First, love the tutorial, thank you very much.
I’d like to always assign the same IP to specific clients, is this possible?

2 answers

So, following up on previous comments and reading the Strongswan docs on Responder Configuration in a bit more detail, it sounds like you can configure clients with static IPs using this setting on the server:

rightsourceip=%config

Along with this setting on the client based on the Initiator Configuration option that I mentioned previously:

leftsourceip=<your desired static ip here>

The commentary on the responder section states that:

Alternatively, the responder may define the following to let the client choose an address. This is not recommended if the client is not completely trusted.

Since it sounds like you trust all your clients, try specifying a static IP in the client’s leftsourceip setting. The rightsourceip=%config should ensure that Strongswan will accept the client’s request.

Do note that you’ll need to keep track of which client has which static IP, since Strongswan won’t be keeping track of which is assigned or duplicated.

  • sounds like that should do the trick… 🤔 (of course, after reading the documentation myself as well 🙈)

    will try out, but probably not before Monday, will report back

    thanks a lot (again) 🍺
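
The bookkeeping the first answer calls for, as an added example that is not part of the original thread or of strongSwan: a Python check that reads each client's leftsourceip and flags addresses claimed by more than one client or lying outside the 10.10.10.0/24 pool mentioned in this thread. The client names and config contents are constructed sample data, and having all client configs available in one place is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

POOL = ipaddress.ip_network("10.10.10.0/24")  # VPN pool named in the thread

# Constructed sample data: client name -> contents of that client's ipsec.conf
SAMPLE_CONFIGS = {
    "laptop": "conn vpn\n    left=%defaultroute\n    leftsourceip=10.10.10.20\n",
    "phone": "conn vpn\n    leftsourceip=10.10.10.21  # static\n",
    "tablet": "conn vpn\n    leftsourceip=10.10.10.20\n",
    "kiosk": "conn vpn\n    leftsourceip=192.168.1.5\n",
    "guest": "conn vpn\n    leftsourceip=%config\n",
}

# Matches active leftsourceip lines only; lines commented out with '#' are skipped.
_SOURCEIP = re.compile(r"^[ \t]*leftsourceip[ \t]*=[ \t]*([^\s#]+)", re.MULTILINE)

def requested_ips(conf_text):
    """Return every leftsourceip value (comma-separated lists are split)."""
    values = []
    for match in _SOURCEIP.finditer(conf_text):
        values.extend(v for v in match.group(1).split(",") if v)
    return values

def audit(configs, pool=POOL):
    """Return (client, value, problem) tuples for bad or clashing static IPs."""
    owners = defaultdict(list)
    findings = []
    for client, text in sorted(configs.items()):
        for value in requested_ips(text):
            if value.startswith("%"):  # %config and friends: server chooses
                continue
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                findings.append((client, value, "not an IP address"))
                continue
            if addr not in pool:
                findings.append((client, value, "outside pool"))
            else:
                owners[addr].append(client)
    for addr, clients in sorted(owners.items()):
        if len(clients) > 1:  # server accepts both requests, so catch it here
            findings.append((",".join(clients), str(addr), "duplicate"))
    return findings

if __name__ == "__main__":
    for who, value, problem in audit(SAMPLE_CONFIGS):
        print(f"{problem:18} {value:15} {who}")
```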

Hello,

In general, the moment you create a Droplet, you will be assigned a Static IPv4 address automatically. Similarly, when you destroy the Droplet, the IP address will be disassociated and will join the IP pool table. There is no way you can have one more Static IP address to the Droplet or assign/retain the same Static IP on our platform. Really sorry for the inconvenience!

However, you can use the provision of Floating IP on our platform. This allows you to assign one more IPv4 address, and it can also be moved between Droplets in the same account. Refer to the links below, which provide some insights on Floating IP:

https://www.digitalocean.com/docs/networking/floating-ips/
https://www.digitalocean.com/docs/networking/floating-ips/how-to/

You can also start using IPv6; please refer to the links below:

https://www.digitalocean.com/docs/networking/ipv6/
https://www.digitalocean.com/docs/networking/ipv6/how-to/

Hope this helps!

Regards,
Sri Charan

  • Of course, I know static IPs are assigned to individual droplets by default, I have been using IPv6 on my servers for quite some years now, have full IPv6 at home, …

    What I’m asking about is assigning the same private IP from the “10.10.10.0/24” pool of addresses to a specific VPN client that connects to the VPN server.
    It’s a follow-up question to the tutorial I’m posting under, it has nothing to do with the droplets networking as such.

    • Although I haven’t done it myself, what you’re after is possible with the eap-radius plugin. Again, the mechanics of implementing it are beyond my experience, but these two right side directives will be the place to start:

       rightsourceip=%radius
       rightauth=eap-radius
      

      You’ll need a Radius server of some sort, which will then hand out a static IP to a client, like in this example: https://www.strongswan.org/uml/testresults/ikev2/rw-eap-framed-ip-radius/alice.clients.conf

      From reading the Strongswan docs, it sounds like it is possible for a client to just assign itself an IP and essentially hope for the best:

      https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp#Initiator-Configuration

      But note the caveat there that the responder (the server) may not honour the request.

      So for the most reliable and scalable static IP assignment, the eap-radius approach is the one to use.

      Hope this helps?

      • Not the answer I was hoping for 😅 but yes, it does, thank you very much 🍺

        Will give it a go, and see how many times I’ll have to restore my droplet 😉
        Really don’t feel like setting up a radius server 🙈

        Still, thanks. A shame you answered as a reply to my comment, as I can’t mark the answer as the accepted one 🤷‍♂️
