Return to Level1Techs.com

Best way to have static IPs on OpenVPN

#1

I am having trouble trying to work out the best way to set static IPs on clients connecting to an OpenVPN server.

The theoretical plan is to deploy linux servers that serve various linuxy things to multiple sites. Then have them connect to HQ where they can be accessed via ssh to be managed.

Each site would benefit from a static IP address being assigned.

I have pfsense setup with an OpenVPN server on layer 3 in my lab. I am able to connect to this from my VirtualBox Ubuntu server using the cli openvpn client. However, guides online tell you to update the server.conf to force an IP change. This conf file is not in the /etc/openvpn folder that the guide mentions.

So I’m not sure those guides are accurate.

My VirtualBox Ubuntu server is currently being assigned the IP address of 192.168.101.3 , but I would like to change it to 192.168.101.100 for concepts sake.

Will I have to create multiple OpenVPN servers in pfsense, forcing them to only issue 1 IP address? - I’m not even sure that is a viable option.

If anyone has previous of this, and could point me in the right direction I would be very grateful.

0 Likes

#2

I can’t help you with you with OVPN but with this specific scenario i always figured i would use SSH.

“HQ” has a domain, a port is forwarded.
The clients ssh to it with the use of keys to a non priviliged account, perhaps even inside a container? or chroot?

You reverse tunnel a local port as an example: port 2222 at HQ to local port 22

ssh -R 2222:localhost:22 -N [email protected]

and then when you need to connect to that remote client you just do:

ssh -p 2222 localhost

ssh is also encrypted, easily secured by fail2ban, requires very little overhead and does not require access to tun.
The connection can be initiated by crontab starting a script that wont run if it is already running.
And like with OVPN it wont require any port forwarding on the client side.

0 Likes

#3

I administer several sites via openvpn site-to-site tunnels connected to a central site in a spoke configuration. This has worked well for me. I am looking at migrating the tunnels to WireGuard though.

0 Likes

#4

The theory was to get a 4 block public IP block and route the OpenVPN traffic through a firewall safe port (by that I mean never blocked), like 81 or 443. So the connection would be initiated by the client on site. To the public IP 10.10.10.10 over the port 443. Then on the HQ end just have the 10.10.10.10 listening to 443 OpenVPN connections.

I have found out why I cannot find the server.conf on the client side of OpenVPN. This is because this has to be set on the server side :sweat_smile: It was late at night for me.

WireGuard looks amazing! - looks like it is not on a stable build yet though.

1 Like

#5

Technically yes but it’s starting to be used in a lot of places and appears to be fine. Cloudflare is releasing a consumer VPN service soon that uses it so it has/will have a lot of weight behind it.

0 Likes

#6

I’ve used wireguard for a year now. OpenVPN is garbage, use WG.

1 Like

#7

How so? Can you elaborate please?

0 Likes

#8

To briefly summarize as we’ve discussed it before at lengths on the forums, WG is faster and reconnects nearly instantaneously.

Only real gotcha used to be the lack of a windows client, but that is no longer the case.

1 Like

#9

OK. I’m going to stop with OpenVPN and deploy WG in the lab and start testing with that. It looks a lot easier to configure. I just went for ovpn because it is said to be more secure than IPsec, and is available on pfSense (which I am currently using)

0 Likes

#10

I don’t believe it’s supported on pfsense yet, unfortunately. If you’re stuck on pfsense I would probably go with IKEv2.

0 Likes

#11

Might need to rethink that wireguard.

Looks like it don’t have tcp fallback options…

0 Likes

#12

Whole point of WG is to avoid options, to make it as simple as possible. If you want to tunnel over TCP with something like udptunnel, that would work.

0 Likes