Netgate Discussion Forum

OpenVPN client for site2site on a multiwan and HA/CARP setup

pcdxinupro wrote:

Running pfSense 2.3.2-RELEASE-p1 at a few remote sites, each with a pair of firewalls leveraging CARP and multiwan. It seems that multiwan and HA/CARP are mutually exclusive when running an OpenVPN client on the firewalls. Within the OpenVPN client config, you can either select a CARP interface or a gateway group. My initial configuration had the interface specified as the CARP, as I wanted the OpenVPN client to follow whichever was the master firewall. But in a multiwan setup, there doesn't seem to be a hook (unless I'm missing it) to have the OpenVPN client reconfigure during a gateway change with CARP as the interface. Since we've had more issues of failing ISP connections than firewalls themselves, my config now uses the gateway groups as the interface. The only semi bullet-proof solution I can come up with is to remove the OpenVPN client from the firewalls and place it on a separate system inside. Space and resource limitations make that restrictive, though. Is there something that I'm not seeing? Perhaps a custom hook to react to multiwan changes?

      Thanks
      Peter

Derelict (LAYER 8, Netgate) wrote:

        OpenVPN client should work just fine with a gateway group.

        Did you set the CARP VIPs in the gateway group settings?

        The interface on the OpenVPN client should be the failover gateway group.

        When the Tier 1 ISP fails, the OpenVPN client will be reconfigured to use the Tier 2 WAN and should automatically reconnect.

        The reverse should happen when Tier 1 recovers.

        This is distinct from HA/CARP. When an HA failover occurs the OpenVPN client will be stopped on the failed unit and started on the new master. It will use the same multi-wan configuration as the primary since they should be identical.

        Some of this might change if you do not have the requisite 3 public IP addresses on both WANs. But it might even work with only one as long as the CARP VIPs are selected in the gateway group settings.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

pcdxinupro wrote:
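The two posts above boil down to one configuration check: every member of the failover gateway group that the OpenVPN client binds to must reference a CARP VIP rather than the plain interface address, otherwise the client on the backup node sources from an address the peer does not expect after a CARP failover. The script below is an added example, not code from the thread or from pfSense; it audits a constructed config.xml-style fragment for exactly that pitfall and also shows which address the client ends up bound to for a given set of gateway states. It assumes the `gateway|tier|vip` item layout (with the literal `address` meaning "interface address") and the `<virtualip>` element names shown in the sample; treat those as assumptions and adjust the parser to your own config.xml if they differ.

```python
"""Audit a pfSense-style failover gateway group used by an OpenVPN client.

Checks the HA pitfall from the thread: every group member should bind to a
CARP VIP, not to the interface address. Also computes the address the client
would bind to given each gateway's status (lowest tier that is 'up').

The XML below is constructed for this example. Assumption: each <item> is
"gateway|tier|vip", where vip is either the literal 'address' (interface
address) or the uniqid of a virtual IP defined under <virtualip>.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface>
         <uniqid>_vipwan1</uniqid><subnet>203.0.113.10</subnet><vhid>1</vhid></vip>
    <vip><mode>carp</mode><interface>opt1</interface>
         <uniqid>_vipwan2</uniqid><subnet>198.51.100.10</subnet><vhid>2</vhid></vip>
  </virtualip>
  <gateways>
    <gateway_group>
      <name>VPN_FAILOVER</name>
      <item>WAN_DHCP|1|_vipwan1</item>
      <item>WAN2_DHCP|2|address</item>
      <trigger>down</trigger>
    </gateway_group>
  </gateways>
</pfsense>"""


def load_carp_vips(root):
    """Map VIP uniqid -> address for every CARP-mode virtual IP."""
    return {
        v.findtext("uniqid"): v.findtext("subnet")
        for v in root.iter("vip")
        if v.findtext("mode") == "carp"
    }


def parse_group(root, name):
    """Return [(gateway, tier, vip)] for the named gateway group."""
    for group in root.iter("gateway_group"):
        if group.findtext("name") == name:
            members = []
            for item in group.findall("item"):
                gw, tier, vip = item.text.split("|")
                members.append((gw, int(tier), vip))
            return members
    raise KeyError(f"gateway group {name!r} not found")


def audit_group(xml_text, group_name):
    """List every member that does not bind to a known CARP VIP."""
    root = ET.fromstring(xml_text)
    vips = load_carp_vips(root)
    findings = []
    for gw, tier, vip in parse_group(root, group_name):
        if vip == "address":
            findings.append(
                f"{gw} (tier {tier}) binds to the interface address, not a CARP VIP"
            )
        elif vip not in vips:
            findings.append(f"{gw} (tier {tier}) references unknown VIP {vip}")
    return findings


def active_bind_address(xml_text, group_name, gateway_status):
    """(gateway, address) the client binds to: lowest tier whose gateway is 'up'.

    gateway_status maps gateway name -> 'up' or 'down'. Returns None when no
    member is up. A member bound to the interface address is reported as such.
    """
    root = ET.fromstring(xml_text)
    vips = load_carp_vips(root)
    members = sorted(parse_group(root, group_name), key=lambda m: m[1])
    for gw, _tier, vip in members:
        if gateway_status.get(gw) == "up":
            return gw, vips.get(vip, "interface address")
    return None


if __name__ == "__main__":
    for finding in audit_group(SAMPLE_CONFIG, "VPN_FAILOVER"):
        print("FINDING:", finding)
    print(active_bind_address(SAMPLE_CONFIG, "VPN_FAILOVER",
                              {"WAN_DHCP": "down", "WAN2_DHCP": "up"}))
```

Run against the sample, the audit flags the tier 2 member (the same mistake the original poster found in his own setup), and the failover simulation shows that once tier 1 is down the client would bind to the bare interface address of WAN2, which is why the backup unit's tunnel would misbehave after a CARP failover even though the gateway group itself works.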

          Derelict,

I think you nailed it with the CARP interface specified in the gateway group. I had one of them set and the other was using the interface, not the CARP. It must have been through my tinkering that I adjusted it, and the several layers of disconnection between the VPN client and that config never had me check again. Going to test during a maintenance window or if we lose ISP, whichever happens first.

          Thanks
          Peter

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.