Open VPN on Virtual IP'S

sai ravi

Hi All
Currently we have built a set up with the PF sense version 2.3.1.Installed Open VPN and were successfully able to VPN into the network.But when primary firewall fails,we are unable to connect Open VPN.

So to connect open VPN seamlessly when any of the firewall fails, i tried the below steps

1. Changed the interface with one of the Virtual IP'S instead of WAN address under "Open VPN Servers"
2. Added the firewall rule for the VIP on the required UDP port
3. Did a firewall reboot
4. Downloaded the configuration files once again

Tried to reconnect the VPN and now its showing " TLS negotiation failed". I tried downloading the file several times but no luck.

I am not sure whether any required configuration has been missed out.

Any suggestions will be really appreciated.

sai ravi

It would be really helpful if you guys suggest to proceed further.

n3by

have a look here how to do it properly ( in your case WAN2 = VIP ):
https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN

sai ravi

Hi
I did a step by step configuration which was mentioned in the URL.I am able to connect to vpn but the network was completely unstable.Even in the Open VPN window, it was throwing some routing errors.

Derelict

Then you're doing it wrong. Post what you've done, not a description of what you think you've done.

Bind your OpenVPN instance to the CARP VIP, or an IP Alias VIP on the CARP VIP.

You don't need new client config files because the IP address they connect to doesn't change.

Failover is not hitless. Usually takes about 60 seconds for the clients to reconnect.

sai ravi

Derelict
I have not mentioned a description of what i think.I mentioned stuffs which was tested in our environment. As said earlier,the option under interface in Open VPN servers has been modified from WAN to one of my VIP.

Still it is connecting to the primary firewall WAN IP address and fails when firewall fail over happens.

n3by

you have to select 127.0.0.1 and PORT as interface to bind in OVPN and not WAN or VIP, then you just open the ports you want the client to come on WAN and VIP and route them to 127.0.0.1 PORT.
this is all.

sai ravi

Hi n3by
Thanks for the reply.I have uploaded my config.Kindly have a look and do suggest me if any.

![Open VPN Conf- NAT.png](/public/imported_attachments/1/Open VPN Conf- NAT.png)
![Open VPN Conf- NAT.png_thumb](/public/imported_attachments/1/Open VPN Conf- NAT.png_thumb)

sai ravi

Missed Open VPN config attachment

![Open VPN Conf- Interfaces.png](/public/imported_attachments/1/Open VPN Conf- Interfaces.png)
![Open VPN Conf- Interfaces.png_thumb](/public/imported_attachments/1/Open VPN Conf- Interfaces.png_thumb)

n3by

it look ok.
test if a vpn client can establish vpn connection on both wan address and after that you can update config clients

sai ravi

Again it fails when i switch the traffic from primary to secondary firewall.

In the open VPN window, i can see it still points to the primary wan address when sec firewall acts as Master.

sai ravi

Hi n3by
Any configuration update required from clients?

n3by

Do you have 2 gateways ?
Maybe traffic still leave from 1 gateway when you test the 2 WAN …

for clients update you just have to add this in config file so it can establish connection to any wan adress:
resolv-retry infinite
remote WAN-address1 1195 udp
remote WAN-address2 1195 udp

sai ravi

Hi
No i have only one gateway. As mentioned by you in one of the previous replies, i made my VIP as the second WAN address in the port forwards.

n3by

Better try to draw a diagram with you hw config maybe I understand something wrong with what you want to achieve…