OpenVPN + Load Balancing + STunnel



  • Hello.

    I'm trying to configure multiple OpenVPN clients with the localhost interface and the stunnel package. The stunnel discussion is here.
    With the multiple clients I want to use load balancing. Everything works well with one client, but with multiple clients, they always crash.

    I have the following error messages in the System -> General log:

    /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1547574979] unbound[12781:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953 [1547574979] unbound[12781:0] error: cannot open control interface 127.0.0.1 953 [1547574979] unbound[12781:0] fatal error: could not open ports'
    

    What does the error message mean?

    I use 4 x the following OpenVPN client configuration:

    Protocol: TCP
    Interface: Localhost
    Server host or address: 127.0.0.1
    Server port: 995
    Advanced:
           route Server_IP 255.255.255.255 net_gateway
    

  • You can't just bind the same port multiple times to localhost.

    -Rico
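    As an added defender-side example (not from this thread or from pfSense), the script below classifies log lines like the ones quoted in the first post (unbound bind conflicts, failed route adds, rejected pushed options) and checks a planned list of localhost listeners for the duplicate-port condition Rico describes; the sample log and the planned listener list are constructed.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread above.
SAMPLE_LOG = """\
Jan 27 13:09:38 php-fpm 47087 /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1548594578] unbound[17890:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953 [1548594578] unbound[17890:0] error: cannot open control interface 127.0.0.1 953 [1548594578] unbound[17890:0] fatal error: could not open ports'
Jan 27 12:41:03 openvpn 97238 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 2 18:56:11 openvpn 47315 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
"""

# Patterns for the three failure types seen in the thread.
BIND_RE = re.compile(r"Address already in use for (\S+) port (\d+)")
ROUTE_RE = re.compile(r"route add command failed")
PUSH_RE = re.compile(r"option '([\w-]+)' cannot be used in this context")


def classify_log(text):
    """Return a list of (kind, detail) findings, one per recognised log line."""
    findings = []
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            # A local socket could not be bound: some other process owns it.
            findings.append(("bind_conflict", f"{m.group(1)}:{m.group(2)}"))
            continue
        if ROUTE_RE.search(line):
            findings.append(("route_add_failed", line.split("ERROR: ", 1)[-1]))
            continue
        m = PUSH_RE.search(line)
        if m:
            # Server pushed an option the client refuses in PUSH_REPLY context.
            findings.append(("pushed_option_rejected", m.group(1)))
    return findings


def port_collisions(listeners):
    """Given planned (host, port) listeners, return those used more than once."""
    counts = Counter(listeners)
    return sorted(pair for pair, n in counts.items() if n > 1)


if __name__ == "__main__":
    for kind, detail in classify_log(SAMPLE_LOG):
        print(kind, detail)
    # Constructed plan: unbound control port 953 plus a stunnel accept port,
    # with 953 mistakenly requested twice.
    planned = [("127.0.0.1", 953), ("127.0.0.1", 995), ("127.0.0.1", 953)]
    print(port_collisions(planned))  # [('127.0.0.1', 953)]
```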



  • Without using the same ports on localhost I get this error message again:

    Jan 27 13:09:38 php-fpm 47087 /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1548594578] unbound[17890:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953 [1548594578] unbound[17890:0] error: cannot open control interface 127.0.0.1 953 [1548594578] unbound[17890:0] fatal error: could not open ports' 
    

    OpenVPN clients are still crashing and I have a new error message:

    Jan 27 12:41:03 openvpn 97238 ERROR: FreeBSD route add command failed: external program exited with error status: 1
    

    Is this a routing problem?

    [attached screenshot: routes.PNG]



  • Maybe I have found a solution for me. OpenVPN error messages are still there:

    Jan 27 13:09:38 php-fpm 47087 /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1548594578] unbound[17890:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953 [1548594578] unbound[17890:0] error: cannot open control interface 127.0.0.1 953 [1548594578] unbound[17890:0] fatal error: could not open ports' 
    
    Jan 27 12:41:03 openvpn 97238 ERROR: FreeBSD route add command failed: external program exited with error status: 1
    
    Feb 2 18:56:11 openvpn 47315 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.3.2.3,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 95.211.146.77,dhcp-option DNS 37.48.94.55,ifconfig-ipv6 fdbf:1d37:bbe0:0:48:18:0:f1/112 fdbf:1d37:bbe0:0:48:18:0:1,ifconfig 10.3.2.241 255.255.255.0,peer-id 0' 
    Feb 2 18:56:11 openvpn 47315 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS]) 
    Feb 2 18:56:11 openvpn 47315 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS]) 
    Feb 2 18:56:11 openvpn 47315 Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS]) 
    Feb 2 18:56:11 openvpn 47315 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) 
    Feb 2 18:56:11 openvpn 47315 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) 
    

    I do not have the full speed, but it works with these NAT rules:

    [attached screenshot: NAT.PNG]

    Why do I need these localhost rules for OpenVPN?
    Do I need more rules like these?

    browse "System: General Setup"
       specify desired third-party DNS servers on WAN_DHCP
       [x] Do not use the DNS Forwarder as a DNS server for the firewall
    browse "Services: DNS Forwarder"
       [ ] Enable DNS forwarder
    browse "System: Advanced: Networking"
       [ ] Allow IPv6
       [x] Prefer to use IPv4 even if IPv6 is available
    browse "System: Advanced: Miscellaneous"
       [x] Skip rules when gateway is down
       [x] Enable gateway monitoring debug logging