Netgate Discussion Forum
    CARP and VPN reconnect (the VPN service kind)

    • T Offline
      talaverde
      last edited by

      This isn't necessarily an issue, but more of an annoyance and partially diminishes the function of CARP...

      All but two of my LAN computers (workstations and servers) are connected through a VPN (i.e. ExpressVPN, PIA, NordVPN, etc). (My default internet connection is via VPN, so I have to manually allow a computer to not use a VPN.)

      My CARP works great. VPN works great. But the two together... eh?

      CARP is (properly) configured to sync the state table. HOWEVER, it also shuts the VPN down on the backup node. Without VPN, the CARP fail-over is seamless. You can be watching a YouTube video without a single dropped frame.

      I'm sure you all see the problem here. The VPN is disconnected on the backup node, so upon fail over, this connection is initiated, which creates a NEW VPN connection (very likely new IP address).

      After 30-60 seconds, everything is up and running, no problem. However, the 'seamless' feature of CARP is all but worthless.

      Is there a way to have seamless fail-over, while ALSO having all your computers on a VPN service?

      One thought I had was just to pay for twice as many VPN services, so I could have all connections open and running on both the active node and the backup node. However, last time I tried, the backup node AUTOMATICALLY disables OpenVPN connections, thus making this idea null and void.

      Has anyone else had problems with this? Are there solutions?

      (If this has been discussed and settled somewhere else, I apologize. Just point me to the link. Otherwise, I'd like to start a conversation on solutions.)

      Thanks for listening!!

      • DerelictD Offline
        Derelict LAYER 8 Netgate
        last edited by

        That is likely never going to work because even if you had two connections to the same VPN provider going, the Outbound NAT address wouldn't match between the nodes so state sync would be useless.

        You would need cooperation from the VPN provider to swing an address from one connection to the other, or at least the configuration of a static address you could use as an Alias to NAT to. But they would have to know which connection to send reply traffic to, and OpenVPN would have to be able to use the Alias address, which I highly doubt would work.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

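As an added illustration of Derelict's point (example code, not from the thread or from pfSense), a small Python model of a pfsync-replicated outbound-NAT state: the synced entry carries the primary node's tunnel address as its translated source, so provider replies arriving on the backup's different tunnel address match nothing, and every flow has to be rebuilt. All addresses are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NatState:
    """One outbound NAT state, simplified to the fields that matter here."""
    proto: str
    src: str       # LAN client address
    dst: str       # remote server reached through the VPN
    nat_src: str   # translated source: the node's own VPN tunnel address

def build_states(flows, tunnel_addr):
    """States the active node creates for (client, server) flows, NATed to its tunnel IP."""
    return {NatState("tcp", client, server, tunnel_addr) for client, server in flows}

def pfsync_copy(states):
    """pfsync replicates entries verbatim; the translated address is NOT rewritten."""
    return set(states)

def reply_matches(states, arriving_addr, server):
    """A reply from `server` delivered to `arriving_addr` only matches a state
    whose translated source is that same address (the address the provider sees)."""
    return any(s.dst == server and s.nat_src == arriving_addr for s in states)

def flows_survive_failover(flows, primary_tunnel, backup_tunnel):
    """Per flow: does a synced state still match once the backup's tunnel carries replies?"""
    synced = pfsync_copy(build_states(flows, primary_tunnel))
    return {
        (client, server): reply_matches(synced, backup_tunnel, server)
        for client, server in flows
    }

if __name__ == "__main__":
    flows = [("192.0.2.10", "203.0.113.5"), ("192.0.2.11", "203.0.113.6")]
    # Constructed tunnel addresses: each node gets its own VPN endpoint address.
    print(flows_survive_failover(flows, "198.51.100.7", "198.51.100.42"))
    # Only if both nodes shared the same translated address would the states carry over.
    print(flows_survive_failover(flows, "198.51.100.7", "198.51.100.7"))
```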
        • T Offline
          talaverde
          last edited by

          So, in short, the 'seamless, state-table sync' functionality of CARP simply isn't going to work with computers using a VPN service? I'm willing to accept that. I just wanted to be sure.

          I suppose one solution is to use the VPN apps (installed on the computers) as an alternative for those computers which must not lose connection on a fail over. I can't think of any that would fall into that category at the moment, but I might test it to know if it's an option. (Only drawback is that you use up a connection for a single computer, instead of many. Not a big deal, now that they give you 6 or so for $4 a month.)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.