assign static IP to client while in Cluster mode

Post by ladinfo » Tue May 17, 2022 2:27 pm

Hello everyone,
I'm building a cluster of 2 Access Servers in AWS. So far so good with the configuration and the integration with AWS RDS MySQL.

However I've just realised that in the Cluster mode, it's no longer possible to assign static IP to users.

Can you guys confirm this? And do we have any solution to achieve this?
We really want to assign static IP to each user because we want to use a separated Firewall to control the access to internal resources.

Thank you for your inputs.
Kind regards.


Re: assign static IP to client while in Cluster mode

Post by openvpn_inc » Mon Jun 06, 2022 5:01 pm

ladinfo wrote (Tue May 17, 2022 2:27 pm):
> I'm building a cluster of 2 Access Servers in AWS. So far so good with the configuration and the integration with AWS RDS MySQL.
>
> However I've just realised that in the Cluster mode, it's no longer possible to assign static IP to users.
>
> Can you guys confirm this? And do we have any solution to achieve this?

Hi ladinfo,

Confirmed. Sorry.

ladinfo wrote (Tue May 17, 2022 2:27 pm):
> We really want to assign static IP to each user because we want to use a separated Firewall to control the access to internal resources.

I'd first carefully consider whether or not you really do need a cluster. How many connections? What are these clients doing through the VPN? AWS instances can scale up and down as you need. You might be better off staying with a single node.

That said, Access Server itself provides a lot of access control features, and it can indeed control what any given user is allowed to reach through the VPN. Furthermore, Access Server might not play nicely with your external firewall. It's especially problematic when you're talking about an additional firewall on the AS node's OS. Access Server needs exclusive control of the OS firewall rules.

Yes, a single Access Server node is potentially a Single Point of Failure. In some deployments (not AWS, sadly) you can use UCARP/VRRP failover mode to provide a hot spare. But of course AWS is generally a 5-nines service, and if your AS node is only running Access Server, it too should be very unlikely to fail.

hth, regards, rob0
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
