    OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances

    12 Posts 4 Posters 120 Views
    • mav3rick
      last edited by mav3rick

      Hi,

      I have 2 pfSense (2.8.0) instances in HA, and I configured OpenVPN.

      All seemed to work fine, but then I noticed that, as the service is running on both master and backup, if I try to SSH to the backup pfSense from the OpenVPN connection it fails, because of the route to the OpenVPN network that is created on the backup pfSense by the running service.

      Shouldn't the OpenVPN service run only on the master pfSense? And when there is a switchover, shouldn't it start on the new master (former backup)?

      Thank you.

      • SteveITS @mav3rick
        last edited by

        @mav3rick Is it running, or connected, on the backup? (Site-to-site or remote workers?) With IPsec on HA it runs on the backup, but no one's connected to it yet.

        Check out: https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • mav3rick @SteveITS
          last edited by mav3rick

          @SteveITS

          It's running, not connected.

          Remote workers.

          I also noticed the same thing for WireGuard.

          In my opinion it should not be running on the backup pfSense, because it creates a route to the VPN network, which makes it impossible for anyone connected via VPN on the master pfSense to open an SSH or web connection to the backup pfSense.

          If I need to check some config or logs on the backup pfSense instance, I can't.

          • SteveITS @mav3rick
            last edited by

            @mav3rick But then, if you're remote, there's no way to connect in to start it. In pfSense the IPs move over, but everything else is always running. Except DHCP, I guess, but that has the HA part built in.

            Hence the link above to deal with that via Outbound NAT rules.

            • mav3rick @SteveITS
              last edited by

              @SteveITS

              I see, I understand.

              I thought about NAT to fix this, but was wondering if the VPN service running on both nodes was supposed to be like that or was some bug.

              I still think Netgate developers should consider running the VPN services on the master node only, to avoid having to do NAT for this.

              • viragomann @mav3rick
                last edited by

                @mav3rick
                If you bind the server to the CARP VIP, or to an IP alias hooked onto it, the service should not start on the backup node, since the IP is occupied by the master.

                However, whether the VPN service is running on the backup or not, you should get access to it from a VPN client by adding an outbound NAT rule as described on the site linked above. Did you even add this rule?

                  • mcury
                    last edited by

                    My 2 cents:
                    I have an HA setup with OpenVPN running. I configured a port forward from the WAN VIP address to localhost on port 1194 (UDP), ensuring that connections only reach the master OpenVPN daemon.

                    To access the secondary firewall, I set up an outbound NAT rule using the SYNC interface.
                    From the secondary firewall's perspective, OpenVPN users will always appear to connect from the primary firewall's SYNC address.

                    • mav3rick @viragomann
                      last edited by mav3rick

                      @viragomann said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:

                      > @mav3rick
                      > If you bind the server to the CARP VIP, or to an IP alias hooked onto it, the service should not start on the backup node, since the IP is occupied by the master.
                      >
                      > However, whether the VPN service is running on the backup or not, you should get access to it from a VPN client by adding an outbound NAT rule as described on the site linked above. Did you even add this rule?

                      Yes, now with the NAT rule it works, but I also had to add a rule to allow pfSense1 to SSH to pfSense2 and pfSense2 to SSH to pfSense1.

                      I will also try without NAT, binding OpenVPN to the CARP VIP, to see if it also works like that.

                      • viragomann @mav3rick
                        last edited by

                        @mav3rick
                        As far as I know, the NAT rule is necessary anyway, because the backup has no proper route to the VPN client.

                        Binding the service to the CARP VIP should just prevent it from starting on the backup.

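The routing problem that mcury's SYNC-interface outbound NAT and viragomann's "no proper route to the VPN client" both refer to can be traced packet by packet. The following is an added example, not code from the thread or from pfSense; the topology, interface names (ovpns1, igb2) and addresses (tunnel 10.8.0.0/24, SYNC 192.168.255.0/24) are constructed assumptions. It models the two nodes' routing tables, both of which carry the tunnel route because both run the OpenVPN daemon, and shows that without NAT the backup's reply to a VPN client goes into its own idle tunnel, while with outbound NAT on the primary's SYNC interface the reply returns over SYNC and is un-NATed back to the client.

```python
"""Why a backup pfSense node cannot answer OpenVPN clients directly, and how
outbound NAT on the primary's SYNC interface fixes it (constructed example).

Assumed toy topology (not from the thread):
  client       10.8.0.6           OpenVPN tunnel network 10.8.0.0/24
  fw1 (MASTER) ovpns1 10.8.0.1    igb2 (SYNC) 192.168.255.1
  fw2 (BACKUP) ovpns1 10.8.0.1    igb2 (SYNC) 192.168.255.2
Both nodes run the OpenVPN daemon, so both carry 10.8.0.0/24 -> ovpns1,
but only fw1 actually has the client's session.
"""
import ipaddress

CLIENT = "10.8.0.6"
FW1_SYNC, FW2_SYNC = "192.168.255.1", "192.168.255.2"


class Node:
    def __init__(self, name, routes, nat=None):
        self.name = name
        # routes: prefix -> (out_iface, next_hop); next_hop None = directly connected
        self.routes = {ipaddress.ip_network(p): v for p, v in routes.items()}
        # nat: (out_iface, source_net, translated_source), i.e. a pfSense
        # outbound NAT rule "on igb2 from 10.8.0.0/24 -> 192.168.255.1"
        self.nat = [(i, ipaddress.ip_network(s), t) for i, s, t in (nat or [])]
        self.nat_state = {}  # (translated_src, dst) -> original_src

    def route(self, dst):
        """Longest-prefix match, like the kernel's FIB lookup."""
        addr = ipaddress.ip_address(dst)
        matches = [(n, v) for n, v in self.routes.items() if addr in n]
        if not matches:
            return None
        _, (iface, next_hop) = max(matches, key=lambda m: m[0].prefixlen)
        return iface, next_hop

    def send(self, src, dst):
        """Return (out_iface, src_after_nat) for a packet leaving this node."""
        hit = self.route(dst)
        if hit is None:
            return None, src
        iface, _ = hit
        for nat_iface, src_net, new_src in self.nat:
            if nat_iface == iface and ipaddress.ip_address(src) in src_net:
                self.nat_state[(new_src, dst)] = src  # keep state for the reply
                return iface, new_src
        return iface, src

    def undo_nat(self, reply_dst, reply_src):
        """Reverse translation for the return packet (state-table lookup)."""
        return self.nat_state.get((reply_dst, reply_src), reply_dst)


def build(nat_enabled):
    nat = [("igb2", "10.8.0.0/24", FW1_SYNC)] if nat_enabled else []
    fw1 = Node("fw1", {"10.8.0.0/24": ("ovpns1", None),
                       "192.168.255.0/24": ("igb2", None)}, nat)
    fw2 = Node("fw2", {"10.8.0.0/24": ("ovpns1", None),
                       "192.168.255.0/24": ("igb2", None)})
    return fw1, fw2


def trace(nat_enabled):
    """SSH from the VPN client to fw2's SYNC address, then fw2's reply.
    Returns the list of hops; the last element is 'delivered' or 'blackholed'."""
    fw1, fw2 = build(nat_enabled)
    hops = []
    # forward direction: client -> fw1 (over the live tunnel) -> fw2
    iface, src = fw1.send(CLIENT, FW2_SYNC)
    hops.append(f"fw1 forwards {src}->{FW2_SYNC} via {iface}")
    # fw2 answers to whatever source address it saw
    iface, _ = fw2.send(FW2_SYNC, src)
    hops.append(f"fw2 replies {FW2_SYNC}->{src} via {iface}")
    if iface == "ovpns1":
        # fw2's own OpenVPN instance has no client session: the reply is lost
        hops.append("blackholed")
        return hops
    # reply arrives at fw1 over SYNC; fw1 reverses the NAT and uses its tunnel
    orig = fw1.undo_nat(src, FW2_SYNC)
    iface, _ = fw1.send(FW2_SYNC, orig)
    hops.append(f"fw1 un-NATs to {orig}, sends via {iface}")
    hops.append("delivered")
    return hops


if __name__ == "__main__":
    for nat in (False, True):
        print(f"outbound NAT on fw1 igb2: {nat}")
        for hop in trace(nat):
            print("  ", hop)
```

Two practical consequences follow from the trace. First, the backup does have a route to the tunnel network; the problem is that the route points at its own daemon, which has no session for the client, so a static route on an upstream router (as mav3rick later describes) or the NAT rule are the two ways to get the reply back to the primary. Second, once the NAT is in place the backup sees every VPN user as the primary's SYNC address, so its firewall rules and logs can no longer tell VPN users apart; keep the outbound NAT rule narrow (source: the tunnel network, destination: the backup's SYNC address and the management ports only) rather than NATing everything that leaves the SYNC interface.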
                        • mav3rick @viragomann
                          last edited by mav3rick

                          @viragomann said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:

                          > @mav3rick
                          > As far as I know, the NAT rule is necessary anyway, because the backup has no proper route to the VPN client.
                          >
                          > Binding the service to the CARP VIP should just prevent it from starting on the backup.

                          In my case it works because I have another router in front of pfSense that knows the route to the pfSense OpenVPN network, but if that weren't the case I guess I could set up static routes for that.

                          So setting OpenVPN to bind only to the CARP VIP works fine for me; unfortunately for WireGuard there is no such option, so I guess for now I will have to go with the NAT option.

                          Anyway, thank you all for the help.

                          • mcury @mav3rick
                            last edited by

                            @mav3rick said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:

                            > So setting OpenVPN to bind only to the CARP VIP works fine for me

                            Multi-WAN with HA there?
                            If so, it would be a better idea to run the OpenVPN server on localhost instead.
                            This would allow it to receive connections from all WANs.

                            No need to select a VIP, just forward packets from the WAN VIPs to localhost.
                            You can use DNS, so the client connects to the WAN that is up.
                            Or
                            You can use two remote entries in the .ovpn, with a timeout of, let's say, 2 seconds.

                            Then just create the NAT rule to access firewall-2, using the SYNC address as previously mentioned.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.