OpenVPN site-to-site, multiple site-to-sites, fixed/static OpenVPN client IP address

Ciao!

I have an OpenVPN site-to-site, but it seems I will have multiple site-to-site connections.
How can I configure the OpenVPN client IP address to be static/fixed?

Thanks.

It's the same method you used to configure the first client.
Just generate a key and certificate for each client using a different name.
Then create a config in the client config directory with the name you specified above.

I got this:

client
dev tun
proto udp
remote home.router.patrikx3.com 1194
resolv-retry infinite
nobind
mute-replay-warnings
#
# maybe only in Windows?
# if not working, use this
# ns-cert-type
remote-cert-tls server
key-direction 1
verb 1
mute 20
comp-lzo
askpass /etc/openvpn/secret.key
pull-filter ignore redirect-gateway
cipher AES-256-CBC
# uncomment for Windows 7 clients
#route-method exe
#route-delay 2

Is the first line, which says client, the name of the OpenVPN client?
How can I specify the static OpenVPN client IP address?

Is it this?

root@home:~# cat /etc/openvpn/ccd/digi-client
ifconfig-push 192.168.17.2 255.255.255.0
iroute 192.168.70.0 255.255.255.0

Does ifconfig-push specify the OpenVPN client IP address?

OK, it works, but how do I name it in /etc/openvpn/ccd? How do I know what the next site-to-site will be named? The first is called digi-client; what is the name of the 2nd site-to-site connection? Can I specify something like /etc/openvpn/ccd/digi-client2? How can I name that?

Is that the first line, which says client, as above? Is the first line the name of the connection via /etc/openvpn/ccd/digi-${client-name}?

The file names in the ccd directory are the CNs of the client certificates. Thus you need separate certificates for each client if you want separate client configurations on the server.

I think it would also work with user names with user-pass authentication, but user-pass authentication is not very secure.

It is the name you use to generate a keypair for a new client and later listed as Common Name in the Subject field of the client certificate.
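
Added example, not part of the thread: a shell sketch of the ccd layout the answers above describe, one file per site named after that client certificate's CN. The functions `write_ccd` and `server_routes` are hypothetical helpers; `digi-client2`, `192.168.17.3` and `192.168.71.0` are constructed values, and the `route` lines assume a site-to-site server that must reach each client's LAN.

```shell
#!/bin/sh
# Added example. One ccd file per site; the file name is the client certificate's CN.
# Assumes the server config has: client-config-dir /etc/openvpn/ccd

# write_ccd CCD_DIR CN TUNNEL_IP TUNNEL_MASK LAN_NET LAN_MASK
write_ccd() {
    ccd_dir=$1 cn=$2 tun_ip=$3 tun_mask=$4 lan_net=$5 lan_mask=$6

    # The CN is used as a file name: reject anything that could leave ccd_dir.
    case $cn in
        ''|.*|*/*|*[!A-Za-z0-9._-]*) echo "unsafe CN: $cn" >&2; return 1 ;;
    esac

    # Two clients with the same ifconfig-push address would collide on the tunnel.
    if grep -l -F "ifconfig-push $tun_ip " "$ccd_dir"/* 2>/dev/null |
        grep -v -x -F "$ccd_dir/$cn" | grep -q .; then
        echo "tunnel IP $tun_ip is already assigned" >&2; return 1
    fi

    printf 'ifconfig-push %s %s\niroute %s %s\n' \
        "$tun_ip" "$tun_mask" "$lan_net" "$lan_mask" > "$ccd_dir/$cn"
}

# Each iroute needs a matching "route" line in the server config, otherwise
# the server's kernel never hands that subnet's traffic to OpenVPN.
server_routes() {
    sed -n 's/^iroute /route /p' "$1"/* 2>/dev/null | sort -u
}

# Demo in a scratch directory; digi-client2 and its addresses are constructed.
demo_dir=$(mktemp -d)
write_ccd "$demo_dir" digi-client  192.168.17.2 255.255.255.0 192.168.70.0 255.255.255.0
write_ccd "$demo_dir" digi-client2 192.168.17.3 255.255.255.0 192.168.71.0 255.255.255.0
server_routes "$demo_dir"
rm -rf "$demo_dir"
```

The CN of an existing client certificate can be read with `openssl x509 -noout -subject -in client.crt` before choosing the ccd file name.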

Yes, thanks. The problem is I built the configs on LEDE and those programs are missing, so I guess I just have to use the new easyrsa, and there, as I understand, I can create multiple clients. Thanks very much.
Do you maybe know where I can create client-android.ovpn and client-hawk.ovpn clients? There is no info on how to translate the clients to ovpn format.
Or do I have to do it by hand?

We have the OpenVPN server how-to that configures virtually everything automatically, you just need to carefully copy-paste the code.

There's also a section which generates client profiles and the template is quite simple:

verb 3
dev ${VPN_DEV%%[0-9]*}
nobind
client
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
auth-nocache
remote-cert-tls server
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>

You can generally use the same configuration on all the clients, except have different certificates on them.

I've been using xca to generate certificates. This is a GUI program available for Linux or Windows.

Thanks so much, easyrsa is much easier than before with LEDE. It automatically generates everything, I only had to create the ovpn files, which I know I had to use.
Thanks again!
Piece of cake.