Single WAN PPPOE Carp HA OpenVPN - remote LAN issue
-
My PPPOE single WAN Carp based setup is shown in the picture.
Top path: pfSense VM on ESXi on Supermicro.
Bottom path: pfSense VM on Qnap Virtualization Station.
The top path is used in everyday normal operation, the bottom path is used only when the Supermicro is under maintenance. This HA setup works for me as intended.
Issue symptom: since I transited to this HA setup, OpenVPN remote clients can only ping 192.168.1.1 but nothing else on the LAN network 192.168.1.0.
I am stuck despite googling a lot of posts relating to OpenVPN and CARP. Can you please advise with the troubleshooting / fixing steps?
Basis for the openVPN setup was this guide. I applied it before HA was configured. Since then I was tinkering with the settings trying to fix it, without success.
Basis for the pppoe based HA setup was this guide
Remote side symptoms:
Content of pfSense-UDP4-1194-tarvpn-config.ovpn:
dev tun
persist-tun
persist-key
ncp-disable
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 192.168.77.1 1194 udp4
verify-x509-name "VPNServer_Cert" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
-
-
-
Interface of the OpenVPN Server should be the PPPoE interface (so WAN), not 192.168.77.1
-
@crl said in Single WAN PPPOE Carp HA OpenVPN - remote LAN issue:
Issue symptom: since I transited to this HA setup, OpenVPN remote clients can only ping 192.168.1.1 but nothing else on the LAN network 192.168.1.0.
I am stuck despite googling a lot of posts relating to OpenVPN and CARP.
I don't think there is any relation to the CARP setup.
Rather I guess your LAN devices might block access from the remote site. You may have to configure the devices' firewall properly to allow it. How you get access to the secondary node from the remote network over VPN is described in the docs: https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html
-
@gabri-91 Thanks for your response. I have changed it to WAN, still the issue remains.
-
@viragomann Thanks for your response. Before the HA setup was introduced, openVPN LAN was visible from remote and devices such as 192.168.1.5 were accessible. So I don't think this is the case. Problem exists with Master pfSense, I have not yet tested the Backup pfSense instance. So it's either OpenVPN or CARP - maybe some sort of routing issue?
result ipconfig /all
I observed that the OpenVPN client tray icon is grey (inactive). It should be green inside when ready, but for me it is grey. I have seen dual WAN descriptions with appropriate tricky ruling, but I could not adapt them for my case:
Link -
@crl
This is so far the result of my brainstorming for the possible root causes. Please help to develop further categories and prioritize them to track it down finally. -
@crl said in Single WAN PPPOE Carp HA OpenVPN - remote LAN issue:
I observed that the OpenVPN client tray icon is grey (inactive)
So it might not have connected properly.
Above you stated the client connects and you can access pfSense.
If the client doesn't connect, you should start troubleshooting here.
-
Any ideas how to narrow this down / troubleshoot?
Can this be a pfSense bug? If so, which component? -
@crl
Check the OpenVPN logs on client and server. The whole connection establishment is logged with default settings. -
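As an added example (not posted by anyone in this thread), the following script shows what to look for in the client log that the previous reply recommends. Two facts decide whether a host behind the server is reachable: the client must reach "Initialization Sequence Completed" (a grey tray icon usually means it did not), and the server's PUSH_REPLY must carry a route for the LAN (pfSense derives it from "IPv4 Local Network(s)" on the server tab). The sample log lines are constructed in the shape of OpenVPN 2.x client output; the tunnel addresses 10.0.8.x and the timestamps are assumptions, not values from the original post.

```shell
#!/bin/sh
# Added example: triage an OpenVPN client log for the two conditions that
# decide whether the remote LAN is reachable through the tunnel.

LAN_NET="192.168.1.0"
LAN_MASK="255.255.255.0"

# Constructed sample logs (assumed OpenVPN 2.x client format, not real data).
GOOD_LOG=$(mktemp)
BAD_LOG=$(mktemp)
trap 'rm -f "$GOOD_LOG" "$BAD_LOG"' EXIT

# Tunnel up, and the server pushed a route for 192.168.1.0/24.
cat >"$GOOD_LOG" <<'EOF'
2023-01-01 10:00:01 TLS: Initial packet from [AF_INET]192.168.77.1:1194, sid=1a2b3c4d 5e6f7a8b
2023-01-01 10:00:02 VERIFY OK: depth=0, CN=VPNServer_Cert
2023-01-01 10:00:02 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route-gateway 10.0.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.8.2 255.255.255.0'
2023-01-01 10:00:02 Initialization Sequence Completed
EOF

# Tunnel up, but no route for the LAN was pushed: only the server itself is reachable.
cat >"$BAD_LOG" <<'EOF'
2023-01-01 10:05:01 TLS: Initial packet from [AF_INET]192.168.77.1:1194, sid=9f8e7d6c 5b4a3f2e
2023-01-01 10:05:02 VERIFY OK: depth=0, CN=VPNServer_Cert
2023-01-01 10:05:02 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway 10.0.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.8.2 255.255.255.0'
2023-01-01 10:05:02 Initialization Sequence Completed
EOF

# Returns 0 if the client finished initialising, 1 otherwise.
vpn_connected() {
    grep -q 'Initialization Sequence Completed' "$1"
}

# Prints every "NET MASK" route from the last PUSH_REPLY, one per line.
# "route-gateway" is deliberately excluded by matching "route " with a space.
pushed_routes() {
    grep 'PUSH_REPLY' "$1" | tail -n 1 | tr ',' '\n' | grep '^route ' | sed 's/^route //'
}

# Returns 0 if a route for "$2 $3" was pushed, 1 if not.
lan_route_pushed() {
    pushed_routes "$1" | grep -q "^$2 $3\$"
}

# Prints a verdict and returns 0 (route present), 1 (no route), 2 (not connected).
diagnose() {
    if ! vpn_connected "$1"; then
        echo "NOT CONNECTED: read the TLS/AUTH lines before the last restart in this log"
        return 2
    fi
    if ! lan_route_pushed "$1" "$2" "$3"; then
        echo "CONNECTED, NO ROUTE for $2/$3: add the LAN to the server's IPv4 Local Network(s)"
        return 1
    fi
    echo "CONNECTED, ROUTE PUSHED for $2/$3: check the OpenVPN-tab firewall rules on the server and the LAN host's own firewall"
    return 0
}

diagnose "$GOOD_LOG" "$LAN_NET" "$LAN_MASK" || echo "(exit $?)"
diagnose "$BAD_LOG" "$LAN_NET" "$LAN_MASK" || echo "(exit $?)"
```

Run it against a real log with `diagnose /path/to/client.log 192.168.1.0 255.255.255.0`. If the verdict is "ROUTE PUSHED" and LAN hosts still do not answer, the remaining suspects are the firewall rules on the server's OpenVPN tab and the LAN hosts' own firewalls, which is where the thread's other replies point.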
@crl was this resolved? I'm having some issues myself.
Hoping you found your solution. :)