Open VPN on CARP IP



  • Hi
    I have an Open VPN setup in pfSense. The Open VPN has been configured in such a way that it works only when the primary firewall is active. So, to make use of the high availability options, I have planned to add the VIP as the interface IP under Open VPN instead of the firewall's WAN interface IP.

    So do we need to reissue the certificates to end users if we change the interface IP in the Open VPN configuration?



  • You should be able to go into the OpenVPN instance and change the interface to the CARP. No need to touch the clients.


  • LAYER 8 Netgate

    If the clients are configured to connect to the IP address of the interface and not the VIP you will need to:

    Change the server to listen on the VIP
    Probably generate a new server certificate containing the proper IP address as the CN
    Probably re-issue client configurations to connect to the new IP address

    If they are configured to connect to an FQDN just change the A record to the VIP and tell the OpenVPN server to listen on that instead.

    DNS FTW.
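
Added example, not part of the original thread: one way to check exported client configs and see which of the cases in the reply above applies before moving the server to the VIP. The addresses, hostname and file names are constructed sample values, and the parser handles only the `remote` directive.

```python
import ipaddress
import re

# Constructed sample values (documentation address range), not from the thread.
OLD_WAN_IP = ipaddress.ip_address("198.51.100.2")  # assumed primary WAN address
CARP_VIP = ipaddress.ip_address("198.51.100.1")    # assumed CARP virtual IP

def remotes(config_text):
    """Yield (host, port, proto) for each active `remote` line in a client config."""
    for raw in config_text.splitlines():
        # Simplification: treat everything after '#' or ';' as a comment.
        parts = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if len(parts) >= 2 and parts[0] == "remote":
            port = parts[2] if len(parts) > 2 else "1194"
            proto = parts[3] if len(parts) > 3 else None
            yield parts[1], port, proto

def classify(host):
    """Say whether a remote target is the VIP, the old WAN IP, another IP or a name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "fqdn"
    if ip == CARP_VIP:
        return "vip"
    return "old-wan-ip" if ip == OLD_WAN_IP else "other-ip"

def audit(configs):
    """Map each config name to: reissue, dns-only, ok or review."""
    actions = {}
    for name, text in configs.items():
        kinds = {classify(host) for host, _, _ in remotes(text)}
        if "old-wan-ip" in kinds:
            actions[name] = "reissue"    # client points at the interface IP
        elif not kinds or "other-ip" in kinds:
            actions[name] = "review"     # no remote, or an unexpected address
        elif "fqdn" in kinds:
            actions[name] = "dns-only"   # repoint the A record at the VIP
        else:
            actions[name] = "ok"         # already connects to the VIP
    return actions

# Constructed client configs for illustration.
SAMPLES = {
    "alice.ovpn": "client\ndev tun\nremote 198.51.100.2 1194 udp\n",
    "bob.ovpn": "client\nremote vpn.example.com 1194\n",
    "carol.ovpn": "client\n;remote 198.51.100.2 1194\nremote 198.51.100.1 443 tcp\n",
}

if __name__ == "__main__":
    for name, action in audit(SAMPLES).items():
        print(f"{name}: {action}")
```
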



  • Many thanks for your replies.

