OpenVPN with two WANs
-
I have a dual-WAN setup and I want to have OpenVPN listening on the same port on both interfaces.
In the configuration options I can set interface to "any", but the openvpn documentation suggests that this is not expected to work. I find that the daemon listens on one interface but not the other.
On pfsense-1.3 I ran two OpenVPN instances, one for each interface, but the web interface won't let me do that on v2.0 – it claims that the port (1194) is already in use (which I suppose it is, but not on this interface). Commenting out the relevant line in /usr/local/www/vpn_openvpn_server.php is sufficient to get this configuration working, though a better solution would be to make openvpn_port_used take into account the interface in /etc/inc/openvpn.inc
Dan.
-
I believe this is relevant http://redmine.pfsense.org/issues/1507
-
I think that's unrelated – I don't want failover, I want to listen on both interfaces.
If I understand the documentation correctly, openvpn server would not be expected to work properly on multiple interfaces (i.e., without a local line in the configuration) because multihome is not available. From the man page:
--multihome
Configure a multi-homed UDP server. This option can be used when OpenVPN has been configured
to listen on all interfaces, and will attempt to bind client sessions to the interface on which
packets are being received, so that outgoing packets will be sent out of the same interface.
Note that this option is only relevant for UDP servers and currently is only implemented on
Linux.
-
To do that I just run the server on the LAN interface and do a port forward from WAN/WAN2 to 1194 on the LAN IP. Then pf's reply-to mojo makes sure it goes back out the way it came in.
Though when I pick 'any' it does bind to all interfaces on the same port, I wouldn't expect that to work properly with UDP, but it appears that the multihome option may work around that, you could always try that in the advanced options and see if it helps.
EDIT: I didn't have a quick way to test if it worked, but it didn't complain when I added the option. If someone could test that and provide some feedback I can commit a change to the code that will add the multihome parameter if we are bound to 'any' and using UDP. (TCP should work normally as-is). According to the man page, multihome is only implemented on Linux, but it's possible they just haven't updated the man page there since 2.1 and pfSense 2.0 is using OpenVPN 2.2 now.
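The port-forward approach described in the post above, written out as the equivalent hand-crafted pf rules (an added illustration, not pfSense's generated ruleset and not code from the thread). Every name and address below is an assumed placeholder: em0 and em1 are the two WANs, 192.168.1.1 is the LAN address the OpenVPN server is bound to with a "local" line, and 203.0.113.1 / 198.51.100.1 are the WAN gateways.

```pf
# Added illustration of "forward WAN/WAN2 udp/1194 to the LAN IP" with reply-to.
# All interface names, addresses and gateways are assumed placeholders.
wan1    = "em0"
wan2    = "em1"
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"
lan_ip  = "192.168.1.1"   # OpenVPN runs with: local 192.168.1.1 / port 1194 / proto udp

# Translation happens before filtering: inbound UDP 1194 arriving on either
# WAN gets its destination rewritten to the LAN address OpenVPN listens on.
# "($wan1)" tracks the interface's current address, so a DHCP/PPPoE change
# does not silently break the forward.
rdr on $wan1 proto udp from any to ($wan1) port 1194 -> $lan_ip port 1194
rdr on $wan2 proto udp from any to ($wan2) port 1194 -> $lan_ip port 1194

# Pass the already-translated packets. reply-to stores the ingress interface
# and gateway in the state entry, so replies leave through the WAN the request
# came in on instead of following the default route; this is the "reply-to
# mojo" pfSense adds to WAN rules. Matching on the post-NAT destination and
# port keeps these rules from passing anything else on the WAN side.
pass in quick on $wan1 reply-to ($wan1 $wan1_gw) proto udp from any to $lan_ip port 1194 keep state
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) proto udp from any to $lan_ip port 1194 keep state
```

After loading the ruleset, `pfctl -sr` shows the reply-to attached to each pass rule and `pfctl -ss` shows the UDP states keyed on the WAN interface they arrived on; if a client on WAN2 connects but its replies show up on WAN1's state table, the reply-to gateway for WAN2 is wrong. No pass rule on the LAN interface is needed, because the redirected packet is delivered locally to the OpenVPN socket and never traverses the LAN.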
-
I tried adding multihome to the end of my advanced options and it complains for me.
Jun 8 11:54:01 fw openvpn[33516]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/server2.conf:38: multihome (testing-cee388313521)
Jun 8 11:54:01 fw openvpn[33516]: Use --help for more information.
-
I tried adding multihome to the end of my advanced options and it complains for me.
Jun 8 11:54:01 fw openvpn[33516]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/server2.conf:38: multihome (testing-cee388313521)
Jun 8 11:54:01 fw openvpn[33516]: Use --help for more information.
Are you on a current snapshot?
-
Running it on the LAN interface and setting up NAT rules seems to work like a charm… at least after I remembered to remove multihome from my adv config.