OpenVPN Connection With Domain Name



  • Hi,

    I tried to look but could not find a good page with instructions on how to configure OpenVPN connection with a domain name.
    We have 2 internet circuits in the office primary and backup. I would like to configure OpenVPN connection for users to connect using a domain name something like: connect.company.com
    instead of an ip address. So in case the primary goes down the CNAME record will point the backup connection to be connect.company.com
    I have a DNS registrar provider just need to figure out how to accomplish this setup.

    Please let me know if you need more info.



  • What you're trying to do sounds like DNS Round Robin.
    You would need to make two A records for connect.company.com.
    This way connections are also being somehow load balanced to both lines.

    Anyway. In a situation of line failure it might take a quite long time for your client to "find" the other one since it's a bit of luck which IP the client will actually connect to. Also the client's DNS cache might make this problem even bigger.
    If that's not a problem that a reconnect during failure might take some time than it will probably work.
    You might want to experiment with the keepalive options in the client's config.



  • Thank you for the reply.

    Sounds like its not worth the potential disaster with this kind of setup.
    All in all the goal is to configure OpenVPN HA so i wont have to tell the users to use two different connections when they are trying to connect.
    I opened this post since in the past i worked with a company that had PaloAlto the the SSL VPN there was configured in a way that it was using a domain name and it failed over automatically once the primary went down.

    Nice feature to have i think.



  • I don't know exactly how those Palo Alto devices work but I don't think such a smooth setup won't be possible with pfSense.
    The best setup I could think of would be to have a provider independent address space, but that would mean a lot of extra effort…


  • LAYER 8 Global Moderator

    Many dns services provide failover, if IP A goes down, then fqdn points to a backup IP.. The ttl of said fqdn is normally very short 5 or even 1 minute.. So that service goes down at ip A, it would only be the length of the TTL before clients are hitting IP B via the fqdn.

    Your openvpn client can also be set to try different fqdn or even IPs.. So that if can not connect to 1st it moves to 2nd, 3rd, etc. and just works through those until it can get a connection.. Which might be a simpler solution for what your trying to accomplish.

    Off the top of my head I do not know if the export client can be set to put in more than 1 domain name or IP - so the ovpn file you give to the clients would have to be manipulated before giving to the users.



  • Apologies for the really late reply.

    Everything seems to work now. What I did was to configure my DNS with AWS Route53, gave it a few minutes and the connection started working.
    The only issue is that the OpenVPN export exports the interface IP address but it's no biggy since all the users are using the same config file since I configured it in a way that it's authenticating with active directory, sending a push for 2-factor authentication via the provider mobile app and only then they are able to connect. Pretty sweet setup and definitely answering our company security requirements.

    Thank you for your support.



  • @bond_it:

    The only issue is that the OpenVPN export exports the interface IP address

    On the client export page, change host name resolution to 'other', enter vpn.mycompany.com in the host name box, then click the 'save as default' button.


Log in to reply