OpenVPN on Virtual IPs



  • Hi All,

    Currently we have built a setup with pfSense version 2.3.1. Installed OpenVPN and were successfully able to VPN into the network. But when the primary firewall fails, we are unable to connect to OpenVPN.

    So to connect to OpenVPN seamlessly when any of the firewalls fails, I tried the below steps:

    1. Changed the interface to one of the Virtual IPs instead of the WAN address under "OpenVPN Servers"
    2. Added the firewall rule for the VIP on the required UDP port
    3. Did a firewall reboot
    4. Downloaded the configuration files once again

    Tried to reconnect the VPN and now it's showing "TLS negotiation failed". I tried downloading the file several times but no luck.

    I am not sure whether any required configuration has been missed out.

    Any suggestions will be really appreciated.



  • It would be really helpful if you guys could suggest how to proceed further.



  • Have a look here at how to do it properly (in your case WAN2 = VIP):
    https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN



  • Hi,

    I did a step-by-step configuration as mentioned in the URL. I am able to connect to the VPN but the network was completely unstable. Even in the OpenVPN window, it was throwing some routing errors.


  • LAYER 8 Netgate

    Then you're doing it wrong. Post what you've done, not a description of what you think you've done.

    Bind your OpenVPN instance to the CARP VIP, or an IP Alias VIP on the CARP VIP.

    You don't need new client config files because the IP address they connect to doesn't change.

    Failover is not hitless. Usually takes about 60 seconds for the clients to reconnect.



  • Derelict,

    I have not mentioned a description of what I think. I mentioned stuff which was tested in our environment. As said earlier, the option under interface in OpenVPN servers has been modified from WAN to one of my VIPs.

    Still it is connecting to the primary firewall WAN IP address and fails when firewall failover happens.



  • You have to select 127.0.0.1 and PORT as the interface to bind in OVPN and not WAN or VIP, then you just open the ports you want the client to come in on WAN and VIP and route them to 127.0.0.1 PORT.
    That is all.



  • Hi n3by,

    Thanks for the reply. I have uploaded my config. Kindly have a look and do suggest if there is anything.

    ![Open VPN Conf- NAT.png](/public/imported_attachments/1/Open VPN Conf- NAT.png)



  • Missed the OpenVPN config attachment

    ![Open VPN Conf- Interfaces.png](/public/imported_attachments/1/Open VPN Conf- Interfaces.png)



  • It looks OK.
    Test if a VPN client can establish a VPN connection on both WAN addresses, and after that you can update the client configs.



  • Again it fails when I switch the traffic from the primary to the secondary firewall.

    In the OpenVPN window, I can see it still points to the primary WAN address when the sec firewall acts as Master.



  • Hi n3by,

    Is any configuration update required from clients?



  • Do you have 2 gateways?
    Maybe traffic still leaves from 1 gateway when you test the 2 WAN …

    For the clients update you just have to add this in the config file so it can establish a connection to any WAN address:
    resolv-retry infinite
    remote WAN-address1 1195 udp
    remote WAN-address2 1195 udp
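
The thread's recurring symptom is a client that keeps dialing the primary WAN address, so it helps to check which `remote` targets a client profile really contains. The following is an added example, not code from any poster or from pfSense; the sample profiles, the 198.51.100.x addresses, the role labels and the function names are all assumptions made for illustration.

```python
# Added example: audit the `remote` lines of an OpenVPN client profile.
# Constructed sample profiles; addresses come from a documentation range.
STALE_PROFILE = """\
client
dev tun
proto udp
port 1195
# exported before the server was re-bound
remote 198.51.100.10
"""

FIXED_PROFILE = """\
client
dev tun
resolv-retry infinite
remote 198.51.100.12 1195 udp
remote 198.51.100.10 1195 udp
"""

# Assumed addressing for the HA pair (not taken from the thread).
ROLES = {
    "198.51.100.10": "primary WAN",
    "198.51.100.11": "secondary WAN",
    "198.51.100.12": "CARP VIP",
}


def parse_remotes(text):
    """Return [(host, port, proto)], using file-level port/proto as defaults."""
    rows = [ln.split() for ln in text.splitlines()
            if ln.strip() and ln.lstrip()[0] not in "#;"]
    defaults = {"port": "1194", "proto": "udp"}  # OpenVPN's built-in defaults
    for row in rows:
        if row[0] in defaults and len(row) > 1:
            defaults[row[0]] = row[1]
    return [(r[1],
             int(r[2] if len(r) > 2 else defaults["port"]),
             r[3] if len(r) > 3 else defaults["proto"])
            for r in rows if r[0] == "remote" and len(r) > 1]


def audit(text, roles):
    """Label every remote and flag a profile that can only reach the primary."""
    labelled = [(h, p, pr, roles.get(h, "unknown"))
                for h, p, pr in parse_remotes(text)]
    seen = {role for *_, role in labelled}
    return {"remotes": labelled,
            "only_primary": seen == {"primary WAN"},
            "targets_vip": "CARP VIP" in seen}
```

A profile for which `audit` reports `only_primary` as true has no target that stays reachable once the primary firewall is down.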



  • Hi,

    No, I have only one gateway. As mentioned by you in one of the previous replies, I made my VIP the second WAN address in the port forwards.



  • Better try to draw a diagram with your hw config; maybe I understand something wrong about what you want to achieve…

