kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

How can I ensure openVPN clients persistently take the same VPN IP address? #524

Open LukeAI opened 4 years ago

LukeAI commented 4 years ago

How can I ensure openVPN clients persistently take the same VPN IP address?

I have added client-config-dir ccd to openvpn.conf and created files in /etc/openvpn/ccd/ with the names of the clients, e.g. "/etc/openvpn/ccd/CLIENTNAME", which simply contains 192.168.255.20, but this IP address is not assigned to a client connecting with CLIENTNAME.ovpn.

For context, the point of the VPN is to allow several remote clients to access each other from arbitrary locations, but they should use the default local routing for everything else: www, PoE cameras, etc.

So client certificates/ovpns were generated with:

docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

The client is OpenVPN 2.4.7 on Ubuntu 16.04.

My local .ovpn config:

client
nobind
dev tun
remote-cert-tls server

remote 157.245.203.172 1194 udp

# only route the subnet
route-nopull
route 192.168.255.0 255.255.255.0

# various certificates / keys

My server openvpn.conf:

# client specific configurations
client-config-dir ccd

# allow clients to reach each other
client-to-client

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/XXX.XXX.XXX.XXX.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/XXX.XXX.XXX.XXX.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

albertoZurini commented 4 years ago

Hello! I've just managed to find a way for a client to get a static IP address. Based on these guides (https://www.itsfullofstars.de/2018/09/openvpn-assign-static-ip-to-client/, http://dnaeon.github.io/static-ip-addresses-in-openvpn/), to achieve this you just have to cd into the $OVPN_DATA directory, in my case /var/lib/docker/volumes/ovpn-data-example/_data. In there you will find a directory called ccd; vim a file in this directory with the same name as your client (e.g. for boofoo.vpn create a boofoo file) and put this content into it: ifconfig-push 192.168.255.11 192.168.255.1, where the first address is the IP of your client and the second is the IP of your VPN. You can get your VPN IP address by running docker exec -it CONTAINER_ID /bin/bash and then running ifconfig. To find CONTAINER_ID, run docker container ls. I had no need to edit the openvpn.conf file, even though the ccd property is not set.

cagnulein commented 4 years ago

@albertoZurini I think you have to add this step too:

One last thing that you need to do is to reserve this IP address, so that you don’t end up with duplicate client addresses in your OpenVPN subnet.

This is done by adding an entry in the persistent IP pool file, which is usually called ipp.txt and defined by the ifconfig-pool-persist option.

What do you think?
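
The two steps described in the comments above (write ccd/<CN> with an ifconfig-push line, then reserve that address in ipp.txt so the dynamic pool cannot hand it to another client) as one script. This is an added example, not code from this thread or from the kylemanna/docker-openvpn project. It assumes the server config carries both client-config-dir ccd and ifconfig-pool-persist ipp.txt, that ipp.txt uses OpenVPN 2.4's two-column cn,ip layout, and that OVPN_DIR points at the data volume (the /var/lib/docker/volumes/.../_data path mentioned above). The VPN_NET, SERVER_IP and TOPOLOGY defaults, and the function names, are the example's own; it also goes a step beyond the thread by validating the address pair for OpenVPN 2.4's default net30 topology, where only every fourth address is usable by a client.

```shell
#!/bin/sh
# Added example, not code from this thread or from kylemanna/docker-openvpn.
# Pins a fixed VPN address for one client: write ccd/<CN> with an
# ifconfig-push line, then record <CN>,<ip> in ipp.txt so the dynamic pool
# can never assign that address to a different client.
#
# Assumptions (not stated on the page): the server config contains
#   client-config-dir ccd
#   ifconfig-pool-persist ipp.txt
# and ipp.txt uses OpenVPN 2.4's two-column "cn,ip" layout. Set OVPN_DIR to
# the volume path (e.g. /var/lib/docker/volumes/ovpn-data-example/_data).

OVPN_DIR="${OVPN_DIR:-/etc/openvpn}"
CCD_DIR="${CCD_DIR:-$OVPN_DIR/ccd}"
IPP_FILE="${IPP_FILE:-$OVPN_DIR/ipp.txt}"
VPN_NET="${VPN_NET:-192.168.255.0}"       # from "server 192.168.255.0 255.255.255.0"
VPN_MASK="${VPN_MASK:-255.255.255.0}"
SERVER_IP="${SERVER_IP:-192.168.255.1}"   # first pool address, taken by the server
TOPOLOGY="${TOPOLOGY:-subnet}"            # "subnet", or OpenVPN 2.4's default "net30"

# Dotted quad -> integer. Fails on anything that is not four 0-255 octets
# (leading zeros are rejected so the arithmetic never sees an octal literal).
ip2int() {
    printf '%s\n' "$1" | grep -Eq '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$' || return 1
    ( IFS=.; set -- $1
      for o in "$1" "$2" "$3" "$4"; do [ "$o" -le 255 ] || exit 1; done
      echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Succeeds only if $1 lies inside VPN_NET/VPN_MASK.
in_vpn_subnet() {
    ip=$(ip2int "$1") || return 1
    net=$(ip2int "$VPN_NET") && mask=$(ip2int "$VPN_MASK") || return 1
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Second word of the ifconfig-push line. With "topology subnet" it is the
# server address. With net30 each client owns a /30: its address is
# base+4n+2 and its peer base+4n+1 (e.g. 192.168.255.6 192.168.255.5);
# base+2 is the server's own /30, so it and any other offset are rejected.
push_peer_for() {
    ip=$(ip2int "$1") || return 1
    case "$TOPOLOGY" in
        subnet) echo "$SERVER_IP" ;;
        net30)  off=$(( ip - $(ip2int "$VPN_NET") ))
                [ $(( off % 4 )) -eq 2 ] && [ "$off" -ge 6 ] || return 1
                int2ip $(( ip - 1 )) ;;
        *)      return 1 ;;
    esac
}

# Succeeds if address $1 is already held by a client other than $2, in another
# ccd file or in ipp.txt. Two clients on one address is exactly the failure
# the ipp.txt reservation exists to prevent.
ip_already_used() {
    for f in "$CCD_DIR"/*; do
        [ -f "$f" ] && [ "${f##*/}" != "$2" ] || continue
        grep -qE "^ifconfig-push[[:space:]]+$1([[:space:]]|$)" "$f" && return 0
    done
    [ -f "$IPP_FILE" ] && grep -E "^[^,]+,$1(,|$)" "$IPP_FILE" | grep -qv "^$2," && return 0
    return 1
}

# Write ccd/<name> and the ipp.txt reservation, then print the pushed line.
# $1 is the client name and must equal the certificate's common name exactly,
# since that is the only thing OpenVPN matches the ccd file on; $2 is the address.
add_static_client() {
    name=$1; addr=$2
    case "$name" in ''|*/*|.*|*[[:space:]]*) echo "bad client name" >&2; return 1 ;; esac
    in_vpn_subnet "$addr" || { echo "$addr not in $VPN_NET/$VPN_MASK" >&2; return 1; }
    [ "$addr" != "$SERVER_IP" ] || { echo "$addr is the server address" >&2; return 1; }
    peer=$(push_peer_for "$addr") || { echo "$addr invalid for topology $TOPOLOGY" >&2; return 1; }
    ip_already_used "$addr" "$name" && { echo "$addr already reserved" >&2; return 1; }
    mkdir -p "$CCD_DIR"
    printf 'ifconfig-push %s %s\n' "$addr" "$peer" > "$CCD_DIR/$name"
    # Drop any earlier ipp.txt line for this CN, then append the new reservation.
    { [ -f "$IPP_FILE" ] && grep -v "^$name," "$IPP_FILE"; printf '%s,%s\n' "$name" "$addr"; } > "$IPP_FILE.tmp"
    mv "$IPP_FILE.tmp" "$IPP_FILE"
    cat "$CCD_DIR/$name"
}

# Usage (constructed, matching the question): . ./reserve_ip.sh && add_static_client CLIENTNAME 192.168.255.20
# prints: ifconfig-push 192.168.255.20 192.168.255.1
```

Run it from the host with OVPN_DIR set to the volume's _data directory, or inside the container with the default /etc/openvpn. OpenVPN reads a ccd file each time that client connects, but loads ipp.txt only at startup and rewrites it on its own schedule (every 600 seconds unless ifconfig-pool-persist is given a different interval), so edit ipp.txt with the container stopped and restart afterwards. The validation matters more than it looks: a ccd file whose name does not match the certificate CN is silently ignored and the client falls back to the pool, a bare address without the ifconfig-push keyword (as in the question) is a parse error rather than an assignment, and under net30 an address such as 192.168.255.20 is not one a client can hold at all, so any firewall rule keyed on that address would never match.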

hppyworld commented 2 years ago

Here is the official guide for this: https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/