Hello everyone,
I'm building a cluster of 2 Access Servers in AWS. So far so good with the configuration and the integration with AWS RDS MySQL.
However, I've just realised that in Cluster mode, it's no longer possible to assign a static IP to users.
Can you guys confirm this? And do we have any solution to achieve this?
We really want to assign a static IP to each user because we want to use a separate firewall to control the access to internal resources.
Thank you for your inputs.
Kind regards.
assign static IP to client while in Cluster mode
- OpenVpn Newbie
- Posts: 1
- Joined: Tue May 17, 2022 2:20 pm
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: assign static IP to client while in Cluster mode
Hi ladinfo,

ladinfo wrote: ↑Tue May 17, 2022 2:27 pm
> I'm building a cluster of 2 Access Servers in AWS. So far so good with the configuration and the integration with AWS RDS MySQL.
> However, I've just realised that in Cluster mode, it's no longer possible to assign a static IP to users.
> Can you guys confirm this? And do we have any solution to achieve this?

Confirmed. Sorry.
I'd first carefully consider whether or not you really do need a cluster. How many connections? What are these clients doing through the VPN? AWS instances can scale up and down as you need. You might be better off staying with a single node.
That said, Access Server itself provides a lot of access control features, and it can indeed control what any given user is allowed to reach through the VPN. Furthermore, Access Server might not play nicely with your external firewall. It's especially problematic when you're talking about an additional firewall on the AS node's OS. Access Server needs exclusive control of the OS firewall rules.
Yes, a single Access Server node is potentially a Single Point of Failure. In some deployments (not AWS, sadly) you can use UCARP/VRRP failover mode to provide a hot spare. But of course AWS is generally a 5-nines service, and if your AS node is only running Access Server, it too should be very unlikely to fail.
hth, regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support