How to Configure OpenVPN Server with Custom Static IP Address Outside DHCP Range



When setting up an OpenVPN server in TAP mode, administrators often need the server's virtual interface to use a specific static IP address that doesn't conflict with the DHCP-assigned client range. The standard server directive automatically assigns the first available IP (e.g., 192.168.0.1), which may not be ideal for network architecture.

The ifconfig directive in OpenVPN configuration gets overridden by the server directive during initialization. This occurs because:

  • The server directive triggers automatic IP assignment
  • TAP interfaces require manual IP configuration after initialization
  • OpenVPN 2.3+ handles TAP interfaces differently than TUN

Modify your server configuration as follows:

mode server
port 1134
proto tcp6-server
dev tap

# Certificates remain unchanged
ca ca.crt
cert server.crt
key server.key
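# 1024-bit DH parameters are weak; generate 2048 bits or more
dh dh1024.pem

# Replace 'server' directive with manual config.
# server-bridge sets the pushed gateway and the client pool only; it does not
# address the tap interface, so 192.168.0.200 must be on the bridge that the
# tap device joins
server-bridge 192.168.0.200 255.255.255.0 192.168.0.100 192.168.0.199
topology subnet

# Additional settings
client-to-client
# duplicate-cn lets several clients connect with the same certificate CN
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
# comp-lzo is deprecated in OpenVPN 2.4 and later
comp-lzo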
max-clients 32

For more control, use a post-init script:

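# Main configuration remains the same until...
# 'server' assigns 192.168.0.1 first and builds its client pool from the rest
# of the subnet, so 192.168.0.200 is not excluded from client assignment
server 192.168.0.0 255.255.255.0
# Level 2 is needed before OpenVPN will run a user-defined script such as 'up'
script-security 2
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Runs after the tap device is opened; the script resets the interface address
up "/etc/openvpn/scripts/set_ip.sh"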

Create /etc/openvpn/scripts/set_ip.sh:

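#!/bin/bash
# OpenVPN passes the device name (e.g. tap0) as the first argument.
# Runs with OpenVPN's privileges: keep it root-owned, not writable by others.
# A non-zero exit from an 'up' script makes OpenVPN abort startup.
/sbin/ifconfig "$1" 192.168.0.200 netmask 255.255.255.0 || exit 1
exit 0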

After implementation:

  1. Restart OpenVPN: sudo systemctl restart openvpn@server
  2. Check interface: ip addr show tap0
  3. Verify routing: ip route show

Additional recommendations:

  • Persist the configuration across reboots
  • Document the IP assignment scheme
  • Consider using client-config-dir for specific client IPs
  • Test failover scenarios

When configuring OpenVPN servers, many administrators encounter a situation where the ifconfig directive appears to be ignored. The server persistently assigns the first IP in the range (typically x.x.x.1) to its TUN/TAP interface despite explicit configuration attempts.

The root cause lies in the interaction between these directives in your config:

server 192.168.0.0 255.255.255.0
ifconfig 192.168.0.200 255.255.255.0

The server directive automatically:

  • Creates a DHCP-like pool (192.168.0.2-254 by default)
  • Assigns 192.168.0.1 to the server interface
  • Overrides any manual ifconfig statements

Option 1: Server-bridge Approach

mode server
port 1134
proto tcp6-server
dev tap
server-bridge 192.168.0.200 255.255.255.0 192.168.0.100 192.168.0.199

This makes 192.168.0.200 the server IP while clients get 100-199.

Option 2: Manual Network Configuration

mode server
port 1134
proto tcp6-server
dev tap

# Leave out the 'server' helper so nothing is assigned automatically;
# tls-server is what the helper would otherwise have set
tls-server

# Manual interface configuration
ifconfig 192.168.0.200 255.255.255.0
ifconfig-pool 192.168.0.100 192.168.0.199 255.255.255.0

Option 3: Topology subnet Alternative

mode server
port 1134
proto tcp6-server
dev tap
topology subnet
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
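# 'server' still puts 192.168.0.1 on the tap interface; this line only changes
# the gateway address that clients are told to use
push "route-gateway 192.168.0.200"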

After implementing any solution:

  1. Restart OpenVPN: sudo systemctl restart openvpn@yourconfig
  2. Check interface: ip addr show tap0
  3. Test connectivity from a client
  4. Verify routes: ip route show

Common issues to check:

  • Conflicting iptables/nftables rules blocking traffic
  • Missing route-gateway pushes to clients
  • NetworkManager interfering with tap interfaces
  • Incorrect subnet mask calculations
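
The following added example, which is not part of the original page or of OpenVPN, models the behaviour described above for the three configuration forms this page shows (server, server-bridge, and manual ifconfig plus ifconfig-pool) and reports when the intended server address is not what the interface gets or falls inside the client pool. The function names and sample configs are constructed for illustration, and the pool bounds used for server follow the page's description.

```python
import ipaddress

def parse(config_text):
    """Map directive name -> argument list (last occurrence wins)."""
    lines = (raw.split("#", 1)[0].split() for raw in config_text.splitlines())
    return {w[0]: w[1:] for w in lines if w}

def addressing(config_text):
    """Return (server_ip, pool_first, pool_last) for a 'dev tap' server config."""
    ip, o = ipaddress.ip_address, parse(config_text)
    if "server" in o:
        # Per the page: the helper takes .1, builds the pool from the rest
        # of the subnet, and overrides any manual ifconfig line.
        net = ipaddress.ip_network("/".join(o["server"][:2]))
        return net[1], net[2], net[-2]
    if "server-bridge" in o:
        # The first argument is the gateway pushed to clients.
        gw, _mask, first, last = o["server-bridge"]
        return ip(gw), ip(first), ip(last)
    first, last = o["ifconfig-pool"][:2]
    return ip(o["ifconfig"][0]), ip(first), ip(last)

def check(config_text, wanted):
    """List the reasons the config does not give the server `wanted` safely."""
    server_ip, first, last = addressing(config_text)
    want = ipaddress.ip_address(wanted)
    problems = []
    if server_ip != want:
        problems.append(f"server interface gets {server_ip}, not {wanted}")
    if first <= want <= last:
        problems.append(f"{wanted} is inside the client pool {first}-{last}")
    return problems

# Constructed sample configs using the page's addresses
CONFLICTING = """dev tap
server 192.168.0.0 255.255.255.0
ifconfig 192.168.0.200 255.255.255.0
"""
MANUAL = """dev tap
mode server
tls-server
ifconfig 192.168.0.200 255.255.255.0
ifconfig-pool 192.168.0.100 192.168.0.199 255.255.255.0
"""

if __name__ == "__main__":
    for name, cfg in (("conflicting", CONFLICTING), ("manual", MANUAL)):
        print(name, check(cfg, "192.168.0.200") or "ok")
```

Running it against a config before restarting the service shows whether 192.168.0.200 can also be handed to a client.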