OpenVPN SERVER not working on CARP interface
-
I have two sites, each with two pfSense boxes set up with CARP interfaces on both the internal default gateway and the external WAN, all statically assigned, with both sites having been tested and confirmed to fail over between the two boxes.
On top of that, I built an OpenVPN Peer to Peer SSL/TLS tunnel; however, I was unable to get it to connect, and kept getting "reconnecting; ping-restart".
So, to attempt to find the issue via the process of elimination, I took CARP out of the equation at both sites, and after poking the appropriate hole in the firewall, it popped right up. I then changed the client end back to the CARP interface, and after modifying the firewall rule to account for the change in source IP address, it popped back up. However, whenever I try to change the server side to the CARP interface it refuses to connect again.
I tried making a Peer to Peer Shared Key VPN with the same results; however, I'm not including the logs from that attempt because I'd rather not use it if possible.
Before someone asks: yes, when I change the server to CARP, I'm changing the client's target IP address as well as the server's bound interface.
Thanks so much in advance for any help; while one site being redundant is nice, both sites being redundant would be better.
**Included below are the relevant settings from the server side. Let me know if there's anything else you need to know.**
Firewall rules on server side. This is on the WAN tab

Protocol   Source          Port   Destination     Port   Gateway   Queue
IPv4 UDP   "Client CARP"   *      "Server WAN"    1194   *         none
IPv4 UDP   "Client CARP"   *      "Server CARP"   1194   *         none

Server Outbound NAT

Interface   Source                    Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port
WAN         "Server LAN Subnet"       *             *             500                "WAN CARP"    *          Keep Source Port Static
WAN         "Server LAN Subnet"       *             *             *                  "WAN CARP"    *          Randomize Source Port
WAN         "OpenVPN Tunnel Subnet"   *             *             500                "WAN CARP"    *          Keep Source Port Static
WAN         "OpenVPN Tunnel Subnet"   *             *             *                  "WAN CARP"    *          Randomize Source Port

Below are the Logs from both sides
Server Side OpenVPN Logs
Feb 24 18:17:45 openvpn 96189 Initialization Sequence Completed
Feb 24 18:17:45 openvpn 96189 UDPv4 link remote: [AF_UNSPEC]
Feb 24 18:17:45 openvpn 96189 UDPv4 link local (bound): [AF_INET]"Server WAN CARP":1194
Feb 24 18:17:45 openvpn 96189 /usr/local/sbin/ovpn-linkup ovpns4 1500 1621 192.168.50.129 255.255.255.128 init
Feb 24 18:17:45 openvpn 96189 /sbin/ifconfig ovpns4 192.168.50.129 192.168.50.130 mtu 1500 netmask 255.255.255.128 up
Feb 24 18:17:45 openvpn 96189 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 24 18:17:45 openvpn 96189 TUN/TAP device /dev/tun4 opened
Feb 24 18:17:45 openvpn 96189 TUN/TAP device ovpns4 exists previously, keep at program end
Feb 24 18:17:45 openvpn 96189 Initializing OpenSSL support for engine 'rdrand'
Feb 24 18:17:45 openvpn 96189 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 24 18:17:45 openvpn 96000 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Feb 24 18:17:45 openvpn 96000 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
Feb 24 18:17:45 openvpn 37461 SIGTERM[hard,] received, process exiting
Feb 24 18:17:45 openvpn 37461 /usr/local/sbin/ovpn-linkdown ovpns4 1500 1621 192.168.50.129 255.255.255.128 init
Feb 24 18:17:45 openvpn 37461 event_wait : Interrupted system call (code=4)

Client Side OpenVPN Logs
Feb 24 18:20:43 openvpn 47524 UDPv4 link remote: [AF_INET]"Server WAN CARP":1194
Feb 24 18:20:43 openvpn 47524 UDPv4 link local (bound): [AF_INET]"Client WAN CARP":0
Feb 24 18:20:43 openvpn 47524 TCP/UDP: Preserving recently used remote address: [AF_INET]"Server WAN CARP":1194
Feb 24 18:20:43 openvpn 47524 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 24 18:20:43 openvpn 47524 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 24 18:20:38 openvpn 47524 SIGUSR1[soft,ping-restart] received, process restarting
Feb 24 18:20:38 openvpn 47524 [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 24 18:19:38 openvpn 47524 UDPv4 link remote: [AF_INET]"Server WAN CARP":1194
Feb 24 18:19:38 openvpn 47524 UDPv4 link local (bound): [AF_INET]"Client WAN CARP":0
Feb 24 18:19:38 openvpn 47524 TCP/UDP: Preserving recently used remote address: [AF_INET]"Server WAN CARP":1194
Feb 24 18:19:38 openvpn 47524 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 24 18:19:38 openvpn 47524 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 24 18:19:33 openvpn 47524 SIGUSR1[soft,ping-restart] received, process restarting
Feb 24 18:19:33 openvpn 47524 [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 24 18:18:32 openvpn 47524 UDPv4 link remote: [AF_INET]"Server WAN CARP":1194
Feb 24 18:18:32 openvpn 47524 UDPv4 link local (bound): [AF_INET]"Client WAN CARP":0
Feb 24 18:18:32 openvpn 47524 TCP/UDP: Preserving recently used remote address: [AF_INET]"Server WAN CARP":1194
Feb 24 18:18:32 openvpn 47524 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 24 18:18:32 openvpn 47524 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 24 18:18:27 openvpn 47524 SIGUSR1[soft,ping-restart] received, process restarting
Feb 24 18:18:27 openvpn 47524 [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 24 18:17:27 openvpn 47524 UDPv4 link remote: [AF_INET]"Server WAN CARP":1194
Feb 24 18:17:27 openvpn 47524 UDPv4 link local (bound): [AF_INET]"Client WAN CARP":0
Feb 24 18:17:27 openvpn 47524 TCP/UDP: Preserving recently used remote address: [AF_INET]"Server WAN CARP":1194
Feb 24 18:17:27 openvpn 47524 Initializing OpenSSL support for engine 'rdrand'
Feb 24 18:17:27 openvpn 47524 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 24 18:17:27 openvpn 47524 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 24 18:17:27 openvpn 47524 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Feb 24 18:17:27 openvpn 47250 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Feb 24 18:17:27 openvpn 47250 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
Feb 24 18:17:27 openvpn 72187 SIGTERM[hard,] received, process exiting
Feb 24 18:17:27 openvpn 72187 /usr/local/sbin/ovpn-linkdown ovpnc3 1500 1560 192.168.50.128 255.255.255.128 init
Feb 24 18:17:27 openvpn 72187 event_wait : Interrupted system call (code=4)
-
I found that the solution can also lie in the interface settings.
https://forum.pfsense.org/index.php?topic=129871.0
In the OpenVPN Client Protocol dropdown, you probably have selected "UDP IPv4 and IPv6 on all interfaces (multihome)".
That ignores the selected interface.
Select "UDP on IPv4 only".
Also, make sure the OpenVPN interface is set to be the WAN CARP VIP, not the WAN IP.
This fixed the problem on my end.
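A quick way to confirm the fix from the shell, as an added example that is not code from this thread or from pfSense: the script below inspects the OpenVPN config that pfSense generates from the GUI and flags the two settings the answer above describes, the `multihome` directive (emitted for the "all interfaces" protocol choice, so the selected interface is ignored) and a `local` bind address that is not the WAN CARP VIP. The path `/var/etc/openvpn/server4.conf` (matching the `ovpns4` device in the server logs), the VIP `203.0.113.10` and the sample config contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. Checks a generated
# OpenVPN config for the symptoms described in the answer: "multihome" set, or
# a bind address other than the WAN CARP VIP. The VIP 203.0.113.10 and the
# sample configs written below are constructed for illustration.

# check_ovpn_bind CONFIG_FILE EXPECTED_VIP
# Returns 0 when the instance binds to EXPECTED_VIP over IPv4-only UDP,
# 1 otherwise, printing one FAIL line per problem found.
check_ovpn_bind() {
    cfg="$1"
    vip="$2"
    rc=0

    if [ ! -r "$cfg" ]; then
        echo "FAIL: cannot read $cfg"
        return 1
    fi

    # "UDP IPv4 and IPv6 on all interfaces (multihome)" writes this directive
    # instead of a "local" line, so the daemon is not bound to the VIP.
    if awk '$1 == "multihome" { found = 1 } END { exit !found }' "$cfg"; then
        echo "FAIL: multihome is set, so the chosen interface is ignored"
        rc=1
    fi

    # With an interface selected, the config carries "local <address>"; that
    # address must be the CARP VIP, not the physical WAN address.
    bound=$(awk '$1 == "local" { print $2; exit }' "$cfg")
    if [ -z "$bound" ]; then
        echo "FAIL: no local directive, daemon listens on every address"
        rc=1
    elif [ "$bound" != "$vip" ]; then
        echo "FAIL: bound to $bound, expected CARP VIP $vip"
        rc=1
    fi

    # "UDP on IPv4 only" corresponds to proto udp4 (plain udp also binds v4);
    # udp6 alone can never answer the client on the IPv4 VIP.
    proto=$(awk '$1 == "proto" { print $2; exit }' "$cfg")
    case "$proto" in
        udp|udp4) ;;
        *) echo "FAIL: proto is '${proto:-unset}', expected udp4"; rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: $cfg binds to $vip with proto $proto"
    fi
    return "$rc"
}

# Constructed sample configs (not taken from the thread) to exercise the check:
# one written the way the "multihome" dropdown choice leaves it, one bound to
# the CARP VIP as the answer recommends.
demo_dir=$(mktemp -d)
printf 'dev ovpns4\nproto udp\nmultihome\nport 1194\n' > "$demo_dir/multihome.conf"
printf 'dev ovpns4\nlocal 203.0.113.10\nproto udp4\nport 1194\n' > "$demo_dir/carp.conf"

check_ovpn_bind "$demo_dir/multihome.conf" 203.0.113.10 || echo "exit status $?"
check_ovpn_bind "$demo_dir/carp.conf" 203.0.113.10 || echo "exit status $?"
rm -r "$demo_dir"
```

On the pfSense box itself, run `check_ovpn_bind /var/etc/openvpn/server4.conf <WAN CARP VIP>` after saving the dropdown change (the `server4` name is assumed to follow the `ovpns4` device seen in the server logs; a client instance would be `client<N>.conf`). A clean result does not prove the tunnel is up, but a FAIL line means the daemon is not listening where the client-side firewall rule expects it.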