Netgate Discussion Forum

    OpenVPN and Dual WAN Failover

    9 Posts 6 Posters 5.6k Views
    ericit

      Hello everybody,

      I'm having an issue where as soon as I turn on a gateway group, VPN stops working. Before this, though, the VPN is working fine.

      I've allowed everything in the firewall rules for every interface and I tried setting the VPN client settings to the failover gateway and a whole bunch of other interfaces.

      Am I missing something? Could someone point out the real way to do this or any instructions? Like I said, it only happens when I turn on the group but I thought I would have removed anything that blocks traffic.

      Another note, VPN server and the client both say the VPN is connected but it's just not passing traffic.

      I'm running pfSense 2.3.1 Release. Let me know if I need to provide any more information.

    deajan

        Hello,

        Did you bind your OpenVPN instance to interface "any"?
        Also, I created a floating rule with quick apply enabled that allows my VPN to pass in to all WAN interfaces.

        Regards,
        Ozy.

    jimp (Rebel Alliance Developer, Netgate)

          Multi-WAN and OpenVPN work fine together, I've set it up dozens of times over the years. Is this for an OpenVPN server or OpenVPN client?

          If it's a server, don't use a gateway group. Bind it to Localhost only and then use port forwards on each WAN, and in the export package, use one of the automatic port forward options. More details here: https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN

          If it's for an OpenVPN client, a gateway group should work OK, provided that it's a failover group (only one gateway per tier), though you might have an issue if the group prefers a WAN that isn't your default gateway.

    pwood999

            I too am having issues with a Multi-WAN OpenVPN server on two different pfSense firewall boxes. This is a simple remote access setup, not site-to-site.
            Same issue with 2.3.1_x and the latest 2.3.2; I have tried both an upgrade from 2.3.1_5 and a clean install on a 3rd test box.

            • Got Multi-WAN working first with a gateway group to balance the two WANs.

            • Both WANs have GW and DNS, so this part seems to be working correctly.

            • Then configured OpenVPN on WAN-1 and tested OK from remote client.

            • Then per the HowTo, I changed VPN to Localhost, and added the NAT Redirect Port Forwards for each WAN, plus auto added associated firewall rules as recommended.

            • OpenVPN = TCP, but Port Forward & FW Rules are all TCP/UDP just in case I need to change the server setting.

            As soon as I enable the Port Forward Localhost Redirect, the remote client no longer connects. Using tcpdump on WAN shows the incoming 1194 traffic, but on "lo0" it doesn't show any forwarded traffic. I also turned on logging for the 127.0.0.1 firewall rules, but don't see anything there either.

            Finally, as a temporary measure I have two OpenVPN servers running on 1194 & 1195 for each WAN respectively, but this is a pain because client round-robin cannot work due to the different keys.

            Anybody got any ideas ?

            Thanks,
            Pete

    jimp (Rebel Alliance Developer, Netgate)

              You won't see anything on lo0.

              What shows up in the state table (Diag > States) when you try to connect when it's running on localhost with NAT?

              I have yet to see a problem with that setup.

              And on an unrelated note, TCP is awful for VPNs, use UDP instead.

    pwood999

                Update: My local test box is working for Dual WAN OpenVPN after a reboot, BUT the connection does seem to take a while on WAN-2.

                How important is having a Failover GW Group as well as a Load Balance Group? I only have Load Balance.

                PS, Yes I know TCP is awful for VPN, but UDP never seems to work.

    pwood999

                  FYI, here's the client log. After connecting via WAN-1 successfully, I disconnect and wait for 30 seconds. Then when connecting to WAN-2 I get several retries before it connects. Seeing the same behaviour on my live firewalls.

                  Tue Aug 02 16:13:33 2016 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
                  Tue Aug 02 16:13:33 2016 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
                  Enter Management Password:
                  Tue Aug 02 16:13:33 2016 Control Channel Authentication: using 'pfSense-se5100-udp-1194-pwood-tls.key' as a OpenVPN static key file
                  Tue Aug 02 16:13:33 2016 Attempting to establish TCP connection with [AF_INET]192.168.1.11:1194 [nonblock]
                  Tue Aug 02 16:13:44 2016 TCP: connect to [AF_INET]192.168.1.11:1194 failed, will try again in 5 seconds: Network Unreachable
                  Tue Aug 02 16:13:51 2016 SIGHUP[hard,init_instance] received, process restarting
                  Tue Aug 02 16:13:51 2016 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
                  Tue Aug 02 16:13:51 2016 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
                  Tue Aug 02 16:13:56 2016 Control Channel Authentication: using 'pfSense-se5100-udp-1194-pwood-tls.key' as a OpenVPN static key file
                  Tue Aug 02 16:13:56 2016 Attempting to establish TCP connection with [AF_INET]192.168.1.11:1194 [nonblock]
                  Tue Aug 02 16:14:06 2016 TCP: connect to [AF_INET]192.168.1.11:1194 failed, will try again in 5 seconds: Network Unreachable
                  Tue Aug 02 16:14:21 2016 TCP: connect to [AF_INET]192.168.1.11:1194 failed, will try again in 5 seconds: Network Unreachable
                  Tue Aug 02 16:14:27 2016 TCP connection established with [AF_INET]192.168.1.11:1194
                  Tue Aug 02 16:14:27 2016 TCPv4_CLIENT link local (bound): [undef]
                  Tue Aug 02 16:14:27 2016 TCPv4_CLIENT link remote: [AF_INET]192.168.1.11:1194
                  Tue Aug 02 16:14:27 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
                  Tue Aug 02 16:14:27 2016 [pfsense_server_Cert] Peer Connection Initiated with [AF_INET]192.168.1.11:1194
                  Tue Aug 02 16:14:30 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                  Tue Aug 02 16:14:30 2016 open_tun, tt->ipv6=0
                  Tue Aug 02 16:14:30 2016 TAP-WIN32 device [Ethernet] opened: \.\Global{EF45BF83-8008-4434-9359-3A205FDACED0}.tap
                  Tue Aug 02 16:14:30 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.100.200.0/10.100.200.2/255.255.255.0 [SUCCEEDED]
                  Tue Aug 02 16:14:30 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.100.200.2/255.255.255.0 on interface {EF45BF83-8008-4434-9359-3A205FDACED0} [DHCP-serv: 10.100.200.254, lease-time: 31536000]
                  Tue Aug 02 16:14:30 2016 Successful ARP Flush on interface [12] {EF45BF83-8008-4434-9359-3A205FDACED0}
                  Tue Aug 02 16:14:35 2016 Initialization Sequence Completed

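Added example, not code from the thread or from pfSense: a small Python parser that reads an OpenVPN 2.3 client log in the format pasted above and reports how many connect attempts failed, how many process restarts occurred, and how long it took from the first attempt to "Initialization Sequence Completed". The sample log is a constructed excerpt of the one above, and the 30-second threshold is an assumed local baseline for flagging a slow failover like the WAN-2 case.

```python
import re
from datetime import datetime

# Constructed sample: an excerpt of the OpenVPN 2.3 client log in the thread
# (same timestamps and messages; one untimestamped prompt line kept on purpose).
SAMPLE_LOG = """\
Tue Aug 02 16:13:33 2016 Attempting to establish TCP connection with [AF_INET]192.168.1.11:1194 [nonblock]
Enter Management Password:
Tue Aug 02 16:13:44 2016 TCP: connect to [AF_INET]192.168.1.11:1194 failed, will try again in 5 seconds: Network Unreachable
Tue Aug 02 16:13:51 2016 SIGHUP[hard,init_instance] received, process restarting
Tue Aug 02 16:13:56 2016 Attempting to establish TCP connection with [AF_INET]192.168.1.11:1194 [nonblock]
Tue Aug 02 16:14:06 2016 TCP: connect to [AF_INET]192.168.1.11:1194 failed, will try again in 5 seconds: Network Unreachable
Tue Aug 02 16:14:21 2016 TCP: connect to [AF_INET]192.168.1.11:1194 failed, will try again in 5 seconds: Network Unreachable
Tue Aug 02 16:14:27 2016 TCP connection established with [AF_INET]192.168.1.11:1194
Tue Aug 02 16:14:35 2016 Initialization Sequence Completed
"""

# OpenVPN 2.3 prefixes each line with e.g. "Tue Aug 02 16:13:33 2016 ".
TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<msg>.*)$")


def parse_log(text):
    """Return [(datetime, message)] for every timestamped line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("msg")))
    return events


def summarize(text, max_seconds=30):
    """Count retries/restarts and time the connection; max_seconds is an assumed threshold."""
    events = parse_log(text)
    first = next((ts for ts, msg in events if msg.startswith("Attempting to establish")), None)
    tcp_up = next((ts for ts, msg in events if "connection established" in msg), None)
    ready = next((ts for ts, msg in events if msg == "Initialization Sequence Completed"), None)

    def since_first(ts):
        return (ts - first).total_seconds() if first and ts else None

    result = {
        "failed_attempts": sum("failed, will try again" in msg for _, msg in events),
        "restarts": sum("process restarting" in msg for _, msg in events),
        "seconds_to_tcp": since_first(tcp_up),
        "seconds_to_ready": since_first(ready),
    }
    # Never-completed or slower-than-baseline connections both deserve a look.
    result["slow_or_failed"] = result["seconds_to_ready"] is None or result["seconds_to_ready"] > max_seconds
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a log captured on the WAN-1 path and again on WAN-2 to compare the two numbers directly.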
    ZeroOne

                    Hello,

                    I've got a quite similar problem with multi-WAN and the OpenVPN client.

                    Using a gateway group as the interface does not work. As soon as the used (first) interface goes down or loses connectivity (for example a wireless interface from a WISP under bad weather conditions), the ovpnc1 service crashes. It won't start on the next interface (the next-tier interface from the gateway group).

                    I tried to use multiple VPN connections, one on each WAN, but pfSense won't let me add redundant routes on multiple ovpncX instances.
                    (My guess was to have multiple VPN connections, set every ovpncX on an interface, and make another gateway group with different tiers to manage the connection over the VPN.)

                    Any advice?

    allan

                      @jimp:

                      If it's for an OpenVPN client, a gateway group should work OK, provided that it's a failover group (only one gateway per tier), though you might have an issue if the group prefers a WAN that isn't your default gateway.

                      Could you elaborate on why this is (and possible workarounds)? I have exactly this setup and I'm running into issues with the client ending up on the default gateway even though it's using a gateway group that prefers a different WAN interface before failing over to the default.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.