OpenVPN SERVER not working on CARP interface



  • I have two sites, each with two pfsense boxes set up with CARP interfaces on both the internal default gateway and external WAN, all statically assigned, with both sites having been tested and confirmed to have failover between the two boxes.

    On top of that, I built an OpenVPN Peer to Peer SSL/TLS; however, I was unable to get it to connect. I kept getting "reconnecting; ping-restart".

    So, to attempt to find the issue via the process of elimination, I took CARP out of the equation at both sites, and after poking the appropriate hole in the firewall, it popped right up.  I then changed the client end back to the CARP interface, and after modifying the firewall rule to account for the change in source IP address, it popped back up; however, whenever I try to change the server side to the CARP interface it refuses to connect again.

    I tried making a Peer to Peer Shared Key VPN with the same results; however, I'm not including the logs from that attempt because I'd rather not use it if possible.

    Before someone asks: yes, when I change the server to CARP, I'm changing the client's target IP address as well as the server's bound interface.

    Thanks so much in advance for any help; while one site being redundant is nice, both sites being redundant would be better.

    **Included below are the relevant settings from the server side. Let me know if there's anything else you need to know.**

    Firewall rules on server side.  This is on the WAN tab
    Protocol  Source         Port  Destination    Port  Gateway  Queue
    IPv4 UDP  "Client CARP"  *     "Server WAN"   1194  *        none
    IPv4 UDP  "Client CARP"  *     "Server CARP"  1194  *        none

    Server Outbound NAT
    Interface  Source                   Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
    WAN        "Server LAN Subnet"      *            *            500               "WAN CARP"   *         Keep Source Port Static
    WAN        "Server LAN Subnet"      *            *            *                 "WAN CARP"   *         Randomize Source Port
    WAN        "OpenVPN Tunnel Subnet"  *            *            500               "WAN CARP"   *         Keep Source Port Static
    WAN        "OpenVPN Tunnel Subnet"  *            *            *                 "WAN CARP"   *         Randomize Source Port

    Below are the logs from both sides.

    Server Side OpenVPN Logs
    Feb 24 18:17:45 openvpn 96189 Initialization Sequence Completed
    Feb 24 18:17:45 openvpn 96189 UDPv4 link remote: [AF_UNSPEC]
    Feb 24 18:17:45 openvpn 96189 UDPv4 link local (bound): [AF_INET]"Server WAN CARP":1194
    Feb 24 18:17:45 openvpn 96189 /usr/local/sbin/ovpn-linkup ovpns4 1500 1621 192.168.50.129 255.255.255.128 init
    Feb 24 18:17:45 openvpn 96189 /sbin/ifconfig ovpns4 192.168.50.129 192.168.50.130 mtu 1500 netmask 255.255.255.128 up
    Feb 24 18:17:45 openvpn 96189 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Feb 24 18:17:45 openvpn 96189 TUN/TAP device /dev/tun4 opened
    Feb 24 18:17:45 openvpn 96189 TUN/TAP device ovpns4 exists previously, keep at program end
    Feb 24 18:17:45 openvpn 96189 Initializing OpenSSL support for engine 'rdrand'
    Feb 24 18:17:45 openvpn 96189 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 24 18:17:45 openvpn 96000 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
    Feb 24 18:17:45 openvpn 96000 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
    Feb 24 18:17:45 openvpn 37461 SIGTERM[hard,] received, process exiting
    Feb 24 18:17:45 openvpn 37461 /usr/local/sbin/ovpn-linkdown ovpns4 1500 1621 192.168.50.129 255.255.255.128 init
    Feb 24 18:17:45 openvpn 37461 event_wait : Interrupted system call (code=4)

    Client Side OpenVPN Logs
    Feb 24 18:20:43 openvpn 47524 UDPv4 link remote: [AF_INET]"Server WAN CARP":1194
    Feb 24 18:20:43 openvpn 47524 UDPv4 link local (bound): [AF_INET]"Client WAN CARP":0
    Feb 24 18:20:43 openvpn 47524 TCP/UDP: Preserving recently used remote address: [AF_INET]"Server WAN CARP":1194
    Feb 24 18:20:43 openvpn 47524 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 24 18:20:43 openvpn 47524 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 24 18:20:38 openvpn 47524 SIGUSR1[soft,ping-restart] received, process restarting
    Feb 24 18:20:38 openvpn 47524 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Feb 24 18:19:38 openvpn 47524 UDPv4 link remote: [AF_INET]"Server WAN CARP":1194
    Feb 24 18:19:38 openvpn 47524 UDPv4 link local (bound): [AF_INET]"Client WAN CARP":0
    Feb 24 18:19:38 openvpn 47524 TCP/UDP: Preserving recently used remote address: [AF_INET]"Server WAN CARP":1194
    Feb 24 18:19:38 openvpn 47524 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 24 18:19:38 openvpn 47524 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 24 18:19:33 openvpn 47524 SIGUSR1[soft,ping-restart] received, process restarting
    Feb 24 18:19:33 openvpn 47524 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Feb 24 18:18:32 openvpn 47524 UDPv4 link remote: [AF_INET]"Server WAN CARP":1194
    Feb 24 18:18:32 openvpn 47524 UDPv4 link local (bound): [AF_INET]"Client WAN CARP":0
    Feb 24 18:18:32 openvpn 47524 TCP/UDP: Preserving recently used remote address: [AF_INET]"Server WAN CARP":1194
    Feb 24 18:18:32 openvpn 47524 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 24 18:18:32 openvpn 47524 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 24 18:18:27 openvpn 47524 SIGUSR1[soft,ping-restart] received, process restarting
    Feb 24 18:18:27 openvpn 47524 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Feb 24 18:17:27 openvpn 47524 UDPv4 link remote: [AF_INET]"Server WAN CARP":1194
    Feb 24 18:17:27 openvpn 47524 UDPv4 link local (bound): [AF_INET]"Client WAN CARP":0
    Feb 24 18:17:27 openvpn 47524 TCP/UDP: Preserving recently used remote address: [AF_INET]"Server WAN CARP":1194
    Feb 24 18:17:27 openvpn 47524 Initializing OpenSSL support for engine 'rdrand'
    Feb 24 18:17:27 openvpn 47524 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 24 18:17:27 openvpn 47524 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 24 18:17:27 openvpn 47524 WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Feb 24 18:17:27 openvpn 47250 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
    Feb 24 18:17:27 openvpn 47250 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
    Feb 24 18:17:27 openvpn 72187 SIGTERM[hard,] received, process exiting
    Feb 24 18:17:27 openvpn 72187 /usr/local/sbin/ovpn-linkdown ovpnc3 1500 1560 192.168.50.128 255.255.255.128 init
    Feb 24 18:17:27 openvpn 72187 event_wait : Interrupted system call (code=4)
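
A small triage script for the log pattern shown above, added here as an example and not part of the original post or of pfSense: it reads an OpenVPN server log and a client log, extracts the address the server actually bound and the address the client keeps targeting, counts ping-restart cycles, and flags the "No server certificate verification" warning the client log carries. The sample log lines and the 198.51.100.x addresses are constructed stand-ins for the redacted values in the thread.

```python
import re

# Constructed sample lines modelled on the thread's logs; 198.51.100.10/.11
# are documentation addresses standing in for the redacted "Server WAN" values.
SERVER_LOG = """\
Feb 24 18:17:45 openvpn 96189 Initialization Sequence Completed
Feb 24 18:17:45 openvpn 96189 UDPv4 link remote: [AF_UNSPEC]
Feb 24 18:17:45 openvpn 96189 UDPv4 link local (bound): [AF_INET]198.51.100.10:1194
"""
CLIENT_LOG = """\
Feb 24 18:20:43 openvpn 47524 UDPv4 link remote: [AF_INET]198.51.100.11:1194
Feb 24 18:20:43 openvpn 47524 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 24 18:20:38 openvpn 47524 SIGUSR1[soft,ping-restart] received, process restarting
Feb 24 18:19:38 openvpn 47524 UDPv4 link remote: [AF_INET]198.51.100.11:1194
Feb 24 18:19:33 openvpn 47524 SIGUSR1[soft,ping-restart] received, process restarting
"""

BOUND_RE = re.compile(r"link local \(bound\): \[AF_INET\](\S+):(\d+)")
REMOTE_RE = re.compile(r"link remote: \[AF_INET\](\S+):(\d+)")


def triage(server_log, client_log):
    """Summarise what the two logs say about the tunnel endpoints."""
    f = {"bound": None, "remotes": set(), "ping_restarts": 0,
         "server_not_bound": False, "no_cert_verification": False}
    for line in server_log.splitlines():
        m = BOUND_RE.search(line)
        if m:  # address:port the server process actually listens on
            f["bound"] = (m.group(1), int(m.group(2)))
        if "link local: (not bound)" in line:  # OpenVPN's wording when it binds no address
            f["server_not_bound"] = True
    for line in client_log.splitlines():
        m = REMOTE_RE.search(line)
        if m:  # address:port the client is trying to reach
            f["remotes"].add((m.group(1), int(m.group(2))))
        if "SIGUSR1[soft,ping-restart]" in line:  # one failed keepalive cycle
            f["ping_restarts"] += 1
        if "No server certificate verification" in line:  # client accepts any server cert
            f["no_cert_verification"] = True
    # The client targets an address the server never bound: packets arrive on
    # an address the listener is not attached to, so the handshake never completes.
    f["address_mismatch"] = f["bound"] is not None and bool(f["remotes"] - {f["bound"]})
    return f


if __name__ == "__main__":
    for key, value in triage(SERVER_LOG, CLIENT_LOG).items():
        print(f"{key}: {value}")
```

On a real pair of logs, a repeating ping-restart count with no address mismatch points at the listener-side setting rather than at addressing, and the certificate-verification flag is worth fixing regardless of the connectivity problem.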



  • I found that the solution can also lie in the interface settings.

    https://forum.pfsense.org/index.php?topic=129871.0

    In the OpenVPN Client Protocol dropdown, you probably have selected "UDP IPv4 and IPv6 on all interfaces (multihome)".
    That ignores the selected interface.
    Select "UDP on IPv4 only".

    Also, make sure the OpenVPN interface is set to be the WAN CARP VIP, not the WAN IP.

    This fixed the problem on my end.