Old 05-28-2020, 12:22 PM   #1
aLinux14
LQ Newbie
 
Registered: Mar 2015
Posts: 2

Rep: Reputation: Disabled
openvpn and static ip


I've installed OpenVPN on a CentOS 7 server. My client can connect but I need to use a static IP. I've searched many solutions on the web but I've not fixed the problem.
Below you can view my configuration files.

Thanks a lot for any suggestions

server.conf
Quote:
proto udp
dev tun


ca /usr/share/easy-rsa/3.0.7/pki/ca.crt
cert /usr/share/easy-rsa/3.0.7/issued/server1.crt
key /usr/share/easy-rsa/3.0.7/pki/private/server1.key


dh /usr/share/easy-rsa/3.0.7/pki/dh.pem
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
topology subnet
remote-cert-eku "TLS Web Client Authentication"


tls-auth /usr/share/easy-rsa/3.0.7/pki/private/server1.key 0
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun



status openvpn-status.log


log /var/log/openvpn.log
log-append /var/log/openvpn.log

verb 3
explicit-exit-notify 1
client configuration
Quote:
client
dev tun
proto udp


remote xxx.xxx.xxx.xxx 1193


nobind


persist-key
persist-tun


ca ca.crt
cert client01.crt
key client01.key



cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256



resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

ipp.txt
Quote:
clientIP10,10.8.0.10
clientIP11,10.8.0.11
clientIP12,10.8.0.12
clientIP13,10.8.0.13
clientIP14,10.8.0.14
clientIP15,10.8.0.15
clientIP16,10.8.0.16
clientIP17,10.8.0.17
clientIP18,10.8.0.18
clientIP19,10.8.0.19
clientIP20,10.8.0.20
The file clientIP10 for the static IP contains
Quote:
ifconfig-push 10.8.0.10 10.8.0.1
 
Old 05-28-2020, 06:57 PM   #2
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,448
Blog Entries: 7

Rep: Reputation: 2553
Just a couple of observations:

You haven't included the "server" directive in your server config.

It probably isn't wise to use your PKI key for tls-auth as well. The documentation recommends generating the tls-auth key with openvpn itself, like this:
Code:
$ openvpn --genkey --secret ta.key
Try these tweaks to your configs: (I've commented out a few lines, because I don't think they're necessary. Additions in bold)

server.conf
Code:
port 1193 #you're using a non-standard port, so I think you have to specify it here
proto udp
dev tun
ca /usr/share/easy-rsa/3.0.7/pki/ca.crt
cert /usr/share/easy-rsa/3.0.7/issued/server1.crt
key /usr/share/easy-rsa/3.0.7/pki/private/server1.key
dh /usr/share/easy-rsa/3.0.7/pki/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.x.0 255.255.255.0" #use subnet to access at server end
comp-lzo #you need this at both ends if you want to use compression
ifconfig-pool-persist ipp.txt
#push "redirect-gateway def1 bypass-dhcp" 
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#topology subnet
#remote-cert-eku "TLS Web Client Authentication"
tls-auth /usr/share/easy-rsa/3.0.7/pki/private/server1.key 0 #copy the tls key to the clients
user nobody
group nobody
daemon #Use this and the 2 lines above if running on Linux
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
explicit-exit-notify 1
client.conf
Code:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1193
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
remote-cert-tls server
tls-auth /path/to/tls-auth.key 1 #copy tls-auth key from server to client machine
cipher AES-256-CBC
#auth SHA512
#auth-nocache
#tls-version-min 1.2
#tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
comp-lzo
user nobody
group nobody #Again, only use this line and the one above if client is running on Linux
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
You can rename or move ipp.txt. It'll be automatically generated.

I hope this helps.

Last edited by rkelsen; 05-28-2020 at 08:26 PM.
 
Old 05-29-2020, 08:30 AM   #3
aLinux14
LQ Newbie
 
Registered: Mar 2015
Posts: 2

Original Poster
Rep: Reputation: Disabled
Unfortunately your suggestions don't fix my problem.
I think my OpenVPN works with IPv6; I need only IPv4.

In the log I can see

Code:
Fri May 29 15:29:13 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
Fri May 29 15:29:13 2020 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Fri May 29 15:29:13 2020 Diffie-Hellman initialized with 2048 bit key
Fri May 29 15:29:13 2020 CRL: loaded 1 CRLs from file /etc/openvpn/server/crl.pem
Fri May 29 15:29:13 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri May 29 15:29:13 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri May 29 15:29:13 2020 TUN/TAP device tun-ipv4 opened
Fri May 29 15:29:13 2020 TUN/TAP TX queue length set to 100
Fri May 29 15:29:13 2020 /sbin/ip link set dev tun-ipv4 up mtu 1500
Fri May 29 15:29:13 2020 /sbin/ip addr add dev tun-ipv4 10.8.0.1/24 broadcast 10.8.0.255
Fri May 29 15:29:13 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri May 29 15:29:13 2020 UDPv4 link local (bound): [AF_INET][undef]:1193
Fri May 29 15:29:13 2020 UDPv4 link remote: [AF_UNSPEC]
Fri May 29 15:29:13 2020 GID set to nobody
Fri May 29 15:29:13 2020 UID set to nobody
Fri May 29 15:29:13 2020 MULTI: multi_init called, r=256 v=256
Fri May 29 15:29:13 2020 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP10,10.8.0.10', TODO: IPv6
Fri May 29 15:29:13 2020 succeeded -> ifconfig_pool_set()
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP11,10.8.0.11', TODO: IPv6
Fri May 29 15:29:13 2020 succeeded -> ifconfig_pool_set()
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP12,10.8.0.12', TODO: IPv6
Fri May 29 15:29:13 2020 succeeded -> ifconfig_pool_set()
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP13,10.8.0.13', TODO: IPv6
Fri May 29 15:29:13 2020 succeeded -> ifconfig_pool_set()
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP14,10.8.0.14', TODO: IPv6
Fri May 29 15:29:13 2020 succeeded -> ifconfig_pool_set()
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP15,10.8.0.15', TODO: IPv6
Fri May 29 15:29:13 2020 succeeded -> ifconfig_pool_set()
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP16,10.8.0.16', TODO: IPv6
Fri May 29 15:29:13 2020 succeeded -> ifconfig_pool_set()
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP17,10.8.0.17', TODO: IPv6
Fri May 29 15:29:13 2020 succeeded -> ifconfig_pool_set()
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP18,10.8.0.18', TODO: IPv6
Fri May 29 15:29:13 2020 succeeded -> ifconfig_pool_set()
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP19,10.8.0.19', TODO: IPv6
Fri May 29 15:29:13 2020 succeeded -> ifconfig_pool_set()
Fri May 29 15:29:13 2020 ifconfig_pool_read(), in='clientIP20,10.8.0.20', TODO: IPv6
 
Old 05-29-2020, 05:01 PM   #4
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,448
Blog Entries: 7

Rep: Reputation: 2553
openvpn and static ip

That looks like it's working and ready to accept connections.

If you want to stop the message about ipv6 you can change
Code:
proto udp
to
Code:
proto udp4
.
 
Old 05-29-2020, 06:48 PM   #5
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,805

Rep: Reputation: 1140
Quote:
Originally Posted by aLinux14
I've installed openvpn on Centos 7 server. My client can connect but I need use a static ip.

The file clientIP10 for static ip contain
Code:
ifconfig-push 10.8.0.10 10.8.0.1
I note your ifconfig-push command contains the static IP and what looks like the server address? Is this only for PTP connectivity?

More about addressing using ifconfig-push here...
https://community.openvpn.net/openvp...pts-Addressing

FWIW, I have an OpenVPN server (ubiquiti ER) with multiple clients attached (PTMP), and each has a ccd file with something like
Code:
# OpenVPN Client address
ifconfig-push 10.8.0.14 255.255.255.0

Last edited by ferrari; 05-29-2020 at 06:56 PM.
 
Old 07-08-2020, 06:13 AM   #6
crts
Senior Member
 
Registered: Jan 2010
Posts: 2,020

Rep: Reputation: 757
Quote:
Originally Posted by sahrenity
After configuring the overall OpenVPN client and server infrastructure, you can connect to a VPN. While the server gets normally always the same IP assigned, the client IP address is assigned dynamically from a pool of IP addresses. Meaning: there is no guarantee that the client always gets the same IP address.[<spamlinkg>. OpenVPN allows to assign a static IP to a client.
Spam. Reported.
 
Old 09-23-2020, 01:42 PM   #7
slac-in-the-box
Member
 
Registered: Mar 2010
Location: oregon
Distribution: slackware64-15.0 / slarm64-current
Posts: 780
Blog Entries: 1

Rep: Reputation: 432
server config for static ip

My clients are assigned static ips. It's possible:

On your openvpn server, you need to have /etc/openvpn/ccd populated with files named after your static hosts; here's an example file, /etc/openvpn/ccd/ns1:
Code:
ifconfig-push 10.10.0.53 255.255.255.0
comp-lzo yes
push "comp-lzo yes"
Also in the /etc/openvpn/ccd directory is the ipp.txt file, which has one-line entries for each host, with hostname, a comma, and then static ip; so in my ipp.txt file, I have this line:
Code:
ns1,10.10.0.53
Be sure that these files are owned by the same user that is running openvpn.
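
A small checker for the static-address setup discussed in posts #5 and #7, added here as an example (it is not code from any poster or from the OpenVPN project). It assumes the per-client files are loaded through OpenVPN's client-config-dir directive and that ifconfig-push takes a netmask under topology subnet and a peer address otherwise; the function names, the file name client14 and the trimmed sample configs are constructed for illustration.

```python
import ipaddress

def parse_directives(text):
    """Return {directive: [args, ...]} for OpenVPN config text, dropping # comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            out.setdefault(name, []).append(args)
    return out

def audit_static_ips(server_conf, ccd_files):
    """Return a list of findings for a server config and its per-client files."""
    findings = []
    conf = parse_directives(server_conf)
    if "client-config-dir" not in conf:
        findings.append("server: no client-config-dir, per-client files are never read")
    if "server" not in conf:
        findings.append("server: no 'server <network> <netmask>' directive")
        return findings
    net = ipaddress.ip_network("/".join(conf["server"][0][:2]))
    # OpenVPN 2.4 uses net30 when no topology directive is given
    topology = conf.get("topology", [["net30"]])[0][0]
    for cn, text in sorted(ccd_files.items()):
        for args in parse_directives(text).get("ifconfig-push", []):
            if len(args) < 2:
                findings.append(f"{cn}: ifconfig-push needs an address and a netmask or peer")
                continue
            if ipaddress.ip_address(args[0]) not in net:
                findings.append(f"{cn}: {args[0]} is outside {net}")
            is_mask = args[1] == str(net.netmask)
            if topology == "subnet" and not is_mask:
                findings.append(f"{cn}: subnet topology expects netmask {net.netmask}, got {args[1]}")
            elif topology != "subnet" and is_mask:
                findings.append(f"{cn}: {topology} topology expects a peer address, got a netmask")
    return findings

# Constructed inputs, trimmed from the configs quoted in this thread
POSTED_SERVER = "proto udp\ndev tun\nifconfig-pool-persist ipp.txt\ntopology subnet\n"
SUBNET_SERVER = ("server 10.8.0.0 255.255.255.0\ntopology subnet\n"
                 "client-config-dir /etc/openvpn/ccd\n")
CCD = {"clientIP10": "ifconfig-push 10.8.0.10 10.8.0.1\n",
       "client14": "# OpenVPN Client address\nifconfig-push 10.8.0.14 255.255.255.0\n"}

if __name__ == "__main__":
    for finding in audit_static_ips(POSTED_SERVER, {}) + audit_static_ips(SUBNET_SERVER, CCD):
        print(finding)
```
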
 
  

