OpenVPN on Failover GW and master/slave config fails
-
I don't believe the code to handle OpenVPN with gateway groups is in place yet. We had a brief discussion about something similar here: http://forum.pfsense.org/index.php/topic,65105.msg353585.html#msg353585. Haven't gotten around to logging it as a bug yet.
One option is to bind your OpenVPN client to the localhost interface and have an outbound NAT rule to handle OpenVPN traffic. That way your client will failover from the main WAN link to the backup one when main link goes down.
On the server side you just create one server each on CARP IPs on both WANs. Or you can bind the server to the localhost as well and have an inbound NAT rule <- I have not tried this yet. The client being bound to localhost I have tried and that is working fine.
With this setup I have noticed that sometimes both primary and backup firewalls in the cluster wind up establishing a VPN to the server FW. That happens when the primary WAN connection on the primary firewall flaps for some reason. I have not seen any loss of connectivity with that though.
-
Using gateway groups in OpenVPN client is working now.
-
Not sure what changed. I just happened to test it last night and found it to be working on the client side.
-
Not sure what changed. I just happened to test it last night and found it to be working on the client side.
Are you using a master/slave configuration?
-
Both my firewalls in the CARP cluster establish simultaneous OpenVPN tunnels to the other side. That is just how I have configured them.
I am talking about gateway groups for an OpenVPN client on a single firewall which didn't seem to be working earlier in the month when I tested it.
-
Ah, ok, but that's not my challenge.
The issue is that when using gateway groups, BOTH pfSense servers try to establish the OpenVPN connection. Only the server running as master should try to do that.
-
I think there is a difference in how we are using some of the terms here.
To me OpenVPN servers do not initiate or make a VPN connection. They just sit there and wait for clients to connect to them. OpenVPN servers configured on a CARP IP shared between two firewalls work just fine as far as I have tested. When the primary node fails, the clients just re-establish the connection to the backup node as long as the OpenVPN server was bound to a CARP IP.
OpenVPN clients are what initiate a VPN session. In pfSense when you set up an OpenVPN client, that client is not clustering aware. Or that is my understanding - someone please correct me if I am wrong. I do not see any code in the CARP clustering that tries to communicate between the OpenVPN clients on the two pfSense firewalls to figure out which one should establish the connection.
So if you have two OpenVPN firewalls, both with a mirrored client configuration - even if the client is bound to a CARP IP then both firewalls will attempt to make a connection to the server at the same time because they are essentially two clients. And though the outbound packets from both clients may make it to the server, the return packets will only get picked up by the firewall that is the master for that CARP IP that OpenVPN clients are bound to.
Or at least that is how I believe this works. Someone please correct me if I am wrong.
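A server-side check for the double-tunnel symptom described in this thread, as an added example that is not from any of the posters: it parses an OpenVPN server status log (status-version 1 format, constructed sample embedded) and reports common names with more than one concurrent session, which is how two cluster nodes running a mirrored client config appear when the server allows duplicate-cn (without it, the newer session replaces the older one).

```python
# Added example (not from the thread): report common names with more than one
# concurrent session in an OpenVPN server status log (status-version 1 format).
# Two CARP nodes both running a mirrored client config show up as one common
# name with two real addresses, if the server allows duplicate-cn.
from collections import defaultdict

# Constructed sample status log; names and addresses are made up.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
site-a-fw,203.0.113.10:50123,104220,88310,Thu Jun 18 07:58:02 2015
site-a-fw,203.0.113.11:50987,2310,1890,Thu Jun 18 08:11:40 2015
site-b-fw,198.51.100.7:1194,55000,61000,Thu Jun 18 06:30:00 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,site-a-fw,203.0.113.10:50123,Thu Jun 18 08:12:10 2015
10.8.0.10,site-a-fw,203.0.113.11:50987,Thu Jun 18 08:12:12 2015
10.8.0.14,site-b-fw,198.51.100.7:1194,Thu Jun 18 08:12:01 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_client_list(status_text):
    """Return the CLIENT LIST rows as dicts keyed by the header fields."""
    rows, header, in_clients = [], None, False
    for line in status_text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            in_clients = True
            continue
        if line == "ROUTING TABLE":  # end of the client section
            break
        if not in_clients or line.startswith("Updated,"):
            continue
        fields = line.split(",")
        if header is None:
            header = fields  # column header row
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def find_duplicate_sessions(status_text):
    """Map each common name seen more than once to its list of real addresses."""
    by_cn = defaultdict(list)
    for row in parse_client_list(status_text):
        by_cn[row["Common Name"]].append(row["Real Address"])
    return {cn: addrs for cn, addrs in by_cn.items() if len(addrs) > 1}
```

Run it against the status file the server writes (the `status` directive sets its path) to confirm whether the backup node is holding a second tunnel open.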
-
So if you have two OpenVPN firewalls, both with a mirrored client configuration - even if the client is bound to a CARP IP then both firewalls will attempt to make a connection to the server at the same time because they are essentially two clients.
When an OpenVPN client on pfSense is bound to a CARP IP then only the master server is running the associated service. The slave does not try to establish the connection. But binding it to a CARP IP does not help when the WAN of that CARP IP goes down. I have two WAN connections, and I'd like to use them in a really redundant OpenVPN client setup.
-
This should help you get started with simple GitHub online edits: http://forum.pfsense.org/index.php/topic,47676.msg251034.html#msg251034
-
Thx. That post is a big help. I am using Notepad++ as well.