Skip to content

How to assign a fixed ip-address to an openvpn user / lan-to-lan connection?

Taking into account you have already a working Openvpn server, follow the steps bellow to configure static ip address to Openvpn users:

1. Create a folder called ccd inside /etc/openvpn/.

#mkdir /etc/openvpn/ccd

2. Add the following line to the openvpn server configuration file:

client-config-dir ccd

3. In /etc/openvpn/ccd/ you will create one file for each user you want to have a fixed ip address. You must name the file exactly as the “common name” of the user certificate file. If you don’t know what is in his “common name” just run the following command to find it. It is right on the top, look for CN=user.

# root@srv-openvpn:~/openvpn/keys# openssl x509 -in user.crt -text |grep -i 'CN='|grep -i "Subject"

PS: in case the CN name has white spaces the file name will have to be created using “_”. eg. CN=Leo B the file name will be Leo_B.
4. Once created open the file and add the following line:


Use your own network of course. You can add ordinary Openvpn parameters into this file if you want. For example you can push another gateway for this specific user.

5. Restart Openvpn server and check whether the user has acquired the specified ip address.
And there we go!

Good luck!
Leonardo Borda

Posted in Knowledge Base.

Tagged with .

2 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Morten André Steinsland says


    Thanks, now i finally have static IP’s on clients! I was trying to set the clients to – 10, not knowing they had to be .5 .9 and so on.

    But now i’m unable to ping the server at it’s usual vpn ip ( from a client, or connect in any way. Any idea what i’m doing wrong?

  2. Evgeny says

    Check the firewall, 99% cases it is blocking traffic.
    iptables -A INPUT -i tun+ -j ACCEPT – gives you access to the host,
    iptables -A FORWARD -i tun+ -j ACCEPT – lan behind the vpn server access rule. See FAQ on openvpn, it’s useful.


Some HTML is OK

or, reply to this post via trackback.