Static leases for same device using both LAN and VPN

Author Message
puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

Posted: Wed Aug 24, 2022 16:06    Post subject: Static leases for same device using both LAN and VPN
My backup software requires using static addresses.
However, my laptop can be connected to my local network either directly via LAN (192.168.1.x) or via VPN (10.10.10.y)

I currently use static leases to assign my laptop to a fixed IP address (say 192.168.1.213) on my LAN.
When the laptop is instead on the VPN, I would like a static lease to be assigned to a fixed IP address on that network (say 10.10.10.50).

Then my backup software could check both addresses when it runs...

Is this possible?
Can I just duplicate the static lease entries -- i.e., same MAC address but different IP address (and/or name)?
Is there another method that works?

Thanks!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Aug 25, 2022 0:01    Post subject:
If you want to have static IP assignments w/ OpenVPN, there's a specific set of steps that are required.

Each client, uniquely identified by its CN (Common Name) on its client cert, has to have a file by that same name in the CCD directory which contains the following directive.

Code:
ifconfig-push <ip> <netmask>


The CCD is a directive in OpenVPN that tells it where to look for client-specific configuration files. By default, the OpenVPN server on DD-WRT always adds the following to the config file for these purposes.

Code:
client-config-dir /jffs/etc/openvpn/ccd


Of course, you could override this with your own preferred CCD directory, but in most cases JFFS works well.

Now place your client-specific files in that directory. When the client gets connected, the OpenVPN server will apply those directives to that client.

Much of this is explained in the following OpenVPN document, although in that case, the topology is assumed to be PTP (point-to-point), so the ifconfig-push directives are illustrated as PTP pairs (local and remote) rather than a subnet topology (ip + subnet mask). So adjust things to match your preferred topology.

https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/

Beware! Unlike DHCP and static leases, OpenVPN will ***NOT*** reserve these IP assignments! IOW, if a client comes along that's NOT configured w/ one of these static IP assignments, it gets assigned the next available IP, whether or NOT some other client has that same IP configured in its CCD file! For this reason, I strongly suggest that you assign static IPs from the *end* of the tunnel's IP network and work backwards (e.g., 10.8.0.254, 10.8.0.253, etc.). An alternative technique is to bind a secondary IP network to the tunnel and use it exclusively for these static IP assignments. That's what the author of the prior link does by adding 10.8.1.0/24 (sysadmins) and 10.8.2.0/24 (contractors), albeit using a PTP topology.

Yeah, a bit complicated, but that's simply how OpenVPN has chosen to do it.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

Posted: Thu Aug 25, 2022 17:33    Post subject:
Thanks eibgrad!!! Very comprehensive.
It's a shame that there is not a more streamlined and powerful approach that would essentially mimic and extend the dhcp-host= directive for other subnets. It would seem so easy and logical :)

Seems to work though. But a couple of follow-on questions:

1) What value should be used for the netmask?
   The article you referenced talks about "Server IP Endpoints" and "successive /30 subnets".
   Typically, I would set the netmask to 255.255.255.0 to allow access to the entire /24 subnet.
   Is that a good/safe general-purpose value?

2) I assume if the reference is by CN, then I cannot use the same client certificate on multiple devices. Right?
puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

Posted: Thu Aug 25, 2022 17:45    Post subject:
eibgrad wrote:

Beware! Unlike DHCP and static leases, OpenVPN will ***NOT*** reserve these IP assignments! IOW, if a client comes along that's NOT configured w/ one of these static IP assignments, it gets assigned the next available IP, whether or NOT some other client has that same IP configured in its CCD file! For this reason, I strongly suggest that you assign static IPs from the *end* of the tunnel's IP network and work backwards (e.g., 10.8.0.254, 10.8.0.253, etc.). An alternative technique is to bind a secondary IP network to the tunnel and use it exclusively for these static IP assignments. That's what the author of the prior link does by adding 10.8.1.0/24 (sysadmins) and 10.8.2.0/24 (contractors), albeit using a PTP topology.


I may be misreading the documentation, but it seems like you can avoid collisions between static and dynamically assigned addresses by using the 'ifconfig-pool' directive in the server conf file.

Specifically, it seems that instead of using the default server directive:
Code:
server 10.10.10.0 255.255.255.0


One substitutes something like the following to get a dynamic pool from 10.10.10.4 to 10.10.10.100 and then you can use static assignments via the ccd file from 10.10.10.101 to 10.10.10.255 (for example)
Code:

mode server
tls-server

ifconfig 10.10.10.1 10.10.10.2
ifconfig-pool 10.10.10.4 10.10.10.255
route 10.10.10.0 255.255.255.0
push "route 10.10.10.1"


Now I'm not sure if this is right and I don't know how you would remove the default server line from the configuration.
Also, I don't understand why the pool starts at 10.10.10.4 given that in the default case I get addresses starting at 10.10.10.2

Any pointers on how to get a restricted pool to work and coexist with a static pool?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Aug 25, 2022 18:31    Post subject:
puterboy2 wrote:
What value should be used for the netmask?


Whatever you've chosen for the subnet mask on the OpenVPN server.

Quote:
The article you referenced talks about "Server IP Endpoints" and "successive /30 subnets".
Typically, I would set the netmask to 255.255.255.0 to allow access to the entire /24 subnet.
Is that a good/safe general-purpose value?


As I said previously, that article *assumes* a p2p topology is in use (i.e., you have one of the following two directives specified in the OpenVPN server config file).

Code:
topology net30


or

Code:
topology p2p


Note: the latter is NOT compatible w/ Windows clients.

As it happens, the DD-WRT OpenVPN server *assumes* a subnet topology.

Code:
topology subnet


I've never tried to override it, so I don't know if it's possible. But the point is, in a subnet topology, each client IP assignment has to use an ifconfig-push of the form <ip> <netmask>, with the netmask matching that which you defined on the OpenVPN server.

Quote:
I assume if the reference is by CN, then I cannot use the same client certificate on multiple devices. Right?


Correct. That's an implicit requirement because the CN on the client's cert is being used to uniquely identify it. But there are two other options.

1) Share a client cert, but provide users w/ usernames/passwords as well, then add the following to the Additional Config field.

Code:
username-as-common-name


IOW, you're telling OpenVPN server to disambiguate users on the basis of their usernames rather than the CN on the client cert.

2) Don't use a client cert at all. Just rely on usernames/passwords.

Code:
verify-client-cert none
username-as-common-name


Obviously this is less secure, but since you are sharing the client cert, that's inherently less secure anyway. Esp. if it's being distributed to users other than just yourself.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Aug 25, 2022 18:35    Post subject:
puterboy2 wrote:
eibgrad wrote:

Beware! Unlike DHCP and static leases, OpenVPN will ***NOT*** reserve these IP assignments! IOW, if a client comes along that's NOT configured w/ one of these static IP assignments, it gets assigned the next available IP, whether or NOT some other client has that same IP configured in its CCD file! For this reason, I strongly suggest that you assign static IPs from the *end* of the tunnel's IP network and work backwards (e.g., 10.8.0.254, 10.8.0.253, etc.). An alternative technique is to bind a secondary IP network to the tunnel and use it exclusively for these static IP assignments. That's what the author of the prior link does by adding 10.8.1.0/24 (sysadmins) and 10.8.2.0/24 (contractors), albeit using a PTP topology.


I may be misreading the documentation, but it seems like you can avoid collisions between static and dynamically assigned addresses by using the 'ifconfig-pool' directive in the server conf file.

Specifically, it seems that instead of using the default server directive:
Code:
server 10.10.10.0 255.255.255.0


One substitutes something like the following to get a dynamic pool from 10.10.10.4 to 10.10.10.100 and then you can use static assignments via the ccd file from 10.10.10.101 to 10.10.10.255 (for example)
Code:

mode server
tls-server

ifconfig 10.10.10.1 10.10.10.2
ifconfig-pool 10.10.10.4 10.10.10.255
route 10.10.10.0 255.255.255.0
push "route 10.10.10.1"


Now I'm not sure if this is right and I don't know how you would remove the default server line from the configuration.
Also, I don't understand why the pool starts at 10.10.10.4 given that in the default case I get addresses starting at 10.10.10.2

Any pointers on how to get a restricted pool to work and coexist with a static pool?


I've never tried anything but the ways I've described above. For all I know, it may work. But I can't provide sound advice on things I haven't tried personally. And given that *OpenVPN* article doesn't suggest this as an alternative, I'll stick w/ my previous recommendations. You're on your own if you want to proceed otherwise.

puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

Posted: Thu Aug 25, 2022 19:58    Post subject:
Well, it seems like adding the following two lines works:
Code:
server 10.10.10.0 255.255.255.0 nopool
ifconfig-pool 10.10.10.50 10.10.10.75


The first line supersedes the default line (and corresponding dynamic pool range from 0-253) in /tmp/openvpn/openvpn.conf
Code:
server 10.10.10.0 255.255.255.0

and the second line defines the default dynamic IP pool.

This *should* prevent collisions so long as you keep your dynamic and static ranges separate.

Pretty cool it seems!

See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ for some details.

Another cool thing (IMO) is that changing the entries in /jffs/etc/openvpn/ccd does not require a restart of openvpn (let alone a reboot).
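As an added example (not from this thread, not eibgrad's scripts and not part of DD-WRT), here is a POSIX sh check that ties the two pieces together: the per-client CCD files with their ifconfig-push lines, and the `server ... nopool` plus `ifconfig-pool` range that keeps dynamic clients in a known window. It walks a CCD directory and reports any file whose pushed address is malformed, carries a netmask other than the server's, falls outside the tunnel network, is the network/broadcast/server address, lies inside the dynamic pool, or is pushed to more than one CN. The function names (check_ccd, ip2int, valid_ip, make_sample_ccd), the sample CN file names and the addresses in the sample directory are all constructed for the example; it assumes a subnet topology and the 10.10.10.0/24 network with the 10.10.10.50-10.10.10.75 pool used in this thread.

```shell
#!/bin/sh
# Added example: audit OpenVPN CCD static assignments against the tunnel
# subnet and the dynamic pool. Assumes "topology subnet"; names below are
# constructed for the example and are not DD-WRT or OpenVPN identifiers.

# Dotted-quad IPv4 -> integer (multiplication instead of shifts so it is
# safe on 32-bit shells too).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# True if $1 is four decimal octets in 0..255.
valid_ip() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# check_ccd DIR NET MASK POOL_START POOL_END
# Prints one line per problem; returns 0 only if nothing was flagged.
check_ccd() {
    dir=$1 net=$2 mask=$3 pstart=$4 pend=$5
    neti=$(ip2int "$net"); maski=$(ip2int "$mask")
    psi=$(ip2int "$pstart"); pei=$(ip2int "$pend")
    bcast=$(( neti | (4294967295 - maski) ))
    srv=$(( neti + 1 ))   # the 'server' directive takes the first usable address
    seen=" "
    problems=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        cn=${f##*/}
        # first ifconfig-push line, with the directive keyword stripped
        line=$(sed -n 's/^[[:space:]]*ifconfig-push[[:space:]][[:space:]]*//p' "$f" | head -n 1)
        if [ -z "$line" ]; then
            echo "$cn: no ifconfig-push; this client will draw from the dynamic pool"
            problems=$((problems + 1)); continue
        fi
        set -- $line
        ip=$1; m=$2
        if ! valid_ip "$ip" || ! valid_ip "$m"; then
            echo "$cn: malformed ifconfig-push '$line'"
            problems=$((problems + 1)); continue
        fi
        ipi=$(ip2int "$ip")
        if [ "$m" != "$mask" ]; then
            echo "$cn: netmask $m does not match server netmask $mask"
            problems=$((problems + 1))
        fi
        if [ $(( ipi & maski )) -ne "$neti" ]; then
            echo "$cn: $ip is outside tunnel network $net/$mask"
            problems=$((problems + 1))
        elif [ "$ipi" -eq "$neti" ] || [ "$ipi" -eq "$bcast" ] || [ "$ipi" -eq "$srv" ]; then
            echo "$cn: $ip is the network, broadcast or server address"
            problems=$((problems + 1))
        elif [ "$ipi" -ge "$psi" ] && [ "$ipi" -le "$pei" ]; then
            echo "$cn: $ip lies inside the dynamic pool $pstart-$pend (collision risk)"
            problems=$((problems + 1))
        fi
        case $seen in
            *" $ip "*) echo "$cn: $ip is also pushed to another client"
                       problems=$((problems + 1)) ;;
        esac
        seen="$seen$ip "
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample CCD directory (file name = client CN), one good entry
# and five deliberate mistakes; prints the directory path.
make_sample_ccd() {
    d=$(mktemp -d)
    printf 'ifconfig-push 10.10.10.200 255.255.255.0\n'   > "$d/laptop"   # fine
    printf 'ifconfig-push 10.10.10.60 255.255.255.0\n'    > "$d/phone"    # inside the pool
    printf 'ifconfig-push 10.10.10.200 255.255.255.0\n'   > "$d/tablet"   # duplicates laptop
    printf 'ifconfig-push 10.10.10.201 255.255.255.128\n' > "$d/nas"      # wrong netmask
    printf 'ifconfig-push 10.10.11.5 255.255.255.0\n'     > "$d/guest"    # outside tunnel net
    printf '# placeholder, no address assigned yet\n'     > "$d/printer"  # missing directive
    echo "$d"
}

# Sample run against the thread's server settings:
#   server 10.10.10.0 255.255.255.0 nopool
#   ifconfig-pool 10.10.10.50 10.10.10.75
sample=$(make_sample_ccd)
if check_ccd "$sample" 10.10.10.0 255.255.255.0 10.10.10.50 10.10.10.75; then
    echo "all CCD static assignments are consistent"
else
    echo "fix the entries above before relying on static tunnel addresses"
fi
rm -rf "$sample"
```

On a DD-WRT box you would point check_ccd at /jffs/etc/openvpn/ccd with the network, mask and pool range from your own server config; because OpenVPN does not reserve pushed addresses, the "inside the dynamic pool" and "pushed to another client" findings are the ones that turn into two clients fighting over one tunnel address.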
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Aug 25, 2022 20:20    Post subject:
puterboy2 wrote:
Well, it seems like adding the following two lines works:
Code:
server 10.10.10.0 255.255.255.0 nopool
ifconfig-pool 10.10.10.50 10.10.10.75


The first line supersedes the default line (and corresponding dynamic pool range from 0-253) in /tmp/openvpn/openvpn.conf
Code:
server 10.10.10.0 255.255.255.0

and the second line defines the default dynamic IP pool.

This *should* prevent collisions so long as you keep your dynamic and static ranges separate.

Pretty cool it seems!

See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ for some details.

Another cool thing (IMO) is that changing the entries in /jffs/etc/openvpn/ccd does not require a restart of openvpn (let alone a reboot).


AFAIK, ifconfig-pool (at least according to the documentation) seems to assume a net30 topology. Also, having a *pool* is NOT the same as assigning static IPs to specific clients, the latter being what I thought you wanted. Unless the server directive is where you plan to assign your static IPs.

puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

Posted: Fri Aug 26, 2022 0:58    Post subject:
eibgrad wrote:

AFAIK, ifconfig-pool (at least according to the documentation) seems to assume a net30 topology. Also, having a *pool* is NOT the same as assigning static IPs to specific clients, the latter being what I thought you wanted. Unless the server directive is where you plan to assign your static IPs.


Actually, I wanted to *add* static IPs, not necessarily have exclusive static IPs :)
So, by limiting the space for dynamic addresses, I can safely keep my static IPs outside the dynamic pool.

Regarding net30, the following openvpn reference manual ( https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4 ) clearly uses ifconfig-pool in multiple topologies, including 'subnet' (as well as net30 and p2p) -- in fact the 'server' directive that the existing openvpn.config uses is really a shortcut to a script that includes 'ifconfig-pool' to set up the dynamic addressing on the default /24 network.

Anyway, seems like a safer way to do it versus the kludgy and potentially dangerous initial suggestion of starting static IPs from the high end and "hoping" they don't collide with the dynamic pool that expands from the low end.

Thank you so much for getting me started on the right path and I hope that my refinements help others who are interested in having a safe mix of dynamic and static IPs. Really appreciate that you are always "lurking" here to help me and others as we learn more about dd-wrt and the intricacies of router-based networking!