VIP 1:1 with OpenVPN - It's working, but is it correct?
-
Stil playing with my OpenVPN and trying to make it work with a VIP. I now have it working and all seems fine, but am I creating a problem I have not foreseen?
So this is what I have done :-
OK, in the Virtual IP’s, pick an address and set that and the mask to /29 , and set the Interface to Localhost, not WAN, the type is IP Alias.
On NAT, create a 1:1 rule for that external IP and set the Internal IP to 127.0.0.1
On VPN, use the wizard as normal to create the VPN, then edit the resultant instance of the server and change the Interface to Localhost, save that.
Now the VPN creation wizard will have created firewall rules, In the WAN rules section, find that rule and set the destination to 127.0.0.1. save that.
Finally create a new WAN rule.
Interface WAN,
Address family IPV4 and protocol UDP.
Source is ANY
Destination is the WAN VIP address you have selected and the port should be the same one that the VPN is set to, in my case 1195.
If I disable any one of the above then it does not work.
It works, but is it the best way?
-
@marjohn56:
OK, in the Virtual IP’s, pick an address and set that and the mask to /29 , and set the Interface to Localhost, not WAN, the type is IP Alias.
If it is a public IP which should be assigned to WAN it should hook on WAN interface not on localhost.
@marjohn56:
On NAT, create a 1:1 rule for that external IP and set the Internal IP to 127.0.0.1
A NAT 1:1 to localhost? :o
Why that? You use the external address for a vpn server which is only awaiting incoming connections. It won't initiate any outgoing connection.
So a simple forward-rule will do the job.@marjohn56:
Now the VPN creation wizard will have created firewall rules, In the WAN rules section, find that rule and set the destination to 127.0.0.1. save that.
This rule will have no sense. No incoming packet on WAN will try to access the localhost.
-
The primary address is assigned using a PPPoE connection, the other addresses are a block assigned on that subnet. If I setup OpenVPN on the primary, perfect, no issues. If I try and use one of the other addresses, they are VIP's then no go, won't work.
Now, I have see other references to this issue on the forum where the solution is to use localhost, assign the VPN to that. Doing that alone still did not work, assigning the VIP to localhost AND assigning OpenVPN to that DOES work.
OK, port forward works nicely, replaced the 1:1 rule with that.
Edit: Port forward does NOT work, I obviously did not wait long enough for the rules to reload. Setting it back to 1:1 and removing the port forward it's working again.