Why does this allocation of client static IP in OpenVPN fail?
This problem is created because openvpn is trying to parse your ifconfig options as an ip followed by an subnet mask.
According to the man page:
--topology mode
...
subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode allocates a single IP address per connecting client and works on Windows as well. Only available when server and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the --topology directive code. When used on Windows, requires version 8.2 or higher of the TAP-Win32 driver. When used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a remote endpoint IP address.
This option exists in OpenVPN 2.1 or higher.
Note: Using --topology subnet changes the interpretation of the arguments of --ifconfig to mean "address netmask", no longer "local remote".
--ifconfig l rn
Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices in point-to-point mode, rn is the IP address of the remote VPN endpoint. For TAP devices, or TUN devices used with --topology subnet, rn is the subnet mask of the virtual network segment which is being created or connected to. For TUN devices, which facilitate virtual point-to-point IP connections (when used in --topology net30 or p2p mode), the proper usage of --ifconfig is to use two private IP addresses which are not a member of any existing subnet which is in use. The IP addresses may be consecutive and should have their order reversed on the remote peer. After the VPN is established, by pinging rn, you will be pinging across the VPN.
For TAP devices, which provide the....
Inside you server code, you set your topology to subnet
, and then push it to the client using the server
statement.
According to the above documentation, instead of pushing your ifconfig using "local", "remote" address, you need to add the following to "/etc/openvpn/ccd/W7LocalVM":
ifconfig-push 10.5.24.210 255.255.255.252
push route 10.5.24.210 255.255.255.252
# ifconfig 10.5.24.209 255.255.255.252
The last line is probably not needed, but is left as an example what ifconfig-push "should" do on the server side to make the connection work.
Magnus
Updated on September 18, 2022Comments
-
Magnus over 1 year
I am running an OpenVPN server, and I want to assign a specific client a static IP.
This is my server.conf. I think this configures the pool of virtual IPs to span from 10.5.24.209 to 10.5.24.223.
port 443 proto tcp dev tun sndbuf 0 rcvbuf 0 ca ca.crt cert server.crt key server.key dh dh.pem auth SHA512 tls-auth ta.key 0 topology subnet server 10.5.24.208 255.255.255.240 #This netmask should span IPs .208-.223. ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 168.xx.xx.xx" keepalive 10 120 cipher AES-256-CBC comp-lzo user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3 crl-verify crl.pem client-to-client client-config-dir ccd
This is the contents of
/etc/openvpn/ccd/W7LocalVM
, where W7LocalVM is the Common Name of my client. I don't quite understand what this directive does, but I think the first IP should be the desired static IP of my client, and the second IP should be the IP of my server.ifconfig-push 10.5.24.210 10.5.24.209
However, when I try to connect my client with this server configuration, I get the following error:
Mon Aug 07 14:07:34 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.5.24.208/10.5.24.210/10.5.24.209 [SUCCEEDED] Mon Aug 07 14:07:34 2017 MANAGEMENT: Client disconnected Mon Aug 07 14:07:34 2017 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet Mon Aug 07 14:07:34 2017 Exiting due to fatal error
I thought the IP 10.5.24.210 would be within the subnet defined on the server side, and I don't understand why I'm getting this error. Could anyone help me out on this?
-
EJoshuaS - Stand with Ukraine almost 7 yearsI'd suggest asking this on Server Fault instead, could get more helpful of feedback since that site is dedicated to server administration issues.
-
Magnus almost 7 yearsOk. Thank you. Didn't know about that community. Should I repost, or is there some feature that lets me migrate the post?
-
EJoshuaS - Stand with Ukraine almost 7 yearsYou can flag for moderator intervention and ask them to migrate. (For a few sites, like Super User, the community can vote to migrate, but migration to that site has to be done by moderators).
-
-
Magnus over 6 yearsI wrote a comment here asking why you suggested allocating four IPs per client, but I was industrious enough to find the answer for that in the FAQ. Thank you for solving the riddle!
-
Akito about 2 years@Magnus Which FAQ are you referring to? This one? community.openvpn.net/openvpn/wiki/…? Or another one?
-
Magnus about 2 yearsIt's been a while @Akito, and I've forgotten which FAQ it was. I should have had the foresight to link it for future readers. However, I remember that each of the four IPs was required by OpenVPN in some fashion.
-
Akito about 2 years@Magnus I see. It's alright. That already helps. Thank you!