: https://linuxfr.org/forums/linux-debian-ubuntu/posts/tuto-howto-fixer-ip-des-clients-sur-openvpn it should be the network mask: ifconfig-push 10.5.0.10 255.255.255.0 according to the official website: https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/ it would be like written in the tutorial
A second thing, the “synoservice” command is not working under DSM 7. I think one can stop and launch again the vpnserver in the application portal.
I used version of this tutorial and my method for application portal and it connected with the good ip.
on my nas under DSM 7.0 $ openvpn --version OpenVPN 2.4.9 according to the official doc of 2.4 https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ the second argument should be the remote-netmask so ifconfig-push 10.5.0.10 255.255.255.0
I will have to look and see if anything changed with DSM 7. I created this tutorial for DSM 6, but have no doubt that there could be some changes with DSM 7. Thanks for letting me know!
I have implemented this configuration and my client is unable to connect with the VPN Server when I have the client config dir directive in my openvpn.conf. All file modes have been set properly, and connecting with a dynamic ip goes perfect, but once I enable the client-config-dir it just fails. I have configured everything as user root.
Has anyone else experienced this problem? And solved it?
I unfortunately haven’t seen that error before, so it might be a little harder to troubleshoot. Are you receiving any errors in Synology’s log?
Not sure which log(s) to look at, the VPNCenter logs at the vpn server don't show anything (useful). But if you have suggestions, they’re welcome 🙂 Maybe at the client side or something…
The logs are buried in the terminal, unfortunately. I have used them, but I’m not exactly sure where they are off the top of my head. If I get some time, I will check and let you know. If you want to explore, they’re in there!
Hmm strangely enough it seems to work now with static ip. Not sure anymore what I changed, but I enabled the client config dir yesterday and restarted the VPNCenter package and after that the client got the assigned static ip…
Thank you for this, it’s incredibly useful! I don't expect it to be reliable but I combined this with 4 4TB usb hdd’s in raid 10 with mdadm. Works well so far.
I noticed my pi doesn't seem to be mapped to a hostname anymore, is it possible to assign a hostname that devices that my regular subnet will recognize? thanks!
Do you mean through the OpenVPN connection? If so, you can, but you have to implement a DNS server and pass that DNS server to the device through the config file. It should then be resolvable through domain name!
How Does a VPN Manage Local IP Addresses
When you have devices with the same static IP addresses on two networks how does a VPN keep them straight?
Example: I have a small network in my home office with 3 computers. I routinely connect to a remote office that has a Sonicwall router w/VPN using the Sonicwall VPN client on my main machine. Once connected, I am still able to access devices on both networks which use static IPs (they are servers.)
Both LANs use 192.168.0.x addressing. When I specify using a device like a server or printer at say 192.168.0.10 how does it determine whether to use the address on my physical local LAN or the one on the remote LAN?
Is it doing NAT translation similar to what the router does when it connects to the Internet?
Am I just "lucky" it's working?
2 Answers
To answer your question, Yes, you're "lucky" it's working.
When you connect to your VPN, your tunnel interface is assigned an IP by that remote DHCP server. So you're technically routing from the VPN server to your remote devices. You're probably connecting to your servers via their DNS names or something, which is resolved by your DNS servers locally. In which case if it couldn't find it, it'll search in your remote office.
So technically yes, this'll work. But it is not very efficient.
So for eg. your VPN client is assigned an address by the SSL VPN. Which could be a different network address range. (eg. 172.16.32.0/16) While your remote network is working in the 192.168.1.0/24 range. The VPN server can be configured to bridge the two networks together.
The IP that your VPN client gets is not from the remote site's system/router's DHCP server, but rather the VPN server's DHCP server.
About the DNS, I don't really know how to explain properly. It uses a mix of DNS, ARP and RARP requests to determine the correct device. Hopefully this is enough to understand.
- How does it search the remote office if it's not finding it via "local" DNS servers? And which ones are the local DNS servers? If he's receiving DHCP from the remote machine, won't he be using the office's DNS servers? I'm confused. – rtf Jan 15, 2013 at 16:14
- @r.tanner.f Let's say A is the network he is in, and B is the remote site. He has 2 IP addresses in 2 "different" networks but his default path will be routed through the VPN(B). Which is why the remote servers(B) appear to be "local". Even so, because he is still technically on his local network(A), he will be able to access his local servers(A). I am guessing your confusion comes from thinking that he has 2 routers connected through a VPN tunnel. That'll be different, but in his current setup, only his computer is connected as a client. – whoiskai Jan 15, 2013 at 16:32
- Ah, yes that clears some things up. Still a little confused about the DHCP and DNS bits. Could you edit your answer? – rtf Jan 15, 2013 at 16:46
- @r.tanner.f edited, hope it helps (: – whoiskai Jan 15, 2013 at 17:46
How Does a VPN Manage Local IP Addresses and how does a VPN keep them straight?
I had this exact same question!
The thing is, it depends entirely on the VPN Technology, and there's well over ten different VPN Technologies. I'll discuss three popular ones.
- VTIs (new, somewhat similar effect to DMVPN)
OpenVPN (Which I think works similarly to your Sonicwall): You install client software on your PC that creates a virtual adapter. So now your PC has a physical Ethernet Port with an IP address on your local LAN, that allows you to ping to static servers on your local LAN. When you connect to the Remote VPN your virtual network adapter will get a virtual IP address. Where does it get this virtual IP address? You won't get it from your Local DHCP Server, and you won't get it from the DHCP server on the remote network either. The VPN Server has its own pool of IP Addresses just for VPN clients, and the VPN Server has a spot to configure the DNS info given to remote VPN clients. I think OpenVPN uses 10.8.0.0/16. Your Virtual Interface will get a Virtual IP address from the range reserved for remote VPN clients. Note that the Virtual IP address is an IP address that exists on the remote Private LAN, and that's how you can ping the static IP address of servers on the remote private LAN. So by having two interfaces one physical and one virtual, you can ping local LAN servers and remote LAN servers, also the physical interface is configured with your local DNS server, and the virtual interface is configured with the remote DNS server. So you can resolve both local DNS and remote DNS.
DEV Community
Posted on Nov 18, 2019 • Updated on Dec 30, 2019
Assigning Static IP for OpenVPN on Asus Routers
Configure a static IP so that you will always be assigned the same VPN IP address based on your username
SSH into Router
Open your router at 192.168.0.1 (or whichever gateway you're using)
Administration > System > Enable SSH > LAN only
Open SSH client of choice
Windows - Use Windows PowerShell
Mac - Use Terminal
SSH into router by typing the following command (change your username to whichever you use when logging in, and IP address to your default gateway)
Enter your password when prompted
Create Script
Create a scripts folder in '/jffs/scripts'
cd ../../../jffs; mkdir scripts; cd scripts;
Create new file 'clientconnect.sh'
cat > clientconnect.sh
Enter this script: (explanation later)
Save by pressing Enter, then Ctrl-D
Verify that the script has been saved. You should see the full code.
cat clientconnect.sh
Grant execution permissions
chmod +x clientconnect.sh
Execute script on connect
VPN > OpenVPN > VPN Details > Advanced Settings
Enter this code under "Custom Configurations"
Connect to OpenVPN
Create two OpenVPN users
User 1: test
User 2: test2
Connect to OpenVPN with both accounts using your OpenVPN client of choice
You should be connected to 10.8.0.18 with test , and 10.8.0.22 with test2
Modifying the script
If you wish to add more users, simply copy the "elif then echo" block and change the IP address and username.
The first IP can only be in multiples of 4 + 2 (18,22,26,30...), while the second IP must be one number lower than the first (17,21,25,29...)
I suggest not to use lower IPs to avoid collisions as OpenVPN will assign lower numbers first. (OpenVPN starts from 10.8.0.6)
If you wish to change the username, simply replace 'test' or 'test2' with the username of your choice.
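The article's script did not survive on this page. The following is an added example of a client-connect hook, not the author's original: it maps the two users above to 10.8.0.18 and 10.8.0.22, enforces the multiple-of-4-plus-2 rule, and switches the second argument to a netmask when the server runs topology subnet, as one commenter below found necessary. The TOPOLOGY and NETMASK variables, the function names, and the fallback from $username to $common_name are assumptions of this example.

```sh
#!/bin/sh
# Added example of a --client-connect hook (not the article's script).
# OpenVPN runs the hook with the path of a temporary file as its last
# argument; directives written there apply to the connecting client only.

# Assumptions of this example: set TOPOLOGY=subnet when the server pushes
# "topology subnet"; NETMASK is then used as the second argument.
TOPOLOGY=${TOPOLOGY:-net30}
NETMASK=${NETMASK:-255.255.255.0}

# Exact-match lookup: the login is client-supplied text, so it is only ever
# compared against literals and never evaluated or used to build a path.
octet_for_user() {
    case "$1" in
        test)  echo 18 ;;
        test2) echo 22 ;;
        *)     return 1 ;;
    esac
}

# net30: the client address must be a multiple of 4 plus 2; the article
# advises staying above 6, where OpenVPN starts its dynamic assignments.
valid_net30_octet() {
    case "$1" in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$1" -ge 6 ] && [ "$1" -le 254 ] && [ $(( $1 % 4 )) -eq 2 ]
}

# Print the directive for one user.
# Returns 1 for an unknown user and 2 for a mapping that breaks the rules.
push_line_for() {
    oct=$(octet_for_user "$1") || return 1
    case "$TOPOLOGY" in
        subnet) echo "ifconfig-push 10.8.0.$oct $NETMASK" ;;
        net30)  valid_net30_octet "$oct" || return 2
                echo "ifconfig-push 10.8.0.$oct 10.8.0.$(( oct - 1 ))" ;;
        *)      return 2 ;;
    esac
}

# Hook entry point: runs only when OpenVPN passes the temp-file argument.
if [ "$#" -ge 1 ]; then
    for out_file in "$@"; do :; done      # keep the last argument
    line=$(push_line_for "${username:-${common_name:-}}")
    case $? in
        0) printf '%s\n' "$line" > "$out_file" ;;
        1) : ;;          # unknown user: leave the dynamic pool address
        *) exit 1 ;;     # bad mapping: a non-zero exit rejects the client
    esac
    exit 0
fi
```

The shebang is /bin/sh because, as a commenter notes, some routers do not ship bash.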
Top comments (6)
- Joined Sep 5, 2020
Hi, I followed your steps, but if I activate in the router the script script-security 2 --client-connect /jffs/scripts/clientconnect.sh
I can't connect from clients, it always says user authentication failed, and if I remove the script it connects fine. What happened? Can you help me please?
- Joined Apr 17, 2021
Perhaps the error is that the router does not have bash. Try replacing #!/bin/bash with #!/bin/sh On my RT-AC58U it did the trick.
- Joined Apr 3, 2022
Hi, I followed instructions and I think I am basically there but I run into an issue where I can't connect after I enable. Note that everything works fine (server is running etc.) if I don't use the script (i.e. I can connect multiple clients, no issues, with dynamic VPN addresses 10.8.0.2 etc.)
I used the script exactly as shown with the same custom config as above:
script-security 2 --client-connect /jffs/scripts/clientconnect.sh
I am using the script with /sh and not /bash. Running latest Merlin on Asus Router AX88U.
I get an ECONREFUSED error... the rest seems fine I think (though I am intermediary at this stuff at best).
Here is my log (I modified my public IP and login ID):
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 TLS: Initial packet from [AF_INET]80.45.135.65:62920 (via [AF_INET]91.133.25.56%eth0), sid=12971714 0ee6aadb
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AX88U, emailAddress= [email protected]
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress= [email protected]
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_VER=3.git::58b92569
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_PLAT=ios
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_NCP=2
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_TCPNL=1
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_PROTO=2
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_SSO=openurl
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_BS64DL=1
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 TLS: Username/Password authentication succeeded for username 'bobbarker'
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1541'
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 [client] Peer Connection Initiated with [AF_INET]80.45.135.65:62920 (via [AF_INET]91.133.25.56%eth0)
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_7a70e4845c391ec1.tmp
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI: Learn: 10.8.0.22 -> client/80.45.135.65:62920
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI: primary virtual IP for client/80.45.135.65:62920: 10.8.0.22
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Data Channel: using negotiated cipher 'AES-256-GCM'
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 PUSH: Received control message: 'PUSH_REQUEST'
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.50.0 255.255.255.0 vpn_gateway 500,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.22 10.8.0.21,peer-id 1,cipher AES-256-GCM' (status=1)
Apr 3 11:35:14 ovpn-server1[6149]: read UDPv4 [CMSG=8|ECONNREFUSED]: Connection refused (code=111)
Any help would be greatly appreciated...
I found my answer... no idea why but I have to use 10.8.0.18 255.255.255.0 in the script instead of 10.8.0.18 10.8.0.19 in the push command.
- Joined Jun 28, 2021
I tried IP ends with [100,99] and it was not working in Windows. But [102,101] works.
openvpn.net/community-resources/co... Refer to the openvpn manual, the last octet in the IP address of each endpoint pair must be taken from the following sets:
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38] [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58] [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78] [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126] [129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158] [161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190] [193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222] [225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254]
- Joined Nov 14, 2021
it worked perfectly
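The endpoint sets listed in the comments above are the two usable host addresses of each /30 block, which is why 10.8.0.18 10.8.0.19 and [100,99] fail while [102,101] works. The following check is an added example, not code from the original post or from OpenVPN; the function names and the sample CCD content are assumptions made for illustration.

```python
import ipaddress

def is_netmask(addr: ipaddress.IPv4Address) -> bool:
    """True for contiguous masks such as 255.255.255.0."""
    inv = ~int(addr) & 0xFFFFFFFF
    return int(addr) != 0 and (inv & (inv + 1)) == 0

def net30_hosts(addr: ipaddress.IPv4Address):
    """The two usable addresses of the /30 block that contains addr."""
    block = ipaddress.IPv4Network((int(addr) & ~3, 30))
    return tuple(block.hosts())

def check_push(local: str, second: str) -> str:
    """Classify one `ifconfig-push <local> <second>` directive."""
    a, b = ipaddress.IPv4Address(local), ipaddress.IPv4Address(second)
    if is_netmask(b):
        # Second argument is a mask: the form used with topology subnet.
        return "ok: address + netmask form"
    lo, hi = net30_hosts(a)
    if {a, b} == {lo, hi}:
        return "ok: net30 pair"
    return f"bad: not a /30 endpoint pair; this block's pair is {lo} and {hi}"

def lint_ccd(text: str):
    """Yield (line_number, verdict) for each ifconfig-push line in a CCD file."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) == 3 and fields[0] == "ifconfig-push":
            yield n, check_push(fields[1], fields[2])

# Constructed CCD content using the address pairs quoted in the comments above.
SAMPLE = """\
ifconfig-push 10.8.0.18 10.8.0.19
ifconfig-push 10.8.0.18 255.255.255.0
ifconfig-push 10.8.0.100 10.8.0.99
ifconfig-push 10.8.0.102 10.8.0.101
"""

if __name__ == "__main__":
    for n, verdict in lint_ccd(SAMPLE):
        print(n, verdict)
```

Running it over every file in the client-config-dir before restarting the server catches pairs that a Windows client would reject.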
OpenVPN server assigns same IP address (10.8.0.6) to all connected clients
I followed How To Set Up and Configure an OpenVPN Server on Ubuntu 20.04 to set up an OpenVPN server. I noticed that when any client connects to the OpenVPN server, each of them gets the same IP address: 10.8.0.6 .
In /etc/openvpn/server/server.conf , I have these settings so that it can assign IP addresses in 10.8.0.X .
In ubuntu client:
On my Mac PC:
106.73.138.98 is my IP address I checked with https://whatismyipaddress.com/
Ubuntu, Mac OS and iPhone are behind 106.73.138.98 , which is assigned by local ISP.
/var/log/syslog of when 3 clients connected at the same time:
- Yeah. I intentionally connected all 3 clients at the same time and they're assigned same IP address. By logs do you mean /var/log/syslog ? – Askar Feb 24, 2021 at 15:21
- Just updated the post with logs information. Thanks! – Askar Feb 24, 2021 at 15:37
Your logs show that each client connected using the same client certificate, and when that happened OpenVPN dropped the other connection.
As a general rule, different users should have different certificates, but if you want to allow the same user to use the same certificate on multiple devices, you can do what it says and start OpenVPN with the --duplicate-cn option. On Ubuntu you can do this by editing the /etc/default/openvpn file and adding the option to OPTARGS.
would become:
Then restart OpenVPN.
- Awesome! But it looks like this option should be configured in /etc/openvpn/server/server.conf according to community.cisco.com/t5/small-business-routers/… After restarting OpenVPN, now I have 3 different IPs assigned: 10.8.0.10 , 10.8.0.14 and 10.8.0.18 . :) – Askar Feb 24, 2021 at 15:54
- 1 I should learn reading logs... – Askar Feb 24, 2021 at 15:54
- You can do it either way. – Michael Hampton Feb 24, 2021 at 15:57
- For some reason, OPTARGS="--duplicate-cn" didn't work for me... – Askar Feb 24, 2021 at 15:58
- Hi Michael. You mentioned: "As a general rule, different users should have different certificates". In the tutorial I pasted in my post, I think it was not mentioned about it. Could you please share other good tutorials on OpenVPN stuff? – Askar Feb 25, 2021 at 11:07
openvpn IP address pool and client-config-dir
Post by vieri » Sun Oct 09, 2016 5:22 pm
Re: openvpn IP address pool and client-config-dir
Post by TinCanTech » Sun Oct 09, 2016 8:10 pm
Example:
Server
mode server
tls-server
ifconfig 192.168.144.1 192.168.144.2
ifconfig-pool 192.168.144.100 192.168.144.119
In net30 that gives --ifconfig-pool 5 usable client subnets.
Client98
ifconfig-push 192.168.144.198 192.168.144.197
iroute ... etc ...
--client-config-dir does not conflict with --ifconfig-pool addresses
How can I obtain the IP address of OpenVPN clients
The OpenVPN server gives an internal IP address to each client that connects from outside the network. I want to store these IP addresses in a database after they are assigned. Is there an easy way to tell which IP addresses were handed out by the OpenVPN server?
Thanks for the help.
- Have you looked at the logs of the OpenVPN server? It should just be a simple matter of grepping for a successful log in line and piping that to your database utility. – tudor -Reinstate Monica- Jun 27, 2019 at 3:12
- You can predefine an IP address for each client using entries in the ccd directory. – Organic Marble Jun 27, 2019 at 16:10
- The addresses are dynamically assigned – taybinakh Jun 27, 2019 at 21:23
2 Answers
If these aren't statically assigned there isn't a good way to do this other than to extract them from the logfiles since the connections will be randomly assigned IP addresses.
If they are statically assigned AND you are using the Open VPN AccessServer you can do it this way:
which should yield a list of the IP addresses in the output which should look something like this:
where the conn_ip is the connection IP address.
If you are trying to merely log users IP addresses and deposit that info into a DB then you might look at this:
Where are the OpenVPN connection logs and configuration files?
In that case you are using an OpenVPN Access Server you may want to try:
which will give you a file with all of the IP addresses associated with all the users. From there you can further modify the output to get just the bits you want from the file.
- Thanks, yes, the addresses are dynamically assigned. I will try that. My goal is to apply a rule for each user so that they can connect to just some devices; for example, user X can connect just to device X. Also, I must first know, for each user, what he has, and store it in the database. – taybinakh Jun 27, 2019 at 21:16
- I've modified the answer to get you more/less exactly what you're looking for in your case--it should work on virtually any OpenVPN server--not just the professional one (with a few modifications, like your log names may be a little different.) If that's good enough you can mark it as 'answered'. – Penguino Jun 27, 2019 at 22:16
- Thanks, I will try it. My scenario is: when clients connect, get the IP, and when they disconnect, get the IP of the disconnected client; also, on any change, update the DB. I want to use the options --client-connect /path/script_parsing_connected_IP.sh --client-disconnect /path/script_parsing_disconnected_IP.sh. When I try it, I will tell you if it works. – taybinakh Jun 29, 2019 at 22:14
- 1 Hi, I tried what you told me and it works. I also wrote a client-connect script and can get the IP address from the environment variables common_name and ip_config_pool, and it works... Now I will develop my script to know at runtime (receive a notification) when a client connects or disconnects, and store it in the DB. – taybinakh Jul 4, 2019 at 14:49
- cat /var/log/openvpnas.log | grep "primary virtual IP" worked perfectly for me 👍 – Sean McCarthy Feb 23, 2023 at 18:34
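The log-scraping approach from the answer and comments above, as an added example that is not part of the original answer: it pulls each "primary virtual IP" line out of the server log and stores common name, virtual IP and real IP in SQLite. The log lines are constructed on the format shown in the server log earlier on this page; the table layout, function names and client names are assumptions, and common names containing spaces are not handled.

```python
import re
import sqlite3

# Matches e.g. "... MULTI: primary virtual IP for alice/203.0.113.10:62920: 10.8.0.22"
LEASE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?"
    r"MULTI: primary virtual IP for (?P<cn>[^/\s]+)/(?P<real>[\d.]+):\d+: "
    r"(?P<vip>[\d.]+)\s*$"
)

def parse_leases(lines):
    """Yield (common_name, virtual_ip, real_ip, timestamp) per assignment line."""
    for line in lines:
        m = LEASE_RE.search(line)
        if m:
            yield m.group("cn", "vip", "real", "ts")

def store(conn, leases):
    """Keep one row per common name; a later assignment replaces the earlier one."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS leases ("
        "cn TEXT PRIMARY KEY, virtual_ip TEXT, real_ip TEXT, seen TEXT)"
    )
    # Placeholders, never string formatting: the common name comes from the
    # client certificate and must be treated as untrusted input.
    conn.executemany("INSERT OR REPLACE INTO leases VALUES (?, ?, ?, ?)", leases)
    conn.commit()

# Constructed sample log (documentation address ranges, hypothetical clients).
SAMPLE_LOG = """\
Apr 3 11:35:14 ovpn-server1[6149]: alice/203.0.113.10:62920 MULTI: Learn: 10.8.0.22 -> alice/203.0.113.10:62920
Apr 3 11:35:14 ovpn-server1[6149]: alice/203.0.113.10:62920 MULTI: primary virtual IP for alice/203.0.113.10:62920: 10.8.0.22
Apr 3 11:36:02 ovpn-server1[6149]: bob/203.0.113.11:40112 MULTI: primary virtual IP for bob/203.0.113.11:40112: 10.8.0.26
Apr 3 12:10:47 ovpn-server1[6149]: alice/198.51.100.7:51820 MULTI: primary virtual IP for alice/198.51.100.7:51820: 10.8.0.22
"""

def load_sample():
    """Parse the sample log into an in-memory database and return the connection."""
    conn = sqlite3.connect(":memory:")
    store(conn, parse_leases(SAMPLE_LOG.splitlines()))
    return conn

if __name__ == "__main__":
    for row in load_sample().execute("SELECT * FROM leases ORDER BY cn"):
        print(row)
```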
You should have a look at /etc/openvpn/openvpn-status.log:
- 1 I used the OpenVPN hooks "--client-connect" and "--learn-address". Via common name and virtual address: when the user connects to OpenVPN, the script returns these values. – taybinakh Sep 4, 2020 at 9:24
See the picture below to see what this looks like: Next go to User Permissions and select a user you want to assign a static IP address. Click show to reveal more options for this particular user, and then set Select IP addressing to use static. Now a field is revealed where you can enter an IP address that falls within the static IP address ...
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (codified in RFC 1918): 10.0.0.0: ... Running an OpenVPN server on a dynamic IP address. While OpenVPN clients can easily access the server via a dynamic IP address without any special configuration, things get ...
I had some problems configuring like @jas_raj. Now I am doing the next: 1) In /etc/openvpn create a new folder. For example " dir ". 2) server.conf add line " client-config-dir dir/ ". 3) Inside "dir", you need to create a new file with the **same name that you wrote in your cert ** and type: ifconfig-push IP MASK.
For example if you wish that your server uses 10.8.0.254 IP instead 10.8.0.1 then you need to make few changes to your config file. First change "proto tcp" or "proto udp" line into "proto tcp-server" or "proto udp-server". Then comment out this line: server 10.8.0.0 255.255.255.. and add these lines instead:
Verify Static IP Address Assignment on OpenVPN Clients. Assuming you already have the respective client OpenVPN configuration file on your clients, initiate the connection and verify the IP address assignment. sudo openvpn johndoe.ovpn. Checking the assigned IP address; ip add show tun0
13. Create a file with the username where you would like to setup the static IP (in my case, vpnUser1 and vpnUser2). sudo vi vpnUser1. 14. Enter the line below in the newly created file. NOTE: the IP address should always increment by 4 and the second IP address in the string should always be one less than the first.
I'm using bridged openvpn server and the openvpn 'dhcp' emulation (server-bridge instruction in my server.conf) to assign ip addresses to my clients. When I connect to it, I see no errrors in logs and everthing seems to be fine. However, the tap0 interface on the client side has no ip address assigned.
Here's a diagram: In this VPN Scenario you keep your IP address from your local DHCP server, but your router now has a route to the remote Private LAN, through the tunnel, and you can ping the private IP addresses of the Remote LAN. (The tunnel is able to bypass NAT and Firewall, Tunnel = a virtual interface on your local router that connects ...
Administration > System > Enable SSH > LAN only. Open SSH client of choice. Windows - Use Windows Powershell. Mac - Use Terminal. SSH into router by typing the following command (change your username to whichever you use when logging in, and IP address to your default gateway) ssh [email protected]. Enter your password when prompted.
Option 2: Assign IPv6 IP addresses to VPN clients from a group pool. Follow these steps to use a group address pool to assign IPv6 IP addresses to your VPN clients through their assigned group. Note: In our example, we have a group named "Brandon-Test" and the VPN user named "test." The user, test is already assigned to the group, Brandong-Test.
When a VPN Client connects to your Access Server, it is assigned a unique IP address on the virtual VPN IP network. This is managed by the dynamic IP address network you can configure with this page. You can define the VPN IP subnetworks that an address is pulled from when a user connects to the network.
For a multiclient OpenVPN configuration, as we can find from the relevant documentation (server.conf comments), Configure server mode and supply a VPN subnet for OpenVPN to draw client addresses from. The server will take 10.8.0.1 for itself, the rest will be made available to clients. Each client will be able to reach the server on 10.8.0.1.
Although it's possible to assign a static IP address to a user, there is currently no option to assign a static IP address to a device. In addition, static IP address assignment imposes other limitations that make the option challenging. Also, the inability to connect to geographically dispersed VPN servers is severely limiting.
The OpenVPN server always uses the first usable IP address in the client network and only that IP is pingable. E.g. if you configured a /24 for the client network mask, the .1 address will be used. The P-t-P address you see in the ip addr output above is usually not answering ping requests. Check out your routes:
The network mask is /22 while the IP address pool is a lot smaller. So in this case, openvpn will serve dynamic IP addresses within 192.168.144.4-192.168.144.251 and "known clients" identified within client-config-dir will get static addresses within the range 192.168.145.1-192.168.147.254 (manually set).
In that case you are using an OpenVPN Access Server you may want to try: grep "primary virtual IP" /var/log/openvpnas.log** > output_file_name. which will give you a file with all of the IP addresses associated with all the users. From there you can further modify the output to get just the bits you want from the file. Share.
An OpenVPN client can dynamically allocate a network interface device (e.g. tun0) for a connection to a server which can dynamically issue an IP address to the client. Given a shell script that launches the OpenVPN client (which successfully establishes a server connection), how can I find out the network interface, the assigned client IP address and the server's IP address from within the script?
Real IP: The real IP address of the client connected to the Access Server or the user attempting to connect to a web service. VPN IP: The IP address assigned to the client by the Access Server. Proto: The protocol used for the OpenVPN tunnel itself — UDP is generally the better choice here. Port
By default, the VPN server will only request DHCP addresses from a scope that matches the same subnet as the IP address assigned to the VPN server's network adapter. If the VPN server has more than one network interface, it will send DHCP requests from the network interface listed on the Adapter drop-down list, as shown here.
Visit a website that displays your IP address, such as What Is My IP or IP Address Lookup. Take note of the original IP address your Internet Service Provider (ISP) assigned. Open your VPN client ...