Monday, March 10, 2008

OpenVPN - Clients' Static IP

In server.conf add this line:

client-config-dir /etc/openvpn/ccd

The directory /etc/openvpn/ccd holds one file per client, named with the CN of that client's cert. E.g. for gull.riseup.net, create a file gull.riseup.net, containing something like this:

For Windows clients:
#ifconfig-push clientIP serverIP

ifconfig-push 10.8.0.3 10.8.0.1


For Ubuntu clients:
#ifconfig-push clientIP Netmask

ifconfig-push 10.8.0.3 255.255.255.0

Restart the OpenVPN server and client services.
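A checker for ccd entries like the ones above, applying the TAP-Win32 /30 rule quoted in the comments below and, going a step further, flagging one address pushed to two CNs. This is an added example, not code from the original post or from OpenVPN; the sample file contents and the names heron.example, tern.example and crow.example are constructed.

```python
import ipaddress

# Constructed sample: ccd file name (client CN) -> file contents.
SAMPLE_CCD = {
    "gull.riseup.net": "ifconfig-push 10.8.0.3 10.8.0.1\n",
    "heron.example": "# clientIP serverIP\nifconfig-push 10.8.0.5 10.8.0.6\n",
    "tern.example": "ifconfig-push 10.8.0.9 255.255.255.0\n",
    "crow.example": "ifconfig-push 10.8.0.5 10.8.0.6\n",
}

def is_netmask(text):
    """True for a contiguous dotted-quad mask such as 255.255.255.0."""
    inv = int(ipaddress.IPv4Address(text)) ^ 0xFFFFFFFF
    return inv != 0xFFFFFFFF and (inv & (inv + 1)) == 0

def check_push(local, second):
    """Return a list of problems for one 'ifconfig-push local second' line."""
    ip = ipaddress.IPv4Address(local)
    if is_netmask(second):  # tap / netmask form: second argument is a mask
        net = ipaddress.IPv4Network(f"{local}/{second}", strict=False)
        edge = ip in (net.network_address, net.broadcast_address)
        return [f"{local} is the network or broadcast address of {net}"] if edge else []
    peer = ipaddress.IPv4Address(second)  # tun form: second argument is the peer
    net30 = ipaddress.IPv4Network(f"{local}/30", strict=False)
    problems = []
    if peer not in net30:
        problems.append(f"{local} and {second} are not in the same /30")
    for addr in (ip, peer):
        if int(addr) % 4 in (0, 3):  # .0 and .3 of each 255.255.255.252 block
            problems.append(f"{addr} is the first or last address of a /30")
    return problems

def lint_ccd(files):
    """Map each CN to its problems; also flag one IP pushed to two CNs."""
    report, owner = {}, {}
    for cn, text in sorted(files.items()):
        report[cn] = []
        for line in text.splitlines():
            words = line.split("#")[0].split()  # drop trailing comments
            if len(words) != 3 or words[0] != "ifconfig-push":
                continue
            report[cn] += check_push(words[1], words[2])
            if words[1] in owner:
                report[cn].append(f"{words[1]} already assigned to {owner[words[1]]}")
            owner.setdefault(words[1], cn)
    return report

if __name__ == "__main__":
    print(lint_ccd(SAMPLE_CCD))
```
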

11 comments:

Anonymous said...

Hello. Is there something else about this? It keeps messing up my client IPs as they boot up. And sorry for my bad English!

Tehrani said...

What do you mean? Do you want a static IP for your client? Then go to /etc/openvpn and edit the file ipp.txt. You can specify in this file your optional IP for your client.

For example:

YOURCLIENTNAME,10.38.0.14

Don't forget, YOURCLIENTNAME must be the same as the one you gave at Build Key Generation time.

Then restart your OpenVPN Service on the Server.

Anonymous said...

You MUST stop openvpn before editing this file, or edit a copy in a temp file and then copy it back after openvpn has restarted ;)

Anonymous said...

On a Windows client I had to use
ifconfig-push 10.11.5.10 255.255.255.0

Client openvpn log:

WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0.

alberto said...

Hi,
I've tried to add more than one static client IP. I have the client on Windows XP,
but this returns me this issue:
"
There is a problem in your selection of --ifconfig endpoints [local=10.8.0.3, remote=10.8.0.1]. The local and remote VPN endpoints cannot use the first or last address within a given 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
"

Can you help me?

Neismer said...

"cannot use the first or last address within a given 255.255.255.252 subnet"

So if the mask is /30 and the first IP is for the NetID and the last one is for broadcast, then 10.8.0.3 is the broadcast for the first /30 net.

The usable IPs are .1 and .2

Sorry about my English xD

Neismer said...

Hi,

As the error says, the problem is the IP 0.3, because this IP is reserved for broadcast on the first /30 net.

A /30 net, or .252, has two IPs for hosts and two other IPs for the NET ID and Broadcast, which are the first and the last one, so you have to assign the IPs .1 and .2 to your hosts, and .0 and .3 must not be used.

The next usable IPs will be .5 and .6, and so on.

Sorry about my English xD

LordVan said...

For IPs usable on Windows:

C:\Program Files (x86)\OpenVPN\bin>openvpn.exe --show-valid-subnets
On Windows, point-to-point IP support (i.e. --dev tun)
is emulated by the TAP-Win32 driver. The major limitation
imposed by this approach is that the --ifconfig local and
remote endpoints must be part of the same 255.255.255.252
subnet. The following list shows examples of endpoint
pairs which satisfy this requirement. Only the final
component of the IP address pairs is at issue.

As an example, the following option would be correct:
--ifconfig 10.7.0.5 10.7.0.6 (on host A)
--ifconfig 10.7.0.6 10.7.0.5 (on host B)
because [5,6] is part of the below list.

[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]

Car Rental Lesvos said...

Thank you. I had the same issue and this subnet list helped a lot.