We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

How to Configure VPN Access via a Dynamic WAN IP Address

  • Last updated on

Services running on a virtual server can not be configured to listen on dynamic IP addresses on the box layer of the Barracuda NG Firewall. To use a VPN service on a Barracuda NG Firewall with dynamic WAN connections, configure the VPN service to listen on a localhost IP address (127.0.0.X) and then create an app redirect access rule to redirect all incoming VPN traffic to the local VPN service. For IPsec you can alternatively, configure the VPN service to create a listener on every available IP address, making the app redirect access rule unnecessary.

In this article

Configure VPN Service Listener on

Configure the virtual server and the VPN service to listen on and then use an app redirect access rule to redirect VPN traffic to the VPN service on the localhost.

Step 1. Add the Virtual Server IP Address
  1. Open the Server Properties page (Config > Full Config > Box > Virtual Servers > your virtual server). 
  2. Click Lock.
  3. In the Additional IP table, click +. The Additional IP window opens: 
    • Additional IP Enter
    • Reply to Ping – Select Yes.
  4. Click OK.
  5. Click Send Changes and Activate.

Services running on the virtual server can now use as a listening IP address.

Step 2. Configure the VPN Service IP

Configure the VPN service to use the listening IP address configured in step 1 as a Service IP address.

  1. Open the Service Properties page (Config > Full Config > Box > Virtual Server > your virtual server > Assigned Services > VPN).
  2. Click Lock.
  3. From the Service Availability drop down, select Explicit.
  4. Click + and add the IP address to the Explicit Service IPs table.
  5. Click Send Changes and Activate
Step 3. Create an App Redirect Access Rule

Create an access rule to redirect all incoming VPN traffic on the dynamic WAN interface to the VPN service:

  • Action – Select App Redirect
  • Source – Select Internet.
  • Service – Select NGF-OP-VPN.
  • Destination – Select the network object for your dynamic WAN connection. E.g., xDHCP-LocalIP1 or xDSL-LocalIP1.
  • Redirection – Enter


For more information, see How to Create an App Redirect Firewall Rule.

All incoming VPN traffic is now redirected to the VPN service listening on

IPsec VPN Service Listener on all IP Addresses

Configure the VPN service to listen on all available IP addresses including all dynamic IP addresses. No additional access rules are required.

This parameter is limited to IPsec VPN configurations.

  1. Open the VPN Settings page (Config > Full Config > Box > Virtual Servers > your virtual server > VPN). 
  2. Click Lock.
  3. Click the Click here for Server Settings link. The Server Settings window opens. 
  4. Click on the Advanced tab.
  5. In the IKE Parameter section, set Use IPSec dynamic IPs to Yes.
  6. Click OK.
  7. Click Send Changes and Activate.

Verify the Listening IP Addresses for the VPN Service

Open the CONTROL > Resources page and double click on the VPN service process (e.g., S1_ARVPN) for TINA tunnels, or the ike3 process for IPsec tunnels. In the Info Dialog window, check to see if the VPN service is listening on the IP addresses you configured above (e.g., or

VPN service:


ike3 process with Use dynamic IPs enabled:



Dynamic WAN connections may change the public IP address regularly. Configure DynDNS continuously update a DynDNS hostname to always resolve to the current public IP address used by the NG Firewall. VPN clients then use the DynDNS hostname to connect to the NG Firewall VPN service.

Last updated on