Netgate Discussion Forum

    Open VPN on Virtual IP'S

OpenVPN
15 Posts 3 Posters 2.4k Views
sai ravi:

Hi All
Currently we have built a setup with pfSense version 2.3.1. Installed OpenVPN and were successfully able to VPN into the network. But when the primary firewall fails, we are unable to connect OpenVPN.

So to connect OpenVPN seamlessly when any of the firewalls fails, I tried the steps below:

1. Changed the interface to one of the Virtual IPs instead of the WAN address under "OpenVPN Servers"
2. Added the firewall rule for the VIP on the required UDP port
3. Did a firewall reboot
4. Downloaded the configuration files once again

Tried to reconnect the VPN and now it's showing "TLS negotiation failed". I tried downloading the file several times but no luck.

I am not sure whether any required configuration has been missed out.

Any suggestions will be really appreciated.
sai ravi:

It would be really helpful if you guys could suggest how to proceed further.
n3by:

Have a look here at how to do it properly (in your case WAN2 = VIP):
https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN
sai ravi:

Hi
I did a step-by-step configuration as mentioned in the URL. I am able to connect to the VPN but the network was completely unstable. Even in the OpenVPN window, it was throwing some routing errors.
Derelict (Netgate):

Then you're doing it wrong. Post what you've done, not a description of what you think you've done.

Bind your OpenVPN instance to the CARP VIP, or an IP Alias VIP on the CARP VIP.

You don't need new client config files because the IP address they connect to doesn't change.

Failover is not hitless. Usually takes about 60 seconds for the clients to reconnect.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
sai ravi:

Derelict
I have not mentioned a description of what I think. I mentioned things that were tested in our environment. As said earlier, the option under Interface in OpenVPN Servers has been modified from WAN to one of my VIPs.

Still it is connecting to the primary firewall WAN IP address and fails when firewall failover happens.
n3by:

You have to select 127.0.0.1 and PORT as the interface to bind in OVPN, not WAN or VIP; then you just open the ports you want the client to come in on, on WAN and VIP, and route them to 127.0.0.1 PORT.
This is all.
sai ravi:

Hi n3by
Thanks for the reply. I have uploaded my config. Kindly have a look and suggest any changes.

![Open VPN Conf- NAT.png](/public/imported_attachments/1/Open VPN Conf- NAT.png)
sai ravi:

Missed the OpenVPN config attachment

![Open VPN Conf- Interfaces.png](/public/imported_attachments/1/Open VPN Conf- Interfaces.png)
n3by:

It looks OK.
Test if a VPN client can establish a VPN connection on both WAN addresses, and after that you can update the client configs.
sai ravi:

Again it fails when I switch the traffic from primary to secondary firewall.

In the OpenVPN window, I can see it still points to the primary WAN address when the secondary firewall acts as Master.
sai ravi:

Hi n3by
Is any configuration update required from clients?
n3by:

Do you have 2 gateways?
Maybe traffic still leaves from 1 gateway when you test the 2 WANs…

For the client update you just have to add this to the config file so it can establish a connection to any WAN address:
resolv-retry infinite
remote WAN-address1 1195 udp
remote WAN-address2 1195 udp
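The two checks n3by asks for above (confirm the listener answers on both WAN addresses, then give the client a `remote` line for each) can be scripted from the client side. The following is an added example written for this thread; it is not code from the forum, from pfSense or from the OpenVPN project. It parses the `remote` lines of a client config, sends one unauthenticated `P_CONTROL_HARD_RESET_CLIENT_V2` packet to each UDP remote and reports whether the server replied with `P_CONTROL_HARD_RESET_SERVER_V2`, which is what a real client would see on its first packet. The sample config, its documentation-range addresses and the function names are all constructed for the example. One caveat matters in practice: if the server uses tls-auth or tls-crypt (the "TLS key" option in pfSense), it silently discards control packets without a valid HMAC, so a timeout is not proof that the address is unreachable; only a positive answer is conclusive. Run it once with the primary as CARP master and once after failover to confirm the listener is reached through both addresses.

```python
import os
import socket
import struct

# OpenVPN control-channel opcodes (from the OpenVPN protocol definition)
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8

# Constructed sample client config with the two 'remote' lines suggested in the
# thread; the addresses are documentation-range placeholders, not real hosts.
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
resolv-retry infinite
# primary WAN address (placeholder)
remote 198.51.100.10 1195 udp
# CARP VIP (placeholder)
remote 198.51.100.11 1195 udp
"""


def parse_remotes(config_text):
    """Return (host, port, proto) for every 'remote' line of an OpenVPN client config.

    A missing port or proto falls back to OpenVPN's defaults (1194, udp). Lines
    beginning with '#' or ';' are treated as comments by this parser.
    """
    remotes = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] != "remote" or len(parts) < 2:
            continue
        host = parts[1]
        port = int(parts[2]) if len(parts) > 2 else 1194
        proto = parts[3].lower() if len(parts) > 3 else "udp"
        remotes.append((host, port, proto))
    return remotes


def build_client_reset(session_id):
    """Build a P_CONTROL_HARD_RESET_CLIENT_V2 packet (key id 0, no tls-auth HMAC)."""
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    opcode_byte = bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0])
    # empty ACK array (length 0), then our own packet id 0
    return opcode_byte + session_id + b"\x00" + struct.pack("!I", 0)


def parse_server_reply(data, our_session_id):
    """Return the server's session id if 'data' is a HARD_RESET_SERVER_V2 acking our reset.

    Layout (no tls-auth): opcode/key id (1), server session (8), ack count (1),
    acked packet id (4), our session id echoed back (8), server packet id (4).
    Anything else (wrong opcode, no ack, foreign session) yields None.
    """
    if len(data) < 26:
        return None
    if data[0] >> 3 != P_CONTROL_HARD_RESET_SERVER_V2:
        return None
    server_session = data[1:9]
    ack_count = data[9]
    if ack_count != 1:
        return None
    acked_pid = struct.unpack("!I", data[10:14])[0]
    echoed_session = data[14:22]
    if acked_pid != 0 or echoed_session != our_session_id:
        return None
    return server_session


def probe(host, port, timeout=3.0):
    """Send one client reset over UDP and report whether the server answered it.

    A timeout means the listener is unreachable on that address OR the server uses
    tls-auth/tls-crypt and dropped the unauthenticated packet; only True is conclusive.
    """
    session_id = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_reset(session_id), (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return False
    return parse_server_reply(data, session_id) is not None


def check_remotes(config_text, timeout=3.0):
    """Probe every UDP 'remote' in the config; returns {(host, port): answered}."""
    results = {}
    for host, port, proto in parse_remotes(config_text):
        if proto.startswith("udp"):
            results[(host, port)] = probe(host, port, timeout)
    return results


if __name__ == "__main__":
    for (host, port), ok in check_remotes(SAMPLE_CLIENT_CONFIG).items():
        print(f"{host}:{port} -> {'answered' if ok else 'no reply'}")
```

Point `SAMPLE_CLIENT_CONFIG` (or a file you read in) at your real client config to probe the addresses it actually lists. Because the probe never completes a TLS handshake, it proves only that the port forward to the listener works through a given address; the unstable-routing symptom reported earlier in the thread still has to be checked with the full client.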
sai ravi:

Hi
No, I have only one gateway. As mentioned by you in one of the previous replies, I made my VIP the second WAN address in the port forwards.
n3by:

Better try to draw a diagram with your hw config; maybe I understand something wrong about what you want to achieve…