Configure a static IP so that you will always be assigned the same VPN IP address based on your username
SSH into Router
Open your router at 192.168.0.1 (or whichever gateway you're using)
Administration > System > Enable SSH > LAN only
Open SSH client of choice
Windows - Use Windows PowerShell
Mac - Use Terminal
SSH into router by typing the following command (change your username to whichever you use when logging in, and IP address to your default gateway)
ssh admin@192.168.0.1
Enter your password when prompted
Create Script
- Create a scripts folder in '/jffs/scripts'
mkdir -p /jffs/scripts; cd /jffs/scripts
- Create new file 'clientconnect.sh'
cat > clientconnect.sh
- Enter this script: (explanation later)
#!/bin/bash
# OpenVPN sets $username and passes a temporary config file path as $1
if [ "$username" = "test" ]; then
    echo "ifconfig-push 10.8.0.18 10.8.0.17" >> "$1"
elif [ "$username" = "test2" ]; then
    echo "ifconfig-push 10.8.0.22 10.8.0.21" >> "$1"
fi
Save by pressing Enter, then Ctrl-D
- Verify that the script has been saved. You should see the full code.
cat clientconnect.sh
- Grant execution permissions
chmod +x clientconnect.sh
Execute script on connect
VPN > OpenVPN > VPN Details > Advanced Settings
- Enter this code under "Custom Configurations"
script-security 2
--client-connect /jffs/scripts/clientconnect.sh
Apply
Connect to OpenVPN
Create two OpenVPN users
User 1: test
User 2: test2
Connect to OpenVPN with both accounts using your OpenVPN client of choice
You should be connected to 10.8.0.18 with test, and 10.8.0.22 with test2
Modifying the script
If you wish to add more users, simply copy the "elif then echo" block and change the IP address and username.
#!/bin/bash
# One branch per user; $1 is the temporary file OpenVPN reads back
if [ "$username" = "test" ]; then
    echo "ifconfig-push 10.8.0.18 10.8.0.17" >> "$1"
elif [ "$username" = "test2" ]; then
    echo "ifconfig-push 10.8.0.22 10.8.0.21" >> "$1"
elif [ "$username" = "test3" ]; then
    echo "ifconfig-push 10.8.0.26 10.8.0.25" >> "$1"
elif [ "$username" = "test4" ]; then
    echo "ifconfig-push 10.8.0.30 10.8.0.29" >> "$1"
fi
The last octet of the first IP must be a multiple of 4, plus 2 (18, 22, 26, 30...), and the second IP must be one lower than the first (17, 21, 25, 29...).
I suggest avoiding the lower IPs to prevent collisions, as OpenVPN assigns lower numbers first (it starts from 10.8.0.6).
If you wish to change the username, simply replace 'test' or 'test2' with the username of your choice.
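A table-driven variant of the client-connect hook, as an added example that is not the author's script: usernames are matched by exact string comparison (since $username is client-supplied), the multiple-of-4-plus-2 rule above is checked before anything is written, and a subnet mode emits a netmask, which one commenter below found necessary. MAP, TOPOLOGY, NETMASK and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the article's script. MAP, TOPOLOGY and NETMASK are
# assumptions; the table rows are constructed sample data.
TOPOLOGY=net30            # set to match the server's "topology" option
NETMASK=255.255.255.0     # assumed /24 tunnel network (10.8.0.0/24)
MAP='test 10.8.0.18
test2 10.8.0.22
misaligned 10.8.0.20'

# lookup_ip USER: print the mapped IP. $username is supplied by the
# connecting client, so it is compared as an exact string and never used
# as a regex, glob or eval input.
lookup_ip() {
    printf '%s\n' "$MAP" | while read -r name ip; do
        if [ "$name" = "$1" ]; then
            printf '%s\n' "$ip"
            break
        fi
    done
}

# push_line USER TOPOLOGY: print the ifconfig-push directive or return 1.
push_line() {
    ip=$(lookup_ip "$1")
    [ -n "$ip" ] || return 1          # unknown user: no static address
    last=${ip##*.}
    case "$2" in
        subnet)   # second argument is a netmask in this topology
            printf 'ifconfig-push %s %s\n' "$ip" "$NETMASK" ;;
        net30)    # article's rule: octet is 4k+2, peer is one lower
            [ $((last % 4)) -eq 2 ] || return 1
            printf 'ifconfig-push %s %s.%s\n' "$ip" "${ip%.*}" $((last - 1)) ;;
        *) return 1 ;;
    esac
}

# Hook entry point: OpenVPN exports $username and passes a temp file as $1.
# A non-zero exit from a client-connect script makes OpenVPN refuse the
# client, so exit 0 and let unmapped users fall back to a pool address.
if [ -n "${1:-}" ] && [ -n "${username:-}" ]; then
    line=$(push_line "$username" "$TOPOLOGY") && printf '%s\n' "$line" >> "$1"
    exit 0
fi
```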
Top comments (6)
Hi, I followed your steps, but if I activate the script in the router
script-security 2
--client-connect /jffs/scripts/clientconnect.sh
I can't connect from clients; it always says user authentication failed, and if I remove the script it connects fine. What is happening? Can you help me please?
Perhaps the error is that the router does not have bash. Try replacing #!/bin/bash with #!/bin/sh
On my RT-AC58U it did the trick.
Hi, I followed instructions and I think I am basically there but I run into an issue where I can't connect after I enable. Note that everything works fine (server is running etc.) if I don't use the script (i.e. I can connect multiple clients, no issues, with dynamic VPN addresses 10.8.0.2 etc.)
I used the script exactly as shown with the same custom config as above:
script-security 2
--client-connect /jffs/scripts/clientconnect.sh
I am using the script with /sh and not /bash. Running latest Merlin on Asus Router AX88U.
I get an ECONNREFUSED error... the rest seems fine I think (though I am intermediary at this stuff at best).
Here is my log (I modified my public IP and login ID):
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 TLS: Initial packet from [AF_INET]80.45.135.65:62920 (via [AF_INET]91.133.25.56%eth0), sid=12971714 0ee6aadb
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AX88U, emailAddress=me@asusrouter.lan
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress=me@asusrouter.lan
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_VER=3.git::58b92569
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_PLAT=ios
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_NCP=2
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_TCPNL=1
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_PROTO=2
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_SSO=openurl
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 peer info: IV_BS64DL=1
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 TLS: Username/Password authentication succeeded for username 'bobbarker'
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1541'
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
Apr 3 11:35:14 ovpn-server1[6149]: 80.45.135.65:62920 [client] Peer Connection Initiated with [AF_INET]80.45.135.65:62920 (via [AF_INET]91.133.25.56%eth0)
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_7a70e4845c391ec1.tmp
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI: Learn: 10.8.0.22 -> client/80.45.135.65:62920
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 MULTI: primary virtual IP for client/80.45.135.65:62920: 10.8.0.22
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Data Channel: using negotiated cipher 'AES-256-GCM'
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 PUSH: Received control message: 'PUSH_REQUEST'
Apr 3 11:35:14 ovpn-server1[6149]: client/80.45.135.65:62920 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.50.0 255.255.255.0 vpn_gateway 500,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.22 10.8.0.21,peer-id 1,cipher AES-256-GCM' (status=1)
Apr 3 11:35:14 ovpn-server1[6149]: read UDPv4 [CMSG=8|ECONNREFUSED]: Connection refused (code=111)
Any help would be greatly appreciated...
Tks.
I found my answer... no idea why but I have to use 10.8.0.18 255.255.255.0 in the script instead of 10.8.0.18 10.8.0.19 in the push command.
I tried IP ends with [100,99] and it was not working in Windows. But [102,101] works.
openvpn.net/community-resources/co...
Refer to the openvpn manual, the last octet in the IP address of each endpoint pair must be taken from the following sets:
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]
it worked perfectly