What is the purpose of a VIP in OpenVPN?

  • I am trying to re-work an OpenVPN configuration created by someone else. The old configuration employed a Virtual IP address with a comment that it was "needed for OpenVPN". However, as I read the documentation, it seems that a VIP is needed only when the CARP/active redundancy feature is employed.

    Is that correct? Do I need a Virtual IP to run a remote access OpenVPN server?

    Other potentially relevant background: My pfsense fw is connected to my ISP's cable modem, which is (by necessity) configured to operate in "bridge mode".  It obtains an IP address from the ISP's DHCP server. I am currently using the DynamicDNS service in pfsense to update the IP address.

    You would only need a VIP if you didn't want to listen on the public IP pfsense is using for other things for your VPN connection. For example, if you were forwarding say 443 on your IP to a server behind pfsense to serve up https stuff, and you also wanted to run openvpn on 443. This would mean you could use a VIP for one of those connections.

    I run openvpn on both 1194 and 443 (this is almost always OPEN, and since it's tcp vs udp, makes it easy to bounce off a proxy, for say at work) and I sure don't have any VIP set up and only have the 1 IP from my ISP.

  • Is it even an option to have a VIP in my environment (using a WAN IP assigned by my ISP)? By that I mean, does the virtual IP need to exist and be routable from my WAN IP?

    Just asking so that I understand my options.

    If your ISP only gives you 1 IP then no, how would you have another IP? If your ISP gave you say a /29 or /30 then sure, you could listen on pfsense wan on any of the IPs your ISP is allowing you to use. But if you're only getting 1 IP address from your ISP – then no, just grabbing another one out of thin air is most likely some other guy's IP you're stepping on and ain't going to work.

  • I didn't think so, but just wanted to make sure - thanks!

