OpenVPN and CARP just doesn't work

  • I've been working with pfSense A LOT now for 2 years and felt that I had a grasp as to how to set up OpenVPN in a CARP configuration, and I'm failing miserably. It continues to work fine when it's focused on the WAN interface IP address. But when I attempt to connect to the WAN CARP VIP, a TLS Error is all I get. Times out.

    Does anyone have this working so that when I do maintenance on the master and the Backup is primary, the OpenVPN connections will migrate?

    Thanks ahead of time.

  • Not sure what your problem is. I have remote access and site-to-site OpenVPN on CARP clusters. Only thing different from a stand alone setup is the Interface is set to the CARP interface in the OpenVPN setup. And I have the firewall rule on the WAN set to 'WAN net' for destination and not 'WAN address'. Are your errors on the client side, or the server side?

  • Thanks for commenting!

    I figured it was something really simple. Nothing different with the Outbound NAT? Any changes to the NAT Address (CARP VIP instead of WAN Address)?

    As for errors, it appears it's just on the client:

    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

    Thanks again!!

  • I'm running OpenVPN directly on the CARP interface, not using a port-forward. Check the logs on the firewall and verify nothing is getting blocked.

  • Hey Guys,

    Recently I upgraded my pfSense 2.3.1 to 2.3.2 and I can't connect to my OpenVPN anymore. And I'm getting this error on the client side: "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)".

    My pfSense is configured with High Availability Sync using CARP. The only package installed is pfBlockerNG.

    I could however connect to the backup pfSense without any errors.

    Any help would be greatly appreciated.

  • rex907 - Please open another post instead of hijacking this one. Simply because it keeps the conversation to the point and less confusing. Thank you and good luck.

    I checked the logs and the firewall rules and I'm just not seeing it. Even went to the extent of moving the rule to Floating, at the top, and to apply right away. Same result. I'll keep looking.

    Any other suggestions would be appreciated.

  • Just to sanity check, have you tried verifying your CARP VIP is reachable? Try a simple port forward to the CARP and make sure you can hit that.

  • This is a production unit on a 30 / 30 MB connection ranging from ~40-65% utilization, so I'm pretty confident that the CARP VIP is reachable. Also, I fail the MASTER over via Maintenance mode every other week for updates (if not sooner) with zero interruption in connection, so I've always assumed that I had CARP configured properly.

    If I am misunderstanding your question, please reword.

    Thanks again for the assistance.

  • Figured it out. After drawing out the path and dumbing down the troubleshooting, my mistake became pretty clear.

    Between my desk and the remote site sit 3 firewalls. The one closest to me was blocking the outbound port. I thought that I had put in a rule to allow that, but in checking it I realized that I had it turned around.

    The posts DID help because you made it very clear this was pretty straightforward. Thanks again!