NAT port forward from CARP IP to WAN IP for OpenVPN
  • My CARP failover is working great, and so is OpenVPN access via the WAN IP of each firewall.

    I would like to use OpenVPN through the WAN CARP IP, so users can use the VPN regardless of the master FW. I can see where to set up the NAT port forwarding rule to forward from the CARP IP to the WAN IP, but there is no drop down for target IP to select "WAN", I have to put in an IP (or alias which doesn't help). This is fine until it syncs to the backup server which obviously has a different WAN IP.

    I can work around this by setting the rule not to sync, and then creating a matching rule on the backup server with its own IP, but it seems like it should be possible to do this without that extra overhead.

    I tried running OpenVPN on the WAN CARP IP, with OpenVPN traffic to the actual WAN IP forwarding to the CARP IP, which would have solved the issue. Unfortunately that stops the OpenVPN server on the backup FW from running when it's not the master of the WAN interface. >:(

    Any ideas how to achieve my goal?



  • …I take back my workaround idea. The rule I create on the backup is removed when I save any changes to the rule on the primary.  :o


  • LAYER 8 Netgate

    Tell your OpenVPN server to listen on localhost.

    Create a port forward that forwards your CARP VIP:OpenVPN port to 127.0.0.1:OpenVPN port with tracked firewall rules.

    Tell your clients to connect to CARP VIP:OpenVPN Port.

    And you're done.



  • GENIUS!!! I knew there must be a simple answer. Thank you very, very much!  :)


  • LAYER 8 Netgate

    Excellent.

    In that configuration the server is running on both nodes all the time. Whichever holds the CARP VIP gets the traffic from the clients.

    You can also bind the OpenVPN server to the CARP VIP (select that instead of WAN in the server config). That makes the server die on the BACKUP node and start on the MASTER node.

    I like the port forward technique because it results in fewer things that have to happen on a failover event. Especially as the number of server processes goes up.
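    As an added illustration (not from this thread or from Netgate), these are the raw pf rules that the localhost port forward described in the two replies above amounts to on each node, with the OpenVPN server itself configured with `local 127.0.0.1` so it listens only on loopback. Assumed values: WAN interface em0, shared CARP VIP 203.0.113.10, OpenVPN on UDP 1194.

```pf
# Assumptions (not from the thread): WAN is em0, the shared CARP VIP is
# 203.0.113.10, and OpenVPN listens on UDP 1194 bound to 127.0.0.1.
wan_if    = "em0"
carp_vip  = "203.0.113.10"
ovpn_port = "1194"

# Destination NAT: packets addressed to the VIP are rewritten to the loopback
# listener. Both nodes carry the identical rule, but only the node currently
# holding the CARP VIP receives the packets, so the rule can sync unchanged.
rdr on $wan_if proto udp from any to $carp_vip port $ovpn_port -> 127.0.0.1 port $ovpn_port

# The "tracked" firewall rule: filter rules evaluate the post-NAT destination,
# so the pass rule matches 127.0.0.1, not the VIP.
pass in quick on $wan_if proto udp from any to 127.0.0.1 port $ovpn_port keep state
```

    Binding the daemon to 127.0.0.1 also means it is not reachable on either node's real WAN address unless a forward exists, which keeps the exposed surface to the one VIP:port the clients are given.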

