The reason for the static IP is that I can forward public ports back to the VPN Client.
I can run the device behind my home NAT successfully with the following config. The device basically needs a port trigger: it sets up a session on a specific port, but the audio returns on a range of ports (or a router that can be configured for port triggering). Thus a VPN with a public static IP that forwards all ports back to the client works as expected.
Public TCP Port 80
Public UDP Ports 2074-2093
Public TCP Ports 15425-15427
Public UDP Ports 5198-5200
Public TCP Ports 5198-5200
If I start the VPN client on the device, I can reach the device from its public IP: HTTP://{static-ip}
I have set up a new CentOS v7 64 server {not married to CentOS} via the AS 2.6.1 for CentOS 7 64-bit RPM, and it works with the Tunnelblick/OpenVPN client as expected!
This is a redacted version of a working client config file for my Raspberry Pi OpenVPN client from my commercial VPN account.
remote {SERVER-IP} 443 tcp
remote {SERVER-IP} 3690 tcp
remote {SERVER-IP} 2401 tcp
remote {SERVER-IP} 8443 tcp
key-direction 1
cipher AES-256-CBC
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry
;http-proxy {SERVER-IP} 80
verb 3
reneg-sec 86400
echo vpn-ServerID account777
tun-mtu 1500
route-method exe
route-delay 2
redirect-gateway def1
comp-lzo adaptive
hand-window 30
<ca>
-----BEGIN CERTIFICATE-----
Common Name: account777
Organization: host.com
Locality: City
State: CA
Country: US
Valid From: February 28, 2018
Valid To: February 26, 2028
Issuer: account777, host.com
Serial Number: 11298481264535981185 (0x9ccc44d92212cc81)
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAM1lC+HmxsmpDO1y
ZCwyTttSSUfZtKLWADH4IeEEDVe0IAJlEwnhPL0ikdbfrZUJoeq0m66irRFf/B3k
....
05qVSRHTh83mL5ohHFK0QbC7WHe1yckWP8TPVRc7pvjNd8XZE61MJ70EmnkeZ69Y
JQBt2jTYi6geaVE=
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
Common Name: account777
Organization: host.com
Locality: City
State: CA
Country: US
Valid From: February 28, 2018
Valid To: February 26, 2028
Issuer: account777, host.com
Serial Number: 2 (0x2)
-----END CERTIFICATE-----
</cert>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
f70989f0b61dd64c39fd5b26333d7afe
90848ffd025ddb65d58f7b02bc026942
....
5eb675ffa98336bab1dbd6fc68954491
fb6fa4daa70eb3ff85ae7f5fcfe612f2
-----END OpenVPN Static key V1-----
</tls-auth>
-----------------------------------------------------------------------
This is a redacted version of a non-working config file generated by my OpenVPN Server.
# Generated on Sat Mar 16 20:51:45 2019 by vpnhost.com
# Default Cipher
cipher AES-256-CBC
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=Account44
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE={email}/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=vpnhost.com:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=0
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN, Inc.
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote vpnhost.com 1194 udp
remote vpnhost.com 1194 udp
remote vpnhost.com 443 tcp
remote vpnhost.com 1194 udp
remote vpnhost.com 1194 udp
remote vpnhost.com 1194 udp
remote vpnhost.com 1194 udp
remote vpnhost.com 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
<ca>
-----BEGIN CERTIFICATE-----
MIICuDCCAaCgAwIBAgIEXI3E5jANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApP
cGVuVlBOIENBMB4XDTE5MDMxMDAzNTQxNFoXDTI5MDMxNDAzNTQxNFowFTETMBEG
Common Name: OpenVPN CA
Valid From: March 9, 2019
Valid To: March 13, 2029
Serial Number: 1552794854 (0x5c8dc4e6)
g69YpY+C79OWxl96DLxzjBz3o6Atl7sPixccAH1nOypIjRX2Is3aia3xvvQnN5J8
WikzzcgJt1yJZ2czcAw90UL93+QXj/E8TORQ3A==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIICyzCCAbOgAwIBAgIBBDANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApPcGVu
VlBOIENBMB4XDTE5MDMxMDA0NTEzMVoXDTI5MDMxNDA0NTEzMVowGzEZMBcGA1UE
Common Name: Account44_AUTOLOGIN
Valid From: March 9, 2019
Valid To: March 13, 2029
Serial Number: 4 (0x4)
tcMdNdzO5zkUy77bCMlHdAfKcwYikwbegLTE6g4beUWeJi0Vr9NGxAnM4u9A4q6C
UbyJMJIQhcUaPucufvw8ngcc6ZXZR89E/fCeWynZzqy2Lu5YU3E78it01ztEhMc=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCc8Cnb64NElY1h
nQ+Ul3LJpmlKnOufl0LVXDcXy5Uuil0WqRIlytO+uH+R3CBki8cMC6GZEyjM33yG
.....
.....
.....
SdkJxegO/2sG6VZ/GpuTWzA0lNJVbx8LDOkz2BT/SDGu53Xmk1xn6f/I+0bO5Nec
VaeEbAEUNuWWrmRITEQai70=
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
6a9387e399c8009599aa9eccc219cfb1
1b6048ad7467d729407d6a2a207af5ca
.....
.....
.....
68662f52aeb49bcd3ed1e561b996e2ff
cb96dd88ef2baa15553b6e6f9e30e64e
-----END OpenVPN Static key V1-----
</tls-auth>
Being that this is basically my private VPN server, is there a way to configure the server/client setup that will mimic a static IP, i.e. forward all or the subset of ports necessary when a specific client signs on? I will also have another client that does not need the inward port forwarding.
And what do I need to tweak in my config/server settings/web interface settings, etc. to get this working on my Raspberry Pi?
Greg
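Added example, not part of the original post and not OpenVPN Access Server tooling: one way to forward only the listed ports to a single client is DNAT on the server, which leaves the second client with no inbound exposure. The interface name eth0, the fixed client VPN address 172.27.232.10, the reserved SSH port 22 and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Emit (do not apply) DNAT rules that forward the device's ports to one VPN client.
# Assumptions, not from the post: eth0 is the server's public interface and
# 172.27.232.10 is a fixed VPN address assigned to the Raspberry Pi.
WAN_IF="eth0"
CLIENT_IP="172.27.232.10"

# Ports the device needs, as listed in the post (proto:first-last).
FORWARDS="tcp:80-80 udp:2074-2093 tcp:15425-15427 udp:5198-5200 tcp:5198-5200"
# Listeners the server must keep for itself: 443/tcp and 1194/udp come from
# the profile's remote lines; 22/tcp (SSH) is an assumption.
RESERVED="tcp:443 udp:1194 tcp:22"

# check_spec proto:first-last
# Returns 0 if the spec is well formed and does not swallow a reserved port.
# Leaves proto, first and last set for the caller (POSIX sh has no locals).
check_spec() {
    proto=${1%%:*}; range=${1#*:}
    first=${range%-*}; last=${range#*-}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$first" in ''|*[!0-9]*) return 1 ;; esac
    case "$last" in ''|*[!0-9]*) return 1 ;; esac
    [ "$first" -ge 1 ] && [ "$last" -le 65535 ] && [ "$first" -le "$last" ] || return 1
    for r in $RESERVED; do
        rp=${r#*:}
        if [ "${r%%:*}" = "$proto" ] && [ "$rp" -ge "$first" ] && [ "$rp" -le "$last" ]; then
            return 2    # forwarding this range would cut off the VPN or SSH
        fi
    done
    return 0
}

# emit_rules: print one DNAT rule and one FORWARD accept rule per spec.
emit_rules() {
    for spec in $FORWARDS; do
        if ! check_spec "$spec"; then
            echo "refusing $spec: malformed or overlaps a server listener" >&2
            return 1
        fi
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $first:$last -j DNAT --to-destination $CLIENT_IP"
        echo "iptables -A FORWARD -i $WAN_IF -d $CLIENT_IP -p $proto --dport $first:$last -j ACCEPT"
    done
}

emit_rules
```

The rules are printed for review rather than applied, and a "forward everything" spec such as tcp:1-65535 is refused because it would capture the server's own 443/tcp listener. Replies only return through the server if the client routes its traffic via the tunnel, as the working profile does with redirect-gateway def1.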