How to give openvpn clients static IP?

RamiRami Member

Hello everyone,
Can anyone help me with how to give OpenVPN clients static IPs? I tried many things and nothing worked for me

I use @Nyr's project and it works well for me

But now I have a problem with static IPs because I use these accounts on dd-wrt routers that will connect multiple branches

Comments

  • MaouniqueMaounique Host Rep, Veteran

    It is better to use IPSec for that. That will simply bridge the networks over the internet so no problems, all computers on both networks will keep their internal IPs oblivious regarding the way they are bridged over the internet.

  • RamiRami Member
    edited October 2013

    @Maounique actually OpenVPN is working great on it, I solved all the problems and I have the full line speed on it

    And I didn't try IPSec on dd-wrt before but I may give it a try

    P.S. I need static IPs for routers not PCs

  • skaska Member
    edited October 2013

    Edit the server.conf, insert
    client-config-dir /etc/openvpn/ip/.
    Create that ip-directory and create a file for every client with the client-cert-name (eg client1) with the content
    ifconfig-push IP NETMASK.
    After that restart OpenVPN. Now your client gets the IP you specified. See more here.

  • @ska tried it many times before and after making the Discussion and it is not working for me

  • MaouniqueMaounique Host Rep, Veteran

    @Rami said:
    Maounique actually OpenVPN is working great on it, I solved all the problems and I have the full line speed on it

    And I didn't try IPSec on dd-wrt before but I may give it a try

    P.S. I need static IPs for routers not PCs

    My mistake, I thought I read clients some place and thought of computers behind the routers. I still believe IPSec is a more robust approach, the only caveat is to give all LANs different nets, like 10.0.0.0/24 main branch, 10.0.1.0/24 location 1, etc. I did this with openwrt at first, then with dd-wrt recently, it works great at wire speed, but if OpenVPN works just as good...

  • @Rami said:
    ska tried it many times before and after making the Discussion and it is not working for me

    This works for me. But sometimes, when restarting the client and not the server, the client takes a different IP. It's strange and I need to restart the server and the client. After that all goes ok.

  • @Maounique I did not use it on dd-wrt before (do even know how ;) )

    what is the referent between both?

  • MaouniqueMaounique Host Rep, Veteran
    edited October 2013

    Well, they are very different. IPSec is very old and established, implementations are mature and very resilient. It has support in hardware for major vendors, especially Cisco.
    OpenVPN is newer, but very promising, I will have to look again at it since my first impression years ago was not favourable, but time passed and things changed as I see.
    For lan to lan (site-to-site) IPSec is better IMO as well as when you have users that cannot be bothered to install an openvpn client (IPSec is already included in most closed source OSes), for road-warriors if the security is not too important, PPTP will also work for the same reason, if it is likely that someone can do an attack on it, OpenVPN is better, it has no known vulnerabilities, same as IPSec.
    I say site-to-site is better due to the stability of links and recovery when the link is lost as well as the routing between the sites.

  • RamiRami Member
    edited October 2013

    @EkaatyLinux Still can not get it to work

    @Maounique I tried PPTP before but was not what I need speed was not that good (was OK but not the same as openvpn) you already knew this from my other Discussions

    but when I used OpenVPN I was "Impressed" from the speed and all other things and do not forget the powerful encryption you should try it

    P.S. I tried it with OpenVPN AS but its license now not lifetime it is per year ;)

  • @Rami said:
    EkaatyLinux Still can not get it to work

    Maounique I tried PPTP before but was not what I need speed was not that good (was OK but not the same as openvpn) you already knew this from my other Discussions

    but when I used OpenVPN I was "Impressed" from the speed and all other things and do not forget the powerful encryption you should try it

    P.S. I tried it with OpenVPN AS but its license now not lifetime it is per year ;)

    If you want, I can pass my config to you to test :)

  • @EkaatyLinux said:
    If you want, I can pass my config to you to test :)

    that will be great

  • MaouniqueMaounique Host Rep, Veteran

    For a road-warrior that can install own client, OpenVPN is great. For one that cannot be bothered, IPSec will work, but it is better to use PPTP due to ubiquity on most mobile devices unless the probability of an attack is serious, but in reality that is very unlikely. If an attack is possible, then IPSec will do.
    For hobbyists and people that can install and troubleshoot a client, OpenVPN is perfect, especially in restrictive firewall conditions when ports used are very important.

  • bobbybobby Member
    edited October 2013

    In addition to client-config-dir, add ifconfig-pool-persist option, ie:

    ifconfig-pool-persist option 0

    with content:

    client1,ip-of-client1
    client2,ip-of-client2

    Also note that the "ifconfig-push" with client-config-dir is different when using tun and tap. See manual, lots of examples. Good luck

  • RamiRami Member
    edited October 2013

    @bobby I changed it in ipp.txt if that what you mean and still nothing

    give me on the PC client Obtaining configuration and nothing more

    on dd-wrt router give nothing in status>openvpn

  • afterSt0rmafterSt0rm Member
    edited October 2013

    @Rami said:

    that will be great

    The client.conf looks like this:

        client                           # set configuration type
        port 1194                        # set port to use when communicating with the server
        dev tap                          # set the tunnel type
        proto udp                        # set the protocol type
        remote server.domain port        # set server/port
        resolv-retry infinite            # set the retry times to infinite
        nobind                           # don't bind to any interface
        user nobody                      # fall to user nobody
        group nobody                     # fall to group nobody
        keepalive 10 60                  # keep the connection alive
        persist-key                      # persist auth
        persist-tun                      # persist tunnel
        ca xx.crt                        # ca file
        cert xxxxxx.crt                  # cert file
        key xxxxxx.key                   # key file
        tls-auth xx.key 1                # tls file
        comp-lzo                         # enable compression
        link-mtu 1648                    # change mtu
        log-append /var/log/openvpn.log  # log file

    The server.conf looks like this:

        local xx.xx.xx.xx                        # Server IP address through which you connect, replace this with yours
        port xxx                                 # Port the server runs on
        proto udp                                # Protocol to use
        dev tap                                  # Tunnel type
        ca xx.crt                                # Root certificate
        cert xxxxxx.crt                          # Server certificate
        key xxxxxx.key                           # Server key file
        dh xxxxxx.pem                            # DH file
        server 10.0.0.0 255.255.255.0
        ifconfig-pool-persist ipp.txt            # File that keeps track of IP leases
        duplicate-cn
        keepalive 10 60                          # keep the connection alive
        tls-auth xx.key 1
        comp-lzo                                 # Enable compression
        user nobody                              # Run as user nobody
        group nobody                             # Run as group nobody
        persist-key                              # Avoid trying to access unavailable resources after a restart
        persist-tun                              # Avoid trying to access unavailable resources after a restart
        status openvpn-status.log                # Status log for active connections
        log-append /var/log/openvpn.log          # File to append the OpenVPN log
        verb 3                                   # Log verbosity level
        mute 20                                  # Limit the number of repeating messages
        script-security 2                        # Set the security level for the usage of external programs and scripts
        link-mtu 1648                            # set mtu
        client-config-dir /etc/openvpn/clients   # enable per user configuration

  • RamiRami Member
    edited October 2013

    @EkaatyLinux Got it

    from your config and http://lowendbox.com/blog/getting-started-with-openvpn-server/ I knew what was wrong

    I was using tun not tap, when I changed to tap it worked

    Edit: worked on PC client, still trying to get it to work on dd-wrt router

    Thanks to you all for the help
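
Added example, not part of any post in this thread: the tun/tap difference that resolved the question comes down to what `ifconfig-push` expects in each client file. With `dev tap` (or `topology subnet`) it is `IP NETMASK`; with `dev tun` in the `net30` topology it is a client/peer pair from one /30 block. The function names, client names and addresses below are constructed for illustration; the 10.0.0.0/24 network is the one from the posted server.conf.

```python
import ipaddress
import os
import tempfile


def ifconfig_push(client_ip, server_net, mode):
    """Build the ccd line for one client.

    mode "subnet": dev tap or topology subnet -> ifconfig-push IP NETMASK
    mode "net30":  dev tun with topology net30 -> ifconfig-push CLIENT PEER
    """
    net = ipaddress.ip_network(server_net)
    ip = ipaddress.ip_address(client_ip)
    offset = int(ip) - int(net.network_address)
    # Offset 0 is the network address, offset 1 is taken by the server itself.
    if ip not in net or ip == net.broadcast_address or offset < 2:
        raise ValueError(f"{ip} is not a free host address in {net}")
    if mode == "subnet":
        return f"ifconfig-push {ip} {net.netmask}"
    if mode == "net30":
        # Each client owns a /30; its address is the first host of that block.
        if offset % 4 != 1:
            raise ValueError(f"{ip} is not the first host of a /30 in {net}")
        return f"ifconfig-push {ip} {ip + 1}"
    raise ValueError(f"unknown mode {mode!r}")


def write_ccd(ccd_dir, assignments, server_net, mode):
    """Write one file per certificate common name; return {name: line}."""
    if len(set(assignments.values())) != len(assignments):
        raise ValueError("two clients are assigned the same address")
    lines = {}
    for name, ip in assignments.items():
        # The file name is the certificate CN, so refuse path tricks.
        if not name or name.startswith(".") or os.path.basename(name) != name:
            raise ValueError(f"unsafe client name {name!r}")
        lines[name] = ifconfig_push(ip, server_net, mode)
    os.makedirs(ccd_dir, exist_ok=True)
    for name, line in lines.items():
        with open(os.path.join(ccd_dir, name), "w") as fh:
            fh.write(line + "\n")
    return lines


if __name__ == "__main__":
    # Constructed sample: two branch routers on the 10.0.0.0/24 VPN network.
    with tempfile.TemporaryDirectory() as tmp:
        print(write_ccd(tmp, {"branch1": "10.0.0.10", "branch2": "10.0.0.20"},
                        "10.0.0.0/24", "subnet"))
```

A fixed address per certificate name assumes each certificate is connected only once at a time, which the `duplicate-cn` line in the posted server.conf does not enforce.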
