openvpn ip address assignment

Power Sysadmin Blog

Just Another Enterprise Admin Blog

OpenVPN: Assigning Static IP Addresses to Clients

By default, when connecting, OpenVPN clients receive a dynamic IP from the DHCP range that you set in the OpenVPN server configuration file ( server.ovpn ) server network netmask (for example, server 10.24.1.0 255.255.255.0 ). In some cases, you want certain OpenVPN clients to get the same static IP address every time they connect.

To do this, add the following line to the server.conf file:

client-config-dir /etc/openvpn/ccd

Create a directory:

The contents of the /etc/openvpn/ccd directory must be readable by the OpenVPN user.

If OpenVPN is running under nobody:

In this directory, create a file with the name of the client (the client file name must match the name of the client in the certificate Common Name). For example, for your user with certificate testuser1 ( subject=CN= testuser1 ), you need to create a file with exactly the same name:

If this is an OpenVPN client with Windows, you need to add the following configuration to the file:

#ifconfig-push clientIP serverIP ifconfig-push 10.24.1.10 10.24.1.1

If it’s a Linux OpenVPN client:

#ifconfig-push clientIP Netmask ifconfig-push 10.24.1.11 255.255.255.0

Restart the OpenVPN server service:

Connect to the OpenVPN server from the client and check that it has received the IP address you specified.

For example, on a Linux OpenVPN client, run the command ip add show tun0 and check that the tun0 interface is assigned the IP address 10.24.1.11.

You can also set a list of static IP addresses for OpenVPN clients using the ipp.txt file.

To do this, add the following line to the /etc/openvpn/server.conf configuration file:

ifconfig-pool-persist ipp.txt

Then fill in the list of clients and static IPs in the /etc/openvpn/ipp.txt file:

testuser1,10.24.1.11 testuser2,10.24.1.14 gw1,10.24.1.5

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Current ye@r *

Leave this field empty

Assign Static IP Addresses for OpenVPN Clients

In this guide, we are going to learn how to assign static IP addresses for OpenVPN clients. In most cases, say, if you have some controls in your environment which requires that the hosts have static IP address for the manageability of such controls, you will most likely need to assign a static IP address to your specific clients. OpenVPN supports the assignment of static IP addresses.

Table of Contents

Assigning openvpn clients static ip addresses.

OpenVPN has the ability to assign clients specific IP addresses from the IP pool defined. To achieve this, it uses three types of client IP address selection algorithms. These include, in the order in which they are used;

• Use of --client-connect script . This involves execution of the specified script that generates file containing static IP addresses on the server when a client connects. This method is usually the first choice to be considered.
• Use of --client-config-dir . This involves the use of a file which contains static IP addresses for the clients as per their client certificate common name (CN) ( second choice ).
• Use of --ifconfig-pool for the allocation for dynamic IP ( last choice ).

For more information, consult man openvpn .

In this guide, we are going to use the second option, where by we will configure our OpenVPN server to read a specific file, that contains the client common names and mapped IP addresses. This ensures that, a connecting client is assigned static IP address based on the common name defined on their client certificate.

In our previous guide, we covered the installation and configuration of an OpenVPN server on CentOS 8 system.

Create a File to Store Static IP addresses

The use of the client-config-dir option, requires that the static IP addresses to be assigned to connecting clients be stored in a file that can be read by OpenVPN server.

Therefore, open the OpenVPN server configuration file, /etc/openvpn/server/server.conf , and set your path to static IP assignment file as the value for the client-config-dir parameter.

In this demo, we set the path to store static/fixed IP addresses assignment file to, /etc/openvpn/ccd . Well, I tried to use the default, /etc/openvpn/server/ccd , path but it resulted in the error below;

So as a work-around, we opted to use a different path, as in above.

Assign Static IP Addresses to OpenVPN Clients

For every OpenVPN client that you want to assign static IP address to, you need to extract the common name from that specific client certificate.

In our demo, we have two OpenVPN clients created, koromicha and johndoe . To extract the common names from the clients certificate, use openssl command as shown below. Be sure to replace the clients certificates .

Once you have the common names for the clients, you can then assign them static IP addresses using the ifconfig-push option. For example, to assign the client using the certificate with koromicha as common name an IP address, 10.8.0.50 and client using the certificate with johndoe as CN an IP addresses of 10.8.0.60 , this is how the assignment is done;

Note that, how you assign the static IP addresses depends on the topology you configured your OpenVPN server. In our, case, we set the topology to subnet;

Read more on OpenVPN Addressing Concepts .

Restart OpenVPN Server;

Be sure to always check the logs;

Verify Static IP Address Assignment on OpenVPN Clients

Assuming you already have the respective client OpenVPN configuration file on your clients, initiate the connection and verify the IP address assignment.

Checking the assigned IP address;

On the other client;

Checking connectivity between the two clients;

That is it. We have come to an end of our guide on how to assigning OpenVPN clients static IP addresses.

Related Tutorials

Connect to OpenVPN using Network Manager on CentOS 8/Ubuntu 18.04

Install and Configure OpenVPN Client on CentOS 8/Ubuntu 18.04

Configure strongSwan VPN Client on Ubuntu 18.04/CentOS 8

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Related Posts

Install mongodb on ubuntu 20.04, install mysql 8 on debian 10 buster, add hosts to zabbix server for monitoring, install and setup lynis security auditing tool on ubuntu 20.04, how marketing messages can help your product reach more people, install zabbix agent on windows systems, 1 thought on “assign static ip addresses for openvpn clients”.

i had the same error in Openvpn 2.4.7:

Could not access file ‘/etc/openvpn/ccd/client4’: Permission denied (errno=13)

i had to change the directory outside of openvpn to make it work:

client-config-dir /etc/ccd

Leave a Comment Cancel reply

© 2024 kifarunix.com

Setup a Static IP Address for OpenVPN Clients on your Synology NAS!

• Post author: WunderTech
• Post last modified: November 2, 2022
• Post category: Synology / VPN / Xpenology
• Reading time: 10 mins read

Today we are going to look at how you can setup a static IP address for OpenVPN on a Synology NAS.

When you setup a VPN server on your Synology device, the IP addresses are dynamic when a user connects. What this means is that every user will have a different IP address when they connect and the order in which they connect determines what the address will be. In other words, it’s totally random. There are many cases where using a static IP address is necessary, and today we are going to go through the process of configuring this.

If you have not configured your VPN Server, you must do it before proceeding. I have instructions on how to do it here .

Setup a Static IP Address for OpenVPN on a Synology NAS – Instructions

• First off, you need to be able to SSH into your Synology device. If you aren’t sure how to do that, you can watch this quick 90 second video that shows you how .
• SSH into your Synology NAS and navigate to the VPNCenter folder by running this command:

3. At this point, we need to create a directory which is where we will store our users and their predetermined IP addresses. Run this command to create a folder.

4. Now that this directory is created, we need to give users the rights to execute items in this folder by running the command below. If you’d like to read more about what permissions this command grants, you can do so  here .

5. The next step involves reconfiguring the OpenVPN configuration file to check our newly added folder for files. Run these commands to navigate to the folder and edit the configuration file.

6. When you have the configuration file open, add the line below inside of the file. NOTE: you will need to use vi to edit this file. If you aren’t sure how to use the vi editor, check out this tutorial . In its simplest form, press “i” to insert and when the line is entered/changed, press “Escape” to stop editing, then type “:wq” to quit.

7. After the file has been saved, navigate to the radiusplugin.cnf folder by typing this command:

8. Edit the radiusplugin.cnf file by typing this command. See instructions above on how to use the vi editor.

9. Change the “true” flag to “false” for “overwriteccfiles”.

10. The server configuration is now complete. The final step is to determine which VPN users should have static IP’s and create a file letting the system know what IP address should be assigned to that user account. The file name must be the EXACT username that will be connecting to the VPN (in my case, vpnUser1 and vpnUser2). Another important note is that when you configured your VPN server, you defined a dynamic IP address that is the IP address that will be given to clients that are connecting. In my example, VPN connections are given an IP address of 10.5.0.X.

11. Navigate back to the userIPs directory

12. To show how the configuration is setup, I have created two user accounts (vpnUser1, vpnUser2). When they connect, I want vpnUser1 to connect to the 10.5.0.10 IP address and vpnUser2 to connect to the 10.5.0.14 IP address. By default, the first IP address given is 10.5.0.6. For this reason, I don’t recommend using the .6 IP address, so it’s best to start at .10 and increase that number by four for every additional user. Follow the instructions below to configure this.

13. Create a file with the username where you would like to setup the static IP (in my case, vpnUser1 and vpnUser2).

14. Enter the line below in the newly created file. NOTE : the IP address should always increment by 4 and the second IP address in the string should always be one less than the first.

15. I will do the same for vpnUser2.

16. We now need to change the permissions on these files. To do that, run the commands below. If you’re interested in seeing what these permissions are, you can view the information here .

17. Reboot your Synology device and try and connect to your VPN. I suggest using your mobile phone and mobile network (as you cannot be on the same network). You should see that each VPN user that connects has the IP address that we configured above.

In general, dynamic IP addresses are fine and the majority of people won’t need to know what IP address is assigned to each device. However, in very specific situations, there may be a requirement where an administrator needs to know that a specific device will be assigned to a specific IP address. This easy tutorial gives you the exact steps that you need to conduct to accomplish that. After setting this up, you can take this one step further and backup your Synology NAS to a Raspberry Pi off-site using Hyper Backup !

Thanks for reading, and leave any questions you have in the comments!

You Might Also Like

Synology vs. QNAP: Side-by-Side Comparison

Unraid vs. Synology: Side-by-Side Comparison

How to Install Grafana on a Synology NAS

How to SSH into a Synology NAS

This post has 23 comments.

How about static IP addresses for L2TP/IPSEC? I can do this fine with OpenVPN, but can’t find a way to do it with L2TP. Any suggestions?

I unfortunately haven’t setup L2TP/IPSEC, but if I get some time, I will see if I can come up with something. If I can, I will try and create a tutorial for it!

Thank you. I’ve followed your easy instructions .. and it works.

Do you have an idea how to resolve the issue with the DNS names. It’s necessary to use the fixed IP address for setting up the backup process. Using the given Synology Server name (e.g. SynoBackup) would be fine.

brg Wolfgang

Is there a possibility to set a static IP when connected with DSM as an OpenVPN Client (to any other server)?

Can you explain this a little further? When you say set a static IP when connected with DSM, what exactly do you mean by that?

Let me know and hopefully I can help!

Sure, There’s an OpenVPN Server somewhere on the internet (OPNSense, non DSM), my DS is connected to that server. Usually the Server assigns an IP (lets say 10.11.12.13) to that server. Upon reconnect it would assign a new IP. Now I want to find a way to set a static IP (lets say the same 10.11.12.13 or something in that /24 subnet) so other components can reliably access the DS with that IP.

I did some preliminary research on OPNSense as I’ve never used it, but I don’t want to point you in the wrong direction. You would know better than me, but this link looks like it might have what you’re looking for: https://forum.opnsense.org/index.php?topic=2516.0

One thought I had is if you’re trying to access DSM through the mDNS name (NASName.local)? If it doesn’t work, you might have to figure out how to get DNS to work on OPNSense.

I apologize for not having a better answer. I just haven’t used OPNSense and for that reason, can only try and give a few suggestions. If you have any other questions that you think I can help with, please let me know!

Many thanks for this! I have my main Diskstation at home and a remote smaller Diskstation on a University network which I use for backups.

I can’t connect to the remote one directly, but I can tell it to connect to my home VPN and, using this, I can give it a predictable IP address there, which means I can set up snapshot replication to it. Splendid!

Glad to hear it worked, thanks for reading the tutorial!

It worked with my DSM. Thank you.

Glad to hear it worked, thanks for checking out the tutorial!

Thanks for this article this really helped. I did discover a few things that will make this easier. With the ifconfig-push command I believe the second IP should be the gateway. So instead of: ifconfig-push 10.5.0.10 10.5.0.9 This would be: ifconfig-push 10.5.0.10 10.5.0.1

It’s also not necessary to restart your Synology, you can actually just restart the vpn service with the command synoservice –restart pkgctl-VPNCenter I actually just setup a scheduled task that is disabled,so I can restart this from the web interface.

This is very helpful, thanks so much for sharing it!

Hello, According to this page : https://linuxfr.org/forums/linux-debian-ubuntu/posts/tuto-howto-fixer-ip-des-clients-sur-openvpn it should be the network mask : ifconfig-push 10.5.0.10 255.255.255.0 according to the official website : https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/ it whould be like written in the tutorial

A second thing, the “synoservice” command is not working under DSM 7. I think one can stop and launch again the vpnserver in the application portal.

I used version of this tutorial and my method for application portal and it connected with the good ip.

on my nas under DSM 7.0 $ openvpn –version OpenVPN 2.4.9 according to the official doc of 2.4 https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ the second argument should be the remote-netmask so ifconfig-push 10.5.0.10 255.255.255.0

I will have to look and see if anything changed with DSM 7. I created this tutorial for DSM 6, but have no doubt that there could be some changes with DSM 7. Thanks for letting me know!

I have implemented this configuration and my client is unable to connect with the VPN Server when I have the client config dir directive in my openvpn.conf. All file modes have been set properly, and connecting with a dynamic ip goes perfect, but once i enable the client-config-dir is just fails. I have configured everything as user root.

Has anyone else experienced this problem? And solved it?

I unfortunately haven’t seen that error before, so it might be a little harder to troubleshoot. Are you receiving any errors in Synology’s log?

Not sure which log(s) to look at, the VPNCenter logs at the vpn server dont show anything (useful). BUt if you have suggestions, they’re welcome 🙂 Maybe at the client side or something…

The logs are buried in the terminal, unfortunately. I have used them, but I’m not exactly sure where they are off the top of my head. If I get some time, I will check and let you know. If you want to explore, they’re in there!

Hmm strangely enough it seems to work now with static ip. Not sure anymore what I changed, but I enabled the client config dir yesterday and restarted the VPNCenter package and after that the client got the assigned static ip…

Thank you for this, it’s incredibly useful! I dont expect it to be reliable but I combined this with 4 4TB usb hdd’s in raid 10 with mdadm. Works well so far.

I noticed my pi doesnt seem be mapped to a hostname anymore, is it possible to assign a hostname that devices that my regular subnet will recognize? thanks!

Do you mean through the OpenVPN connection? If so, you can, but you have to implement a DNS server and pass that DNS server to the device through the config file. It should then be resolvable through domain name!

Comments are closed.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How Does a VPN Manage Local IP Addresses

When you have devices with the same static IP addresses on two networks how does a VPN keep them straight?

Example: I have a small network in my home office with 3 computers. I routinely connect to a remote office that has a Sonicwall router w/VPN using the Sinicwall VPN client on my main machine. Once connected, I am still able to access devices on both networks which use static IPs (they are servers.)

Both LANs use 192.168.0.x addressing. When I specify using a device like a server or printer at say 192.168.0.10 how does it determine whether to use the address on my physical local LAN or the one on the remote LAN?

Is it doing NAT translation similar to what the router does when it connects to the Internet?

Am I just "lucky" it's working?

2 Answers 2

To answer your question, Yes, you're "lucky" it's working.

When you connect to your VPN, your tunnel interface is assigned an IP by that remote DHCP server. So you're technically routing from the VPN server to your remote devices. You're probably connecting to your servers via their DNS names or something, which is resolved by your DNS servers locally. In which case if it couldn't find it, it'll search in your remote office.

So technically yes, this'll work. But it is not very efficient.

So for eg. your VPN client is assigned an address by the SSL VPN. Which could be a different network address range. (eg. 172.16.32.0/16) While your remote network is working in the 192.168.1.0/24 range. The VPN server can be configured to bridge the two networks together.

The IP that your VPN client gets is not from the remote site's system/router's DHCP server, but rather the VPN server's DHCP server.

About the DNS, I don't really know how to explain properly. It uses a mix of DNS, ARP and RARP requests to determine the correct device. Hopefully this is enough to understand.

• How does it search the remote office if it's not finding it via "local" DNS servers? And which ones are the local DNS servers? If he's receiving DHCP from the remote machine, won't he be using the office's DNS servers? I'm confused. –  rtf Jan 15, 2013 at 16:14
• @r.tanner.f Let's say A is the network he is in, and B is the remote site. He has 2 IP addresses in 2 "different" networks but his default path will be routed through the VPN(B). Which is why the remote servers(B) appear to be "local". Even so, because he is still technically on his local network(A), he will be able to access his local servers(A). I am guessing your confusion comes from thinking that he has 2 routers connected through a VPN tunnel. That'll be different, but in his current setup, only his computer is connected as a client. –  whoiskai Jan 15, 2013 at 16:32
• Ah, yes that clears some things up. Still a little confused about the DHCP and DNS bits. Could you edit your answer? –  rtf Jan 15, 2013 at 16:46
• @r.tanner.f edited, hope it helps (: –  whoiskai Jan 15, 2013 at 17:46

How Does a VPN Manage Local IP Addresses and how does a VPN keep them straight?

I had this exact same question!

The thing is, it depends entirely on the VPN Technology, and there's well over ten different VPN Technologies. I'll discuss three popular ones.

• VTIs (new, somewhat similar effect to DMVPN)

OpenVPN (Which I think works similarly to your Sonicwall): You install client software on your PC that creates a virtual adapter. So now your PC has a physical Ethernet Port with an IP address on your local LAN, that allows you to ping to static servers on your local LAN. When you connect to the Remote VPN your virtual network adapter will get a virtual IP address. Where does it get this virtual IP address? You won't get it from your Local DHCP Server, and you won't get it from the DHCP server on the remote network either. The VPN Server has it's own pool of IP Addresses just for VPN clients, and the VPN Server has a spot to configure the DNS info given to remote VPN clients. I think OpenVPN uses 10.8.0.0/16. Your Virtual Interface will get a Virtual IP address from the range reserved for remote VPN clients. Note that the Virtual IP address is an IP address that exists on the remote Private LAN, and that's how you can ping the static IP address of servers on the remote private LAN. So by having two interfaces one physical and one virtual, you can ping local LAN servers and remote LAN servers, also the physical interface is configured with your local DNS server, and the virtual interface is configured with the remote DNS server. So you can resolve both local DNS and remote DNS.

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged networking vpn ip ..

• The Overflow Blog
• Want to be a great software engineer? Don’t be a jerk.
• Climbing the GenAI decision tree sponsored post
• Featured on Meta
• New Focus Styles & Updated Styling for Button Groups
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network
• Google Cloud will be Sponsoring Super User SE

Hot Network Questions

• What is the difference between mind and consciousness?
• She got her bag caught vs. She had her bag caught
• How do I properly exit a program and return to the CCP in CP/M?
• How precise are future Solar eclipse timing, path and dates, what could change timing/path?
• Is adapting existing melodies a useful way to improve composition skill?
• Was cuneiform ever 'written'?
• Why are Let's Encrypt security certificates invalidated prior to schedule on affected Android devices?
• Space before superscript and Subscript
• QGIS: Count points directly left/right of line using geometry generator
• Why does one airliner fly along the coast and the other doesn't?
• I need a word for the atmosphere between two people
• Calculate the offset needed to invert / collapse faces to center of a dodecahedron usiing geometry nodes
• First mention of Einstein in Science Fiction?
• can a manager ask me to find someone to cover shifts AFTER I quit?
• How to equally split college fund between 2 children going to college 5 years apart?
• What's to stop domain registrars from price gouging renewals?
• Split String Function Implementation in Python
• Cheapest unstoppable, mandatory infinite loops in Magic the Gathering
• What is SpaceX doing differently with their Falcon 9 so that it doesn't cost as much as the Space Shuttle?
• Does the book of Revelation teach that all miracles during the end times will be of Satan?
• Is the EUPL circumventable?
• Is this self-plagiarism?
• Almost sure probability in convergence, versus 0 probability in reality
• Fixed Repeating Output

DEV Community

Posted on Nov 18, 2019 • Updated on Dec 30, 2019

Assigning Static IP for OpenVPN on Asus Routers

Configure a static IP so that you will always be assigned the same VPN IP address based on your username

SSH into Router

Open your router at 192.168.0.1 (or whichever gateway you're using)

Administration > System > Enable SSH > LAN only

Open SSH client of choice Windows - Use Windows Powershell Mac - Use Terminal

SSH into router by typing the following command (change your username to whichever you use when logging in, and IP address to your default gateway)

ssh [email protected]

Enter your password when prompted

Create Script

Create a scripts folder in '/jffs/scripts'

cd ../../../jffs; mkdir scripts; cd scripts;

Create new file 'clientconnect.sh'

cat > clientconnect.sh

Enter this script: (explanation later)

Save by pressing Enter, then Ctrl-D

Verify that the script has been saved. You should see the full code.

cat clientconnect.sh

Grant execution permissions

chmod +x clientconnect.sh

Execute script on connect

VPN > OpenVPN > VPN Details > Advanced Settings

Enter this code under "Custom Configurations"

Reference #1 Reference #2

Connect to OpenVPN

Create two OpenVPN users User 1: test User 2: test2

Connect to OpenVPN with both accounts using your OpenVPN client of choice

You should be connected to 10.8.0.18 with test , and 10.8.0.22 with test2

Modifying the script

If you wish to add more users, simply copy the "elif then echo" block and change the IP address and username.

The first IP can only be in multiples of 4 + 2 (18,22,26,30...), while the second IP must be one number lower than the first (17,21,25,29...)

I suggest not to use lower IPs to avoid collisions as OpenVPN will assign lower numbers first. (OpenVPN starts from 10.8.0.6)

If you wish to change the username, simply replace 'test' or 'test2' with the username of your choice.

Top comments (6)

Templates let you quickly answer FAQs or store snippets for re-use.

• Joined Sep 5, 2020

Hi i follow your steps but, if i activate in the router the script script-security 2 --client-connect /jffs/scripts/clientconnect.sh

i cant conecct in clients, always say user authentication failed, and if quit the srcript conect fine, what happen? can yuou helpme please?

• Joined Apr 17, 2021

Perhaps the error is that the router does not have bash. Try replacing #!/bin/bash with #!/bin/sh On my RT-AC58U it did the trick.

• Joined Apr 3, 2022

Hi, I followed instructions and I think I am basically there but I run into an issue where I can't connect after I enable. Note that everything works fine (server is running etc.) if I don't use the script (i.e. I can connect multiple clients, no issues, with dynamic VPN addresses 10.8.0.2 etc.)

I used the script exactly as shown with the same custom config as above:

script-security 2 --client-connect /jffs/scripts/clientconnect.sh

I am using the script with /sh and not /bash. Running latest Merlin on Asus Router AX88U.

I get an ECONREFUSED error... the rest seems fine I think (though I am intermediary at this stuff at best).

Here is my log (I modified by public IP and login ID):

Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 TLS: Initial packet from [AF_INET]80.45.135.65:62920 (via [AF_INET]91.133.25.56%eth0), sid=12971714 0ee6aadb Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AX88U, emailAddress= [email protected] Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress= [email protected] Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_VER=3.git::58b92569 Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_PLAT=ios Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_NCP=2 Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_TCPNL=1 Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_PROTO=2 Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760 Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_SSO=openurl Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_BS64DL=1 Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0 Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 TLS: Username/Password authentication succeeded for username 'bobbarker' Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1541' Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256 Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 [client] Peer Connection Initiated with [AF_INET]80.45.135.65:62920 (via [AF_INET]91.133.25.56%eth0) Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled) Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_7a70e4845c391ec1.tmp Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI: Learn: 10.8.0.22 -> client/80.45.135.65:62920 Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI: primary virtual IP for client/80.45.135.65:62920: 10.8.0.22 Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Data Channel: using negotiated cipher 'AES-256-GCM' Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 PUSH: Received control message: 'PUSH_REQUEST' Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.50.0 255.255.255.0 vpn_gateway 500,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.22 10.8.0.21,peer-id 1,cipher AES-256-GCM' (status=1) Apr 3 11:35:14 ovpn-server1[6149]: read UDPv4 [CMSG=8|ECONNREFUSED]: Connection refused (code=111)

Any help would be greatly appreciated...

I found my answer... no idea why but I have to use 10.8.0.18 255.255.255.0 in the script instead of 10.8.0.18 10.8.0.19 in the push command.

• Joined Jun 28, 2021

I tried IP ends with [100,99] and it was not working in Windows. But [102,101] works.

openvpn.net/community-resources/co... Refer to the openvpn manual, the last octet in the IP address of each endpoint pair must be taken from the following sets:

[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38] [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58] [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78] [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126] [129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158] [161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190] [193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222] [225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254]

• Joined Nov 14, 2021

it worked perfectly

Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink .

Hide child comments as well

For further actions, you may consider blocking this person and/or reporting abuse

Top 10 Trending Progamming Language

j4acks0n - Apr 10

Desenvolvendo um widget de upload com Flutter 🩵

Suami Rocha - Apr 10

Kafka vs. RabbitMQ: Which is the Right Messaging Broker for your use case?

yogini16 - Apr 10

Digital Identity Solution Market Regional Outlook | Assessing Market Opportunities

Bethany Stewart - Apr 10

We're a place where coders share, stay up-to-date and grow their careers.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

OpenVPN server assigns same IP address (10.8.0.6) to all connected clients

I followed How To Set Up and Configure an OpenVPN Server on Ubuntu 20.04 to setup OpenVPN server. I noticed, when any clients connects to OpenVPN Server, each of them is getting same IP address: 10.8.0.6 .

In /etc/openvpn/server/server.conf , I have these settings so that it can assigns IP addresses in 10.8.0.X .

In ubuntu client:

On my Mac PC:

106.73.138.98 is my IP address I checked with https://whatismyipaddress.com/

Ubuntu, Mac OS and iPhone are behind 106.73.138.98 , which is assigned by local ISP.

/var/log/syslog of when 3 clients connected at the same time:

• Yeah. I intentionally connected all 3 clients at the same time and they're assigned same IP address. By logs do you mean /var/log/syslog ? –  Askar Feb 24, 2021 at 15:21
• Just updated the post with logs information. Thanks! –  Askar Feb 24, 2021 at 15:37

Your logs show that each client connected using the same client certificate, and when that happened OpenVPN dropped the other connection.

As a general rule, different users should have different certificates, but if you want to allow the same user to use the same certificate on multiple devices, you can do what it says and start OpenVPN with the --duplicate-cn option. On Ubuntu you can do this by editing the /etc/default/openvpn file and adding the option to OPTARGS.

would become:

Then restart OpenVPN.

• Awesome! But it looks like this option should be configured in /etc/openvpn/server/server.conf according to community.cisco.com/t5/small-business-routers/… After restarting OpenVPN, now I have 3 different IPs assigned: 10.8.0.10 , 10.8.0.14 and 10.8.0.18 . :) –  Askar Feb 24, 2021 at 15:54
• 1 I should learn reading logs... –  Askar Feb 24, 2021 at 15:54
• You can do it either way. –  Michael Hampton Feb 24, 2021 at 15:57
• For some reason, OPTARGS="--duplicate-cn" didn't work for me... –  Askar Feb 24, 2021 at 15:58
• Hi Michael. You mentioned: "As a general rule, different users should have different certificates". In the tutorial I pasted in my post, I think it was not mentioned about it. Could you please share other good tutorials on OpenVPN stuff? –  Askar Feb 25, 2021 at 11:07

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged ubuntu openvpn ip-address ..

• The Overflow Blog
• Want to be a great software engineer? Don’t be a jerk.
• Climbing the GenAI decision tree sponsored post
• Featured on Meta
• New Focus Styles & Updated Styling for Button Groups
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network

Hot Network Questions

• What's the name of the room where you watch a movie inside the movie theater?
• Do faster responding low-pass filters exist compared to a traditional RC filter?
• NSF grant proposal not reviewed despite being received
• What does an intersection between two universes look like?
• Do you say "my car is high on fuel" as a counterpart of "my car is low on fuel"?
• Colorbar to illustrate the change of a specific parameter
• People who frequently travel in planes are called…?
• First mention of Einstein in Science Fiction?
• Why is remote desktop very slow when host monitor is off unless HDMI cable is used?
• Where is the large cook promotion?
• Bash 4: unexpected EOF while looking for matching `)'
• How do I exhibit the character Ň (U+0147) in my Word 2010? Why the method described in the first paragraph below doesn't work for this character?
• Extreme anxiety before boarding a plane
• How Long Will Boeing Keep the 737 in Production?
• What is this glyph on Feb 23 1940 in a Finnish military calendar?
• Calculate the offset needed to invert / collapse faces to center of a dodecahedron usiing geometry nodes
• Is this self-plagiarism?
• FizzFizzFizzBuzz!
• When teaching Computer Architecture, why are universities using obscure or even made-up CPUs? Why not x86, ARM or RISC-V?
• A false "proof" that record setting events are dependent
• How to rotate a triangle to get this picture?
• Has famine been officially declared in (parts of) Gaza?
• I need a word for the atmosphere between two people
• Legendre's Irrationality Condition for Generalized Continued Fractions

OpenVPN Support Forum

Community Support Forum

Skip to content

• Home Board index Community Project Server Administration Configuration

openvpn IP address pool and client-config-dir

Moderators: TinCanTech , TinCanTech , TinCanTech , TinCanTech , TinCanTech , TinCanTech

Post by vieri » Sun Oct 09, 2016 5:22 pm

Code: Select all

Re: openvpn IP address pool and client-config-dir

Post by TinCanTech » Sun Oct 09, 2016 8:10 pm

• Example: View Original Server mode server tls-server ifconfig 192.168.144.1 192.168.144.2 ifconfig-pool 192.168.144.100 192.168.144.119 In net30 that gives -- ifconfig-pool 5 usable client subnets. View Original Client98 ifconfig-push 192.168.144.198 192.168.144.197 iroute ... etc ... -- client-config-dir does not conflict with -- ifconfig-pool addresses

Return to “Configuration”

• Forum & Website Support
• Community Project
• ↳   Server Administration
• ↳   Configuration
• ↳   Examples
• ↳   Routed Example
• ↳   Installation Help
• ↳   Tutorials
• ↳   Testing branch
• ↳   Scripting and Customizations
• ↳   Authentication Scripts
• ↳   Routing and Firewall Scripts
• ↳   Rolling Your Own Installer
• ↳   Wishlist
• ↳   Cert / Config management
• ↳   Easy-RSA
• OpenVPN Inc. enterprise business solutions
• ↳   The OpenVPN Access Server
• ↳   CloudConnexa (previously OpenVPN Cloud)
• ↳   OpenVPN Connect (Windows)
• ↳   OpenVPN Connect (macOS)
• ↳   OpenVPN Connect (Android)
• ↳   OpenVPN Connect (iOS)
• Off Topic, Related
• Braggin' Rights
• ↳   My VPN
• ↳   Doh!
• Pay OpenVPN Service Provider Reviews/Comments
• Home Board index
• All times are UTC

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How can I obtain the IP address of OpenVPN clients

The OpenVPN server gives an internal IP addresses to each client that is connecting outside of the network. I want to store these IP addresses in a database after they are assigned. Is there an easy way to tell which IP addresses were handed out by the OpenVPN Server?

thanks for Help

• Have you looked at the logs of the OpenVPN server? It should just be a simple matter of grep ing for a successful log in line and piping that to your database utility. –  tudor -Reinstate Monica- Jun 27, 2019 at 3:12
• You can predefine an IP address for each client using entries in the ccd directory. –  Organic Marble Jun 27, 2019 at 16:10
• the address are dynamically assigned –  taybinakh Jun 27, 2019 at 21:23

2 Answers 2

If these aren't statically assigned there isn't a good way to do this other than to extract them from the logfiles since the connections will be randomly assigned IP addresses.

If they are statically assigned AND you are using the Open VPN AccessServer you can do it this way:

which should yield a list of the IP addresses in the output which should look something like this:

where the conn_ip is the connection IP address.

If you are trying to merely log users IP addresses and deposit that info into a DB then you might look at this:

Where are the OpenVPN connection logs and configuration files?

In that case you are using an OpenVPN Access Server you may want to try:

which will give you a file with all of the IP addresses associated with all the users. From there you can further modify the output to get just the bits you want from the file.

• Thanks, yes he address are dynamically assigned i will try that, my goal is to applicate for each user a rule to connect for just some device, for example ,this user X can connect just to device X. also i must first know for each user that he have, and store it in Database. –  taybinakh Jun 27, 2019 at 21:16
• I've modified the answer to get you more/less exactly what you're looking for in your case--it should work on virtually any OpenVPN server--not just the professional one (with a few modifications, like your log names may be a little different.) If that's good enough you can mark it as 'answered'. –  Penguino Jun 27, 2019 at 22:16
• thanks , i will try it, my senrio is when clients are connected get IP and when they are disconnected get IP of disconnected , also for any change ==> update DB i want to use Option --client connect /path/script_parsing_connected_IP.sh -- client disconnecz /path/script_parsing_disconnected_IP.sh when i try it, i will tell you if work –  taybinakh Jun 29, 2019 at 22:14
• 1 hi, i tried what you tell me , its work. i write also a script client-connect and can know adress IP with variable env. common_name and ip_config_pool ans its work... know i will develop my scipt , to know in runtime (receive notification) when a client connect or disconnect and store in DB –  taybinakh Jul 4, 2019 at 14:49
• cat /var/log/openvpnas.log | grep "primary virtual IP" worked perfectly for me 👍 –  Sean McCarthy Feb 23, 2023 at 18:34

You should have a look at /etc/openvpn/openvpn-status.log:

• 1 I used openvpn-hook "--client-connect" and "--learn-address". Via comon name, virtual address , when the user connect openvp the script return these values –  taybinakh Sep 4, 2020 at 9:24

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged scripts openvpn client ..

• The Overflow Blog
• Want to be a great software engineer? Don’t be a jerk.
• Climbing the GenAI decision tree sponsored post
• Featured on Meta
• New Focus Styles & Updated Styling for Button Groups
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network
• AI-generated content is not permitted on Ask Ubuntu
• Let's organize some chat workshops

Hot Network Questions

• What caused pink flares during the eclipse
• What is SpaceX doing differently with their Falcon 9 so that it doesn't cost as much as the Space Shuttle?
• What is the correct formulation of Newton's Second Law of Motion?
• Specify layer when using a geopackage in ogr2ogr
• What's to stop domain registrars from price gouging renewals?
• Can You Train A Neural Network By Simply Giving It Ratings Each Time It Runs?
• Do Trump's lawyers have a fiduciary duty to delay the proceedings?
• Do you say "my car is high on fuel" as a counterpart of "my car is low on fuel"?
• What's the name of the room where you watch a movie inside the movie theater?
• Where is the large cook promotion?
• Why did Nicaragua file a case against only Germany at the ICJ?
• Is it possible to find sum of x^x from a to b without using summation but rather a less computationally heavy method?
• Does the book of Revelation teach that all miracles during the end times will be of Satan?
• How Long Will Boeing Keep the 737 in Production?
• What does an intersection between two universes look like?
• Space before superscript and Subscript
• People who frequently travel in planes are called…?
• Why is a peak in the gain a sign of instability in a closed loop op-amp circuit?
• How important was the US steel industry to the allies during World War II?
• No stomach, how do I eat?
• First mention of Einstein in Science Fiction?
• Can I make attacks non-lethal?
• Almost sure probability in convergence, versus 0 probability in reality
• Why is remote desktop very slow when host monitor is off unless HDMI cable is used?