Assigning a static VPN client IP address to a user

Address assignment

By default OpenVPN Access Server works with Layer 3 routing mode. In this mode a private subnet is configured for the VPN client subnet. This private subnet must be different from other subnets used in your networks, and clients automatically get IP addresses assigned from this subnet when they log on. This is automated. Usually it goes in a sequential order until it reaches the end of the portion of the subnet available to the OpenVPN daemon you get connected to, and then it starts reusing older addresses. This acts a little bit like DHCP but technically we don't run a DHCP server in Access Server, just a sort of rough emulation to assign addresses automatically. The subnet that users get addresses from automatically is found in the Admin UI under VPN Settings, Dynamic IP Address Network.

Static IP addressing (without group subnets)

You can set up a second private subnet, a different one, in the VPN Settings page in the Admin UI, in the section titled Static IP Address Network (optional). Set up a unique subnet there and the Access Server will then have a subnet it can use for static IP address assignment. See the picture below to see what this looks like:

Static IP addressing

Next go to User Permissions and select a user you want to assign a static IP address. Click show to reveal more options for this particular user, and then set Select IP addressing to use static. Now a field is revealed where you can enter an IP address that falls within the static IP address network that you specified in the VPN Settings page. Now save settings and update running servers.

access server user permissions

That's It! Your user will now be assigned the specified static address by OpenVPN Access Server.

Notes about subnets

The first and last IP address of each subnet in Access Server for VPN clients is always taken by Access Server itself. So if you specify the subnet like in the example pictures shown above, then you should avoid assigning and to VPN clients.

We do not support public IP subnets for VPN client IP address assignment. We never have. OpenVPN Access Server is a virtual private network solution, meaning its VPN clients operate in a private network. If you know what you're doing and you set up routing in specific ways, then yes, you can indeed force public IP addresses into the Access Server's configuration, but that is a solution not supported by us.

Notes about groups

It is also possible to use group subnets instead. If you create a group, and assign it a subnet, by default that subnet is for static IP address assignment. Any users in a group that has a group subnet configured that you want to set a static IP address for, must get an IP address assigned from that group subnet. So if for example your group has a subnet then users assigned to that group can get static IP addresses in that range. Note that the first and last IP address are reserved ( and by Access Server itself and so should not be assigned to VPN users.

If you want dynamic address assignment, then assuming the example just discussed, you can take a portion (or all) of the and set a dynamic range for it in the group's properties. To do this use the second field in the group to specify a range for dynamic addressing. This could be defined as This way you can use a single subnet but have a portion use automatic assignment, and a portion for static IP address. You could also define it as so all of it is used for dynamic assignment.

Regarding Layer 2 bridging

Static IP address assignment in Layer 2 mode is done by setting the IP address on the virtual network adapter of the client system.