Assign a Static IP to a Specific OpenVPN User on ASUS Merlin

When you run an OpenVPN server on an ASUS router with Merlin firmware, it is often useful to make sure that a specific remote user always receives the same VPN IP address. This is especially helpful for remote administration, firewall rules, access control, device identification, logging, and services that depend on a predictable client address.

This guide explains, at a beginner-friendly level, how static VPN IP assignment works on ASUS Merlin, what information is required, and how to configure it safely.

Why assign the same VPN IP to a user

By default, OpenVPN usually assigns client IP addresses dynamically from a VPN address pool. That works well for general access, but it can create problems when you want consistency.

A fixed VPN IP can help with:

  • allowing a specific remote laptop or user to access internal services
  • creating firewall rules for one VPN client only
  • simplifying logs and monitoring
  • making port forwarding or routing rules easier to manage
  • identifying devices more clearly inside the VPN network

For example, if one employee always connects from a company laptop, you may want that client to always receive 10.8.0.25 instead of a random address from the VPN pool.

How static IP assignment works in OpenVPN

OpenVPN can assign a dedicated IP address to a client by matching that client’s identity and then pushing a specific IP configuration when the client connects.

In most cases, this identity is based on the Common Name (CN) from the client certificate. When the VPN server sees a connection from that known client identity, it applies a special rule and assigns the predefined IP address.

This is usually done through one of these methods:

  • a built-in graphical interface in the router firmware
  • client-specific rules
  • a client configuration directory, often called ccd

On ASUS Merlin, the easiest approach is typically to use the router interface if it exposes client-specific OpenVPN options.

Using the ASUS Merlin interface

On many ASUS Merlin builds, the OpenVPN server page includes a section for client-specific settings. The exact name can vary slightly depending on firmware version, but it usually appears under the VPN server settings.

A typical flow looks like this:

  1. Open the router admin panel.
  2. Go to VPN.
  3. Open OpenVPN Server.
  4. Enable the VPN server if it is not already active.
  5. Find the section for client-specific rules or options.
  6. Add a rule for the target client.
  7. Match that rule to the client identity, usually the certificate Common Name.
  8. Assign the desired static VPN IP.

For example, if the VPN subnet is 10.8.0.0/24, you might reserve 10.8.0.25 for one specific user.

Choosing the correct IP address

The fixed IP must belong to the VPN subnet used by your OpenVPN server.

If your VPN network is:

10.8.0.0/24

then a valid client IP might be:

10.8.0.25

However, you should avoid:

  • the server’s own VPN IP
  • network or broadcast addresses
  • addresses already assigned to other static clients
  • addresses that overlap badly with your dynamic pool design

A clean approach is to separate static and dynamic assignments. For example:

  • static clients: 10.8.0.10 to 10.8.0.50
  • dynamic clients: 10.8.0.100 to 10.8.0.200

This makes the VPN environment easier to maintain and reduces the chance of conflicts.

Identifying the correct client

The most important part of static IP assignment is matching the right client identity.

In OpenVPN, this is commonly the client certificate’s Common Name. If you assign the rule to the wrong name, the client will not receive the expected IP.

You can usually identify the correct client name by checking:

  • the certificate name used during client generation
  • the OpenVPN logs on the router
  • exported client profiles
  • connection logs that display the client identity

In logs, the client identifier often appears alongside connection details. That value is usually the one you must reference in the static mapping rule.

Manual configuration with client-specific files

In standard OpenVPN setups, static assignment is often configured with a client configuration directory. This method may also be relevant on Merlin depending on your setup and how much manual customization you want.

The OpenVPN server configuration may include something like:

client-config-dir /jffs/openvpn/ccd

Then, inside that directory, you create a file named exactly after the client’s Common Name.

For example, if the client Common Name is:

office_laptop

you create a file like:

/jffs/openvpn/ccd/office_laptop

and place this line inside:

ifconfig-push 10.8.0.25 255.255.255.0

This tells OpenVPN to assign that exact IP to that exact client.

Even if Merlin offers a graphical method, understanding the manual structure helps when troubleshooting advanced configurations.

Example scenario

Assume the VPN network is:

10.8.0.0/24

You want the client identified as:

daria_laptop

to always receive:

10.8.0.25

The logic behind the configuration is equivalent to:

ifconfig-push 10.8.0.25 255.255.255.0

After the rule is saved and the client reconnects, that user should consistently receive the same VPN address.

Common problems and how to avoid them

Wrong client name

If the rule is based on the wrong Common Name, the static assignment will not work. Always verify the exact identity used by the VPN server.

IP conflicts

If the same static IP is assigned to multiple clients, or if it overlaps carelessly with other assignments, clients may fail to connect properly or behave unpredictably.

Using the wrong subnet

The fixed address must belong to the VPN subnet, not your router LAN subnet. A VPN client IP and a local LAN IP are not the same thing.

One shared certificate for many users

If multiple users connect with the same certificate identity, static assignment becomes unreliable because the server cannot distinguish them properly. Unique client certificates are the safer design.

Rule not applied until reconnect

Sometimes the client must disconnect and reconnect after the change. In some cases, restarting the OpenVPN server on the router can also help.

Best practices for stable OpenVPN client IP assignment

A good long-term setup usually includes:

  • a dedicated certificate for each user or device
  • a documented list of reserved VPN IP addresses
  • clear separation between static and dynamic ranges
  • meaningful client names such as office_laptop, admin_phone, or home_pc
  • regular review of old or unused client mappings

This makes future maintenance much easier, especially if the VPN environment grows over time.

When static VPN IP assignment is useful

This feature is especially useful in environments such as:

  • remote office access
  • home lab management
  • small business routers
  • access to NAS devices
  • internal web dashboards
  • SSH or RDP access over VPN
  • per-user firewall rules

For example, if only one remote admin should access a particular internal server, assigning a fixed VPN IP makes security rules more predictable and easier to audit.

Final thoughts

Assigning the same IP address to a specific OpenVPN user on ASUS Merlin is a practical and reliable way to make remote access easier to control. The key idea is simple: identify the client correctly, reserve a valid IP inside the VPN subnet, and create a client-specific rule so that the same address is always assigned.

For most home and small business use cases, the router interface is the simplest method. For more advanced scenarios, manual client-specific configuration provides additional control.

A well-planned static IP structure can make VPN administration cleaner, safer, and much easier to troubleshoot.

 

This article is inspired by real-world challenges we tackle in our projects. If you're looking for expert solutions or need a team to bring your idea to life,

Let's talk!

    Please fill your details, and we will contact you back

    Related Posts

    In:

    How to Add a Circular Gradient to an Android Vector Drawable: A UI Design Guide

    In:

    How to Fix the “’capacitor-google-map’ Is Not a Known Element” Error in Angular

    In:

    Restricting Android App Access to Phones Only (Excluding Tablets)

      Please fill your details, and we will contact you back