Set a static IP address on an Ubuntu 18 or newer system

These instructions are for Ubuntu 18 and newer. If you have another operating system, please consult its documentation to learn how to set a static IP address.

Please note that this guide does not let you set an arbitrary public IP address; you cannot simply pick an address on the Internet. It has to be assigned to you by your service provider and has to be available for use before you can use it. On cloud environments you are generally not supposed to touch the operating system network configuration at all, since attaching and assigning a public IP address is in most cases handled in the cloud management web portal and not in the OS itself. But for deployments on a local or private network where you need to set a static IP for the operating system that runs the Access Server software, this guide will be useful.

We also assume that you do not use the Ubuntu program NetworkManager. If you do, and you have a GUI on your server, you may want to do it via the GUI instead. But if you have a headless system running on a physical server, or on Hyper-V, ESXi, and so on, you can use this guide to set a static IP address. The process is relatively straightforward: there is a text file that contains the configuration for your network interfaces. Adjust it to look like the sample below, changing the addresses to match your network and your desired static IP. We assume an IPv4 address because, at the time this documentation section was written, the Access Server only supported incoming OpenVPN tunnel connections on IPv4.

Changing the network interface settings could mean you lose network access to this system if you make a mistake. So be aware of this and beforehand either make a backup of your Access Server settings, make a snapshot in your hypervisor or cloud environment if possible, or see if you can get access to the (virtual) console to make corrections afterwards.

It is also important to note that if you have a DHCP server in your network, you can choose to use the DHCP reservation option there (if present) to always assign the same DHCP IP address to this server. But not all DHCP servers have this option. In such a case you can still do the static IP address assignment in the Linux server operating system itself with the instructions below, but please choose a static IP outside of the DHCP range, not inside it. Otherwise the DHCP server may consider the IP address you have chosen for your server suitable for assignment to a DHCP client, and that can cause an IP address conflict. Some networks have no DHCP server at all, and in that case you can pick any free IP you want with the instructions below.

Open the file /etc/netplan/01-netcfg.yaml in the nano text editor:

nano /etc/netplan/01-netcfg.yaml

Please note that if you do not have this file, it may be named differently. Please look around in that directory. If you do not even have the /etc/netplan directory at all, then your system may be configured to use ifupdown instead. If that is the case, consult our guide on how to use the older method instead:

If you do have /etc/netplan/01-netcfg.yaml open now, use the example file below to adjust it for static IP addressing:

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [192.168.70.2/24]
      gateway4: 192.168.70.254
      nameservers:
        addresses: [192.168.70.254]

Press Ctrl+X, then Y, and then Enter to save and exit the file.

To apply the setting, run this command:

netplan apply

In the example above, the IP address is set to 192.168.70.2 in the 192.168.70.0/24 network, with an Internet gateway and DNS server at 192.168.70.254. In some situations, if the DNS server needs to be changed and you have things set statically, you’ll need to edit /etc/resolv.conf and update it to have the correct DNS server. Without a working DNS server you’ll be able to ping IP addresses like 8.8.8.8 on the Internet, but you won’t be able to resolve and ping names like www.openvpn.net; you can fix that in the resolv.conf file. Also note that the example above has only one network interface, called eth0. If it is called something else on your system, adjust the configuration accordingly.
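As an added example (not part of the original guide and not an OpenVPN tool), the Python check below validates a planned static assignment before it is written into the netplan file: the address must be a usable host address, the gateway must sit in the same subnet, and the address must lie outside the DHCP range, as advised earlier. The function name `check_static_plan` and the DHCP pool 192.168.70.100 to 192.168.70.200 are assumptions made for illustration; the address and gateway are the ones from the sample file.

```python
import ipaddress


def check_static_plan(address_cidr, gateway, dhcp_first=None, dhcp_last=None):
    """Return a list of problems with a planned static IPv4 setup (empty = OK)."""
    problems = []
    iface = ipaddress.IPv4Interface(address_cidr)   # e.g. "192.168.70.2/24"
    net, host = iface.network, iface.ip
    gw = ipaddress.IPv4Address(gateway)

    # The network and broadcast addresses of a subnet cannot be host addresses
    # (/31 and /32 have no such reserved addresses).
    if net.prefixlen < 31 and host in (net.network_address, net.broadcast_address):
        problems.append(f"{host} is the network or broadcast address of {net}")

    # gateway4 must be directly reachable, i.e. inside the interface's subnet.
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw == host:
        problems.append(f"{host} is also configured as the gateway")

    # A static address inside the DHCP pool can later be leased to a client.
    if dhcp_first and dhcp_last:
        lo = ipaddress.IPv4Address(dhcp_first)
        hi = ipaddress.IPv4Address(dhcp_last)
        if lo > hi:
            problems.append(f"DHCP range {lo}-{hi} is reversed")
        elif lo <= host <= hi:
            problems.append(f"{host} is inside the DHCP range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # Address and gateway from the sample file; the DHCP pool is a constructed value.
    pool = ("192.168.70.100", "192.168.70.200")
    for addr in ("192.168.70.2/24", "192.168.70.150/24", "192.168.70.255/24"):
        issues = check_static_plan(addr, "192.168.70.254", *pool)
        print(addr, "->", "OK" if not issues else "; ".join(issues))
```

When working over SSH, `netplan try` can be used in place of `netplan apply`: it applies the configuration and rolls it back automatically unless you confirm it within the timeout, which limits the lockout risk mentioned earlier.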

If you have successfully changed the IP address and you can gain access to the server via SSH, but the Access Server web services are not responding, it is possible that your Access Server was configured to listen on a very specific IP address. If that address has changed, the Access Server web services won’t start. We have a guide to reset the web services and daemon ports here to resolve that issue.