Netgate Discussion Forum
    Problem with VPN configuration, please help

    Off-Topic & Non-Support Discussion
    31 Posts 5 Posters 3.5k Views
    • I
      icomaznev @johnpoz
      last edited by

      @johnpoz What do you mean, John? In VPN - OpenVPN - Servers, start one server on WAN1 and another (identical) one on WAN2?
      And a second question: which OpenVPN client can I use in order to use option one (the one you proposed)? So far I use the VPN client downloaded from here https://openvpn.net/index.php/open-source/downloads.html

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Yes, OpenVPN can do that; you just put them in the .ovpn file.

        And yes, just run another instance on your other (2nd) WAN. You can run as many instances of OpenVPN as you need. I run 3: one on TCP 443, one on UDP 1194 and another as a client to my VPS, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • I
          icomaznev @johnpoz
          last edited by

          @johnpoz Sorry to ask "stupid" questions, but my teacher taught me that "it is better to ask how to do things right than to do stupid things and feel sorry afterwards".
          So, speaking about the config file, do you mean to have something like:

          dev tap
          persist-tun
          persist-key
          cipher AES-128-CBC
          ncp-ciphers AES-256-GCM:AES-128-GCM
          auth SHA1
          tls-client
          client
          resolv-retry infinite

          remote xxx.xxx.xxx.xxx 1194 udp

          remote yyy.yyy.yyy.yyy 1195 udp

          verify-x509-name "myserver" name

          pkcs12 whatevername1-UDP4-1194-myclient.p12
          tls-auth whatevername1-UDP4-1194-myclient-tls.key 1

          pkcs12 whatevername2-UDP4-1195-myclient.p12
          tls-auth whatevername2-UDP4-1195-myclient-tls.key 1

          remote-cert-tls server

          Will this make the client try to connect to yyy.yyy.yyy.yyy (WAN2 public address) if xxx.xxx.xxx.xxx (WAN1 public address) is not reachable?
          Or do I have to add something else to the configuration file?

          I read the documentation, but the description of this is vague and not very clear.
          So again, sorry to ask, but it is better to ask experienced people than to conduct a series of experiments with no clear outcome :).

          • I
            icomaznev
            last edited by

            And one more question.
            When I added the second instance (server) for WAN2 and tried to export the configuration for the OpenVPN client, there are no lines for the second WAN in the configuration file.
            I mean, there is:
            pkcs12 whatevername1-UDP4-1194-myclient.p12
            tls-auth whatevername1-UDP4-1194-myclient-tls.key 1
            But these are missing:
            pkcs12 whatevername2-UDP4-1195-myclient.p12
            tls-auth whatevername2-UDP4-1195-myclient-tls.key 1
            Is this normal?

            • I
              icomaznev
              last edited by

              Or maybe I forgot to manually issue certificates for the second server instance?

              • I
                icomaznev
                last edited by

                No, I just took a look at the server certificate options; there is no place to point to which server you issue the certificate for. Maybe all instances use one server certificate?

                • RicoR
                  Rico LAYER 8 Rebel Alliance
                  last edited by Rico

                  Hi,
                  @jimp did some VERY great pfSense videos on OpenVPN RAS combined with MultiWAN.
                  I recommend you check them out to get some things clear.
                  https://www.youtube.com/embed/qscIIZ10WTQ
                  https://www.youtube.com/embed/iJ5GACqfIGs
                  https://www.youtube.com/embed/ku-fNfJJV7w
                  https://www.youtube.com/embed/svZ6PKqGdtg

                  -Rico

                  • I
                    icomaznev @Rico
                    last edited by

                    @rico Thanks Rico. I will take a look right now.

                    • RicoR
                      Rico LAYER 8 Rebel Alliance
                      last edited by

                      This post is deleted!
                      • JeGrJ
                        JeGr LAYER 8 Moderator @icomaznev
                        last edited by

                        @icomaznev Just to add my two cents to your problem: you have two upstream connections and want the OVPN instance to be available via both, right? Then you don't need to set up two servers, and you don't need anything else in your client configuration other than the second "remote" statement as a fallback. All you have to do (now with 2.4.4 there are other possibilities, but this still works very nicely for MultiWAN):

                        1. configure your OVPN server instance running on localhost on udp/1194 (not WAN or WAN2)
                        2. add a port forward on WAN and WAN2 (your ADSL line) for incoming traffic on the WAN(2) address and port 1194, and forward that to localhost/1194
                        3. check that both forwards are active
                        4. (optional) create DNS entries (if the IPs on WAN/WAN2 are static ones) for vpn1/vpn2.domain.example
                        5. in the OpenVPN client export, choose "host name resolution" as "other" and enter the IP or DNS name for the WAN IP below
                        6. in the "additional configuration options" box below, enter the second "remote" statement needed for dns2/IP on WAN2
                        7. export a client config and check that both remote settings are in there

                        Now test that (connection to WAN1), and to test WAN2 simply edit the config and switch the remote lines to connect directly to WAN2. If both work, you're done and can roll out that configuration to your clients :)

                        Greets
                        Jens

                        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

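Both icomaznev's draft profile (the one with two "remote" lines and duplicated pkcs12/tls-auth lines) and step 7 of the procedure above come down to the same check: does the exported .ovpn actually contain both remotes, and does it still pin the server identity? The following script is an added example, not code from this thread or from pfSense: it parses an OpenVPN client profile, lists the fallback order of the "remote" entries, flags directives that OpenVPN reads only once (so a second pkcs12 line does not add a second server; treating that set as single-valued is an assumption stated in the code), and reports missing server-identity checks. The addresses, file names and the profile text are constructed for the example.

```python
"""Sanity-check an exported OpenVPN client profile for multi-WAN fallback.

Added example (not pfSense or OpenVPN project code). The sample profile,
addresses and file names below are constructed for illustration.
"""
import re
from collections import Counter

# Assumption: these directives take a single value, so a second occurrence
# replaces the first instead of adding a "second server".
SINGLE_VALUE = {"pkcs12", "tls-auth", "tls-crypt", "ca", "cert", "key",
                "dev", "auth", "cipher"}
# Directives that bind the client to the real server's certificate.
REQUIRED = {"remote-cert-tls", "verify-x509-name"}

# Constructed profile modelled on the layout discussed in the thread
# (documentation addresses, two remotes, duplicated pkcs12/tls-auth).
SAMPLE_PROFILE = """\
dev tun
client
resolv-retry infinite
remote 198.51.100.10 1194 udp
remote 203.0.113.20 1195 udp
verify-x509-name "myserver" name
pkcs12 site-UDP4-1194-myclient.p12
tls-auth site-UDP4-1194-myclient-tls.key 1
pkcs12 site-UDP4-1195-myclient.p12
tls-auth site-UDP4-1195-myclient-tls.key 1
remote-cert-tls server
"""


def parse_ovpn(text):
    """Return [(directive, [args])], skipping comments and inline <tag> blocks."""
    directives = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # swallow <ca>...</ca> style bodies
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:
            in_block = m.group(1)
            directives.append((in_block, ["<inline>"]))
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def remotes(directives):
    """Fallback order as (host, port, proto); the client tries them in file order."""
    out = []
    for name, args in directives:
        if name == "remote":
            host = args[0]
            port = int(args[1]) if len(args) > 1 else 1194
            proto = args[2] if len(args) > 2 else "udp"
            out.append((host, port, proto))
    return out


def audit(text):
    """Return a dict of findings for the given profile text."""
    d = parse_ovpn(text)
    names = Counter(name for name, _ in d)
    present = set(names)
    return {
        "remotes": remotes(d),
        "has_fallback": names["remote"] >= 2,
        "duplicated": sorted(n for n in SINGLE_VALUE if names[n] > 1),
        "missing": sorted(REQUIRED - present),
        "has_tls_key": bool(present & {"tls-auth", "tls-crypt"}),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PROFILE).items():
        print(f"{key:13} {value}")
```

Run against the constructed profile it reports both remotes in order and `has_fallback` true, but also lists pkcs12 and tls-auth under `duplicated`: the second pair of key lines in that draft does not give the client a second identity, which is the point of the advice to keep one server instance and add only the second "remote" line. A profile exported without `remote-cert-tls server` or `verify-x509-name` shows up under `missing`, which is worth checking on every export since a client without them cannot tell the real endpoint from an impostor.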
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          @Rico That was a spammer; their post has been removed and the account banned (it should be deleted, but I don't have the ability as only a mod)... They had a link hidden in their post to nonsense.
                          • I
                            icomaznev @johnpoz
                            last edited by

                            @johnpoz Who is the spammer?

                            • I
                              icomaznev @JeGr
                              last edited by

                              @jegr Thank you, I will try this solution too.
                              • I
                                icomaznev
                                last edited by

                                BTW guys, I have another issue with my two internet lines.
                                When the "master" one (the FO one) goes down for some reason, pfSense acts as I expected and switches very fast to the second line (the ADSL one). BUT when the FO one is back (up and running), pfSense doesn't switch back to the faster line, no matter that I have set up the FO as tier 1 and the ADSL as tier 2 and they are monitored by different DNS servers.
                                I read tons of posts and watched more than 10 videos concerning this issue. Obviously it is not only me who has such a problem.
                                So if somebody knows the solution... please share it.
                                Best regards to the community.
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz

                                  The post above yours, which I assumed you were responding to, was asking for details and for you to start your own thread ;) It's gone now.
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.