OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances
-
@mav3rick
If you bind the server to the CARP VIP or an IP alias hooking up on it, the service should not start on the node, since the IP is occupied by the master. However, whether or not the VPN service is running on the backup, you should get access to it from a VPN client by adding an outbound NAT rule as described on the linked site above. Did you even add this rule?
-
My 2 cents:
I have an HA setup with OpenVPN running. I configured a port forward from the WAN VIP address to localhost on port 1194 (UDP), ensuring that connections only reach the master OpenVPN daemon. To access the secondary firewall, I set up an outbound NAT rule using the SYNC interface.
From the secondary firewall's perspective, OpenVPN users will always appear to connect from the primary firewall's SYNC address.
-
@viragomann said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:
@mav3rick
If you bind the server to the CARP VIP or an IP alias hooking up on it, the service should not start on the node, since the IP is occupied by the master. However, whether or not the VPN service is running on the backup, you should get access to it from a VPN client by adding an outbound NAT rule as described on the linked site above. Did you even add this rule?
Yes, now with the NAT rule it works, but I also had to add a rule to allow pfsense1 to ssh to pfsense2 and pfsense2 to ssh to pfsense1.
I will also try without NAT, binding OpenVPN to the CARP VIP, to see if it also works like that.
-
@mav3rick
As far as I know, the NAT rule is necessary anyway, because the backup has no proper route to the VPN client. Binding the service to the CARP VIP should just prevent it from starting on the backup.
-
@viragomann said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:
@mav3rick
As far as I know, the NAT rule is necessary anyway, because the backup has no proper route to the VPN client. Binding the service to the CARP VIP should just prevent it from starting on the backup.
In my case it works because I have another router in front of pfSense that knows the route to the pfSense OpenVPN network, but if that weren't the case I guess I could set up static routes for that.
So setting OpenVPN to bind only to the CARP VIP works fine for me; unfortunately for WireGuard there is no such option, so I guess for now I will have to go with the NAT option.
Anyway, thank you all for the help.
-
@mav3rick said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:
So setting OpenVPN to bind only to the CARP VIP works fine for me
Multi-WAN with HA there?
If so, it would be a better idea to run the OpenVPN server on localhost instead.
This would allow it to receive connections from all WANs. No need to select a VIP, just forward packets from the WANs' VIPs to localhost.
You can use DNS, so the client would connect to the WAN that is UP.
Or
You can use two remote entries in the .ovpn, with a timeout of, let's say, 2 seconds. Then, just create the NAT rule to access firewall-2, using the SYNC address as previously mentioned.
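As an added illustration (not posted by anyone in this thread), here are the port forward and outbound NAT rules described above written as the equivalent pf rules; on pfSense you would create them under Firewall > NAT rather than editing pf.conf. Interface names, addresses and the tunnel network are constructed placeholders.

```conf
# Added example, not from the thread: pf equivalents of the pfSense NAT rules
# discussed above. Interfaces and addresses are constructed placeholders:
#   em0 = WAN (CARP VIP 203.0.113.10), em2 = SYNC (primary 192.168.255.1,
#   secondary 192.168.255.2), OpenVPN tunnel network 10.8.0.0/24.

# Port forward: clients connect to the WAN CARP VIP, which only the master
# holds, so only the master's daemon (listening on localhost) receives the
# traffic. With multi-WAN, repeat the rdr once per WAN VIP.
rdr on em0 proto udp from any to 203.0.113.10 port 1194 -> 127.0.0.1 port 1194
# Filter rules are evaluated after translation, hence the translated destination.
pass in quick on em0 proto udp from any to 127.0.0.1 port 1194

# Outbound NAT on SYNC: VPN clients reaching the secondary are sourced from the
# primary's SYNC address, so the backup can reply without a route to 10.8.0.0/24.
nat on em2 from 10.8.0.0/24 to 192.168.255.2 -> 192.168.255.1
pass out quick on em2 from 10.8.0.0/24 to 192.168.255.2
```

The same outbound NAT is what lets the secondary answer management traffic (SSH, web GUI) from VPN clients, which is the gap the earlier posts ran into before adding the rule.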
-
If running a pfSense VPN server in multi-WAN, the options above do work.
But if it is a client-side site-to-site VPN that needs to be bound to a gateway group, then there are no options. If the wrong client connects last, iroute sends site-to-site traffic there, resulting in no connectivity.
Restarting the VPN client on the master pfSense, obviously, restores it, but I haven't found any way to automate this without disrupting traffic.
Is there an iroute CLI option to do route manipulation without restarting? It's an idea.
-
@netblues
You can force the client's traffic to a certain gateway (group) with a floating rule for direction 'out' on the wrong outbound interfaces.
-
@viragomann
Can you possibly elaborate on this?
A floating rule on the client pfSense? On both instances (active and standby)?