OpenVPN and Dynamic IP
-
We are running pfsense in two offices now. Those offices are interconnected with Site-to-Site OpenVPN. The main office uses Static IP (server); the second one uses DHCP to get its public IP.
Question: do we absolutely have to use Static IP at the Main office (OpenVPN server side)?
Is it possible to type the DDNS-assigned FQDN instead of IP into "server" setting at the Client?
-
Yes, as long as the host name is consistent. I do that with my home network. My IPv4 address is DHCP, though changes rarely. The host name, based on modem & firewall MAC addresses, changes only if I change hardware. So, I have OpenVPN configured to use the host name. Works well.
-
Thank you JKnott
I was thinking - what if I set up a free DDNS provider and then use the DDNS name instead of the ISP-assigned name? This should do the same thing?
-
@strannik said in OpenVPN and Dynamic IP:
Thank you JKnott
I was thinking - what if I set up a free DDNS provider and then use the DDNS name instead of the ISP-assigned name? This should do the same thing?
As long as the name points to the IP address, it will work. You can have as many names as you want, all resolving to the same IP. In fact, I do that too. I mentioned the MAC based host name. That name is fairly long, so I set up a DNS alias, on my own domain, that points to that long host name, which points to the IPv4 address.
-
Thanks again JKnott.
So I will use DNS name instead of numeric IP address to "aim" OpenVPN client to the server.
Question: what happens when the ISP changes my server-side IP? Do I have to restore the VPN connection manually or will it reconnect automatically (by resolving the DDNS or MAC-based name)?
Question: how do I set up a DNS alias? I've used a lot of Firewall Aliases... is that the same thing?
-
I don't know at what point OpenVPN realizes the original address is no longer valid and tries again. How often does the address change? The DDNS should track the IP address when it changes. With DHCP, normal operation is for a device to retain the same address so long as it keeps renewing the lease. My IPv4 address changes so seldom, it's virtually static.
-
The host name should be re-resolved by default on any new connection attempt to pick up any changes to the DNS record.
-
@derelict said in OpenVPN and Dynamic IP:
The host name should be re-resolved by default on any new connection attempt to pick up any changes to the DNS record.
I think the question here is what happens if the address changes when OpenVPN is already connected. Since OpenVPN uses UDP, it's very tolerant of address changes. In fact, years ago I tried an experiment where I connected to one WiFi AP and then switched to another, on a different network. This was transparent to OpenVPN. However, I have no idea what would have happened if the server IP address changed. No doubt OpenVPN would assume the original address was valid, until it failed. When it fails, how long does it take to make a new DNS request to get the new address? Does it happen automatically? Or does it just give an error until the user reconnects the VPN?
-
@jknott said in OpenVPN and Dynamic IP:
@derelict said in OpenVPN and Dynamic IP:
The host name should be re-resolved by default on any new connection attempt to pick up any changes to the DNS record.
I think the question here is what happens if the address changes when OpenVPN is already connected. Since OpenVPN uses UDP, it's very tolerant of address changes. In fact, years ago I tried an experiment where I connected to one WiFi AP and then switched to another, on a different network. This was transparent to OpenVPN. However, I have no idea what would have happened if the server IP address changed. No doubt OpenVPN would assume the original address was valid, until it failed. When it fails, how long does it take to make a new DNS request to get the new address? Does it happen automatically? Or does it just give an error until the user reconnects the VPN?
It would time out after 60 seconds of failing to reach the old server IP address and then make a new connection. It would resolve it again when attempting to make that new connection. Shouldn't take any intervention from the user in most cases unless the auth fails or needs special handling (e.g. Multi-factor auth with an OTP or similar).
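The two things discussed above (whether the tunnel is still aimed at the address the DDNS name now resolves to, and how long the client waits before it restarts and re-resolves the `remote` host) can be checked with a small script. This is an added example, not code from any of the posters or from pfSense; `vpn.example.net` and the addresses are placeholders, and it assumes the client config carries OpenVPN's `keepalive n m` (which expands to `ping n` / `ping-restart m` on the side it is set on) or an explicit `ping-restart`.

```python
"""Stale-peer and restart-timeout check for a site-to-site OpenVPN client
whose 'remote' is a DDNS name. Constructed example; names are placeholders."""
import re
import socket


def resolve_peer(hostname, resolver=socket.getaddrinfo):
    """Return the set of IPv4 addresses the name resolves to right now.
    A CNAME alias (like the one described in the thread) is followed by
    the system resolver, so the alias and the long host name give the
    same set. 'resolver' is injectable so the logic can be tested offline."""
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in resolver(hostname, None, socket.AF_INET):
        addrs.add(sockaddr[0])
    return addrs


def peer_is_stale(connected_peer, hostname, resolver=socket.getaddrinfo):
    """True when the address the tunnel is currently using is no longer
    one the DDNS name resolves to, i.e. the ISP changed the server's IP and
    DDNS has already caught up, but the client has not restarted yet."""
    return connected_peer not in resolve_peer(hostname, resolver)


def restart_timeout(config_text):
    """Seconds the client waits without hearing from the server before it
    restarts (and re-resolves 'remote'). Reads 'keepalive n m' (the m part
    becomes ping-restart on the side it is set on) and an explicit
    'ping-restart m'; a later directive overrides an earlier one.
    Returns None when neither is present."""
    timeout = None
    for line in config_text.splitlines():
        line = line.split('#', 1)[0].strip()        # drop comments
        m = re.match(r'keepalive\s+(\d+)\s+(\d+)$', line)
        if m:
            timeout = int(m.group(2))
        m = re.match(r'ping-restart\s+(\d+)$', line)
        if m:
            timeout = int(m.group(1))
    return timeout
```

Run `peer_is_stale` periodically with the address shown for the tunnel peer against the DDNS name; a `True` result before the `restart_timeout` seconds have elapsed is exactly the window in which the tunnel is still sending to the old address.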
-
Thanks a lot for the replies.
Is there a way to make it shorter than 60 sec?
Any setting to adjust?