OpenVPN Gateways getting marked down
-
Hi,
I have an issue with the OpenVPN gateways to AirVPN getting marked down. My configuration is as follows: 5 VPN connections to AirVPN. The gateway groups are set up as follows:
All OpenVPN clients establish connections, get IPs and routes.
The Gateway status is:
The routing table is as follows:
Destination        Gateway            Flags   Netif  Expire
default            98.239.76.1        UGS     ix0
10.4.0.0/16        10.4.0.1           UGS     ovpnc4
10.4.0.1           10.4.6.110         UGHS    lo0
10.4.6.110         link#12            UHS     lo0
10.6.0.0/16        10.6.0.1           UGS     ovpnc3
10.6.0.1           10.6.0.22          UGHS    lo0
10.6.0.22          link#11            UHS     lo0
10.8.0.0/16        10.8.0.1           UGS     ovpnc2
10.8.0.1           10.8.0.37          UGHS    lo0
10.8.0.37          link#10            UHS     lo0
10.110.0.0/16      10.110.0.1         UGS     ovpnc6
10.110.0.1         10.110.0.33        UGHS    lo0
10.110.0.20        link#13            UHS     lo0
10.110.0.33        link#14            UHS     lo0
10.112.0.1         10.110.0.20        UGHS    lo0
75.75.75.75        98.239.76.1        UGHS    ix0
98.239.76.0/23     link#1             U       ix0
98.239.76.X        link#1             UHS     lo0
127.0.0.1          link#6             UH      lo0
192.168.11.0/24    link#2             U       ix1
192.168.11.1       link#2             UHS     lo0
192.168.12.0/24    192.168.12.2       UGS     ovpns1
192.168.12.1       link#9             UHS     lo0
192.168.12.2       link#9             UH      ovpns1
I SSH'd into the router to try to ping the gateways of the "downed" gateways and got the following from ping:
36 bytes from localhost (127.0.0.1): Redirect Host(New addr: 10.4.6.110)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 ffdd   0 0000  02  01 0000 127.0.0.1  10.4.0.1
I am able to ping all the remote sides of the gateways from the LAN network.
$ ping 10.4.0.1
PING 10.4.0.1 (10.4.0.1) 56(84) bytes of data.
64 bytes from 10.4.0.1: icmp_seq=1 ttl=63 time=17.7 ms
64 bytes from 10.4.0.1: icmp_seq=2 ttl=63 time=17.0 ms
64 bytes from 10.4.0.1: icmp_seq=3 ttl=63 time=19.6 ms
I have firewall rules on the LAN interface to route IPv4 traffic out via the VPN_GROUP_IPV4 gateway group and IPv6 traffic via the VPN_GROUP_IPV6.
IPv4 works:
$ traceroute 8.8.4.4
traceroute to 8.8.4.4 (8.8.4.4), 64 hops max, 52 byte packets
 1  10.110.0.1 (10.110.0.1)  162.564 ms  372.407 ms  161.059 ms
 2  91.195.103.1 (91.195.103.1)  161.691 ms  162.250 ms  161.911 ms
 3  core1.ams.net.google.com (80.249.208.247)  165.386 ms  163.760 ms  164.435 ms
 4  108.170.241.193 (108.170.241.193)  163.000 ms
    108.170.241.161 (108.170.241.161)  164.660 ms  164.478 ms
 5  108.170.236.149 (108.170.236.149)  168.381 ms
    216.239.42.119 (216.239.42.119)  305.556 ms
    216.239.42.127 (216.239.42.127)  163.684 ms
 6  google-public-dns-b.google.com (8.8.4.4)  163.140 ms  164.492 ms  163.072 ms
IPv6 works as well:
$ traceroute6 2001:4860:4860::8888
traceroute6 to 2001:4860:4860::8888 (2001:4860:4860::8888) from 2601:205:c0XX:XXXX:XXXX:XXXX:XXXX:af65, 64 hops max, 12 byte packets
 1  router  2.019 ms  0.872 ms  0.823 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  2001:4860:0:1::836  16.998 ms  2001:4860:0:1::1c18  26.802 ms  2001:4860:0:1::1cce  26.343 ms
 8  2001:4860:0:1::2c5  17.408 ms  2001:4860:0:1::14df  16.544 ms  2001:4860:0:1::1509  17.081 ms
 9  google-public-dns-a.google.com  16.356 ms  15.682 ms  16.642 ms
The outbound NAT rules are:
I am thinking that the issue with pinging the gateways from the pfSense box with the Redirect Host message is probably the cause of dpinger marking them down. The only info I could find on that was to do with overlapping subnets. Although VPN4 and VPN5 (IPv4) have the same subnets, the routing looks okay for it.
Does anyone have any suggestions on what I've done wrong?
Any help is greatly appreciated.
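As an added example for checking the routing table pasted above (this is not code from the original post or from pfSense): the script below parses that netstat output, finds each OpenVPN client gateway from its network route, and reports gateways whose own host route leaves via lo0 rather than the tunnel interface. A longest-prefix lookup then shows why the choice of monitor address matters from the firewall's point of view: the gateway IP is the one address in each tunnel /16 that the box itself routes to lo0, while any other address in the /16 goes out the ovpnc interface. Whether that is what produces the Redirect Host reply is an assumption; the script only makes the check explicit.

```python
"""Check a FreeBSD/pfSense `netstat -rn` IPv4 table for OpenVPN client gateways
whose host route points at lo0 instead of the tunnel interface.

Added example for this thread, not code from the post or from pfSense.
ROUTING_TABLE is copied from the post; the check is an assumption about what
to look for, not a statement of the root cause.
"""
import ipaddress
from dataclasses import dataclass

# Copied from the poster's routing table (the Expire column is empty on every row).
ROUTING_TABLE = """\
Destination        Gateway            Flags   Netif  Expire
default            98.239.76.1        UGS     ix0
10.4.0.0/16        10.4.0.1           UGS     ovpnc4
10.4.0.1           10.4.6.110         UGHS    lo0
10.4.6.110         link#12            UHS     lo0
10.6.0.0/16        10.6.0.1           UGS     ovpnc3
10.6.0.1           10.6.0.22          UGHS    lo0
10.6.0.22          link#11            UHS     lo0
10.8.0.0/16        10.8.0.1           UGS     ovpnc2
10.8.0.1           10.8.0.37          UGHS    lo0
10.8.0.37          link#10            UHS     lo0
10.110.0.0/16      10.110.0.1         UGS     ovpnc6
10.110.0.1         10.110.0.33        UGHS    lo0
10.110.0.20        link#13            UHS     lo0
10.110.0.33        link#14            UHS     lo0
10.112.0.1         10.110.0.20        UGHS    lo0
75.75.75.75        98.239.76.1        UGHS    ix0
98.239.76.0/23     link#1             U       ix0
98.239.76.X        link#1             UHS     lo0
127.0.0.1          link#6             UH      lo0
192.168.11.0/24    link#2             U       ix1
192.168.11.1       link#2             UHS     lo0
192.168.12.0/24    192.168.12.2       UGS     ovpns1
192.168.12.1       link#9             UHS     lo0
192.168.12.2       link#9             UH      ovpns1
"""


@dataclass
class Route:
    dest: str
    gateway: str
    flags: str
    netif: str


def parse_routes(text):
    """Split netstat -rn output into Route records, skipping the header."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        routes.append(Route(parts[0], parts[1], parts[2], parts[3]))
    return routes


def find_tunnel_gateways(routes):
    """Map gateway IP -> ovpnc interface, taken from network routes (no H flag)."""
    return {r.gateway: r.netif for r in routes
            if r.netif.startswith("ovpnc") and "H" not in r.flags}


def gateways_routed_via_lo0(routes):
    """Return {gateway_ip: (tunnel_netif, host_route)} for tunnel gateways whose
    own host route (H flag) leaves via lo0 rather than the tunnel interface."""
    tunnel_gws = find_tunnel_gateways(routes)
    return {r.dest: (tunnel_gws[r.dest], r) for r in routes
            if "H" in r.flags and r.dest in tunnel_gws and r.netif == "lo0"}


def lookup(routes, addr):
    """Longest-prefix match: the route a locally generated packet to addr takes
    before any policy routing. Unparseable destinations (98.239.76.X) are skipped."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for r in routes:
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if r.dest == "default"
                                       else r.dest, strict=False)
        except ValueError:
            continue
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


if __name__ == "__main__":
    rts = parse_routes(ROUTING_TABLE)
    for gw, (netif, hr) in gateways_routed_via_lo0(rts).items():
        print(f"{gw}: tunnel is {netif}, but host route goes via {hr.gateway} on {hr.netif}")
    for probe in ("10.4.0.1", "10.4.0.2", "8.8.4.4"):
        print(probe, "->", lookup(rts, probe))
```

Run it as-is to see the four tunnel gateways (10.4.0.1, 10.6.0.1, 10.8.0.1, 10.110.0.1) listed with their lo0 host routes; to check a live box, replace ROUTING_TABLE with the output of `netstat -rn -f inet`.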
-
If I change the monitoring IP to an external IP instead of the gateway IP, it shows the gateways as up, but then the RTT is not going to be accurate.
Any ideas?
-
You can't use the AirVPN gateway to monitor with dpinger. You need to use an external gateway. It used to work, but something has changed either from the AirVPN side or from pfSense since 2.3.x.