Clients getting wrong IP after a while

IHaveVPNISsues
OpenVpn Newbie
Posts: 2
Joined: Wed Oct 21, 2020 10:36 am

Clients getting wrong IP after a while

Post by IHaveVPNISsues » Wed Oct 21, 2020 10:52 am

I have a server running using certificates to authenticate and ipp.txt to set static IP addresses. The clients usually get assigned the correct IP set in the ipp.txt file based on the common name. Now, after a while, I have seen clients getting assigned the wrong IP for seemingly no reason.
Is this due to a faulty configuration perhaps?

server.conf

proto udp
ifconfig-pool-persist ipp.txt 0
keepalive 300 900
user nobody
group nogroup
persist-key
persist-tun
verb 3
mute 20
port 8443
dev tun0
push "redirect-gateway def1"
cipher AES-256-CBC
auth SHA256
compress
tls-version-min 1.0
mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.9.8.1 255.255.255.0
ifconfig-pool 10.9.8.7 10.9.8.254
client-to-client
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh2048.pem

ipp.txt

client1,10.9.8.201
client2,10.9.8.202
client3,10.9.8.203
client4,10.9.8.204
dv1,10.9.8.101
dv2,10.9.8.102
dv3,10.9.8.103
dv4,10.9.8.104
dv5,10.9.8.105
dv6,10.9.8.106
dv7,10.9.8.107
dv8,10.9.8.108
dv9,10.9.8.109

(actual common names differ but same format)

Example of what happens:
- dv3 makes a connection and gets assigned .203
- dv3 reconnects every now and again
- a few days later when dv3 is still doing the reconnects it gets assigned .7

Thank you for any replies!
Last edited by Pippin on Wed Oct 21, 2020 11:17 am, edited 1 time in total.
Reason: Formatting

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Clients getting wrong IP after a while

Post by Pippin » Wed Oct 21, 2020 11:58 am

In the manual it is stated:
Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push

Remove:

ifconfig-pool-persist ipp.txt 0
mode server
push "topology subnet"
ifconfig 10.9.8.1 255.255.255.0

Change:

ifconfig-pool 10.9.8.7 10.9.8.254

to

ifconfig-pool 10.9.8.7 10.9.8.253

In topology subnet, .0 - .1 - .254 - .255 should not be assigned to clients in a /24 tunnel subnet.
More accurately the first two and last two addresses of the tunnel subnet should not be assigned to clients.

Add:

server 10.9.8.1 255.255.255.0 'nopool'

Next you need to read:
https://community.openvpn.net/openvpn/w ... sspolicies
Especially "Because we will be assigning fixed IP addresses.............."
Also read about mentioned directives in manual 2.4:
https://community.openvpn.net/openvpn/w ... n24ManPage

However, the howto is not complete as it does not give an example for topology subnet.
The ifconfig-push directive changes to

ifconfig-push 10.9.8.201 255.255.255.0

for topology subnet.

I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

IHaveVPNISsues
OpenVpn Newbie
Posts: 2
Joined: Wed Oct 21, 2020 10:36 am

Re: Clients getting wrong IP after a while

Post by IHaveVPNISsues » Fri Oct 23, 2020 2:23 pm

Thanks a lot. I did all the changes, but now I get the following error when starting the server:

Options error: --server directive network/netmask combination is invalid
Use --help for more information.

server.conf

proto udp
keepalive 300 900
user nobody
group nogroup
persist-key
persist-tun
verb 3
mute 20
port 8443
dev tun0
push "redirect-gateway def1"
cipher AES-256-CBC
auth SHA256
compress
tls-version-min 1.0
tls-server
topology subnet
client-to-client

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh2048.pem

server 10.9.8.1 255.255.255.0 'nopool'

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Clients getting wrong IP after a while

Post by Pippin » Fri Oct 23, 2020 2:43 pm

ifconfig-pool 10.9.8.7 10.9.8.253

is missing...

But I made a mistake (not related to the error).
It should be

ifconfig-pool 10.9.8.2 10.9.8.100

so that .101 and higher can be used for static IPs.

Regarding the error, try

server 10.9.8.0 255.255.255.0 'nopool'

instead.
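
Added example, not part of the original thread: one way to turn the ipp.txt entries from the question into per-client `ifconfig-push` files for topology subnet, rejecting any pin that falls inside the dynamic pool (10.9.8.2 to 10.9.8.100), on the first two or last two addresses of the subnet, or on an address already taken. The function names are hypothetical, the "bad-" entries are constructed, and it assumes server.conf also carries a `client-config-dir` line pointing at the directory the files are written to.

```python
import ipaddress
from pathlib import Path
# From the thread: tunnel subnet, and the dynamic pool from the last reply.
NETWORK = ipaddress.ip_network("10.9.8.0/24")
POOL = (ipaddress.ip_address("10.9.8.2"), ipaddress.ip_address("10.9.8.100"))

# Three ipp.txt entries from the question plus three constructed bad ones.
SAMPLE_IPP = "client1,10.9.8.201\ndv3,10.9.8.103\ndv9,10.9.8.109\n" \
             "bad-pool,10.9.8.7\nbad-edge,10.9.8.254\nbad-dup,10.9.8.103\n"

def check(name, addr, used, network, pool):
    """Return (ip, None) if the pin is usable, else (None, reason)."""
    if not name or "/" in name or name.startswith("."):
        return None, "unsafe file name"  # the common name becomes a file name
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None, f"invalid address {addr!r}"
    if ip not in network:
        return None, f"{ip} is outside {network}"
    if ip in (network[0], network[1], network[-2], network[-1]):
        return None, f"{ip} is a reserved address"
    if pool[0] <= ip <= pool[1]:
        return None, f"{ip} is inside the dynamic pool"
    if ip in used:
        return None, f"{ip} is already pinned to {used[ip]}"
    return ip, None

def plan_ccd(ipp_text, network=NETWORK, pool=POOL):
    """Return ({common_name: ccd file content}, [rejection messages])."""
    files, errors, used = {}, [], {}
    for line in filter(str.strip, ipp_text.splitlines()):
        name, _, addr = (part.strip() for part in line.partition(","))
        ip, reason = check(name, addr, used, network, pool)
        if reason:
            errors.append(f"{name}: {reason}")
        else:
            used[ip] = name
            files[name] = f"ifconfig-push {ip} {network.netmask}\n"
    return files, errors

def write_ccd(files, ccd_dir):
    """Write one file per common name into the client-config-dir."""
    Path(ccd_dir).mkdir(parents=True, exist_ok=True)
    for name, content in files.items():
        (Path(ccd_dir) / name).write_text(content)

if __name__ == "__main__":
    print(*plan_ccd(SAMPLE_IPP), sep="\n")
```
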
