Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Fixed IP Client

    Scheduled Pinned Locked Moved OpenVPN
    20 Posts 3 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sasa1
      last edited by

      Hi,
      I need the openvpn client to be always assigned the same IP address and I made the following configuration in "Client Specific Overrides -> Client Setting -> Advanced":
      ifconfig-push 10.0.2.1 10.0.2.2;

      but sometimes the vpn client has 10.0.2.2 IP address and other times he gets 10.0.2.3
      am i wrong?
      Thanks.

      1 Reply Last reply Reply Quote 0
      • RicoR
        Rico LAYER 8 Rebel Alliance
        last edited by Rico

        Use the CSO IPv4 Tunnel Network box instead of Advanced.
        E.g. you OpenVPN RAS tunnel network is 10.0.2.0/24 put in the CSO IPv4 Tunnel Network 10.0.2.11/24
        And make sure the CSO Common Name matches the User Certificate Name exactly.

        -Rico

        1 Reply Last reply Reply Quote 1
        • S
          sasa1
          last edited by

          Hi,
          I made the requested change but now I have an error when I try the client connection:

          Mon Feb 17 08:35:21 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Mon Feb 17 08:35:21 2020 TLS Error: TLS handshake failed
          Mon Feb 17 08:35:21 2020 SIGUSR1[soft,tls-error] received, process restarting
          Mon Feb 17 08:35:26 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]167.x.x.x:1194

          and in VPN Status I have this:
          [error] Unable to contact daemon Service not running?

          Thanks.

          1 Reply Last reply Reply Quote 0
          • S
            sasa1
            last edited by

            I configured the tunnel again as:
            10.0.2.0/24
            and the link is now up.

            1 Reply Last reply Reply Quote 0
            • S
              sasa1
              last edited by

              I made a mistake because I had made the change in the general configuration and not in CSO.

              1 Reply Last reply Reply Quote 0
              • RicoR
                Rico LAYER 8 Rebel Alliance
                last edited by

                So everything is working now for you?

                -Rico

                S 1 Reply Last reply Reply Quote 0
                • S
                  sasa1
                  last edited by

                  yes

                  1 Reply Last reply Reply Quote 0
                  • S
                    sasa1 @Rico
                    last edited by

                    @Rico unfortunately after three days in which the IP address has not changed this morning it happened again, the client was assigned the address 10.0.2.3 !
                    do I have to change any other parameters?
                    Thanks.

                    1 Reply Last reply Reply Quote 0
                    • S
                      sasa1
                      last edited by

                      Hi,
                      what can I check to solve the problem?
                      Thanks.

                      1 Reply Last reply Reply Quote 0
                      • RicoR
                        Rico LAYER 8 Rebel Alliance
                        last edited by

                        Is your CSO present in the filesystem? Check /var/etc/openvpn-csc/<server>/<user>
                        It should contain your Client IP like this ifconfig-push 10.20.30.40 255.255.255.0
                        Crank up your OpenVPN RAS Verbosity level and see whats happening there. Working CSO logs:

                        user/1.2.3.4:1194 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/<server>/<user>
                        user/1.2.3.4:1194 MULTI: Learn: 10.20.30.40 -> user/1.2.3.4:1194
                        user/1.2.3.4:1194 MULTI: primary virtual IP for user/1.2.3.4:1194: 10.20.30.40 
                        

                        1.2.3.4 = external IP
                        10.20.30.40 = user CSO (fixed IP)

                        -Rico

                        1 Reply Last reply Reply Quote 0
                        • S
                          sasa1
                          last edited by

                          Hi,
                          I have checked in the directory indicated and I find these files (attached image),
                          sorry I have not understood how I can carry out the required verification.server.PNG

                          In addition I also tried the parameter "IPv4 Tunnel Network" with:
                          10.0.2.2/30

                          but after two / three days the problem still present.
                          Thanks.

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            Not sure what your doing exactly... This is pretty straight forward..

                            /30 is really too small to be honest for a tunnel network..

                            Set your tunnel network to be something /24 that does not overlap your local or remote network (should be something uncommon)..

                            You need to highlight which vpn server instance.
                            Then set your clients common name - so this gets applied to the client you want.
                            Then set the ifconfig-push for the IP you want to assign. Prob best to use an IP higher up in the tunnel so unlikely to have an overlap with other clients that might be connected.

                            CSO.jpg

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            S 1 Reply Last reply Reply Quote 0
                            • S
                              sasa1
                              last edited by

                              therefore in:
                              tunnel settings -> IPv4 Tunnel Network
                              I don't have to enter any value?
                              must the field be left blank?
                              Thanks.

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                Your tunnel network should be setup on your actual vpn instance. There would be no reason to enter it here, unless your trying to use a different specific tunnel for this specific client.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • RicoR
                                  Rico LAYER 8 Rebel Alliance
                                  last edited by Rico

                                  I always use the IPv4 Tunnel Network box for my CSOs, like jimp told me to do in one of his hangouts. ☺
                                  My Advanced box is empty.
                                  Never had any problems.

                                  -Rico

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    Well depends if you want to use a specific tunnel for your client.. Or have them share the 1 tunnel network..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    1 Reply Last reply Reply Quote 0
                                    • RicoR
                                      Rico LAYER 8 Rebel Alliance
                                      last edited by Rico

                                      Huh?
                                      My tunnel network is 10.1.10.0/24
                                      First CSO (via IPv4 Tunnel Network box) 10.1.10.11/24, second 10.1.10.12/24 and so on.

                                      -Rico

                                      1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by

                                        Yeah that can work too... I just think its simpler to call it out specific via push ;)

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        1 Reply Last reply Reply Quote 0
                                        • RicoR
                                          Rico LAYER 8 Rebel Alliance
                                          last edited by

                                          Well the box does the very same I think. ☺

                                          -Rico

                                          1 Reply Last reply Reply Quote 0
                                          • S
                                            sasa1 @johnpoz
                                            last edited by

                                            @johnpoz I followed the instructions but after a couple of days the problem is present again, the vpn client has been assigned the IP address:
                                            10.0.2.3

                                            how is it possible ? where am i wrong?
                                            thanks.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.