Published: 10 November 2024
Operating Systems tested on: Ubuntu 22.04 ("Jammy Jellyfish")
Software Version: OpenVPN 2.5.11

Description
OpenVPN assigns client IP addresses dynamically, DHCP-style, from the server's address pool.
If you want static IP addresses for clients, you need to configure that manually.

Dependency Check
Verify that you have all the dependencies required for the commands.
Requirements: openvpn, openssl

Starting Assumptions
We assume a fully functional VPN server and multiple user certificates.
We are using a chroot jail; if you are not using chroot, the jail-specific paths can be skipped.

Step 1 - Identify your certificate Common Names
Export the "cert" section from your client OpenVPN configuration into a standalone text file.
Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines so openssl can identify the file.
We will call this file "cert_in_question".

### Checking our cert file ###
cat cert_in_question
-----BEGIN CERTIFICATE-----
MIIDUTCCAjmgAwIBAgIRAOUyzKjmuZ5Z+isYfTisDTQwDQYJKoZIhvcNAQELBQAw
{shortened}
DvIrOYOFeP5XninTXvTm/HTs3nMEJy2gbhXANxB0Z4lwj4vQJQ8V6T609ErzY55K
ge5ZYEwfbsRWOFvMBAONkPw6dFGVXmVyPsSVnPb5wt1AYU+a4Q==
-----END CERTIFICATE-----
### Request the Common Name with OpenSSL ###
openssl x509 -noout -subject -in cert_in_question
subject=CN = mwr_client_4
# Our common name is "mwr_client_4" #

Step 2 - Edit your OpenVPN Server Configuration File
Open your VPN server configuration file to check your IP subnet, then add the new ifconfig-pool-persist line.
For my example, the configuration file is at /etc/openvpn/mwr_server.conf.

### Edit your configuration file ###
cat /etc/openvpn/mwr_server.conf
log mwr_server.log
topology subnet
dev-type tun
dev vpn
port 443
# Our Subnet is a full 256 IPs starting with 172.25.0.0
server 172.25.0.0 255.255.255.0
ncp-ciphers AES-256-GCM:AES-256-CBC
cipher AES-256-GCM
auth SHA256
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
verify-x509-name mwr_client name-prefix
remote-cert-tls client
tls-version-min 1.3 or-highest
# We are using a chroot jail in this configuration
# This jail lives at /etc/openvpn/mwr-jail
# All files need to live in that folder
chroot mwr-jail
# Adding our IP Configuration File inside the mwr-jail folder
# If you are not using a chroot jail, remove "mwr-jail/"
ifconfig-pool-persist mwr-jail/ovpn-user-ipp.txt
user nobody
group nogroup
persist-key
persist-tun
verb 4
mute 20
keepalive 10 60
fast-io
mssfix 1450
dh none
push "block-outside-dns"
push "redirect-gateway def1"
push "dhcp-option DNS 1.1.1.1"
tls-server

Step 3 - Create the IPP configuration file
This file needs to be created with the same name you used in the server configuration file.
For my example, I am putting this file in /etc/openvpn/mwr-jail/ovpn-user-ipp.txt.
If you are not using the chroot jail, use the /etc/openvpn/ folder instead.

### Edit your IPP File ###
# Using the certificate common name we found earlier "mwr_client_4" #
cat /etc/openvpn/mwr-jail/ovpn-user-ipp.txt
# Add lines [Certificate Common Name,StaticIP,] #
mwr_client_4,172.25.0.100,
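A pre-restart sanity check for the IPP file from Step 3, added here as an example (not part of the original guide): it reads the subnet from the server directive and flags entries that are malformed, outside the subnet, on a reserved address, or duplicated. The function names and the sample data are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample input mirroring the page's server.conf and IPP file.
SAMPLE_CONF = """\
topology subnet
server 172.25.0.0 255.255.255.0
"""
SAMPLE_IPP = """\
mwr_client_4,172.25.0.100,
mwr_client_5,172.25.0.1,
mwr_client_6,172.25.1.20,
mwr_client_7,172.25.0.100,
"""

def parse_server_subnet(conf_text):
    """Return the VPN network from the 'server <network> <netmask>' line."""
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
    raise ValueError("no 'server' directive found")

def check_ipp(ipp_text, network):
    """Return a list of problems found in 'CommonName,IPv4,' entries."""
    problems, seen_cn, seen_ip = [], set(), {}
    # Network address, the server's own address (first host) and broadcast.
    reserved = {network[0], network[1], network[-1]}
    for n, line in enumerate(ipp_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        try:
            cn, ip = fields[0], ipaddress.ip_address(fields[1])
        except (IndexError, ValueError):
            problems.append(f"line {n}: expected 'CommonName,IPv4,'")
            continue
        if ip not in network:
            problems.append(f"line {n}: {ip} is outside {network}")
        elif ip in reserved:
            problems.append(f"line {n}: {ip} is reserved (network, server or broadcast)")
        if cn in seen_cn:
            problems.append(f"line {n}: duplicate common name {cn}")
        if ip in seen_ip:
            problems.append(f"line {n}: {ip} already assigned on line {seen_ip[ip]}")
        seen_cn.add(cn)
        seen_ip.setdefault(ip, n)
    return problems

if __name__ == "__main__":
    print("\n".join(check_ipp(SAMPLE_IPP, parse_server_subnet(SAMPLE_CONF))))
```

OpenVPN's documentation describes entries in the ifconfig-pool-persist file as suggestions based on past associations rather than guarantees, and points to --ifconfig-push for guaranteed assignment, so confirm the result from the client as in Step 5.
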
Step 4 - Restarting the OpenVPN Server
Now that we have modified our configuration file and created our IPP file, we need to restart OpenVPN.
For my example, my configuration is mwr_server.conf (/etc/openvpn/mwr_server.conf).

### Restart your OpenVPN Server ###
# I am purposely stopping then starting instead of using the restart command #
systemctl stop openvpn@mwr_server
systemctl start openvpn@mwr_server

Step 5 - Confirm your Client pulled the proper IP
Connect to the VPN server using the mwr_client_4 OpenVPN configuration file.

### FROM THE CLIENT COMPUTER ###
# Check for your VPN Configuration file #
ls -l
-rw-rw-r-- 1 user01 user01 5456 Nov 10 15:48 mwr_client_4.ovpn
# Connect the VPN Configuration file #
sudo openvpn --config mwr_client_4.ovpn
# Check your IP Address #
ip -br a
tun0 UNKNOWN 172.25.0.100/24