OpenVPN does not reserve a static IP

1

I set up a working OpenVPN network (with routing)... everything works except the IP reservation. I have a "special" client certificate associated with an IP reservation on my server. I did all the configuration: I created the ccd folder with the CN of the client file and edited the ipp file. Even so, when I try to connect to my VPN, my server always gives my client different IPs. How is this possible? Thank you very much!

Server configuration:

# Which local IP address should OpenVPN
# listen on? (optional)
local 192.168.1.2

# Port listening on:
port 1194

# TCP or UDP server?
proto udp

dev tun

# Certs:

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key

# Diffie-Hellman parameters.

dh /etc/openvpn/dh2048.pem

# VPN Subnet:
server 10.2.1.0 255.255.255.0

# Static IPs:
ifconfig-pool-persist ipp.txt

# Client Custom Config Dir:
client-config-dir /etc/openvpn/ccd

# Tunneling traffic through VPN:
push "redirect-gateway"

# Push (Windows-Specific) DNS:
push "dhcp-option DNS 8.8.8.8"

# Clients will be able to contact each other:
client-to-client

# The Server will accept clients with the same certificate:
duplicate-cn

# Pings every 300 seconds and wait 900 seconds for a response (to keep alive the connection):
keepalive 300 900

# Compression:
comp-lzo

# Privilege downgrade: (Linux Specific)
user nobody
group nobody

persist-key
persist-tun

# Quick Log:
status openvpn-status.log

# Logs:
log         openvpn.log
log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Pushing Routes:

route 10.2.1.0 255.255.255.0
push "route 10.2.2.0 255.255.255.0"

Client configuration:

# Configuration Type:
client

# Device Type:
dev tun

# Protocol:
proto udp

# VPN Server IP:
remote X 1194

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# Certs:
ca ca.crt
cert crt.crt
key key.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".
ns-cert-type server

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3
    
by peperunas 14.07.2013 / 22:50

1 answer

1

Editing the file specified by ifconfig-pool-persist is not the correct way to set a permanent static address for a host.

If you want to issue an address permanently, a better solution is to use the ifconfig-push local remote directive in the client configuration file for that host.

    
by 14.07.2013 / 23:07
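
An added example, not part of the original answer: a small checker for the per-client file that client-config-dir loads by CN, validating its ifconfig-push line against the posted server settings. It assumes net30 topology (the posted config sets no topology directive); the function names and the CCD line are constructed for illustration.

```python
import ipaddress

# Constructed samples: server lines copied from the posted config, CCD line invented.
SERVER_CONF = """
server 10.2.1.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
duplicate-cn
"""
CCD_FILE = "ifconfig-push 10.2.1.5 10.2.1.6  # local (client) remote (server side)\n"

def parse_directives(text):
    """Return {directive: [argument lists]} for an OpenVPN config, skipping comments."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            found.setdefault(name, []).append(args)
    return found

def check_static_ip(server_conf, ccd_text):
    """List problems with a CCD ifconfig-push entry (assumes net30 and a 'server' line)."""
    srv, ccd = parse_directives(server_conf), parse_directives(ccd_text)
    problems = []
    if "client-config-dir" not in srv:
        problems.append("server has no client-config-dir, so the CCD file is never read")
    if "duplicate-cn" in srv:
        problems.append("duplicate-cn: CCD files are keyed by CN, so several "
                        "sessions can match the same static address")
    if "ifconfig-push" not in ccd:
        return problems + ["CCD file has no ifconfig-push line"]
    net = ipaddress.ip_network("/".join(srv["server"][0][:2]))
    local, remote = (ipaddress.ip_address(a) for a in ccd["ifconfig-push"][0][:2])
    if local not in net or remote not in net:
        problems.append(f"pushed addresses are outside {net}")
    # net30 gives each client its own /30; the pair must be that block's two hosts.
    block = ipaddress.ip_network(f"{local}/30", strict=False)
    if {local, remote} != set(block.hosts()):
        problems.append(f"{local} and {remote} are not the two hosts of one /30")
    if block.network_address == net.network_address:
        problems.append(f"{block} is the server's own /30 (it takes the first one)")
    return problems

if __name__ == "__main__":
    for problem in check_static_ip(SERVER_CONF, CCD_FILE):
        print("WARN:", problem)
```

The CCD file name must equal the certificate's CN exactly, and it must be readable by the unprivileged user the server drops to (user nobody in the posted config).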
