By default OpenVPN Access Server works with Layer 3 routing mode. In this mode a private subnet is configured for the VPN client subnet. This private subnet must be different from other subnets used in your networks, and clients automatically get IP addresses assigned from this subnet when they log on. This is automated. Usually it goes in a sequential order until it reaches the end of the portion of the subnet available to the OpenVPN daemon you get connected to, and then it starts reusing older addresses. This acts a little bit like DHCP but technically we don’t run a DHCP server in Access Server, just a sort of rough emulation to assign addresses automatically. The subnet that users get addresses from automatically is found in the Admin UI under VPN Settings, Dynamic IP Address Network.
Static IP addressing (without group subnets)
You can set up a second private subnet, a different one, in the VPN Settings page in the Admin UI, in the section titled Static IP Address Network (optional). Set up a unique subnet there and the Access Server will then have a subnet it can use for static IP address assignment. See the picture below to see what this looks like:
Next go to User Permissions and select a user you want to assign a static IP address. Click show to reveal more options for this particular user, and then set Select IP addressing to use static. Now a field is revealed where you can enter an IP address that falls within the static IP address network that you specified in the VPN Settings page. Now save settings and update running servers.
That’s It! Your user will now be assigned the specified static address by OpenVPN Access Server.
Notes about subnets
The first and last IP address of each subnet in Access Server for VPN clients is always taken by Access Server itself. So if you specify the subnet 10.1.100.0/24 like in the example pictures shown above, then you should avoid assigning 10.1.100.1 and 10.1.100.253 to VPN clients.
We do not support public IP subnets for VPN client IP address assignment. We never have. OpenVPN Access Server is a virtual private network solution, meaning its VPN clients operate in a private network. If you know what you’re doing and you set up routing in specific ways, then yes, you can indeed force public IP addresses into the Access Server’s configuration, but that is a solution not supported by us.
Notes about groups
It is also possible to use group subnets instead. If you create a group, and assign it a subnet, by default that subnet is for static IP address assignment. Any users in a group that has a group subnet configured that you want to set a static IP address for, must get an IP address assigned from that group subnet. So if for example your group has a subnet 192.168.44.0/24 then users assigned to that group can get static IP addresses in that range. Note that the first and last IP address are reserved (192.168.44.1 and 192.168.44.253) by Access Server itself and so should not be assigned to VPN users.
If you want dynamic address assignment, then assuming the example just discussed, you can take a portion (or all) of the 192.168.44.0/24 and set a dynamic range for it in the group’s properties. To do this use the second field in the group to specify a range for dynamic addressing. This could be defined as 192.168.44.1-192.168.44.150 or 192.168.44.1-192.168.44.253. This way you can use a single subnet but have a portion use automatic assignment, and a portion for static IP address -- or all of it for dynamic assignment.
Regarding Layer 2 bridging
Static IP address assignment in Layer 2 mode is done by setting the IP address on the virtual network adapter of the client system.