VPN client with fixed IP

Matteo Guglielmi

Regular Contributor
Hello everyone,

Is it possible to configure the OpenVPN server of a RTAC3200 so that a specific client (unique username) connecting to the router gets assigned a static IP?

I also would like to make sure that the assigned IP is removed from the pool of available IPs, or better, is it possible to reduce the range of available IPs so that I can freely assign static IPs from those left out of the range?
 
I think you can add a pool like this:

ifconfig 192.168.113.10 255.255.255.0
ifconfig-pool 192.168.113.100 192.168.113.200 255.255.255.0

and then just do a static ip on the client outside the range.

EDIT: I'm wrong. server is already specified.
 
Indeed, in the 'OpenVPN Servers' tab I have:

VPN Subnet / Netmask = 10.101.0.0 255.255.255.0

which defines the entire pool of addresses from 10.101.0.2 to 10.101.0.254 (10.101.0.1 is kept for the vpn server).

This configuration is equivalent to using the 'server' keyword (example: server 10.101.0.0 255.255.255.0) in a VPN server configuration.

I need to supersede this default behaviour with something like:

...
mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.101.0.1 255.255.255.0
push "route-gateway 10.101.0.1"
ifconfig-pool 10.101.0.101 10.101.0.200 255.255.255.0 <<<==== restricted range of addresses
client-config-dir /etc/openvpn/ccd-dir
...

where:

cat /etc/openvpn/ccd-dir/hostname1

ifconfig-push 10.101.0.201 255.255.255.0 <<<=== fixed IP for hostname1

This is how I usually configure an openvpn server on a linux box.... but how to achieve this on an asus router?

Where do I put all that stuff?

Is it actually possible or not?

Should I use JFFS for the 'ccd-dir' folder?

These are only some of the questions I have... does anybody have experience with this kind of setup?
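A sanity check for exactly this setup, added here as an example (it is not from this thread or from the firmware): it reads the server's ifconfig/ifconfig-pool lines (or the firmware's 'server NET MASK' form, which OpenVPN expands to .1 for the server and .2-.254 for the pool) and flags any ccd ifconfig-push that lands inside the dynamic pool, on the server address, or outside the tunnel subnet. The config text and ccd contents are constructed from the values in this post.

```python
import ipaddress
import re
# Constructed server config built from the directives shown in the post above.
SERVER_CONF = """\
mode server
topology subnet
ifconfig 10.101.0.1 255.255.255.0
ifconfig-pool 10.101.0.101 10.101.0.200 255.255.255.0
client-config-dir /etc/openvpn/ccd-dir
"""
# Constructed ccd files, keyed by the client's Common Name.
CCD_FILES = {
    "hostname1": "ifconfig-push 10.101.0.201 255.255.255.0\n",  # outside the pool: ok
    "hostname2": "ifconfig-push 10.101.0.150 255.255.255.0\n",  # inside the pool: clash
    "hostname3": "ifconfig-push 10.102.0.5 255.255.255.0\n",    # wrong subnet
}

def parse_server(conf):
    """Return (subnet, server_ip, (pool_lo, pool_hi)) from the server config text."""
    subnet = server_ip = pool = None
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "server":  # firmware form: .1 is the server, .2-.254 the pool
            subnet = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
            server_ip = subnet.network_address + 1
            pool = (subnet.network_address + 2, subnet.broadcast_address - 1)
        elif parts[0] == "ifconfig":
            server_ip = ipaddress.ip_address(parts[1])
            subnet = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "ifconfig-pool":
            pool = (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]))
    return subnet, server_ip, pool

def check_ccd(conf, ccd_files):
    """Return {common_name: reason} for every ifconfig-push that would clash."""
    subnet, server_ip, (pool_lo, pool_hi) = parse_server(conf)
    problems = {}
    for cn, text in ccd_files.items():
        # a ccd file may carry zero or more ifconfig-push lines
        for addr in re.findall(r"^ifconfig-push\s+(\S+)", text, re.M):
            ip = ipaddress.ip_address(addr)
            if ip not in subnet:
                problems[cn] = f"{ip} is outside {subnet}"
            elif ip == server_ip:
                problems[cn] = f"{ip} is the server's own address"
            elif pool_lo <= ip <= pool_hi:
                problems[cn] = f"{ip} lies inside the dynamic pool {pool_lo}-{pool_hi}"
    return problems
```

Running it against the firmware's default 'server 10.101.0.0 255.255.255.0' form shows why the pool has to be restricted: 10.101.0.201 then sits inside the .2-.254 pool and is reported.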
 
You can override the settings using a user script. Like this:

/jffs/scripts/openvpnserver1.postconf (and openvpnserver2.postconf)

You can do any sed/awk or whatever in that script to remove the lines you don't want and add the ones you do.

Upon bringing up the server, those scripts get executed after the config files are generated by the router but before openvpn is started. You should be able to do what you need in there.

REF:
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files
 
So something like this then:
/jffs/scripts/openvpnserver1.postconf:
Code:
#!/bin/sh
CONFIG=$1
# replace the firmware's 'server' line with explicit directives, a restricted pool
# and the client-config-dir that makes the ccd file below actually get read
sed -i -e 's~^server.*~mode server\nifconfig 10.101.0.1 255.255.255.0\nifconfig-pool 10.101.0.101 10.101.0.200 255.255.255.0\nclient-config-dir /etc/openvpn/ccd-dir~' "$CONFIG"
mkdir -p /etc/openvpn/ccd-dir
echo "ifconfig-push 10.101.0.201 255.255.255.0" > /etc/openvpn/ccd-dir/hostname1
 
How can I see the configuration file generated by the firmware?

When I ssh into the router, can I do something like this:

cat /place/where/I/can/find/vpnserver.conf

?

... otherwise it's going to be difficult to apply any change to $1 if I cannot see its content.
 
The system generated config is in

/etc/openvpn/server1/config.ovpn or (server2 for the second instance)
 
All right then!

I'm working on it!

Will post a solution to 'VPN client with fixed IP' for asus routers as soon as I get it working on mine.
 
Try selecting "Manage client-specific options". That will open a new section where you can configure special settings based on a client's Common Name, such as its IP.
 
I'm nearly there! (will post my solution to the problem soon)

Now, what I need is to create new client certificates, using the current CA of the router (default keys in /jffs/openvpn/, I don't want to build a new CA as described here https://github.com/RMerl/asuswrt-merlin/wiki/Generating-OpenVPN-keys-using-Easy-RSA), with different Common Names.

I need this to associate different fixed IPs to some (special) clients.

I noticed that the (default/only) client certificate generated by the firmware has its CN set to 'client'... and that 'duplicate-cn' is also added to '/etc/openvpn/server1/config.ovpn'.

This works for most situations but in my case I think I need client certificates with unique CNs.

How can I do that?


Then I have a totally different question about routing.

In my clients.ovpn files I cannot use "redirect-gateway def1"... so,

how can I instruct the client to send back through the vpn tunnel (and not through the default gateway) all the SMTP, HTTP and HTTPS traffic?

In other words, when the client receives SMTP, HTTP and/or HTTPS traffic from the tunnel, it has to send it back through the tunnel!

Thanks!!!
 
Now, what I need is to create new client certificates, using the current CA of the router (default keys in /jffs/openvpn/), with different Common Names.

I need this to associate different fixed IPs to some (special) clients.

I noticed that the (default/only) client certificate generated by the firmware has its CN set to 'client'... and that 'duplicate-cn' is also added to '/etc/openvpn/server1/config.ovpn'.

This works for most situations but in my case I think I need client certificates with unique CNs.

How can I do that?

https://github.com/RMerl/asuswrt-merlin/wiki/Generating-OpenVPN-keys-using-Easy-RSA
 
I don't want to build a new CA, I want to use the router's CA using the keys in /jffs/openvpn to generate new client certificates.

Is this possible?
 
Ok, new certificates with unique CN are working just fine!

Now the routing issue (if possible, otherwise I will look for that on a more appropriate forum).

Let's recap:

I've tried to add 'route 0.0.0.0 0.0.0.0 vpn_gateway' to the client.ovpn file but that did not solve the problem.

I have a linuxbox hosting a mail and http/https server which is NOT on the LAN behind the router.

It is on a totally different network on the internet over which I have no control.

The mail/web server connects to the vpn and gets assigned (finally! :)) a static IP.

The router forwards all incoming SMTP (tcp 25), HTTP (tcp 80) and HTTPS (tcp 443) traffic to the statically assigned vpn IP of the mail/web server.

The web/mail server cannot use 'redirect-gateway def1' in its openvpn configuration file.

If I put it there, everything works! In fact, I can access my secure website and mail server... but I cannot use that macro!

If I do not put it there, the browser hangs.

Note that I have to reach the mail/web server via the public IP of the vpn router because it has associated with it a public domain protected via a Comodo SSL Certificate installed on the mail/web server... and I cannot move the domain over to the IP address of the mail/web server because its ports are not accessible from the internet.

Only the public ip of the vpn router is fully accessible from the web and also between the router and the mail/web server there is no firewall.

Therefore, how can I tell the web/mail server (vpn client) to respond to all 25, 80 and 443 traffic coming from the vpn tunnel 'back' into the tunnel?
 
BTW, I'd also like to post how I solved the routing problem of tcp ports 25, 80 and 443 "back to the router" (vpn server) without using the 'redirect-gateway def1' macro on the vpn client.

So, on the router itself just forward those ports to the fixed VPN address of the web/mail server.

Then, on the web/mail server (vpn client) I've added these lines to the openvpn configuration file:

Code:
script-security 2
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
down-pre


where the two scripts are:

Code:
#!/bin/sh
# up.sh - run by OpenVPN as: up.sh tun_dev tun_mtu link_mtu local_ip remote_ip [init|restart]
TUNDEV=$1
OVPNGW=${4%.*}.1       # server end of the tunnel (assumes a /24 with the server on .1)
RUNMOD=$6

RTTABLES='/etc/iproute2/rt_tables'

case "$RUNMOD" in
  init|restart)
    # register the 'vpn' routing table once
    grep -qE '^1[[:space:]]+vpn[[:space:]]*$' "$RTTABLES" || echo '1 vpn' >> "$RTTABLES"

    # mark replies leaving from the mail/web ports (-C only tests, -A adds if absent)
    iptables -C OUTPUT -t mangle -p tcp -m multiport --sport 25,80,443 -j MARK --set-mark 1 >/dev/null 2>&1 ||
      iptables -A OUTPUT -t mangle -p tcp -m multiport --sport 25,80,443 -j MARK --set-mark 1

    # the 'vpn' table's default route points into the tunnel
    ip route show table vpn | grep -qE "default[[:space:]]+via[[:space:]]+$OVPNGW[[:space:]]+dev[[:space:]]+$TUNDEV" ||
      ip route add default via "$OVPNGW" dev "$TUNDEV" table vpn

    # marked packets are looked up in the 'vpn' table instead of main
    ip rule show | grep -qE "from[[:space:]]+all[[:space:]]+fwmark[[:space:]]+0x1[[:space:]]+lookup[[:space:]]+vpn" ||
      ip rule add from all fwmark 1 table vpn
  ;;
esac

Code:
#!/bin/sh
# down.sh - same arguments as up.sh; with 'down-pre' it runs before the tun device is closed
TUNDEV=$1
OVPNGW=${4%.*}.1       # server end of the tunnel (assumes a /24 with the server on .1)
RUNMOD=$6

RTTABLES='/etc/iproute2/rt_tables'

case "$RUNMOD" in
  init|restart)
    # undo up.sh in reverse order, each step only if it is actually present
    ip rule show | grep -qE "from[[:space:]]+all[[:space:]]+fwmark[[:space:]]+0x1[[:space:]]+lookup[[:space:]]+vpn" &&
      ip rule del from all fwmark 1 table vpn

    ip route show table vpn | grep -qE "default[[:space:]]+via[[:space:]]+$OVPNGW[[:space:]]+dev[[:space:]]+$TUNDEV" &&
      ip route del default via "$OVPNGW" dev "$TUNDEV" table vpn

    iptables -C OUTPUT -t mangle -p tcp -m multiport --sport 25,80,443 -j MARK --set-mark 1 >/dev/null 2>&1 &&
      iptables -D OUTPUT -t mangle -p tcp -m multiport --sport 25,80,443 -j MARK --set-mark 1
  ;;
esac


Yes, they may be doing too many checks, but they work great in all cases: start, stop and restart of the openvpn client daemon.
 