OpenVPN server with multiple public IP addresses [Resolved]



  • Hello,

    I want my OpenVPN (for mobile clients, not site-to-site) setup to work with any of my public IP addresses but it does not.

    I have a WAN for which my ISP gave me 1+8 public IP addresses (1 legacy + 8 others bought later).
    They were all added into an host alias and used in a "Outgoing NAT" rule with "Round Robin with Sticky Address" so that outgoing traffic uses all theses addresses : this works fine (eg. for outgoing surf).

    I have configured a very simple OpenVPN server.
    As my setup is multi-WAN (with load balancing), I also added a NAT rule "map external port 1194 to self's port 1194" for all my WANs.

    Problem is that clients (official OpenVPN client v2.3.11) fails to connect to server (with error: TCP: connect to [AF_INET]5.5.5.5:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)) when using an address other than the first of the "host alias".

    I am starting to believe that the outgoing Round Robin NAT rule causes problem with the server's response to client's connection query.
    I tried configuring the OpenVPN server to use TCP instead of UDP (thinking that TCP would be better for session-handling) : no luck.

    What could have I missed?
    How can I debug my setup and check how the OpenVPN responses are routed to the clients?

    Note : I am running pfSense v2.3.1.


  • Rebel Alliance Developer Netgate

    Bind the OpenVPN server to localhost and port forward in for all the IP addresses to 127.0.0.1 on the appropriate port. That works fine, lots of people using that with success.

    The outbound NAT shouldn't be able to interfere with that.



  • It seems to work just fine: thanks! :)

    I guess I can use the same pattern for any pfSense local service?



  • Probably so.
    Especially if that service wants to be < 1024 port. ;)