
OpenVPN w/BR500 and Static IP

dfilip
Guide

OpenVPN w/BR500 and Static IP

I have OpenVPN working from my Cloud (AWS) server to my local LAN network through a BR500 router:

 

    [AWS Cloud Server] <--> [Public Internet] <--> [BR500] <--> [Local LAN Servers]

 

However, I would like to know whether I can get the same local (LAN) IP statically assigned to my OpenVPN connected Cloud server?  The reason is that I want to be able to access services on the Cloud server from my LAN servers, which makes it difficult if the IP address changes.

 

All of the information I have found on the 'Net talks about changing the OpenVPN from the server side -- i.e., no way to request an IP from the client -- and while my first thought was to do so via Setup => LAN Setup => Address Reservation, I'm not sure if my VPN tunnel has a MAC address?  If so, I don't see it on the client side (Linux):

 

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 192.168.2.2  netmask 255.255.255.0  destination 192.168.2.2

        inet6 fe80::88cb:771a:fe14:b5c3  prefixlen 64  scopeid 0x20<link>

        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)

        RX packets 474  bytes 61122 (59.6 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 512  bytes 60155 (58.7 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

and my OpenVPN server does not show up on the Dashboard page under 'Attached Devices'.

 

Anyone out there have any ideas as to whether I can always get the same IP assigned by OpenVPN on the BR500, perhaps by matching the certificate?  The alternative would be using DynDNS, but I'd like to avoid that if possible given caching delays, additional complexity to detect IP changes, etc., and I can't use DNS names in (local LAN server) firewall rules.

Model: BR500|Insight Instant VPN Router
Message 1 of 8
MrJoshW
NETGEAR Expert

Re: OpenVPN w/BR500 and Static IP

Hello,

 

You wouldn't be able to reserve an OpenVPN IP address on the BR500, as the setup on the BR500 is client to site with the OpenVPN. DynDNS would not work as well as the DynDNS would resolve to the WANIP. If your AWS setup supports IPSEC you could setup a site to site configuration from AWS to BR500 and the AWS could then access the resources on the LAN.

Message 2 of 8
schumaku
Guru

Re: OpenVPN w/BR500 and Static IP

Check --ifconfig-push

"Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation." https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

 

===

--ifconfig-push local remote-netmask

Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation. The parameters local and remote-netmask are set according to the --ifconfig directive which you want to execute on the client machine to configure the remote end of the tunnel. Note that the parameters local and remote-netmask are from the perspective of the client, not the server. They may be DNS names rather than IP addresses, in which case they will be resolved on the server at the time of client connection.

This option must be associated with a specific client instance, which means that it must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script.

Remember also to include a --route directive in the main OpenVPN config file which encloses local, so that the kernel will know to route it to the server's TUN/TAP interface.

OpenVPN's internal client IP address selection algorithm works as follows:

1 — Use --client-connect script generated file for static IP (first choice).
2 — Use --client-config-dir file for static IP (next choice).
3 — Use --ifconfig-pool allocation for dynamic IP (last choice).

===

 

Message 3 of 8
dfilip
Guide

Re: OpenVPN w/BR500 and Static IP

Yes, I originally looked at this, but the problem is that it requires me dropping a file into the "CCD" (Client Configuration Directory?) directory of the OpenVPN server that matches the name or remote IP or certificate name of the OpenVPN client.  The challenge here is that the BR500 is the OpenVPN server ... and I don't know of any way to drop a client-specific file into the BR500's OpenVPN configuration directory???

Message 4 of 8
dfilip
Guide

Re: OpenVPN w/BR500 and Static IP

Correct in that the OpenDNS setting configured within the BR500 OpenVPN page would not help -- as that is set to the external (Internet / WAN) IP of the BR500.

 

However, it looks like on the client side of OpenVPN -- which in my case is a Linux server -- there is a '--ipchange {command}' option, which will run a named script or command, passing the IP address assigned.  I could have this update a different DynDNS name, separate from the BR500's external name, with the IP address that has been assigned by the BR500's OpenVPN server.

 

There are also 'up' (and 'down') scripts that can be referenced in the client configuration file, which run a script when an OpenVPN connection is brought up (down).  Again, these could be used to update a DynDNS name (separate from the external name of the BR500).

 

Or, perhaps a bit more daring, even run a remote script to edit the /etc/hosts file(s) of the LAN server(s) with the IP assigned to the Linux server.  This is a bit more brute force, but gets around DNS caching (although I could set the DNS TTL as low as 1 min).

 

Nonetheless, probably cleaner to do on the OpenVPN server side by dropping a configuration file into the CCD (Client Configuration Directory?) which matches the client -- and also provides a lot more options, like specifying a route command -- but alas, I don't know how to drop a file into the /etc/openvpn/ccd directory of the OpenVPN server running within the BR500 (although since the BR500 is running Linux, I know it is there!).

 

Message 5 of 8
schumaku
Guru

Re: OpenVPN w/BR500 and Static IP

Can't simply adjust the config pre-made for MacOS (and other systems) and change the script called using the "up" statement in the config file from DHCP to a fixed IP?

Message 6 of 8
dfilip
Guide

Re: OpenVPN w/BR500 and Static IP

Interesting ... I don't see any DHCP or IP or NETMASK, etc., parameters in the .ovpn file ... but maybe that is possible?

 

Does anyone have any experience with that?

 

Searching the 'Net I see an 'ifconfig' parameter, but I'm not quite sure what to put in for the local IP, and whether this parameter is applicable?

 

I am using TUN (not TAP), so a point-to-point connection, e.g.:

 

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 192.168.2.2  netmask 255.255.255.0  destination 192.168.2.2

        inet6 fe80::88cb:771a:fe14:b5c3  prefixlen 64  scopeid 0x20<link>

        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)

        RX packets 1651  bytes 179655 (175.4 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 1587  bytes 128904 (125.8 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

So if I wanted to keep this IP "static", would I specify 192.168.2.2 for both local and remote IPs?

 

I can find documentation on the 'Net for what the parameters are, but I'm not entirely clear on their use, and haven't found -- not for lack of trying -- any concrete example for what I am trying to do from the client side (most of the examples I've found call for dropping a file into the CCD of the OpenVPN server, which in my case is the BR500 where I don't have access to the filesystem).

 

If anyone has any examples, please let me know.  In the mean time, I'll try playing around with some of the 'ifconfig' options, to see if I can get this to work, and will post the solution if I do.

Message 7 of 8
dfilip
Guide

Re: OpenVPN w/BR500 and Static IP

No luck with 'ifconfig {local} {remote}' in the client config, e.g., this seems to do nothing:

 

    ifconfig 192.168.2.2 192.168.2.3

 

other than generate a warning in the logfile (something along the lines of --client and --ifconfig are not what you want to do).  And the '--push' options are also all for the server side of things (to push ifconfig commands to the client).

 

Finally, the '--ipchange' parameter of the openvpn command is a bust, as it only provides the IP of the remote server, and NOT the tunneled IP on my LAN.  Basically, what I need is the IP of the tunnel on my LAN back to the VPN'ed server.

 

So I've found about 3 different ways to do this if I could access the OpenVPN server, but not from the client side. *sigh*

 

So the closest so far is doing this on the remote VPN'd system:

 

    $ ifconfig tun0 | grep 192.168 | awk '{print $2}'

    192.168.2.2

 

which may be the way that I have to go, as I haven't found any clean solutions as of yet.

 

Unless anyone else has any ideas of what else I can do from the OpenVPN CLIENT (not server), since I don't have access to the configuration files of the OpenVPN server within the BR500?

 

Model: BR500|Insight Instant VPN Router
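The tunnel address being grepped out of ifconfig above is also handed to the client by OpenVPN itself: the --up command is invoked as `cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]` and the same values are exported as environment variables (`dev`, `ifconfig_local`, ...). The script below is an added example, not code from the thread or from NETGEAR; it assumes a client config containing `script-security 2` and `up /etc/openvpn/tunnel-up.sh`, and the hostname `aws-vpn` and the `HOSTS_FILE` override are hypothetical names chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN client-side "up" script that
# records the tunnel IP the BR500 assigned, so LAN hosts can reach the client
# by a stable name even though the address may change between connections.
# Assumed client config lines:  script-security 2
#                               up /etc/openvpn/tunnel-up.sh
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address (cheap sanity check on script input).
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The client's own tunnel address: positional argument 4 from OpenVPN,
# falling back to the ifconfig_local environment variable it also exports.
tunnel_ip() {
  ip="${1:-${ifconfig_local:-}}"
  is_ipv4 "$ip" || return 1
  printf '%s\n' "$ip"
}

# Write "ip name" into a hosts-style file ($3), dropping any earlier line for
# the same name so a stale address is never left behind after a reconnect.
record_hosts_entry() {
  ip="$1"; name="$2"; file="$3"
  tmp="$file.tmp.$$"
  {
    if [ -f "$file" ]; then grep -v "[[:space:]]$name\$" "$file" || true; fi
    echo "$ip $name"
  } > "$tmp"
  mv "$tmp" "$file"
}

main() {
  dev="${1:-}"
  ip="$(tunnel_ip "${4:-}")" || { echo "up: no tunnel IP for $dev" >&2; exit 1; }
  # HOSTS_FILE is a hypothetical override so the script can be exercised on a scratch file.
  record_hosts_entry "$ip" "aws-vpn" "${HOSTS_FILE:-/etc/hosts}"
}

# OpenVPN always passes arguments; with none (e.g. sourced for testing) do nothing.
[ $# -eq 0 ] || main "$@"
```

The same arguments arrive on the `down` script, so the entry can be removed there; pushing the recorded address to a separate DynDNS name instead of a hosts file is a one-line swap in record_hosts_entry.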
Message 8 of 8