CARP and VPN reconnect (the VPN service kind)

  • This isn't necessarily an issue, but more of an annoyance and partially diminishes the function of CARP...

    All but two of my LAN computers (workstations and servers) are connected through a VPN (e.g. ExpressVPN, PIA, NordVPN, etc.). (My default internet connection is via VPN, so I have to manually allow a computer to not use a VPN.)

    My CARP works great. VPN works great. But the two together... eh?

    CARP is (properly) configured to sync the state table. HOWEVER, it also shuts the VPN down on the backup node. Without VPN, the CARP fail-over is seamless. You can be watching a YouTube video without a single dropped frame.

    I'm sure you all see the problem here. The VPN is disconnected on the backup node, so upon fail-over this connection is initiated, which creates a NEW VPN connection (very likely with a new IP address).

    After 30-60 seconds, everything is up and running, no problem. However, the 'seamless' feature of CARP is all but worthless.

    Is there a way to have seamless fail-over, while ALSO having all your computers on a VPN service?

    One thought I had was just to pay for twice as many VPN services, so I could have all connections open and running on both the active node and the backup node. However, last time I tried, the backup node AUTOMATICALLY disables OpenVPN connections, thus making this idea null and void.

    Has anyone else had problems with this? Are there solutions?

    (If this has been discussed and settled somewhere else, I apologize. Just point me to the link. Otherwise, I'd like to start a conversation on solutions)

    Thanks for listening!!

  • LAYER 8 Netgate

    That is likely never going to work because even if you had two connections to the same VPN provider going, the Outbound NAT address wouldn't match between the nodes so state sync would be useless.

    You would need cooperation from the VPN provider to swing an address from one connection to the other - or at least the configuration of a static address you could use as an Alias to NAT to but they would have to know which connection to send reply traffic to and OpenVPN would have to be able to use the Alias address, which I doubt highly would work.
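    The reason state sync is useless with a per-node VPN tunnel can be shown with a small model of pfsync (an added illustration, not code from this thread or from pfSense): each synced state records the outbound-NAT source address, and the backup node can only match reply traffic for addresses it actually owns. Node names, addresses and the helper functions below are assumptions chosen for the illustration.

    ```python
    from dataclasses import dataclass

    @dataclass(frozen=True)
    class State:
        """One firewall state as pfsync would copy it between nodes."""
        proto: str
        lan_src: str   # original source address (LAN host)
        nat_src: str   # source address after outbound NAT (what the far end sees)
        dst: str       # remote address

    class Node:
        def __init__(self, name, owned_addrs, nat_addr):
            self.name = name
            self.owned = set(owned_addrs)   # addresses this node answers for
            self.nat_addr = nat_addr        # address outbound NAT translates to
            self.states = set()

        def open_connection(self, lan_src, dst):
            state = State("tcp", lan_src, self.nat_addr, dst)
            self.states.add(state)
            return state

    def pfsync(primary, backup):
        """Copy the primary's state table to the backup (what pfsync does)."""
        backup.states |= primary.states

    def reply_matches(node, state):
        # Reply packets are addressed to nat_src; the node can only use the
        # synced state if it owns that address AND holds the state entry.
        return state in node.states and state.nat_src in node.owned

    def failover_survives(primary, backup, lan_src, dst):
        """Open a connection on the primary, sync, then check the backup."""
        state = primary.open_connection(lan_src, dst)
        pfsync(primary, backup)
        return reply_matches(backup, state)

    if __name__ == "__main__":
        # Constructed addresses: WAN CARP VIP 203.0.113.1 is shared, so NAT to it survives.
        carp_a = Node("primary", ["203.0.113.2", "203.0.113.1"], "203.0.113.1")
        carp_b = Node("backup", ["203.0.113.3", "203.0.113.1"], "203.0.113.1")
        print("NAT to CARP VIP survives:", failover_survives(carp_a, carp_b, "192.168.1.10", "198.51.100.5"))
        # Each node's VPN tunnel gets its own provider-assigned address, so it does not.
        vpn_a = Node("primary", ["203.0.113.2", "10.8.0.2"], "10.8.0.2")
        vpn_b = Node("backup", ["203.0.113.3", "10.8.0.9"], "10.8.0.9")
        print("NAT to VPN tunnel survives:", failover_survives(vpn_a, vpn_b, "192.168.1.10", "198.51.100.5"))
    ```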

  • So, in short, the 'seamless, state-table sync' functionality of CARP simply isn't going to work with computers using a VPN service? I'm willing to accept that. I just wanted to be sure.

    I suppose one solution is to use the VPN apps (installed on the computers) as an alternative for those computers which must not lose connection on a fail-over. I can't think of any that would fall into that category at the moment, but I might test it to know if it's an option. (Only drawback is that you use up a connection for a single computer, instead of many. Not a big deal, now that they give you 6 or so for $4 a month.)
