Netgate Discussion Forum
    OpenVPN Connection With Domain Name

    Category: OpenVPN | 7 Posts, 4 Posters, 1.4k Views
    bond_it:

      Hi,

      I tried to look but could not find a good page with instructions on how to configure an OpenVPN connection with a domain name.
      We have 2 internet circuits in the office, primary and backup. I would like to configure the OpenVPN connection for users to connect using a domain name, something like: connect.company.com
      instead of an IP address. So in case the primary goes down, the CNAME record will point connect.company.com to the backup connection.
      I have a DNS registrar provider; I just need to figure out how to accomplish this setup.

      Please let me know if you need more info.

      junicast:

        What you're trying to do sounds like DNS Round Robin.
        You would need to make two A records for connect.company.com.
        This way connections are also being somehow load balanced to both lines.

        Anyway. In a situation of line failure it might take quite a long time for your client to "find" the other one, since it's a bit of luck which IP the client will actually connect to. Also the client's DNS cache might make this problem even bigger.
        If it's not a problem that a reconnect during a failure might take some time, then it will probably work.
        You might want to experiment with the keepalive options in the client's config.

        bond_it:

          Thank you for the reply.

          Sounds like it's not worth the potential disaster with this kind of setup.
          All in all the goal is to configure OpenVPN HA so I won't have to tell the users to use two different connections when they are trying to connect.
          I opened this post since in the past I worked with a company that had PaloAlto, and the SSL VPN there was configured in a way that it was using a domain name and it failed over automatically once the primary went down.

          Nice feature to have, I think.

          junicast:

            I don't know exactly how those Palo Alto devices work, but I don't think such a smooth setup will be possible with pfSense.
            The best setup I could think of would be to have a provider independent address space, but that would mean a lot of extra effort…

            johnpoz (LAYER 8 Global Moderator):

              Many DNS services provide failover: if IP A goes down, then the FQDN points to a backup IP. The TTL of said FQDN is normally very short, 5 or even 1 minute. So if that service goes down at IP A, it would only be the length of the TTL before clients are hitting IP B via the FQDN.

              Your OpenVPN client can also be set to try different FQDNs or even IPs, so that if it cannot connect to the 1st it moves to the 2nd, 3rd, etc. and just works through those until it can get a connection. Which might be a simpler solution for what you're trying to accomplish.

              Off the top of my head I do not know if the export client can be set to put in more than 1 domain name or IP, so the .ovpn file you give to the clients would have to be manipulated before giving it to the users.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11
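An added example client config (not from this thread, and not what the pfSense client export produces) that combines the two ideas above: several `remote` lines that OpenVPN works through in order, plus keepalive so a dead tunnel is restarted and the FQDN is re-resolved. connect.company.com comes from the thread; the backup hostname, port, protocol, certificate file names and the server certificate name are assumed placeholders.

```conf
# Example client.ovpn (constructed for illustration, not exported from pfSense)
client
dev tun
proto udp
nobind
persist-key
persist-tun

# Primary and backup endpoints. OpenVPN tries them top to bottom and
# moves on when one does not answer. Uncomment remote-random to shuffle
# the order on every start, which behaves like DNS round robin.
remote connect.company.com 1194 udp
remote connect-backup.company.com 1194 udp   # placeholder backup FQDN
# remote-random

# Keep retrying the DNS lookup instead of exiting when the name does not
# resolve (e.g. the primary circuit and its resolver are both down).
resolv-retry infinite
# Seconds to wait for a server reply before trying the next remote
# (the default of 120 s is slow for a failover scenario).
server-poll-timeout 20
# Seconds between reconnection attempts to the same remote.
connect-retry 5

# Dead-tunnel detection: ping every 10 s, restart after 60 s of silence.
# A restart re-resolves the hostname (persist-remote-ip is NOT set), so a
# changed failover record is picked up once its short TTL expires.
keepalive 10 60

# Credentials: username/password (AD + MFA push as in the thread) plus
# per-client certificate; file names are placeholders.
auth-user-pass
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

# Whichever IP the FQDN resolves to, only accept a peer whose certificate
# carries the server extended key usage, so a stray or hijacked DNS answer
# cannot be served by an arbitrary certificate from the same CA.
remote-cert-tls server
# Optionally pin the expected server certificate CN (placeholder value).
verify-x509-name "vpn-server-cert-cn" name
```

With dotdash's export setting below ("other" host name resolution), the exported file already carries the first `remote` line; the second one is the part that has to be added by hand.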

              bond_it:

                Apologies for the really late reply.

                Everything seems to work now. What I did was to configure my DNS with AWS Route53, gave it a few minutes, and the connection started working.
                The only issue is that the OpenVPN export exports the interface IP address, but it's no biggy since all the users are using the same config file. I configured it in a way that it's authenticating with Active Directory, sending a push for 2-factor authentication via the provider's mobile app, and only then are they able to connect. Pretty sweet setup and definitely answering our company security requirements.

                Thank you for your support.

                dotdash:

                  @bond_it:

                  The only issue is that the OpenVPN export exports the interface IP address

                  On the client export page, change host name resolution to 'other', enter vpn.mycompany.com in the host name box, then click the 'save as default' button.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.