Open VPN on CARP IP
I have a Open VPN setup in pfsense. The Open VPN has been configured in such a way that it is working only when the primary firewall is active.So to avail the high availability options i have planned to add the interface IP as VIP instead of firewall's WAN interface ip under Open VPN.
So do we need to reissue the certificates to end users if we change the interface ip in the Open VPN configuration?
You should be able to go into the OpenVPN instance and change the interface to the CARP. No need to touch the clients.
If the clients are configured to connect to the IP address of the interface and not the VIP you will need to:
Change the server to listen on the VIP
Probably generate a new server certificate containing the proper IP address as the CN
Probably re-issue client configurations to connect to the new IP address
If they are configured to connect to an FQDN just change the A record to the VIP and tell the OpenVPN server to listen on that instead.
Many thanks for your replies.