Netgate Discussion Forum

    Open VPN binding to a VIP - cannot start Daemon

    OpenVPN
    15 Posts 2 Posters 5.1k Views
    • dotdash

      I'm binding to a CARP VIP so I can float the instance to a secondary firewall if the primary fails. The only unusual things are the interface selection points to the CARP IP instead of the interface IP and the sync OpenVPN option is checked in the CARP settings. The clients seem to reconnect gracefully when the primary gets rebooted.

      • Deadringers

        Hmm, I don't understand what I am doing wrong…

        I assigned the server to the WAN interface, and as soon as I do that the OPT1 interface drops offline, which gives me the following errors in my logs:

        Oct 16 16:27:41 openvpn[53413]: Exiting due to fatal error
        Oct 16 16:27:41 openvpn[53413]: TCP/UDP: Socket bind failed on local address [AF_INET]217...*:1195: Can't assign requested address
        Oct 16 16:27:41 openvpn[53413]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
        Oct 16 16:27:41 openvpn[53413]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Oct 16 16:27:41 openvpn[53413]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013

        IP address has been edited.

        • dotdash

          Confused as to what the OPT interface has to do with anything. My setup is one provider on WAN, second provider on OPT. The VIP in question is set up as a CARP on the WAN interface.
          WAN if 4.6.8.3/25
          [Secondary fw WAN 4.6.8.4/25]
          CARP VIP (WAN) 4.6.8.2/25

          The CARP is used as the outbound NAT IP and has OpenVPN and IPSec bound to it.

          • Deadringers

            Okay, I really have no idea what I've done wrong here…

            So I have my OpenVPN set up on a VIP (IP Alias).
            But if I do this the VPN service cannot start, as I put in my screenshot above.

            So I tried to make the VIP into a CARP interface, but then when I select this interface from the list in the OpenVPN server options it states:

            An IPv4 protocol was selected, but the selected interface has no IPv4 address.

            But the CARP interface has an ipv4 address!

            Where am I going wrong?

            • dotdash

              A CARP VIP must be within the subnet of the actual WAN interface. Perhaps your ISP is providing a second subnet routed to the WAN. In this case, you would need to add an alias VIP in the secondary subnet, then add a CARP VIP (also on the secondary subnet).

              • Deadringers

                @dotdash:

                A CARP VIP must be within the subnet of the actual WAN interface. Perhaps your ISP is providing a second subnet routed to the WAN. In this case, you would need to add an alias VIP in the secondary subnet, then add a CARP VIP (also on the secondary subnet).

                That's exactly what I did and I received those errors?

                And you are right.

                My WAN interface is a random dynamic IP and BT "routes" my static IP range to me.

                So I had my 5 IPs set up as IP Alias.
                I then changed the one I wanted to bind to OpenVPN to a CARP interface.

                Tried to assign this within the OpenVPN server page.

                Then get the error "An IPv4 protocol was selected, but the selected interface has no IPv4 address."

                But what I don't understand is why my OpenVPN server can't bind to the IP Alias?

                It gives me this error:
                "TCP/UDP: Socket bind failed on local address [AF_INET]..*.130:1194: Can't assign requested address"

                That address is not in use for anything except openvpn server!

                • dotdash

                  Not sure what your issue is. Perhaps it's something to do with the dynamic IP on the interface, I haven't dealt with that setup.
                  For reference, my closest config is something like:
                  WAN 7.8.9.10/30 gateway 7.8.9.9
                  Alias IP (WAN) 8.9.10.193/28
                  CARP IP (WAN) 8.9.10.194/28

                  • Deadringers

                    @dotdash:

                    Not sure what your issue is. Perhaps it's something to do with the dynamic IP on the interface, I haven't dealt with that setup.
                    For reference, my closest config is something like:
                    WAN 7.8.9.10/30 gateway 7.8.9.9
                    Alias IP (WAN) 8.9.10.193/28
                    CARP IP (WAN) 8.9.10.194/28

                    I have no idea either :(

                    Really frustrating, as it clearly states that you can bind services to the VIPs (IP Alias and CARP), but I can't!


                    • Deadringers

                      Okay, my workaround for this:

                      Bind OpenVPN to the LAN interface.

                      Port forward on the .130 WAN VIP to the LAN interface on my OpenVPN port.

                      Then have the clients connect to my static IP on that port and it works.

                      Not pretty but it works!

                      • dotdash

                        I use a tun device for my OpenVPN server. Not sure if that changes anything.

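Added example, not part of any post in this thread and not pfSense or OpenVPN code: a small preflight check for the two conditions discussed above. It parses an OpenVPN bind-failure line, checks whether the address falls inside a subnet already configured on the interface (the relationship dotdash describes for a CARP VIP), and attempts the same UDP bind to see whether the OS currently owns the address. "Can't assign requested address" is the OS text for errno EADDRNOTAVAIL. The function names, the sample log line and the documentation addresses (192.0.2.0/24, 198.51.100.0/24) are assumptions made for the example.

```python
import errno
import ipaddress
import re
import socket

BIND_FAIL = re.compile(
    r"Socket bind failed on local address \[AF_INET\](\S+):(\d+): (.+)$")

def covering_address(vip, interface_addrs):
    """Return the configured CIDR whose subnet contains vip, or None."""
    ip = ipaddress.ip_address(vip)
    for cidr in interface_addrs:
        if ip in ipaddress.ip_interface(cidr).network:
            return cidr
    return None

def probe_bind(addr, port=0):
    """Attempt the UDP bind a daemon would make; return (ok, errno name)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((addr, port))
            return True, None
        except OSError as e:
            return False, errno.errorcode.get(e.errno, str(e.errno))

def diagnose(log_line, interface_addrs):
    """Explain one OpenVPN bind-failure line against the configured addresses."""
    m = BIND_FAIL.search(log_line)
    if not m:
        return None
    addr, port, reason = m.group(1), int(m.group(2)), m.group(3)
    ok, err = probe_bind(addr)  # port 0: tests the address, not the port
    return {"address": addr, "port": port, "reason": reason,
            "covered_by": covering_address(addr, interface_addrs),
            "bindable_now": ok, "errno": err}

# Constructed log line: format from the thread, address is a documentation IP.
SAMPLE = ("Oct 16 16:27:41 openvpn[53413]: TCP/UDP: Socket bind failed on local "
          "address [AF_INET]192.0.2.130:1195: Can't assign requested address")

if __name__ == "__main__":
    # Layouts quoted in the thread: a VIP inside the WAN subnet, then a routed
    # block that is only covered once an alias in that block exists.
    print(covering_address("4.6.8.2", ["4.6.8.3/25"]))
    print(covering_address("8.9.10.194", ["7.8.9.10/30"]))
    print(covering_address("8.9.10.194", ["7.8.9.10/30", "8.9.10.193/28"]))
    print(diagnose(SAMPLE, ["198.51.100.7/24"]))
```

Run on the firewall itself, `probe_bind` separates "the address is not on any interface right now" (EADDRNOTAVAIL) from "the port is taken" (EADDRINUSE when a real port is passed).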