Netgate Discussion Forum

OpenVPN and Dynamic IP

Category: OpenVPN. 10 Posts, 4 Posters, 2.4k Views
strannik (Aug 13, 2018, 8:20 AM)

    We are running pfSense in two offices now. Those offices are interconnected with site-to-site OpenVPN. The main office uses a static IP (server); the second one uses DHCP to get its public IP.

    Question: do we absolutely have to use Static IP at the Main office (OpenVPN server side) ?

    Is it possible to type the DDNS-assigned FQDN instead of IP into "server" setting at the Client ?

    JKnott (Aug 13, 2018, 11:04 AM)

      Yes, as long as the host name is consistent. I do that with my home network. My IPv4 address is DHCP, though changes rarely. The host name, based on modem & firewall MAC addresses, changes only if I change hardware. So, I have OpenVPN configured to use the host name. Works well.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      strannik (Aug 15, 2018, 2:18 AM)

        Thank you JKnott

        I was thinking: what if I set up a free DDNS provider and then use the DDNS name instead of the ISP-assigned name? This should do the same thing?

        JKnott @strannik (Aug 15, 2018, 3:07 AM)

          @strannik said in OpenVPN and Dynamic IP:

          Thank you JKnott

          I was thinking: what if I set up a free DDNS provider and then use the DDNS name instead of the ISP-assigned name? This should do the same thing?

          As long as the name points to the IP address, it will work. You can have as many names as you want, all resolving to the same IP. In fact, I do that too. I mentioned the MAC-based host name. That name is fairly long, so I set up a DNS alias, on my own domain, that points to that long host name, which points to the IPv4 address.


          strannik (Aug 15, 2018, 12:20 PM)

            Thanks again JKnott.

            So I will use a DNS name instead of a numeric IP address to "aim" the OpenVPN client at the server.

            Question: what happens when the ISP changes my server-side IP? Do I have to restore the VPN connection manually, or will it reconnect automatically (by resolving the DDNS or MAC-based name)?

            Question: how do I set up a DNS alias? I've used a lot of Firewall Aliases... is that the same thing?

            JKnott (Aug 15, 2018, 5:11 PM)

              I don't know at what point OpenVPN realizes the original address is no longer valid and tries again. How often does the address change? The DDNS should track the IP address when it changes. With DHCP, normal operation is for a device to retain the same address so long as it keeps renewing the lease. My IPv4 address changes so seldom, it's virtually static.


              Derelict (LAYER 8, Netgate) (Aug 16, 2018, 8:34 AM)

                The host name should be re-resolved by default on any new connection attempt to pick up any changes to the DNS record.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                JKnott @Derelict (Aug 16, 2018, 12:52 PM)

                  @derelict said in OpenVPN and Dynamic IP:

                  The host name should be re-resolved by default on any new connection attempt to pick up any changes to the DNS record.

                  I think the question here is what happens if the address changes when OpenVPN is already connected. Since OpenVPN uses UDP, it's very tolerant of address changes. In fact, years ago I tried an experiment where I connected to one WiFi AP and then switched to another, on a different network. This was transparent to OpenVPN. However, I have no idea what would have happened if the server IP address changed. No doubt OpenVPN would assume the original address was valid, until it failed. When it fails, how long does it take to make a new DNS request to get the new address? Does it happen automatically? Or does it just give an error until the user reconnects the VPN?


                  jimp (Rebel Alliance Developer, Netgate) @JKnott (Aug 16, 2018, 12:58 PM)

                    @jknott said in OpenVPN and Dynamic IP:

                    @derelict said in OpenVPN and Dynamic IP:

                    The host name should be re-resolved by default on any new connection attempt to pick up any changes to the DNS record.

                    I think the question here is what happens if the address changes when OpenVPN is already connected. Since OpenVPN uses UDP, it's very tolerant of address changes. In fact, years ago I tried an experiment where I connected to one WiFi AP and then switched to another, on a different network. This was transparent to OpenVPN. However, I have no idea what would have happened if the server IP address changed. No doubt OpenVPN would assume the original address was valid, until it failed. When it fails, how long does it take to make a new DNS request to get the new address? Does it happen automatically? Or does it just give an error until the user reconnects the VPN?

                    It would time out after 60 seconds of failing to reach the old server IP address and then make a new connection. It would resolve it again when attempting to make that new connection. Shouldn't take any intervention from the user in most cases, unless the auth fails or needs special handling (e.g. multi-factor auth with an OTP or similar).

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    strannik (Aug 16, 2018, 5:57 PM)

                      Thanks a lot for the replies.

                      Is there a way to make it shorter than 60 seconds?
                      Any setting to adjust?

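To make concrete what jimp describes above (the client only re-resolves the server name when the tunnel restarts after the keepalive timeout) and strannik's follow-up about shortening the 60 seconds, here is an added example of an OpenVPN client configuration. It is not from this thread and not pfSense's generated configuration; the hostname vpn.example.org, the port, the certificate and key file names, the server certificate CN and the tls-auth key are all assumptions. Where these directives are entered in pfSense (the client's Custom options box, or the server's keepalive settings) depends on the pfSense version and is also an assumption.

```conf
# Added example: OpenVPN site-to-site client using a DNS name instead of a fixed IP.
# Not the thread's or pfSense's own config; all names, ports and paths are assumptions.
client
dev tun
proto udp

# The server is named by FQDN. vpn.example.org is assumed to be a CNAME
# (what JKnott calls a "DNS alias") pointing at the DDNS-maintained A record.
remote vpn.example.org 1194

# Never give up on the DNS lookup at start-up. Without this a lookup failure
# (e.g. the DDNS record mid-update) makes the client exit instead of retrying.
resolv-retry infinite

# "keepalive n m" expands to "ping n" and "ping-restart m": send a ping every
# 10 s and restart the tunnel if nothing is heard for 30 s. On restart the
# client resolves vpn.example.org again, so a new server IP is picked up
# without manual intervention. A value of 60 here matches the 60 s jimp cites;
# 30 halves the outage. On a server, keepalive is pushed to clients, so if the
# pfSense server already pushes "keepalive 10 60", change it there instead.
keepalive 10 30

# Keep the tun device and key material across restarts so the reconnect is
# fast and does not re-read key files or re-prompt for anything.
persist-key
persist-tun

# With a DNS name, whoever controls the DDNS record can point this client at
# any host they like, so trust must be anchored in certificates, not the IP:
ca ca.crt                           # assumed CA file for the office PKI
cert client.crt                     # assumed client certificate
key client.key                      # assumed client private key
remote-cert-tls server              # server cert must carry the server EKU
verify-x509-name "vpn-server" name  # assumed CN of the main-office server cert
tls-auth ta.key 1                   # assumed shared HMAC key; direction 1 on the client
cipher AES-256-GCM
```

The two settings that turn a server IP change into an automatic reconnect are resolv-retry and the ping-restart half of keepalive: the client keeps sending to the old address until ping-restart expires, and only the restart triggers a fresh DNS lookup. The certificate directives matter more with DDNS than with a static IP, because the name is now a hijackable indirection; remote-cert-tls and verify-x509-name make the client refuse any server that does not present the expected certificate, whichever address the name resolves to.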
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.