    PfSense 2.4.2P1 - OpenVPN with CARP VIP

    OpenVPN
    • rkelleyrtp last edited by

      Greetings all,

      Having problems getting OpenVPN working with a CARP VIP on the WAN side.  Using the WAN IP works fine with OpenVPN, but I can't seem to find the magic to make it work on the CARP VIP.

      Some details (example IPs):
      ------------------------
      WAN CARP VIP: 99.99.99.1
      pfSense1 - WAN IP - 99.99.99.2
      pfSense2 - WAN IP - 99.99.99.3

      CARP is working properly as I can switch between active/standby with no issues.

      Setup OpenVPN (using same settings as WAN IP OpenVPN config except the following)

      --> VPN-->OpenVPN-->Servers-->Add
      --> Interface:  99.99.99.1 (WAN VIP)
      --> Protocol: UDP
      --> Port 1201

      Firewall-->Rules-->Add (WAN)
      Action: Pass
      Interface: WAN
      Protocol: UDP4
      Source: *
      Destination: Single Host or Alias:  99.99.99.1
      Destination Port: 1201

      However, my OpenVPN client (Viscosity on Mac) just stays stuck on Connecting.  The OpenVPN status window never shows a connection.

      For what it's worth, I even tried using the "localhost" method (OpenVPN listens on 127.0.0.1) and set a NAT on the WAN VIP to port forward 1201 to 127.0.0.1.

      I must be missing something simple but can't see it yet.

      Any pointers?

      • Derelict LAYER 8 Netgate last edited by

        The first thing I would do is packet capture on WAN for the WAN VIP, UDP, port 1201 and attempt a connection from the outside.

        See if the traffic is even arriving. Be sure the destination MAC address is the CARP MAC.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

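The packet-capture check suggested above, as an added example that is not part of the thread: a small POSIX sh helper that runs the capture on the WAN interface for the VIP and port from the thread, and then classifies each captured frame by whether its destination MAC is a CARP virtual MAC (CARP uses 00:00:5e:00:01:&lt;VHID&gt;). A frame addressed to the NIC's own MAC instead of the CARP MAC means the upstream device is still resolving the VIP to the physical MAC (stale ARP), which is the failure this step is meant to reveal. The interface name `em0` and the sample capture lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Assumptions: WAN interface em0 (hypothetical); VIP 99.99.99.1 and UDP port 1201
# are the values from the thread; capture lines below are constructed samples.

WAN_IF="${WAN_IF:-em0}"
VIP="99.99.99.1"
PORT="1201"

# Live capture with link-layer headers (-e) so the destination MAC is visible.
# Equivalent to Diagnostics > Packet Capture with "Level of detail" set high.
run_capture() {
    tcpdump -nei "$WAN_IF" "udp and dst host $VIP and dst port $PORT"
}

# Returns 0 when the MAC is a CARP virtual MAC (00:00:5e:00:01:xx), 1 otherwise.
# The last octet is the VHID of the CARP VIP.
is_carp_mac() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        00:00:5e:00:01:??) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads tcpdump -e output on stdin and prints "carp <mac>" or "physical <mac>"
# per frame. tcpdump -e lines look like:
#   <ts> <srcmac> > <dstmac>, ethertype IPv4 (0x0800), length N: <ip info>
classify_capture() {
    while IFS= read -r line; do
        dst_mac=$(printf '%s\n' "$line" | sed -n 's/^[^ ]* [^ ]* > \([0-9a-fA-F:]*\),.*/\1/p')
        [ -n "$dst_mac" ] || continue
        if is_carp_mac "$dst_mac"; then
            echo "carp $dst_mac"
        else
            echo "physical $dst_mac"
        fi
    done
}

# Number of frames on stdin that were actually delivered to the CARP MAC.
count_carp_packets() {
    classify_capture | grep -c '^carp ' || true
}

# Constructed sample: one frame addressed to the CARP MAC (VHID 1), one to a
# physical NIC MAC, both for the VIP and port from the thread.
SAMPLE_CAPTURE='12:00:00.000001 00:11:22:33:44:55 > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 60: 203.0.113.5.54321 > 99.99.99.1.1201: UDP, length 14
12:00:00.000002 00:11:22:33:44:55 > 08:00:27:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 203.0.113.5.54321 > 99.99.99.1.1201: UDP, length 14'

sample_carp_count() {
    printf '%s\n' "$SAMPLE_CAPTURE" | count_carp_packets
}

# Offline demonstration on the constructed sample; on a real box pipe
# run_capture into classify_capture instead.
printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture
```

If the capture shows nothing at all, the problem is upstream of the firewall (the traffic never reaches the WAN); if frames arrive but are tagged `physical`, the VIP is being resolved to the wrong MAC and the CARP master/backup state or the upstream ARP cache is the thing to look at, not the OpenVPN configuration.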
        • rkelleyrtp last edited by

          Thanks for the assist.  Turns out, I had to generate a new VPN profile for my client to get it working.  Editing the old VPN config (changing port numbers and IPs) did not work…
