How to find a client behind one of two OpenVPN gateways



  • I think I just need someone to point me to the right acronym to search.  I need to be able to have a fixed IP address for a client, regardless of which PFSense/OpenVPN connection they use.

    Here's more detail…

    1. We started out with a single PFSense firewall, WAN connection, and OpenVPN installation.  This is also the default gateway.
    2. Later, we added a second PFSense firewall, WAN connection, and OpenVPN installation, for fallback purposes.
    3. Clients have two "remote" statements in their OpenVPN client configuration, so the client OpenVPN software will try the primary firewall, and if that's unavailable will fall back to the secondary.
    4. The primary server assigns IP addresses in the 172.18.22.0/24 address range to its OpenVPN clients.
    5. The secondary server assigns IP addresses in the 172.18.23.0/24 address range.
    6. The internal machines have static routes to direct network traffic to 172.18.22.0/24 to the primary firewall, and 172.18.23.0/24 to the secondary.
    7. This all works well.

    Now I've added a server in a remote location.  It uses OpenVPN like every other client.  When it connects, it receives a fixed address of either 172.18.22.178 or 172.18.23.178 depending on whether it connected to the primary firewall or the secondary.  My problem is that it has some services people on the internal network need to access, but it doesn't have a fixed IP address.

    Some ideas I've toyed with are:

    1. I can create an IP alias for the remote server, and tell its OpenVPN server to route traffic for that fixed IP alias to it.  This gives it a fixed IP address to refer to, and one firewall knows to send traffic to it.  Internal workstations don't know that, however, so they'll always go to the default gateway/primary firewall even if the remote server connected to the secondary.
    2. Perhaps I could arrange some sort of DNS update on connection, so that internal workstations could connect to a fixed name, and DNS would resolve it to 172.18.22.178 or 172.18.23.178 as appropriate, but that DNS would need to change if the VPN connection breaks and gets re-established on the other firewall.

    I suspect there's a solution already in place for this kind of problem, possibly hidden behind an acronym I don't know to search for.  Could someone point me in the right direction?
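
Idea 2 from the post (a DNS update on connection), sketched as an added example that is not part of the original post: a server-side OpenVPN `client-connect` hook that publishes only the two expected addresses for one expected client name. The zone `vpn.example.internal`, DNS server `192.0.2.53`, TSIG key path and common name `remote-server` are assumptions; the same script would be installed on both firewalls.

```shell
#!/bin/sh
# Added example: client-connect hook for a DNS update on connect.
# Assumed/hypothetical values: zone, DNS server, TSIG key path and the
# client certificate common name. None of these come from the post.
ZONE="vpn.example.internal"
DNS_SERVER="192.0.2.53"
TTL=30                      # short TTL so a failover is picked up quickly
ALLOWED_CN="remote-server"

# Print an nsupdate batch for host $1 at address $2, or return 1 if the
# name or address is not one this hook is allowed to publish.
build_nsupdate() {
    cn=$1; ip=$2
    [ "$cn" = "$ALLOWED_CN" ] || return 1
    # Only the two fixed addresses named in the post are acceptable.
    case "$ip" in
        172.18.22.178|172.18.23.178) ;;
        *) return 1 ;;
    esac
    printf 'server %s\nzone %s\n' "$DNS_SERVER" "$ZONE"
    printf 'update delete %s.%s. A\n' "$cn" "$ZONE"
    printf 'update add %s.%s. %s A %s\nsend\n' "$cn" "$ZONE" "$TTL" "$ip"
}

# OpenVPN exports common_name and ifconfig_pool_remote_ip to client-connect
# scripts; this part runs only when both are set, i.e. when OpenVPN calls it.
if [ -n "${common_name:-}" ] && [ -n "${ifconfig_pool_remote_ip:-}" ]; then
    if batch=$(build_nsupdate "$common_name" "$ifconfig_pool_remote_ip"); then
        # /path/to/tsig.key is a placeholder for the DNS update key.
        printf '%s\n' "$batch" | nsupdate -k /path/to/tsig.key
    fi
    exit 0   # never reject the VPN login because the DNS update failed
fi
```

Any other client name or address is refused, so a misconfigured or unexpected client cannot rewrite the record.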