OpenVPN (Public VPN Services (i.e. PIA, NordVPN)) - What makes them disable or not



  • I was under the impression that the normal behavior for OpenVPN connections which you sign in to with credentials (i.e. NordVPN, iVPN, etc.) is that they are disabled on the 'Backup' node, or whichever node is not Master. Recently, I've noticed this is not the case much of the time. Actually, more and more of the time. Does this just have to do with the number of available connections with your account? Or, is the connection supposed to be disabled when in 'backup' mode? I'm just wondering if I have something configured wrong? Or, if I could have them active on both nodes at all times, as long as I have enough connections available with the account/membership? Thanks.


  • LAYER 8 Netgate

    Is the OpenVPN client bound to the CARP VIP?



  • Ah, that was it. Thanks.

    Yeah, I have a dual WAN group. At some point, I must have switched the interface address to 'generic'. I switched it back to the CARP VIP and it went back to normal. The backup node VPN connections went offline.

    Now that issue is solved. I wonder if that's the best way? If I have enough connections available, can I just leave it the other way, so all (OpenVPN) VPN connections are online? Is there a reason that's bad? I'm guessing so, but not sure what the reason is.

    My guess is that even though they are online, when it fails over, it won't actually (instantly) fail over because they aren't the same connections. Right?

    I suppose I could just test it, but was curious about the tech behind the recommended configuration.

    Thanks again.
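    The check Derelict asks about above (is the OpenVPN client bound to the CARP VIP or to the interface's own address?) can be scripted. This is an added example, not code from the thread or from pfSense: it parses constructed FreeBSD-style `ifconfig` and `sockstat -4` output (addresses from documentation ranges, interface name `em0`, PID and ports are all made up) and reports which kind of address the client socket is bound to. A client bound to the interface address is the configuration the OP had, where the tunnel stays up on the BACKUP node.

```python
import re

# Constructed sample `ifconfig em0` output from the BACKUP node. The address
# carrying "vhid" is the CARP VIP; the other inet line is the node's own address.
IFCONFIG_SAMPLE = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
\tinet 203.0.113.10 netmask 0xffffffff broadcast 203.0.113.10 vhid 1
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
\tstatus: active
"""

# Constructed sample `sockstat -4` output: the openvpn client socket is bound to
# the interface address (the misconfiguration discussed in the thread).
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1234  5  udp4   203.0.113.11:40123    198.51.100.5:1194
"""


def parse_carp(ifconfig_text):
    """Return CARP state plus the VIPs and plain addresses on the interface."""
    info = {"state": None, "vips": set(), "addrs": set()}
    for line in ifconfig_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "inet":
            # FreeBSD prints "vhid N" after an address that belongs to CARP.
            (info["vips"] if "vhid" in parts else info["addrs"]).add(parts[1])
        elif len(parts) >= 2 and parts[0] == "carp:":
            info["state"] = parts[1]          # MASTER, BACKUP or INIT
    return info


def openvpn_local_addrs(sockstat_text):
    """Return the local IPs of sockets owned by openvpn processes."""
    addrs = set()
    for line in sockstat_text.splitlines()[1:]:   # skip the header row
        parts = line.split()
        if len(parts) >= 6 and parts[1] == "openvpn":
            addrs.add(parts[5].rsplit(":", 1)[0])  # strip ":port"
    return addrs


def check_binding(ifconfig_text, sockstat_text):
    """Classify each openvpn local address as 'vip', 'interface' or 'other'."""
    carp = parse_carp(ifconfig_text)
    result = {"state": carp["state"], "bindings": []}
    for ip in sorted(openvpn_local_addrs(sockstat_text)):
        kind = "vip" if ip in carp["vips"] else "interface" if ip in carp["addrs"] else "other"
        result["bindings"].append({"ip": ip, "binding": kind})
    return result


if __name__ == "__main__":
    print(check_binding(IFCONFIG_SAMPLE, SOCKSTAT_SAMPLE))
```

    Only a binding of kind `vip` follows the MASTER/BACKUP state; `interface` means the client will come up on both nodes, as the OP observed.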


  • LAYER 8 Netgate

    Well, it will never be perfect, instant, and seamless, by its very nature.

    But with a client, as soon as it comes up after a failover it should try to connect immediately.

    There won't be state sync or anything unless, maybe, they give you the same tunnel address every time. I would be very surprised if that worked so your connections will break and you'll have to reload the page, reconnect ssh, etc.



  • @Derelict Thanks. Yeah, that's what I figured. Leaving the connections up would actually be worse than better, as they have to initiate their own, new connections.

    Now, if I can just figure out why my WAN1 connection is down on my backup node as well, just like my OpenVPN connections (I opened a separate thread for this). It's not a big deal, for the same reason. The WAN1 connection starts up immediately on failover. I'm not too worried about it. I think it has something to do with my AT&T Modem. They do strange firewall updates which cause problems like this. I'm guessing the modem isn't playing well with multisync. I could be wrong. Again, I don't know if it's worth the time to figure out. I'm swapping out my 24 port L2 switch with a new 48 port L2 switch. Maybe I'll try to figure it out then. Off topic, I know. Somewhat related though.

    Thanks ... again.


  • LAYER 8 Netgate

    Do you have all the required IP addresses, etc, on that interface? Primary, secondary, and CARP?

    Is it a good, normal MASTER/BACKUP on that interface? Can you ping the gateway monitor IP address from the BACKUP node sourcing from the interface address?



  • I just posted I thought I fixed it, but it turns out I did not. I'll look into the items you listed. It'll take me some time.



  • As posted in other thread...

    @Derelict Thanks for the tips. I got it to work. I didn't really understand what you meant, but I agreed it seemed like a NAT issue. I found a separate thread where you said the 'NAT Address' should be the VIP address. So, I made sure to change all the WAN1 and WAN2 mappings to the VIP addresses. (I tried this once in the past, but I didn't think it worked. I must have not refreshed it or something.)

    https://forum.netgate.com/topic/119782/solved-setup-manual-outbound-nat-section-in-pfsense-docs-unclear-to-me/4

    Anyway, after using the VIP addresses in the NAT mappings, it fixed the WAN1 to be online at all times.

    Thanks!
