To set a static IP for clients with distinct certs, we can set static IPs for clients following jdmorei's answer. However, if duplicate-cn is set on the server side, so that many clients share the same cert, how can I set a static IP for a specific client?

Youran

1 Answer

Thanks to IP Management With duplicate-cn, we can use --client-connect cmd to write different configurations to a dynamically generated temporary file for different clients. In the Reference manual for OpenVPN 2.4, it says:

OpenVPN's internal client IP address selection algorithm works as follows:

1 Use --client-connect script generated file for static IP (first choice).
2 Use --client-config-dir file for static IP (next choice).
3 Use --ifconfig-pool allocation for dynamic IP (last choice).

So we can overwrite the server's ifconfig-pool with this script. In my case, I distinguish different clients by their IP and set a static IP for a special client. When the special IP x.x.x.x appears, a static IP 172.0.0.3 will be distributed to this client. The script for client-connect is:

$ cat /etc/openvpn/client-connect.sh
#!/bin/bash
# Run by OpenVPN as --client-connect: $trusted_ip is the client's real
# address and $1 is the temporary file whose contents are pushed to it.

if [ "$trusted_ip" = "x.x.x.x" ]; then
    echo "static ip triggered for $trusted_ip"
    # Lines written to $1 take precedence over the ifconfig-pool choice.
    echo "ifconfig-push 172.0.0.3 255.255.255.0" >> "$1"
else
    echo "still random ip for $trusted_ip"
fi

exit 0

I also set the ifconfig-pool on the server side to avoid a conflict with 172.0.0.3:

mode server
# nopool disables the pool that "server" would otherwise create,
# so the range below is the only dynamic one
server 172.0.0.0 255.255.255.0 nopool
ifconfig-pool 172.0.0.16 172.0.0.128 255.255.255.0

Youran
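A more general form of the same hook, as an added example that is not the answer's script: it looks $trusted_ip up in a table of static addresses instead of hard-coding one, and refuses any entry that falls inside the ifconfig-pool range so a static address can never collide with a pooled client. The map file path, the 203.0.113.x client addresses and the table itself are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the answer's script: a --client-connect hook that maps several
# trusted_ip values to static tunnel addresses from a table and refuses any address
# inside the dynamic pool. Paths, addresses and the table are constructed placeholders.

MAP_FILE="${MAP_FILE:-/etc/openvpn/static-clients.map}"   # assumed path
NETMASK="${NETMASK:-255.255.255.0}"
POOL_START="${POOL_START:-172.0.0.16}"                      # must match ifconfig-pool
POOL_END="${POOL_END:-172.0.0.128}"

# Constructed sample table, same format as MAP_FILE; '#' starts a comment line.
SAMPLE_MAP='# public ip    tunnel ip
203.0.113.10   172.0.0.3
203.0.113.11   172.0.0.4
203.0.113.12   172.0.0.20'

# Print the tunnel ip mapped to public ip $1, reading the table from stdin.
lookup_static_ip() {
    awk -v ip="$1" '$1 !~ /^#/ && $1 == ip && NF >= 2 { print $2; exit }'
}

# Exit 0 if dotted-quad $1 lies within [$2, $3] inclusive (compared as integers).
in_pool() {
    printf '%s\n%s\n%s\n' "$1" "$2" "$3" | awk -F. '
        { v[NR] = $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }
        END { exit !(v[1] >= v[2] && v[1] <= v[3]) }'
}

# Print the ifconfig-push line for public ip $1 (table on stdin), or nothing when the
# client has no entry or its entry overlaps the pool [$2, $3]; $4 is the netmask.
push_line_for() {
    static=$(lookup_static_ip "$1")
    [ -n "$static" ] || return 0
    if in_pool "$static" "$2" "$3"; then
        echo "refusing $static for $1: inside the dynamic pool" >&2
        return 0
    fi
    printf 'ifconfig-push %s %s\n' "$static" "$4"
}

# Hook entry point: OpenVPN sets trusted_ip in the environment and passes the file as $1.
if [ -n "${trusted_ip:-}" ] && [ -n "${1:-}" ]; then
    line=$(push_line_for "$trusted_ip" "$POOL_START" "$POOL_END" "$NETMASK" < "$MAP_FILE")
    if [ -n "$line" ]; then
        echo "$line" >> "$1"
        echo "static ip for $trusted_ip: $line"
    else
        echo "pool ip for $trusted_ip"
    fi
fi
```

With the answer's server config, 172.0.0.20 from the sample table is refused because it sits inside 172.0.0.16-172.0.0.128, while 172.0.0.3 and 172.0.0.4 are pushed.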