pfSense HA as OpenVPN client

  • Hi there,

    I'm a linux/unix expert for decades but I'm fairly new to pfSense.
    Since a few weeks I'm running pfSense on two identical boxes configured as HA on a dual-WAN setup with two DSL connections and dynamic IPs. I also have a dedicated server at some ISP on the internet somewhere, running OpenVPN as a server.
    Now I'd like to setup pfSense as OpenVPN-Client on this HA-pfSense-cluster, but it shows strange behavior: instead of creating one VPN connection from the pfSense master to my server (and eventually fail-over to the slave when necessary) it creates two connections in parallel (I have allowed duplicate-cn on the server for testing, but I'd like to turn that off later).
    What am I doing wrong?
    I simply created the VPN connection on the pfSense master and it got synchronized to the slave and now they both connect.
    Is there any way to get the expected behavior of only one connection to the pfSense cluster instead of having two connections (one to each node)?


  • @charly65
    If you select the WAN CARP VIP at interface in the client settings, the secondary should shut down the VPN when it is not master.

  • @viragomann
    Thanks for your fast reply - in the meantime I've tried that and it works, that's great!
    However, having to bind to a WAN CARP IP means I cannot take advantage of my dual WAN setup, so that doesn't quite solve my problem.
    Any more ideas?

  • @charly65
    Ahh, didn't notice the dual-WAN.
    So you have two CARP-VIPs (one for each WAN) and you have already added them to a gateway group, I assume. Then you have to bind the client to this gateway group instead.

  • @viragomann
    That works as expected! Thanks a lot!
    Now I have another problem -> new thread.