Netgate Discussion Forum
    How to find a client behind one of two OpenVPN gateways

bpmartin20 wrote:

      I think I just need someone to point me to the right acronym to search.  I need to be able to have a fixed IP address for a client, regardless of which PFSense/OpenVPN connection they use.

      Here's more detail…

      1. We started out with a single PFSense firewall, WAN connection, and OpenVPN installation.  This is also the default gateway.
2. Later, we added a second PFSense firewall, WAN connection, and OpenVPN installation, for fallback purposes.
      3. Clients have two "remote" statements in their OpenVPN client configuration, so the client OpenVPN software will try the primary firewall, and if that's unavailable will fall back to the secondary.
4. The primary server assigns IP addresses in the 172.18.22.0/24 address range to its OpenVPN clients.
      5. The secondary server assigns IP addresses in the 172.18.23.0/24 address range.
      6. The internal machines have static routes to direct network traffic to 172.18.22.0/24 to the primary firewall, and 172.18.23.0/24 to the secondary.
      7. This all works well.

      Now I've added a server in a remote location.  It uses OpenVPN like every other client.  When it connects, it receives a fixed address of either 172.18.22.178 or 172.18.23.178 depending on whether it connected to the primary firewall or the secondary.  My problem is that it has some services people on the internal network need to access, but it doesn't have a fixed IP address.

      Some ideas I've toyed with are:

      1. I can create an IP alias for the remote server, and tell its OpenVPN server to route traffic for that fixed IP alias to it.  This gives it a fixed IP address to refer to, and one firewall knows to send traffic to it.  Internal workstations don't know that, however, so they'll always go to the default gateway/primary firewall even if the remote server connected to the secondary.
      2. Perhaps I could arrange some sort of DNS update on connection, so that internal workstations could connect to a fixed name, and DNS would resolve it to 172.18.22.178 or 172.18.23.178 as appropriate, but that DNS would need to change if the VPN connection breaks and gets re-established on the other firewall.

      I suspect there's a solution already in place for this kind of problem, possibly hidden behind an acronym I don't know to search for.  Could someone point me in the right direction?

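One way to implement the second idea (a fixed DNS name that follows whichever tunnel address the remote server currently holds), as an added example that is not from the original post: a server-side OpenVPN client-connect/client-disconnect hook that sends a dynamic DNS update. The zone name, TSIG key file, hook paths and the host name "remote01" are assumptions; OpenVPN itself exports script_type, common_name and ifconfig_pool_remote_ip to such hooks.

```shell
#!/bin/sh
# Added example (not from the original post): OpenVPN hook that keeps
# <common_name>.<zone> pointing at the client's current tunnel address.
# Assumed wiring in both pfSense OpenVPN server configs (advanced options):
#   client-connect    /etc/openvpn/ddns-hook.sh
#   client-disconnect /etc/openvpn/ddns-hook.sh
# Assumed: the zone accepts RFC 2136 updates signed with the key below.

ZONE="vpn.example.internal"          # assumed zone
TTL=30                               # short TTL so a failover is noticed quickly
KEYFILE="/etc/openvpn/ddns.key"      # assumed TSIG key for nsupdate -k

# Build the nsupdate batch for one event. Kept as a pure function so the
# output can be checked without touching a real DNS server.
build_update() {
    # $1 = script_type (client-connect|client-disconnect)
    # $2 = common_name from the client certificate
    # $3 = tunnel address OpenVPN assigned to the client
    name="$2.$ZONE"
    case "$1" in
        client-connect)
            # Replace any stale A record (e.g. the other firewall's subnet).
            printf 'update delete %s A\nupdate add %s %s A %s\nsend\n' \
                "$name" "$name" "$TTL" "$3" ;;
        client-disconnect)
            printf 'update delete %s A\nsend\n' "$name" ;;
        *)
            return 1 ;;
    esac
}

# Only talk to DNS when invoked by OpenVPN (script_type is set by the daemon).
if [ -n "$script_type" ]; then
    # Accept only plain host-name CNs; anything else would be interpolated
    # into the nsupdate batch, so skip it rather than send a malformed update.
    case "$common_name" in
        *[!A-Za-z0-9-]*|"") exit 0 ;;
    esac
    build_update "$script_type" "$common_name" "$ifconfig_pool_remote_ip" \
        | nsupdate -k "$KEYFILE"
fi
```

Because the disconnect hook on the primary and the connect hook on the secondary can both fire during a failover, the connect path deletes before it adds, so the record ends up with the address of the gateway that currently holds the session. Internal workstations then resolve remote01.vpn.example.internal and follow the existing static routes to the right firewall.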