Pfsense HA and openvpn client



  • Hello.

    I have installed a HA cluster with two nodes and CARP. It is awesome. Thanks to all people involved in pfSense development.

    Then, I installed an OpenVPN client in the master node following the instructions in https://forum.pfsense.org/index.php?topic=76015.0.
    It was replicated in the slave node, but now I have two instances of the OpenVPN client, one in the master and one in the slave. This causes
    problems and the clients are restarted every 5 minutes.

    I have seen that the problem can be solved by creating a virtual CARP IP, but when I try to create a VIP I get the error message

    The interface chosen for the VIP has no IPv4 or IPv6 address configured so it cannot be used as a parent for the VIP.

    Does anybody know how to configure an OpenVPN client in an HA environment and can explain the steps to follow?

    Thanks in advance.


  • Rebel Alliance Developer Netgate

    You don't need to create a CARP VIP for the OpenVPN interface.

    You set the OpenVPN client instance to use a WAN CARP VIP as its Interface value.



  • Thank you very much.

    Now it works fine.



  • Expanding on the scenario above, which works fine, suppose a situation where we need the OpenVPN client to be able to use multiple links in case one fails (not concurrently).
    So I have created a vpnclient_gateway_group, and put 2 CARP VIPs in the group, with priority 1 and 2 respectively.
    The VPN client works as expected; however, whenever I make a simple change on the master pfSense instance (my favorite is changing the graph display from inverse to simple and back), the secondary VPN client kicks in while the primary is also up, leading to VPN havoc.
    I need to go to the secondary and stop the OpenVPN service to recover.
    Switching this config to use the same CARP VIP directly (without gateway redundancy) eliminates the issue.
    Is this supported? Or is it a bug?

    on pfsense 2.4.4_p2



  • Upgraded to 2.4.4 p3 (unlikely to solve it), so has anyone ever tried this?


  • LAYER 8 Netgate

    @netblues said in Pfsense HA and openvpn client:

    So I have created a vpnclient_gateway_group, and put 2 carp vips in the group, with priority 1 and 2 respectively.

    I have no idea what this even means.

    HA is compatible with Multi-WAN as long as Multi-WAN is all HA-compatible (/29's for both, both configured on both nodes, etc).

    however whenever I do a simple change on master pf instance, (my favorite is changing the graphs display from inverse to simple and back) secondary vpn client kicks in, primary is also up leading to vpn havoc..

    If this is triggering any sort of failure, you have something configured wrong. Hard to say where.



  • @Derelict said in Pfsense HA and openvpn client:

    @netblues said in Pfsense HA and openvpn client:

    So I have created a vpnclient_gateway_group, and put 2 carp vips in the group, with priority 1 and 2 respectively.

    I have no idea what this even means.

    HA is compatible with Multi-WAN as long as Multi-WAN is all HA-compatible (/29's for both, both configured on both nodes, etc).

    I'm aware of what HA needs, and yes, it works fine on Multi-WAN with no issues.

    Now let's put an OpenVPN client in the situation.

    When the OpenVPN client is bound to an HA interface, it starts and stops automatically, following the status of the active/standby node.
    This also works fine.

    Now I want to combine Multi-WAN failover, HA and the OpenVPN client.

    For Multi-WAN a gateway group is created, with two members (HA compatible).
    This gateway group also works fine.
    Now, if this is used as the interface for the OpenVPN client, it works,
    but the OpenVPN client on the standby node kicks in if anything changes on the primary.

    In essence there are two OpenVPN clients trying to connect to the same server.


  • LAYER 8 Netgate

    Show your gateway group.



  • (screenshot of the gateway group attached)

    Silly me... I noticed that in tier 1 and 2 I had specified the interface address and not the CARP IP. Changing it to the CARP IP resolved the issue.
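A way to catch the mistake described in this thread before it causes a split-brain OpenVPN client: an added audit script (not from the thread or from pfSense) that walks a config backup and flags gateway-group tiers and OpenVPN clients bound to a plain interface address instead of a CARP VIP. The element names, the `GATEWAY|TIER|VIP` item layout and the sample config are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a pfSense config.xml backup (element names,
# the "GATEWAY|TIER|VIP" item format and all values are assumptions).
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><uniqid>_vip5d0aa1b2c3d4e</uniqid><subnet>203.0.113.10</subnet></vip>
    <vip><mode>carp</mode><interface>opt1</interface><uniqid>_vip5d0aa1b2c3d4f</uniqid><subnet>198.51.100.10</subnet></vip>
  </virtualip>
  <gateways>
    <gateway_group>
      <name>vpnclient_gateway_group</name>
      <item>WAN_GW|1|address</item>
      <item>OPT1_GW|2|_vip5d0aa1b2c3d4f</item>
    </gateway_group>
  </gateways>
  <openvpn>
    <openvpn-client><vpnid>1</vpnid><interface>vpnclient_gateway_group</interface></openvpn-client>
    <openvpn-client><vpnid>2</vpnid><interface>wan</interface></openvpn-client>
  </openvpn>
</pfsense>"""


def audit_ha_bindings(config_xml):
    """Return findings for bindings that are live on both CARP nodes at once.

    A tier bound to the interface's own address, or a client bound directly
    to an interface, exists on master and backup alike, so both nodes start
    the OpenVPN client; a CARP VIP only exists on the node holding MASTER."""
    root = ET.fromstring(config_xml)
    carp_ids = {v.findtext("uniqid") for v in root.iter("vip")
                if v.findtext("mode") == "carp"}
    findings, groups = [], set()
    for grp in root.iter("gateway_group"):
        name = grp.findtext("name")
        groups.add(name)
        for item in grp.iter("item"):
            gw, tier, binding = item.text.split("|")
            if binding not in carp_ids:
                findings.append(f"gateway group {name} tier {tier} ({gw}) "
                                f"uses '{binding}', not a CARP VIP")
    for client in root.iter("openvpn-client"):
        vpnid, iface = client.findtext("vpnid"), client.findtext("interface")
        if iface in carp_ids or iface in groups:
            continue  # a CARP VIP, or a group whose tiers were checked above
        findings.append(f"openvpn client {vpnid} bound to '{iface}', "
                        f"not a CARP VIP or gateway group")
    return findings


if __name__ == "__main__":
    for line in audit_ha_bindings(SAMPLE_CONFIG):
        print(line)
```

Run it against an exported config backup; an empty result means every tier and client is bound to something that only exists on the active node.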


