Using Static IP Addressing Under Layer 2 Ethernet Bridging Mode

Introduction

Normally, OpenVPN Access Server requires a functioning DHCP server on the remote network for its Microsoft Windows clients when it is operating in Layer 2 Ethernet Bridging mode. However, this may not be feasible when your remote network does not or cannot have a DHCP server due to security concerns. In addition, Linux and Mac clients will only function when Access Server is configured using static IP addressing under the Layer 2 operating mode.

Prerequisites

In order for you to configure OpenVPN Access Server to use static IP addressing mode, all of these requirements must be met:

  • Your Access Server software is running on a platform that supports Ethernet Bridging. (As such, Access Server hosted on platforms such as OpenVZ and Hyper-V will not work.)
  • Your OpenVPN client supports the TAP Ethernet Bridging functionality.
  • Your server must be in Layer 2 Ethernet Bridging Mode (under VPN Mode -> Layer 2 (ethernet bridging))
  • Your server must not be running in Multi-Daemon mode (under Server Network Settings -> Protocol). The UDP protocol is strongly preferred over the TCP protocol in VPN setups.
  • The remote network IPs you are planning to assign to your VPN users must be in a contiguous (i.e. non-breaking) range.

Configuration

To configure Access Server in static IP addressing mode, go to the Advanced VPN section of the Web Admin UI.
Under Additional OpenVPN Config Directives (Advanced) and inside the Server Config Directives box, enter the following lines using the syntax below:

server-bridge <gw ip> <subnet mask> <start IP range> <end IP range>
push "dhcp-option DOMAIN <DNS search suffix>" - optional
push "dhcp-option DNS <dns srv 1>" - optional, only if you want to use remote DNS servers.
push "dhcp-option DNS <dns srv 2>" - optional, only if you want to use remote DNS servers.
push "dhcp-option DNS <dns srv ...>" - optional, only if you want to use remote DNS servers.

Note: DNS options are only recognized in Windows and Mac (Access Server specific) clients. Linux support for DNS options is not implemented at this time.

For example, if you have a remote network with the following characteristics:
Reserved VPN IP Range: 192.168.1.100 - 192.168.1.130
Subnet Mask: 255.255.255.0
Gateway IP Address: 192.168.1.1
DNS search suffix: somecompany.com
DNS Server 1: 4.2.2.1
DNS Server 2: 4.2.2.2
DNS Server 3: 4.2.2.3

You would enter the following in the aforementioned text box:

server-bridge 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.130
push "dhcp-option DOMAIN somecompany.com"
push "dhcp-option DNS 4.2.2.1"
push "dhcp-option DNS 4.2.2.2"
push "dhcp-option DNS 4.2.2.3"

Afterwards, click Save Settings and Update Running Server to apply your changes.
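
As an added example (not part of the original page and not Access Server code), the following Python sketch checks a planned address pool before the directives are pasted into the Server Config Directives box: the range must be contiguous, inside the gateway's subnet, and must not cover the gateway or an address already in use on the bridged LAN. The function name and the in_use list are assumptions made for illustration; each pushed option is emitted as a single quoted argument, which is the form OpenVPN's config parser expects.

```python
import ipaddress


def build_bridge_directives(gateway, netmask, pool_start, pool_end,
                            domain=None, dns_servers=(), in_use=()):
    """Validate a server-bridge pool and return the directive lines.

    in_use is a hypothetical list of addresses already statically
    assigned on the bridged LAN; the page does not define such a list.
    """
    # Derive the bridged subnet from the gateway address and mask.
    net = ipaddress.IPv4Network(f"{gateway}/{netmask}", strict=False)
    gw = ipaddress.IPv4Address(gateway)
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)

    if start > end:
        raise ValueError("pool start is above pool end")
    for addr in (start, end):
        if addr not in net:
            raise ValueError(f"{addr} is outside {net}")
    if start <= net.network_address or end >= net.broadcast_address:
        raise ValueError("pool includes the network or broadcast address")
    if start <= gw <= end:
        raise ValueError("pool includes the gateway address")
    clashes = [a for a in map(ipaddress.IPv4Address, in_use)
               if start <= a <= end]
    if clashes:
        raise ValueError(f"pool overlaps addresses in use: {clashes}")

    lines = [f"server-bridge {gw} {net.netmask} {start} {end}"]
    if domain:
        lines.append(f'push "dhcp-option DOMAIN {domain}"')
    for dns in dns_servers:
        # Parsing each DNS entry rejects typos before they reach clients.
        lines.append(f'push "dhcp-option DNS {ipaddress.IPv4Address(dns)}"')
    return lines


if __name__ == "__main__":
    # Values taken from the worked example on this page.
    for line in build_bridge_directives(
            "192.168.1.1", "255.255.255.0",
            "192.168.1.100", "192.168.1.130",
            domain="somecompany.com",
            dns_servers=["4.2.2.1", "4.2.2.2", "4.2.2.3"]):
        print(line)
```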