DEV Community

lynn


Assigning Static IP for OpenVPN on Asus Routers

Configure a static IP so that you are always assigned the same VPN IP address based on your username.


SSH into Router

  1. Open your router at 192.168.0.1 (or whichever gateway you're using)

  2. Administration > System > Enable SSH > LAN only

  3. Open SSH client of choice
    Windows - Use Windows PowerShell
    Mac - Use Terminal

  4. SSH into router by typing the following command (change your username to whichever you use when logging in, and IP address to your default gateway)

    ssh admin@192.168.0.1

  5. Enter your password when prompted

Reference


Create Script

  1. Create a scripts folder in '/jffs/scripts'

    mkdir -p /jffs/scripts; cd /jffs/scripts

  2. Create new file 'clientconnect.sh'

    cat > clientconnect.sh

  3. Enter this script (explained later):

    #!/bin/bash
    # OpenVPN exports the authenticated name as $username and passes the
    # per-client config file as $1.
    if [ "$username" = "test" ];
    then
        echo "ifconfig-push 10.8.0.18 10.8.0.17" >>"$1"
    elif [ "$username" = "test2" ];
    then
        echo "ifconfig-push 10.8.0.22 10.8.0.21" >>"$1"
    fi
    
  4. Save by pressing Enter, then Ctrl-D

  5. Verify that the script has been saved. You should see the full code.

    cat clientconnect.sh

  6. Grant execution permissions

    chmod +x clientconnect.sh

Reference


Execute script on connect

  1. VPN > OpenVPN > VPN Details > Advanced Settings

  2. Enter this code under "Custom Configurations"

    script-security 2
    --client-connect /jffs/scripts/clientconnect.sh
    
  3. Apply

Reference #1
Reference #2


Connect to OpenVPN

  1. Create two OpenVPN users
    User 1: test
    User 2: test2

  2. Connect to OpenVPN with both accounts using your OpenVPN client of choice

  3. test should be assigned 10.8.0.18, and test2 should be assigned 10.8.0.22

Reference


Modifying the script

If you wish to add more users, simply copy the "elif then echo" block and change the IP address and username.

    #!/bin/bash
    if [ "$username" = "test" ];
    then
        echo "ifconfig-push 10.8.0.18 10.8.0.17" >>"$1"
    elif [ "$username" = "test2" ];
    then
        echo "ifconfig-push 10.8.0.22 10.8.0.21" >>"$1"
    elif [ "$username" = "test3" ];
    then
        echo "ifconfig-push 10.8.0.26 10.8.0.25" >>"$1"
    elif [ "$username" = "test4" ];
    then
        echo "ifconfig-push 10.8.0.30 10.8.0.29" >>"$1"
    fi

The last octet of the first IP must be a multiple of 4 plus 2 (18, 22, 26, 30, ...), and the second IP must be one lower than the first (17, 21, 25, 29, ...).

I suggest avoiding low addresses to prevent collisions, since OpenVPN assigns lower numbers first (it starts from 10.8.0.6).

If you wish to change the username, simply replace 'test' or 'test2' with the username of your choice.
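
A table-driven variant of the script above, as an added example (not the author's script), written for POSIX sh: it looks the username up by exact string match and refuses any mapped address that breaks the "multiple of 4 plus 2" rule instead of pushing it. The entries in `static_map` are constructed, and the function names (`static_map`, `lookup_ip`, `push_line`, `client_connect`) are assumptions of this example.

```sh
#!/bin/sh
# Added example: table-driven variant of clientconnect.sh.
# OpenVPN passes the per-client config file as $1 and exports $username.

# Constructed sample map: "username address", one entry per line.
static_map() {
cat <<'EOF'
test 10.8.0.18
test2 10.8.0.22
test3 10.8.0.102
broken 10.8.0.100
EOF
}

# Print the address mapped to user $1. Plain string comparison only, so
# the client-supplied name is never treated as a pattern or as code.
lookup_ip() {
    static_map | while read -r name ip; do
        if [ "$name" = "$1" ]; then echo "$ip"; break; fi
    done
}

# Print "ifconfig-push IP PEER" for address $1. Returns 1 unless the
# address is 10.8.0.N with N a multiple of 4 plus 2; PEER is N - 1.
push_line() {
    last=${1#10.8.0.}
    [ "$last" != "$1" ] || return 1
    case "$last" in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
    [ "$last" -le 254 ] && [ $((last % 4)) -eq 2 ] || return 1
    echo "ifconfig-push $1 10.8.0.$((last - 1))"
}

# Append the push line for user $2 to config file $1. Unknown users and
# invalid map entries add nothing, so the client keeps a pool address.
client_connect() {
    ip=$(lookup_ip "$2")
    [ -z "$ip" ] || push_line "$ip" >>"$1" || true
}

# Run only when called with a config file argument, as OpenVPN does.
# Always exit 0: a non-zero status makes OpenVPN disconnect the client.
[ -z "${1:-}" ] || { client_connect "$1" "${username:-}"; exit 0; }
```

To add a user, add one line to `static_map`; an entry such as `broken` above is skipped rather than pushed to the client.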

Top comments (6)

Lechonsin

Hi, I followed your steps, but if I activate the script in the router:
script-security 2
--client-connect /jffs/scripts/clientconnect.sh

I can't connect from clients; it always says user authentication failed, and if I quit the script it connects fine. What happened? Can you help me please?

Andrii Lavrenko

Perhaps the error is that the router does not have bash. Try replacing #!/bin/bash with #!/bin/sh
On my RT-AC58U it did the trick.

AffnAff

Hi, I followed instructions and I think I am basically there but I run into an issue where I can't connect after I enable. Note that everything works fine (server is running etc.) if I don't use the script (i.e. I can connect multiple clients, no issues, with dynamic VPN addresses 10.8.0.2 etc.)

I used the script exactly as shown with the same custom config as above:

script-security 2
--client-connect /jffs/scripts/clientconnect.sh

I am using the script with /sh and not /bash. Running latest Merlin on Asus Router AX88U.

I get an ECONNREFUSED error... the rest seems fine I think (though I am intermediary at this stuff at best).

Here is my log (I modified my public IP and login ID):

Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 TLS: Initial packet from [AF_INET]80.45.135.65:62920 (via [AF_INET]91.133.25.56%eth0), sid=12971714 0ee6aadb
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AX88U, emailAddress=me@asusrouter.lan
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress=me@asusrouter.lan
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_VER=3.git::58b92569
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_PLAT=ios
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_NCP=2
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_TCPNL=1
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_PROTO=2
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_SSO=openurl
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_BS64DL=1
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 TLS: Username/Password authentication succeeded for username 'bobbarker'
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1541'
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 [client] Peer Connection Initiated with [AF_INET]80.45.135.65:62920 (via [AF_INET]91.133.25.56%eth0)
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_7a70e4845c391ec1.tmp
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI: Learn: 10.8.0.22 -> client/80.45.135.65:62920
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI: primary virtual IP for client/80.45.135.65:62920: 10.8.0.22
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Data Channel: using negotiated cipher 'AES-256-GCM'
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 PUSH: Received control message: 'PUSH_REQUEST'
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.50.0 255.255.255.0 vpn_gateway 500,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.22 10.8.0.21,peer-id 1,cipher AES-256-GCM' (status=1)
Apr 3 11:35:14 ovpn-server1[6149]: read UDPv4 [CMSG=8|ECONNREFUSED]: Connection refused (code=111)

Any help would be greatly appreciated...

Tks.

AffnAff

I found my answer... no idea why but I have to use 10.8.0.18 255.255.255.0 in the script instead of 10.8.0.18 10.8.0.19 in the push command.

carlchan1994

I tried an IP pair ending in [100,99] and it did not work on Windows, but [102,101] works.

openvpn.net/community-resources/co...
According to the OpenVPN manual, the last octet in the IP address of each endpoint pair must be taken from the following sets:

[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]

Rodolfo Nascimento

It worked perfectly.
