Multiple OpenVPN clients non-functional
-
Good catch Derelict.. Glad that is settled…
-
Aha. I knew it had to be something.
The interface you select there is not the assigned interface, it is the interface used to establish the VPN connection - usually WAN. Or maybe a gateway group if you are running multi-wan and you want it to switch if your tier 1 fails.
So all of your OpenVPN client configurations will have WAN selected there because that is the interface used to ESTABLISH the VPN connection.
Sorry for being dull, but I'm gonna parrot what you said to make sure I understand.
The WAN interface is used to establish the VPN connection, so regardless of what interface I have selected there (unless I have multi-wan) it will use the WAN interface?
If that's the case, how do I set up routing rules for the VPN clients if they will all use the WAN interface? Do I always select WAN in my OpenVPN client setup?
-
You have to specify a real interface there. In the example you posted to imgur, when your firewall needs to connect to xxx.vpnaccess.com on server port xxxx it will use the interface specified there to source from for the TUNNEL PACKETS - the Outer tunnel packets. It has nothing to do with what traffic is sent through the tunnel itself. It has to be a real interface. What you have there is nonsense.
Create all three OpenVPN clients. Tell them all to use the WAN interface.
Go into Interfaces > (assign). Assign an interface to each ovpncx instance.
Edit each interface, enable it, name it, leave the IPv4 and IPv6 configurations as None.
Make sure you bounce each OpenVPN as this is a required step after initial interface assignment. Another Edit/Save with no changes of each OpenVPN client will do this, as will a Stop/Start of each service in Status > Services.
Make sure outbound NAT is set for each new interface so traffic leaving that interface gets source translated to that particular tunnel address.
You can then policy route whatever traffic you want over each OpenVPN at any time using the policy routing rules on the source network interface. You will have three OpenVPN gateways to choose from. One on each assigned interface.
-
And we're working!
Thanks a ton for sticking with me and helping me sort this out.
-
Excellent to hear. Glad it's working.
-
It is absolutely NOT possible to run 2 concurrent OpenVPN clients in 2.4.
Absolute nonsense.
-
Great answer! At least with AirVPN this does not. I changed nothing configuration wise, just updated and nothing is working anymore. Then did everything from scratch, not working. I configured 20 times minimum 2 concurrent VPN on AirVPN with 2.x. No problems, never.
And as said there are always hard ifconfig errors coming up, change just a simple setting in Routing of one VPN and both go down (a monitoring IP for instance).
What do you want to tell me with this significant sentence? If you can help, help, otherwise why bother?
When I was testing 2.4 I was getting ifconfig errors too. But, obviously it works for some people.
I've always had Don't Pull Routes and Don't Add/Remove Routes enabled for my OVPN clients.
The networks for the different VPNs I used did not overlap.
Anyway, I went back to 2.3.x and am happy in the meantime. Hopefully this will get figured out because I've seen several other people with the same problem.
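An added example, not part of the thread: a small audit of several OpenVPN client configs for the points raised above, namely every client sourcing its outer tunnel packets from the WAN address (the `local` directive), each client on its own `ovpncX` device (`dev`), and Don't Pull Routes enabled (`route-nopull`). The sample configs, hostnames and the WAN address 203.0.113.10 are constructed, and the finding labels are hypothetical names chosen for this example.

```python
# Constructed sample configs (not from the thread). 203.0.113.10 stands in
# for the firewall's WAN address; hostnames are placeholders.
SAMPLE = {
    "client1.conf": "dev ovpnc1\nlocal 203.0.113.10\nremote vpn1.example.net 1194\nroute-nopull\n",
    "client2.conf": "dev ovpnc2\nlocal 203.0.113.10\nremote vpn2.example.net 1194\nroute-nopull\n",
    # Deliberately broken: reuses ovpnc2, no 'local', routes pulled from server.
    "client3.conf": "# third tunnel\ndev ovpnc2\nremote vpn3.example.net 1194\n",
}

def parse(text):
    """Map each OpenVPN directive to its argument list, skipping comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name] = args
    return opts

def audit(configs, wan_ip):
    """Return sorted (file, finding) pairs; an empty list means all checks pass."""
    findings, dev_owner = [], {}
    for fname in sorted(configs):
        opts = parse(configs[fname])
        # Outer tunnel packets must be sourced from a real interface address.
        local = opts.get("local")
        if not local:
            findings.append((fname, "local-missing"))
        elif local[0] != wan_ip:
            findings.append((fname, "local-not-wan"))
        # Each client needs its own ovpncX device to be assigned as an interface.
        dev = (opts.get("dev") or ["<none>"])[0]
        if dev in dev_owner:
            findings.append((fname, "dev-shared-with-" + dev_owner[dev]))
        else:
            dev_owner[dev] = fname
        # Without route-nopull the server's pushed routes override policy routing.
        if "route-nopull" not in opts:
            findings.append((fname, "route-nopull-missing"))
    return sorted(findings)

if __name__ == "__main__":
    for fname, finding in audit(SAMPLE, "203.0.113.10"):
        print(fname, finding)
```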
-
Don't pull routes should be standard, yes. That was not the problem. If you had monitoring IPs in your Routing try to remove them and just leave it blank. That did it for me. In pfSense 2.3.x this was no problem at all but in 2.4.1 it seems to be. So no monitoring IPs and everything is working as expected now.
Thank you for your answer.
Cheers
-
Oh, is that it? Thanks for that tip. Yes, I do edit the IP for gateway monitoring as I like to see the RTT to the other side of the tunnel. Stinks that won't work in 2.4.
-
Same with me or like I did. Deleting it solved ALL the problems there were with the gateways, the ifconfig problems and everything else.
In a second :(