After enabling OpenVPN on my Brocade Vyatta, I found that some clients needed static IP addresses. This is quite simple to achieve regardless of the OS/device; however, this article covers only the steps for the Brocade Vyatta 5400.
Firstly, let me share the version of the products being used:
– Vyatta version: VSE6.7R10 – Brocade vRouter 5415 6.7 R
– OpenVPN 2.3.4
So, let’s get started. Initially, we need to find out where Vyatta stores its OpenVPN configuration. The ps command is helpful for this, because the running daemon’s command line reveals the paths it was started with:
ps -ef | grep -i openvpn;
You should get something like:
/usr/sbin/openvpn --daemon openvpn-vtun0 --verb 3 --writepid /var/run/openvpn-vtun0.pid --status /opt/vyatta/etc/openvpn/status/vtun0.status 30 --dev-type tun --dev vtun0 --script-security 2 --up /opt/vyatta/sbin/vyatta-ovpn-up.pl --mode server --tls-server --topology subnet --keepalive 10 60 --lport 1194 --proto tcp-server --cipher aes-256-cbc --ca /config/auth/ca.crt --cert /config/auth/my-server.crt --key /config/auth/my-server.key --dh /config/auth/dh2048.pem --management /tmp/openvpn-mgmt-vtun0 unix --push dhcp-option DNS XXX.XXX.XXX.XXX --push route XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX --server XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX --client-config-dir /opt/vyatta/etc/openvpn/ccd/vtun0
At the end of this long string you can find the value of the --client-config-dir parameter: /opt/vyatta/etc/openvpn/ccd/vtun0 in this case. This is our target. Change to this directory:
cd /opt/vyatta/etc/openvpn/ccd/vtun0;
This is the directory where you place your per-client rules. Basically, for each client that needs a specific IP address, you have to create a file. The filename must match the CN (common name) of the client’s X.509 certificate exactly, since OpenVPN looks the file up by the CN it sees during the TLS handshake.
— If you don’t recall its CN, I suggest decoding the client certificate. The following command extracts the CN from the certificate file (note the closing quote of the sed expression):
openssl x509 -in YOUR_CERT.crt -noout -subject | sed -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/'
Create the file using your preferred method (don’t forget to match the Common Name) and append the following content to it. Take a look at this example:
touch commonNameFile;
echo 'ifconfig-push 10.134.247.10 255.255.255.192' > commonNameFile;
This is the point where you take over and fill the file out with an IP address and netmask of your choice (address followed by netmask is the form OpenVPN expects with topology subnet, as in the example above). Make sure to avoid addresses that OpenVPN already assigns automatically from its dynamic pool, otherwise two clients can end up with the same address.
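To tie the steps together, here is an added example script (my own, not code from the original article nor from Vyatta or OpenVPN) that derives the CCD filename from the certificate subject, validates the requested address, refuses anything that falls inside the dynamic pool, and only then writes the ifconfig-push line. The CN extraction also handles the "CN = name" spacing that newer OpenSSL releases print by default, which the article’s sed pattern does not match. The ccd directory path, the client names and the pool boundaries (10.134.247.32 to 10.134.247.62) are assumptions for illustration; take the real pool range from your server configuration.

```shell
#!/bin/bash
# Added example, not code from the original article or from Vyatta/OpenVPN.
# Helpers for creating one client's CCD file on the Vyatta box.
# Assumed: the ccd directory is the --client-config-dir value found with
# `ps -ef | grep -i openvpn`, and the dynamic pool boundaries are supplied by
# the operator from the server's own configuration.

# Extract the CN from an `openssl x509 -noout -subject` line. Handles the
# classic "/C=BR/CN=name" form and the OpenSSL 1.1+ default "C = BR, CN = name".
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Accept only a plain dotted quad with four decimal octets in 0..255.
valid_ip() {
    local a b c d e o
    IFS=. read -r a b c d e <<< "$1"
    [[ -n $d && -z $e ]] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        [[ $o =~ ^[0-9]{1,3}$ ]] && (( 10#$o <= 255 )) || return 1
    done
}

# Convert a dotted quad to an integer so address ranges can be compared.
ip2int() {
    local a b c d
    IFS=. read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed when the address lies inside [start, end], i.e. among the addresses
# OpenVPN hands out automatically.
ip_in_pool() {
    local ip start end
    ip=$(ip2int "$1"); start=$(ip2int "$2"); end=$(ip2int "$3")
    (( ip >= start && ip <= end ))
}

# Write <ccd_dir>/<cn> containing an ifconfig-push line (address + netmask, the
# form used with "topology subnet"). Refuses CNs that are unsafe as filenames,
# malformed addresses, and addresses that collide with the dynamic pool.
write_ccd() {
    local ccd_dir=$1 cn=$2 ip=$3 mask=$4 pool_start=$5 pool_end=$6
    case "$cn" in
        ''|*/*|.|..) echo "refusing CN '$cn' as a filename" >&2; return 1 ;;
    esac
    valid_ip "$ip" && valid_ip "$mask" || { echo "bad address or mask: $ip $mask" >&2; return 1; }
    if ip_in_pool "$ip" "$pool_start" "$pool_end"; then
        echo "$ip is inside the dynamic pool $pool_start-$pool_end" >&2
        return 1
    fi
    printf 'ifconfig-push %s %s\n' "$ip" "$mask" > "$ccd_dir/$cn"
}

# Usage (constructed values; the certificate path is hypothetical):
#   write_ccd /opt/vyatta/etc/openvpn/ccd/vtun0 \
#       "$(cn_from_subject "$(openssl x509 -in client01.crt -noout -subject)")" \
#       10.134.247.10 255.255.255.192 10.134.247.32 10.134.247.62
```

The pool check is deliberately explicit rather than relying on OpenVPN to notice the overlap: the article’s warning about automatically assigned addresses is the failure mode this guards against, and a refused write is far easier to diagnose than two peers fighting over one tunnel address.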
Essentially, you don’t need to restart the service, since OpenVPN reads the CCD file when the client connects, but restarting is not a bad idea if needed.
That should do it.