assign static IP to client while in Cluster mode

Posted: Tue May 17, 2022 2:27 pm
by ladinfo
Hello everyone,
I'm building a cluster of 2 Access Servers in AWS. So far so good with the configuration and the integration with AWS RDS MySQL.

However, I've just realised that in Cluster mode it's no longer possible to assign static IPs to users.

Can you guys confirm this? And do we have any solution to achieve this?
We really want to assign a static IP to each user because we want to use a separate firewall to control access to internal resources.

Thank you for your input.
Kind regards.

Re: assign static IP to client while in Cluster mode

Posted: Mon Jun 06, 2022 5:01 pm
by openvpn_inc
ladinfo wrote:
Tue May 17, 2022 2:27 pm
I'm building a cluster of 2 Access Servers in AWS. So far so good with the configuration and the integration with AWS RDS MySQL.

However, I've just realised that in Cluster mode it's no longer possible to assign static IPs to users.

Can you guys confirm this? And do we have any solution to achieve this?
Hi ladinfo,

Confirmed. Sorry.
ladinfo wrote:
Tue May 17, 2022 2:27 pm
We really want to assign a static IP to each user because we want to use a separate firewall to control access to internal resources.
I'd first carefully consider whether or not you really do need a cluster. How many connections? What are these clients doing through the VPN? AWS instances can scale up and down as you need. You might be better off staying with a single node.

That said, Access Server itself provides a lot of access control features, and it can indeed control what any given user is allowed to reach through the VPN. Furthermore, Access Server might not play nicely with your external firewall. It's especially problematic when you're talking about an additional firewall on the AS node's OS. Access Server needs exclusive control of the OS firewall rules.

Yes, a single Access Server node is potentially a Single Point of Failure. In some deployments (not AWS, sadly) you can use UCARP/VRRP failover mode to provide a hot spare. But of course AWS is generally a 5-nines service, and if your AS node is only running Access Server, it too should be very unlikely to fail.

hth, regards, rob0
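As an added example (not code from the thread, and not OpenVPN Inc.'s own tooling), the script below shows the two things the reply points at for a single Access Server node: pinning a user's VPN address (the per-user static IP that the poster wanted, which the reply confirms is unavailable in cluster mode) and restricting that user to specific internal subnets with Access Server's own access control rather than an external firewall. The sacli path, the user property keys `conn_ip` and `access_to.N`, and the `UserPropPut` and `start` commands are assumed from OpenVPN's Access Server documentation and should be verified against the installed version; the user name, VPN address and subnets are constructed sample values. It runs in dry-run mode by default and only prints the commands it would execute.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OpenVPN Inc.
# Per-user access control and a fixed VPN address on a single Access Server
# node, driven through sacli.
# Assumptions: the sacli path, the user property keys access_to.N and conn_ip,
# and the UserPropPut / start commands are taken from OpenVPN's Access Server
# documentation; verify them against your installed version. The user name,
# VPN address and subnets used below are constructed sample values.
set -eu

SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the sacli commands instead of running them

# valid_cidr A.B.C.D/N -> succeeds only for a well-formed IPv4 CIDR, so a typo
# never turns into an overly broad access rule.
valid_cidr() {
  cidr=$1
  case "$cidr" in */*) ;; *) return 1 ;; esac
  ip=${cidr%/*}
  prefix=${cidr#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS
  IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# build_rules SUBNET... -> prints one "access_to.N=+SUBNET:x/y" line per subnet.
# These are allow rules for the user; whatever else the user can reach is
# governed by the group and global settings (e.g. "all server-side private
# subnets"), so review those alongside the per-user rules.
build_rules() {
  n=0
  for s in "$@"; do
    valid_cidr "$s" || { echo "build_rules: bad CIDR '$s'" >&2; return 1; }
    printf 'access_to.%d=+SUBNET:%s\n' "$n" "$s"
    n=$((n + 1))
  done
}

# run_sacli ARGS... -> executes sacli, or prints the command in dry-run mode.
run_sacli() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$SACLI $*"
  else
    "$SACLI" "$@"
  fi
}

# apply_rules USER VPN_IP SUBNET... -> pins the user's VPN address (conn_ip),
# adds one access_to.N allow rule per subnet, then restarts services so the
# change takes effect.
apply_rules() {
  user=$1
  vpn_ip=$2
  shift 2
  valid_cidr "$vpn_ip/32" || { echo "apply_rules: bad address '$vpn_ip'" >&2; return 1; }
  rules=$(build_rules "$@") || return 1
  run_sacli --user "$user" --key conn_ip --value "$vpn_ip" UserPropPut
  printf '%s\n' "$rules" | while IFS= read -r line; do
    run_sacli --user "$user" --key "${line%%=*}" --value "${line#*=}" UserPropPut
  done
  run_sacli start
}

# Demonstration (dry run by default): constructed user "alice" gets the
# constructed address 172.27.232.100 and allow rules for two internal subnets.
apply_rules alice 172.27.232.100 10.0.5.0/24 10.0.6.0/24
```

Run it with `DRY_RUN=0` on the Access Server node itself to apply the properties; because it only ever writes user properties, the OS firewall stays under Access Server's exclusive control, which is the constraint the reply calls out.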