
    OpenVPN Client on Redundant CARP pfsense

    4 Posts 2 Posters 5.2k Views
      bobwondernut

      Hey all:

      I've got 2 pfSense instances that otherwise work correctly w/ CARP between them at site A.

      At a remote site, there's also 2 pfSense instances w/ CARP as well at site B.

      I've set up a site-to-site shared key OpenVPN instance, but am noticing that both of the OpenVPN client instances at site A are simultaneously connecting to site B, and appear to both be sending redundant packets:

      Jul 23 12:24:04 pf01 openvpn[2161]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21 / time = (1311449003) Sat Jul 23 12:23:23 2011 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Jul 23 12:24:05 pf01 openvpn[2161]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #22 / time = (1311449003) Sat Jul 23 12:23:23 2011 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Jul 23 12:24:06 pf01 openvpn[2161]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #23 / time = (1311449003) Sat Jul 23 12:23:23 2011 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

      Both sites have the OpenVPN client/server bound to the CARP VIP interface.

      Is there a way to only have pfSense bring up an OpenVPN client interface if it is currently the master for this instance? At the moment, to get this to work I have to power off one of the pfSense instances on the client side of the link.

      Thanks!

        cmb

        You need a devd script hacked in for that instance, to stop/start the client with the CARP status. There is a ticket open on that to address automatically in a future release, hopefully in a generic way so nothing on CARP IPs can initiate traffic unless they have master status.

          bobwondernut
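The devd hook cmb describes, written out as an added example (this is not code from the thread or from pfSense itself): devd hands the handler the CARP event's subsystem and state, and the handler starts the OpenVPN client only when this node becomes MASTER for the VIP the client is bound to, stopping it on BACKUP/INIT and ignoring events for any other VHID. The devd.conf match patterns, the VHID/client-id values and the `pfSsh.php playback svc` invocation are assumptions to be checked against the release in use.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): start the OpenVPN
# client only while this node is CARP MASTER for the VIP it is bound to.
#
# Assumed /etc/devd.conf stanza that invokes this script (event field names
# follow FreeBSD's CARP notifications; the subsystem format varies by release):
#   notify 100 {
#       match "system" "CARP";
#       match "type"   "(MASTER|BACKUP|INIT)";
#       action "/usr/local/sbin/carp_ovpn_client.sh $subsystem $type";
#   };

# Constructed placeholders: the VHID of the CARP VIP the client is bound to
# and the pfSense OpenVPN client instance id (both read from the GUI).
OVPN_VHID="${OVPN_VHID:-1}"
OVPN_CLIENT_ID="${OVPN_CLIENT_ID:-1}"

# carp_vhid SUBSYSTEM: print the VHID from a devd subsystem string, accepting
# "vhid@ifname" (newer FreeBSD) or a bare number; print nothing otherwise.
carp_vhid() {
    v="${1%%@*}"
    case "$v" in
        ''|*[!0-9]*) ;;                 # not a numeric VHID
        *) printf '%s\n' "$v" ;;
    esac
}

# carp_action SUBSYSTEM STATE: print start, stop or ignore. Events for a
# different VHID or an unknown state never touch the client.
carp_action() {
    vhid=$(carp_vhid "$1")
    [ "$vhid" = "$OVPN_VHID" ] || { echo ignore; return 0; }
    case "$2" in
        MASTER)      echo start ;;
        BACKUP|INIT) echo stop ;;
        *)           echo ignore ;;
    esac
}

# Dispatch through pfSense's service playback (assumed path and syntax).
apply_action() {
    case "$1" in
        start|stop)
            /usr/local/sbin/pfSsh.php playback svc "$1" openvpn client "$OVPN_CLIENT_ID" ;;
        *) : ;;
    esac
}

# Only dispatch when devd invokes us with both arguments.
if [ "$#" -eq 2 ]; then
    apply_action "$(carp_action "$1" "$2")"
fi
```

Because the script keys on the VHID rather than acting on every CARP transition, a second VIP on the same box flapping will not bounce the tunnel.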

          ten-four - thanks for the reply at light speed :)

          -t

            cmb

            Updating this old thread because it comes up in search results. In 2.0.2 release and newer, you just need to bind the OpenVPN client instance to a CARP IP, and the system automatically handles starting/stopping the client instance with the CARP status.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.