Netgate Discussion Forum
[SOLVED] OpenVPN + Cluster of PfSense

OpenVPN

DessaiImrane

Hi,

I followed this procedure to connect multiple sites together:

http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

It works.

But there's still a problem. On each site, I have a cluster of pfSense.

So when I send a ping through the tunnel, it works for 60 sec, then it does not work for 60 sec, and so on.

Here is an interesting log message:

May 16 15:38:39 openvpn[63442]: SIGUSR1[soft,ping-restart] received, process restarting
May 16 15:38:39 openvpn[63442]: [DC4-FW-F] Inactivity timeout (--ping-restart), restarting

After some research, this means that TWO clients connect to the server with the same commonName.

Bingo: every member of my cluster connects to the server, each in turn.
But I do not want this behavior.
Only the master pfSense should connect to the server.

I tried the "keepalive n m" setting, but it does not work.

I do not know how to tell the cluster to initiate the VPN connection from the master only.

Do you have a solution, please?

Thank you in advance for your comments / suggestions / answers.
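The symptom in the post, a tunnel that dies and comes back on a fixed cycle, leaves a regular trail of "Inactivity timeout (--ping-restart)" lines in the OpenVPN log. The Python below is an added example, not code from this thread, from pfSense or from OpenVPN: it parses syslog lines in the format quoted above, keeps only the inactivity-restart events per peer tag, and flags any peer whose restarts recur at a near-constant period, which is what two cluster nodes taking turns under one commonName produces. The embedded log lines are constructed for the demo, and the peer names, timestamps and the 120 s period are assumptions.

```python
"""Flag periodic OpenVPN ping-restart flapping in syslog lines.

Added example, not code from the thread, pfSense or OpenVPN. Assumptions:
syslog timestamps without a year that all fall in one calendar year, and
OpenVPN's default "Inactivity timeout (--ping-restart)" wording.
"""
import re
import statistics
from datetime import datetime

# Timestamp, pid, optional [peer] tag, message. Tabs and extra spaces are tolerated.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"openvpn\[(?P<pid>\d+)\]:\s+(?:\[(?P<peer>[^\]]+)\]\s+)?(?P<msg>.*)$"
)
# Key on the inactivity line, not on the SIGUSR1 line that follows it, to avoid double counting.
RESTART_MARK = "Inactivity timeout (--ping-restart)"

# Constructed sample log (not from the thread): DC4-FW-F restarts every 120 s
# (60 s up, 60 s of dead tunnel), DC1-FW-A restarts once, plus unrelated noise.
SAMPLE_LOG = """\
May 16 15:38:39 openvpn[63442]: [DC4-FW-F] Inactivity timeout (--ping-restart), restarting
May 16 15:38:39 openvpn[63442]: SIGUSR1[soft,ping-restart] received, process restarting
May 16 15:38:41 openvpn[63442]: [DC4-FW-F] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
May 16 15:40:39 openvpn[63442]: [DC4-FW-F] Inactivity timeout (--ping-restart), restarting
May 16 15:40:39 openvpn[63442]: SIGUSR1[soft,ping-restart] received, process restarting
May 16 15:41:02 openvpn[63442]: [DC1-FW-A] Inactivity timeout (--ping-restart), restarting
May 16 15:42:39\topenvpn[63442]: [DC4-FW-F] Inactivity timeout (--ping-restart), restarting
May 16 15:44:39 openvpn[63442]: [DC4-FW-F] Inactivity timeout (--ping-restart), restarting
""".splitlines()


def parse_restarts(lines):
    """Return [(peer, datetime)] for every ping-restart inactivity event, in file order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or RESTART_MARK not in m.group("msg"):
            continue
        # Year defaults to 1900; only differences between stamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((m.group("peer") or "?", ts))
    return events


def flapping_report(lines, min_events=3, tolerance=0.2):
    """Per peer: restart count and, when every gap between restarts lies within
    `tolerance` of the median gap, the period in seconds. A steady period is the
    signature of two peers sharing one commonName and kicking each other off."""
    by_peer = {}
    for peer, ts in parse_restarts(lines):
        by_peer.setdefault(peer, []).append(ts)
    report = {}
    for peer, stamps in by_peer.items():
        stamps.sort()
        entry = {"restarts": len(stamps), "periodic": False, "period": None}
        if len(stamps) >= min_events:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            med = statistics.median(gaps)
            if all(abs(g - med) <= tolerance * med for g in gaps):
                entry.update(periodic=True, period=med)
        report[peer] = entry
    return report


if __name__ == "__main__":
    for peer, entry in flapping_report(SAMPLE_LOG).items():
        print(peer, entry)
```

Run it against `/var/log/openvpn.log` lines from the hub; a peer reported as periodic with a period of roughly twice the client's ping-restart value is the case to investigate, while a lone restart is ordinary link noise.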
phil.davis

Can you tell us which pfSense version you are using?
I have a feeling that this issue has been talked about before and was perhaps resolved in 2.1-BETA (and in 2.0.? maybe). Someone who remembers better than me, or who can find old posts, might help out.

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
DessaiImrane

Ah! I forgot this info: we are using 2.0.2 and planning to upgrade to 2.0.3.

We are in a production environment, so we can't use a beta.
cmb

Make sure the client and server are bound to CARP IPs, and that you're running 2.0.3.
keysers0ze

• If you use a peer-to-peer connection, it means 2 routers connected via VPN (not 1 server and 3 clients).

• Make one peer-to-peer connection on every router (you have multiple peer-to-peer instances on the server router = use different ports).

• Use OSPF to supply routing information between routers.

• OSPF also makes loop protection possible.

• If you use "Remote access TLS / SSL", it means one server + multiple clients (it is suitable for multiple client PCs connecting via VPN, not routers).

• If you use the same certificate on every client, select "Duplicate Connections" in the OpenVPN server settings. I suggest using a different certificate for every user... it's easier to disable if needed (use the pfSense user manager to make users / certs)...

br.
.k
DessaiImrane

@cmb: make sure the client and server are bound to CARP IPs, and that you're running 2.0.3.

I'll try to check what IPs are used, then try to upgrade and test again.

@keysers0ze: (quoting the peer-to-peer / remote access / duplicate connections suggestions above)

I think there is a misunderstanding here.
I use "Remote access TLS / SSL" but between routers (actually pfSense boxes).
It is what I need (see the link given in the first post).
Indeed, I need a hub-and-spoke (star) architecture.
About using a different certificate: as I said just before, I can't. On a cluster, the same certificate must be used for both pfSenses.

By the way, thanks for the reply.
DessaiImrane

It's solved, thanks to cmb.

On my client side, the tunnel was bound to the WAN interface instead of the CARP address.

I did not upgrade.

Thanks everyone.
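cmb's advice and the fix the original poster confirmed (client bound to WAN instead of the CARP address) come down to one line in the generated OpenVPN client config. The Python below is an added example, not pfSense's code and not from the thread: it parses a client config, reads its `local` bind address, and classifies it against a constructed set of per-node WAN addresses and a CARP VIP, with a "before" config bound to a node's own WAN address beside the corrected one bound to the VIP. The addresses, the node names and the exact config lines are assumptions, as is the assumption that pfSense expresses the chosen Interface as a `local` directive (OpenVPN binds every address when `local` is absent).

```python
"""Audit an OpenVPN client config on a CARP cluster node: which address does it
bind, and therefore which node(s) will dial the server?

Added example, not code from the thread or from pfSense. Assumptions: the
config carries OpenVPN's `local <addr>` directive for the chosen interface or
VIP (no `local` means bind to every address), and every address below is
constructed for the demo.
"""
import shlex

# Constructed cluster facts (not from the thread): each node's own WAN address
# and the shared CARP VIP that only the node in MASTER state holds.
NODE_WAN_ADDRS = {"fw-a": "203.0.113.11", "fw-b": "203.0.113.12"}
CARP_VIPS = {"203.0.113.10"}

# "Before": bound to the node's own WAN address, so both nodes dial the hub in turn.
BAD_CONF = """\
dev ovpnc1
dev-type tun
client
proto udp
remote 198.51.100.5 1194
local 203.0.113.11
tls-client
persist-key
persist-tun
"""
# "After": bound to the CARP VIP, so only the MASTER node can source the tunnel.
GOOD_CONF = BAD_CONF.replace("local 203.0.113.11", "local 203.0.113.10")


def parse_directives(config_text):
    """Map directive -> args for a flat OpenVPN config, skipping comment lines
    and inline <ca>/<cert>/<key> blocks."""
    directives, in_block = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("<") and line.endswith(">"):
            in_block = not line.startswith("</")
            continue
        if in_block or not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives[parts[0]] = parts[1:]
    return directives


def audit_client_bind(config_text, node_name):
    """Return (status, explanation). Only status "vip" gives master-only dialing."""
    local = (parse_directives(config_text).get("local") or [None])[0]
    if local is None:
        return "any", "no `local`: binds every address, so every cluster node dials the server"
    if local in CARP_VIPS:
        return "vip", f"bound to CARP VIP {local}: only the node holding MASTER can source the tunnel"
    if local in NODE_WAN_ADDRS.values():
        return "wan", f"bound to per-node WAN address {local}: {node_name} dials regardless of CARP state"
    return "other", f"bound to {local}, which is neither a CARP VIP nor a known WAN address"


if __name__ == "__main__":
    for label, conf in (("before", BAD_CONF), ("after", GOOD_CONF)):
        print(label, *audit_client_bind(conf, "fw-a"))
```

Binding to the VIP works because the backup node does not hold that address, so its OpenVPN instance cannot source packets from it and never reaches the hub. It is the opposite of enabling "Duplicate Connections" on the server, which would accept both nodes and leave the site with two competing tunnels to the hub, which is exactly the behavior the poster wanted to get rid of.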
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.