Posted: Wed Aug 24, 2022 16:06 Post subject: Static leases for same device using both LAN and VPN
My backup software requires using static addresses.
However, my laptop can be connected to my local network either directly via LAN (192.168.1.x) or via VPN (10.10.10.y)
I currently use static leases to assign my laptop to a fixed IP address (say 192.168.1.213) on my LAN.
When the laptop is instead on the VPN, I would like a static lease to be assigned to a fixed IP address on that network (say 10.10.10.50).
Then my backup software could check both addresses when it runs...
Is this possible?
Can I just duplicate the static lease entries -- i.e., same MAC address but different IP address (and/or name)?
Is there another method that works?
If you want to have static IP assignments w/ OpenVPN, there's a specific set of steps that are required.
Each client, uniquely identified by its CN (Common Name) on its client cert, has to have a file by that same name in the CCD directory which contains the following directive.
Code:
ifconfig-push <ip> <netmask>
The CCD is a directive in OpenVPN that tells it where to look for client-specific configuration files. By default, the OpenVPN server on DD-WRT always adds the following to the config file for these purposes.
Code:
client-config-dir /jffs/etc/openvpn/ccd
Of course, you could override this with your own preferred CCD directory, but in most cases JFFS works well.
Now place your client-specific files in that directory. When the client gets connected, the OpenVPN server will apply those directives to that client.
Much of this is explained in the following OpenVPN document, although in that case, the topology is assumed to be PTP (point-to-point), so the ifconfig-push directives are illustrated as PTP pairs (local and remote) rather than a subnet topology (ip + subnet mask). So adjust things to match your preferred topology.
Beware! Unlike DHCP and static leases, OpenVPN will ***NOT*** reserve these IP assignments! IOW, if a client comes along that's NOT configured w/ one of these static IP assignments, it gets assigned the next available IP, whether or NOT some other client has that same IP configured in its CCD file! For this reason, I strongly suggest that you assign static IPs from the *end* of the tunnel's IP network and work backwards (e.g., 10.8.0.254, 10.8.0.253, etc.). An alternative technique is to bind a secondary IP network to the tunnel and use it exclusively for these static IP assignments. That's what the author of the prior link does by adding 10.8.1.0/24 (sysadmins) and 10.8.2.0/24 (contractors), albeit using a PTP topology.
Thanks eibgrad!!! Very comprehensive.
It's a shame that there is not a more streamlined and powerful approach that would essentially mimic and extend the dhcp-host= directive for other subnets. It would seem so easy and logical.
Seems to work though. But a couple of follow-on questions:
What value should be used for the netmask?
The article you referenced talks about "Server IP Endpoints" and "successive /30 subnets".
Typically, I would set the netmask to 255.255.255.0 to allow access to the entire /24 subnet.
Is that a good/safe general-purpose value?
I assume if the reference is by CN, then I cannot use the same client certificate on multiple devices. Right?
Quote:
Beware! Unlike DHCP and static leases, OpenVPN will ***NOT*** reserve these IP assignments! IOW, if a client comes along that's NOT configured w/ one of these static IP assignments, it gets assigned the next available IP, whether or NOT some other client has that same IP configured in its CCD file! For this reason, I strongly suggest that you assign static IPs from the *end* of the tunnel's IP network and work backwards (e.g., 10.8.0.254, 10.8.0.253, etc.). An alternative technique is to bind a secondary IP network to the tunnel and use it exclusively for these static IP assignments. That's what the author of the prior link does by adding 10.8.1.0/24 (sysadmins) and 10.8.2.0/24 (contractors), albeit using a PTP topology.
I may be misreading the documentation, but it seems like you can avoid collisions between static and dynamically assigned addresses by using the 'ifconfig-pool' directive in the server conf file.
Specifically, it seems that instead of using the default server directive:
Code:
server 10.10.10.0 255.255.255.0
One substitutes something like the following to get a dynamic pool from 10.10.10.4 to 10.10.10.100, and then you can use static assignments via the ccd file from 10.10.10.101 to 10.10.10.255 (for example).
Now I'm not sure if this is right and I don't know how you would remove the default server line from the configuration.
Also, I don't understand why the pool starts at 10.10.10.4, given that in the default case I get addresses starting at 10.10.10.2.
Any pointers on how to get a restricted pool to work and coexist with a static pool?
Whatever you've chosen for the subnet mask on the OpenVPN server.
Quote:
The article you referenced talks about "Server IP Endpoints" and "successive /30 subnets".
Typically, I would set the netmask to 255.255.255.0 to allow access to the entire /24 subnet.
Is that a good/safe general-purpose value?
As I said previously, that article *assumes* a p2p topology is in use (i.e., you have one of the following two directives specified in the OpenVPN server config file).
Code:
topology net30
or
Code:
topology p2p
Note: the latter is NOT compatible w/ Windows clients.
As it happens, the DD-WRT OpenVPN server *assumes* a subnet topology.
Code:
topology subnet
I've never tried to override it, so I don't know if it's possible. But the point is, in a subnet topology, each client IP assignment has to use an ifconfig-push of the form <ip> <netmask>, with the netmask matching that which you defined on the OpenVPN server.
Quote:
I assume if the reference is by CN, then I cannot use the same client certificate on multiple devices. Right?
Correct. That's an implicit requirement because the CN on the client's cert is being used to uniquely identify it. But there are two other options.
1) Share a client cert, but provide users w/ usernames/passwords as well, then add the following to the Additional Config field.
Code:
username-as-common-name
IOW, you're telling OpenVPN server to disambiguate users on the basis of their usernames rather than the CN on the client cert.
2) Don't use a client cert at all. Just rely on usernames/passwords.
Quote:
Beware! Unlike DHCP and static leases, OpenVPN will ***NOT*** reserve these IP assignments! IOW, if a client comes along that's NOT configured w/ one of these static IP assignments, it gets assigned the next available IP, whether or NOT some other client has that same IP configured in its CCD file! For this reason, I strongly suggest that you assign static IPs from the *end* of the tunnel's IP network and work backwards (e.g., 10.8.0.254, 10.8.0.253, etc.). An alternative technique is to bind a secondary IP network to the tunnel and use it exclusively for these static IP assignments. That's what the author of the prior link does by adding 10.8.1.0/24 (sysadmins) and 10.8.2.0/24 (contractors), albeit using a PTP topology.
I may be misreading the documentation, but it seems like you can avoid collisions between static and dynamically assigned addresses by using the 'ifconfig-pool' directive in the server conf file.
Specifically, it seems that instead of using the default server directive:
Code:
server 10.10.10.0 255.255.255.0
One substitutes something like the following to get a dynamic pool from 10.10.10.4 to 10.10.10.100, and then you can use static assignments via the ccd file from 10.10.10.101 to 10.10.10.255 (for example).
Now I'm not sure if this is right and I don't know how you would remove the default server line from the configuration.
Also, I don't understand why the pool starts at 10.10.10.4, given that in the default case I get addresses starting at 10.10.10.2.
Any pointers on how to get a restricted pool to work and coexist with a static pool?
AFAIK, ifconfig-pool (at least according to the documentation) seems to assume a net30 topology. Also, having a *pool* is NOT the same as assigning static IPs to specific clients, the latter being what I thought you wanted. Unless the server directive is where you plan to assign your static IPs.
Actually, I wanted to *add* static IPs, not necessarily have exclusive static IPs
So, by limiting the space for dynamic addresses, I can safely keep my static IPs outside the dynamic pool.
Regarding net30, the following openvpn reference manual ( https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4 ) clearly uses ifconfig-pool in multiple topologies, including 'subnet' (as well as net30 and p2p) -- in fact the 'server' directive that the existing openvpn.config uses is really a shortcut to a script that includes 'ifconfig-pool' to set up the dynamic addressing on the default /24 network.
Anyway, it seems like a safer way to do it versus the kludgy and potentially dangerous initial suggestion of starting static IPs from the high end and "hoping" they don't collide with the dynamic pool that expands from the low end.
Thank you so much for getting me started on the right path and I hope that my refinements help others who are interested in having a safe mix of dynamic and static IPs. Really appreciate that you are always "lurking" here to help me and others as we learn more about dd-wrt and the intricacies of router-based networking!
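An added example, not code from the thread or from DD-WRT, that checks the two rules discussed above (the CCD/ifconfig-push setup in eibgrad's reply and the restricted ifconfig-pool from the follow-up): it flags a static ifconfig-push address that falls inside the dynamic pool, a netmask that does not match the server's in subnet topology, and the same address pushed to two CNs. The server config and CCD contents are constructed samples, and the expansion of a `server NET MASK` line to a .2 .. last-host pool is an assumption.

```python
import ipaddress
import re
# Constructed sample inputs (not from the thread): DD-WRT style server config
# with a restricted dynamic pool, and CCD file contents keyed by client CN.
SERVER_CONF = """
topology subnet
ifconfig-pool 10.10.10.4 10.10.10.100 255.255.255.0
client-config-dir /jffs/etc/openvpn/ccd
"""
CCD_FILES = {
    "laptop": "ifconfig-push 10.10.10.50 255.255.255.0",    # inside the pool
    "phone":  "ifconfig-push 10.10.10.200 255.255.255.0",   # fine
    "tablet": "ifconfig-push 10.10.10.200 255.255.255.252", # dup IP, wrong mask
}

def parse_server(conf):
    """Return (topology, pool_start, pool_end, netmask) from server config text."""
    topo, start, end, mask = "net30", None, None, None  # OpenVPN's default topology
    for line in conf.splitlines():
        p = line.split()
        if not p or p[0].startswith("#"):
            continue
        if p[0] == "topology":
            topo = p[1]
        elif p[0] == "ifconfig-pool":
            start, end = ipaddress.ip_address(p[1]), ipaddress.ip_address(p[2])
            mask = p[3] if len(p) > 3 else None
        elif p[0] == "server":
            # Assumption: 'server NET MASK' hands out .2 .. last host, .1 being the server.
            hosts = list(ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False).hosts())
            start, end, mask = hosts[1], hosts[-1], p[2]
    return topo, start, end, mask

def check_ccd(conf, ccd_files):
    """Return (cn, problem) findings for the static assignments in the CCD files."""
    topo, start, end, mask = parse_server(conf)
    findings, seen = [], {}
    for cn, text in ccd_files.items():
        m = re.search(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)", text, re.M)
        if not m:
            findings.append((cn, "no ifconfig-push directive")); continue
        ip, pushed = ipaddress.ip_address(m.group(1)), m.group(2)
        if start is not None and start <= ip <= end:
            findings.append((cn, f"{ip} lies inside dynamic pool {start}-{end}"))
        if topo == "subnet" and mask and pushed != mask:
            findings.append((cn, f"netmask {pushed} differs from server {mask}"))
        if ip in seen:
            findings.append((cn, f"{ip} already assigned to {seen[ip]}"))
        seen.setdefault(ip, cn)
    return findings
```

Run it against the real `/jffs/etc/openvpn/ccd` contents and the server's Additional Config before relying on the high-end-of-range trick; the pool check is what makes the restricted ifconfig-pool approach safe.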