Or will changing FQDN in the OpenVPN Settings page suffice? I feel like that would be too easy, that there are aspects of the certificates that are tied to the old ISP. This change for our company will be happening in a few weeks. I’m just planning ahead.
Is your FQDN going to change?
I would think moving to a different provider should not be a problem.
Your IPFire should update your FQDN to your new IP (if you're using that feature),
as long as you are not going to have a provider behind CGNAT.
It should change. Currently it’s in the format of
wsip-xx-xxx-xxx-xxx.aa.bb.isp.net
where the x’s are our static public IP. We will have a new static IP from the new ISP. I assumed when the certs were originally generated for OpenVPN, this was part of the hash. Maybe I’m wrong. I guess we’ll find out when we make the switch and I will be prepared to rebuild the firewall from scratch, or at least re-do OpenVPN certs if necessary.
Who generated the certs?
My cert does not list my public IP. Just my FQDN.
I have IPFire keep it up to date if my IP changes. I do not have a static IP.
I / IPFire generated the certs.
So maybe I won’t have to touch OpenVPN. Thanks for the help.
If you have used a DDNS FQDN in the OpenVPN WUI page then the remote entry in your client configs will have the same FQDN and it will be resolved irrespective of your ISP and whether they give you a dynamic IP or a static IP.
If you have a static IP from your ISP and they have given you a FQDN and you have used that in your config then when you change ISP you would need to re-do the connections because that FQDN would only resolve to that ISP’s IP.
Key thing is what you put in the FQDN section of the OpenVPN WUI.
This is the case. Current IP is static and the new one from the new ISP will be static. I did see in the Host Cert that CN=the FQDN (which is the same as the Hostname on IPFire’s Main Page). So what exactly would I have to do? Just recreate all the clients?
If the FQDN in the Host certificate is tied to the ISP then you will need to re-create the X509 root/host certificate set which will then also need all clients to be re-created.
You might want to consider taking the static IP you get from the ISP and assigning it to a DDNS FQDN, which you are then in charge of and which can continue to be used if you have to change ISP again.
Depending on the DDNS provider you might need to manually do an update of the DDNS as some require an update check/communication on a certain frequency.
Others are quite happy to have an IP that never changes associated with a DDNS entry.
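
As an added example (not from the thread and not IPFire's own code), the Python below scans an exported OpenVPN client configuration for the directives that name a server FQDN, which shows which client files would stop working if an ISP-assigned name goes away. `remote` and `verify-x509-name` are standard OpenVPN directives; the sample config and host names are constructed, and whether your exported configs contain `verify-x509-name` is an assumption to check against your own files.

```python
import shlex

# Constructed sample client config; all host names are placeholders.
SAMPLE_OVPN = """\
# constructed sample
client
dev tun
proto udp
remote wsip-old.isp.example 1194
remote vpn.ddns.example 1194 udp
verify-x509-name wsip-old.isp.example name
<ca>
remote should-not-be-parsed.example 1194
</ca>
"""

# Directives whose first argument is a server name.
NAME_DIRECTIVES = {"remote", "verify-x509-name"}


def _norm(name):
    """Compare names case-insensitively and ignore a trailing dot."""
    return name.rstrip(".").lower()


def fqdn_dependencies(config_text, fqdn):
    """Return [(line_no, directive, value)] for directives that name fqdn."""
    hits = []
    inline_tag = None  # set while inside an inline <ca>/<cert>/<key> block
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            continue
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote: fall back to whitespace split
            tokens = line.split()
        if len(tokens) >= 2 and tokens[0] in NAME_DIRECTIVES:
            if _norm(tokens[1]) == _norm(fqdn):
                hits.append((line_no, tokens[0], tokens[1]))
    return hits
```

Run it over each client file with the current FQDN before the ISP change; any file that returns hits needs a new `remote` target or a re-issued client package.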