Client peer-to-peer tunnels between CARP'd pfsenses

  • Two pfsenses, CARP'd together just fine.  One - the CARP Master - has a client Peer-to-peer OpenVPN tunnel back to a NOC Server Pfsense. The other - CARP Backup - has an identical tunnel configured, but currently disabled.  Just verified that the settings are identical, and the P2P Client tunnel in question is set up to use the WAN VIP IP/interface.  However, since it is configured on the Master, and the current Backup pfsense's tunnel is disabled, that will kill tunnel connection to the NOC, correct?  (Obvious question, but still, feel I should ask…)

    The main point of this post is this: IF I enable the tunnel on the Backup pfsense, which is using the same WAN VIP as the Master's P2P tunnel, will that cause routing issues? Or should the two tunnels use unique WAN interfaces, and not the WAN VIP?

  • Responses will never reach the backup, since they are directed to the WAN VIP, which is held by the master.

    Enable XMLRPC sync of "OpenVPN configuration" in System > 'High Availability Sync'. That way the whole OpenVPN configuration is synced to the backup automatically, and in case of a failover the backup will re-establish the tunnel.
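The reply above makes the operational point that the tunnel can only be alive on whichever node currently holds the WAN VIP. As an added illustration (not part of this thread and not pfSense's own tooling), the following POSIX shell snippet reads the CARP state for a given VHID from `ifconfig` output and reports whether the VIP-sourced client tunnel should be expected up on this node. The `ifconfig` text and addresses are constructed sample data in the FreeBSD format pfSense uses; the VHID numbers are assumptions.

```shell
#!/bin/sh
# Constructed sample of FreeBSD/pfSense `ifconfig` output (assumed format):
# em0 carries WAN VIP vhid 1 as MASTER, em1 carries LAN VIP vhid 2 as BACKUP.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
	inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
	inet 192.0.2.254 netmask 0xffffff00 broadcast 192.0.2.255 vhid 2
	carp: BACKUP vhid 2 advbase 1 advskew 100'

# carp_state VHID [IFCONFIG_TEXT]
# Prints MASTER, BACKUP or INIT for the given VHID, or UNKNOWN if the VHID
# is not configured. Falls back to running the live `ifconfig` when no text is given.
carp_state() {
  vhid="$1"
  text="${2:-$(ifconfig)}"
  state=$(printf '%s\n' "$text" | awk -v v="$vhid" \
    '$1 == "carp:" && $3 == "vhid" && $4 == v { print $2; exit }')
  if [ -n "$state" ]; then
    printf '%s\n' "$state"
  else
    printf 'UNKNOWN\n'
  fi
}

# tunnel_expected_up WAN_VHID [IFCONFIG_TEXT]
# Returns 0 when this node is MASTER for the WAN VIP (so a client tunnel bound to
# that VIP can complete its handshake here), 1 otherwise. A BACKUP node never sees
# the server's replies, because they are addressed to the VIP held by the master.
tunnel_expected_up() {
  state=$(carp_state "$1" "$2")
  case "$state" in
    MASTER)
      echo "vhid $1 is MASTER here: VIP-sourced client tunnel should be up on this node"
      return 0 ;;
    *)
      echo "vhid $1 is $state here: tunnel replies go to the master, do not expect it up on this node"
      return 1 ;;
  esac
}

# Demonstration against the constructed sample (VHID 1 is the assumed WAN VIP).
tunnel_expected_up 1 "$SAMPLE_IFCONFIG"
tunnel_expected_up 2 "$SAMPLE_IFCONFIG" || true
```

On a real node, call `tunnel_expected_up 1` with no second argument to read the live `ifconfig`; pair it with the OpenVPN client status widget or the OpenVPN log to confirm the tunnel is only established on the node that reports MASTER.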

  • Thanks for that! I double checked, and OpenVPN is not selected to sync.
