CARP & OpenVPN

jmbo · Jan 26, 2008, 10:13 AM

Hi all,

is there a way to configure OpenVPN server with à CARP VIP failover solution ?

I'm using pfsense 1.2RC4

Best regards

JMB

jmbo · Jan 28, 2008, 10:54 AM

Up ??? ???

jmbo · Feb 8, 2008, 8:45 PM

nobody ??? :'( :'(

sullrich · Feb 8, 2008, 8:49 PM

No. OpenVPN state would not be sync'd to the other CARP members.

jmbo · Feb 9, 2008, 9:27 AM

OK, thanks for that

so using the remote-random option on the client side will do the job for the moment

Regards

dhipo · Feb 9, 2008, 2:50 PM

hi jmbo,

I m setting one solution with carp and openvpn .

some intersting thing happen .

im my setup

PFsense A - wan is 199.a.b.52 it's master CARP
PFsense B - wan is 199.a.b.53
VIP wan is 199.a.b.2

i am using port 1194 TCP on openVPN

and an road-warrior client calling address 199.a.b.2 connect with success
calling address 199.a.b.52 connect with success
calling address 199.a.b.53 no connection
and client log show this :

Sat Feb 09 12:47:02 2008 us=265000 TCPv4_CLIENT READ [22] from 199.a.b.53:1194: P_ACK_V1 kid=0 [ 30 ]

pid=32 DATA len=90

Sat Feb 09 12:47:02 2008 us=468000 AUTH: Received AUTH_FAILED control message
Sat Feb 09 12:47:02 2008 us=468000 TCP/UDP: Closing socket
Sat Feb 09 12:47:02 2008 us=468000 SIGTERM[soft,auth-failure] received, process exiting

Any ideia ?

we can test our configs to found an solution ?

dhipo · Mar 31, 2008, 10:36 PM

All working…..

i Have two boxes configured with CARP ... all is working ....
the problems with OpenVPN stops when .. i Deleted all related OpenVPN on Master .
look , may master (first box ) was configured with openVPN when i decided to have an Carp solution (second box)

step by step i did:

Backup all data on OpenVPN config page (Ca.crt, server.key, server.crt, server.dh) and clean all fields.
deleted server config on OpenVPN.. when all was clen in both boxes . reboot.
with master box off i did all OpenVPN config on the slave box, then started master box and did config too. The config are exactly same.
in my Road-warriors clients i did a connection to 1194 TCP on the VIP address of WAN .
now my clients can connect in master or slave box, when master goes down connection are dropped and in seconds restablished. When master returns again, connections are dropped and reconnected .
No more errors connecting on the slave when master was off.