OpenVPN server on WAN and OPT1 (site-to-site only) [SOLVED]



  • Hi,

    I have site-to-site OpenVPN setup and it works well.
    I wanted to add failover: when my WAN goes offline, then OPT1 should save my site-to-site link.

    Configuration works well when WAN is up, but doesn't work when WAN goes down. OpenVPN logs show that the two boxes are connected, but I can't ping from one LAN to the other…

    Please help?

    My configuration:

    pfSense Box 1:
    WAN-----(11.11.11.11)
                                     ---- pfSense --- LAN (192.168.28.0/24)
    OPT1-----(22.22.22.22)/

    pfSense BOX 2:
    WAN-----(33.33.33.33)---- pfSense --- LAN (192.168.130.0/24)

    On BOX 1 I have two OpenVPN servers:

    First:
    Protocol: TCP
    Local port 10101
    Address pool 10.10.11.0/24
    Remote network: 192.168.130.0/24
    Shared key: XXX
    Custom options: local 11.11.11.11

    Second:
    Protocol: TCP
    Local port 20101
    Address pool 10.11.12.0/24
    Remote network: 192.168.130.0/24
    Shared key: XXX
    Custom options: local 22.22.22.22

    On BOX 2 I have one OpenVPN client:

    Protocol: TCP
    Server port 10101
    Interface IP 10.11.12.0/24
    Remote network: 192.168.28.0/24
    Shared key: XXX
    Custom options: remote 22.22.22.22 20101



  • I would bind the OpenVPN server to both interfaces and do the failover in the OpenVPN client config.
    --> The client connects in a failover manner to the different IPs of the server.
    If one interface of the server should go down, the client automatically connects to the other interface.



  • @GruensFroeschli:

    I would bind the OpenVPN server to both interfaces and do the failover in the OpenVPN client config.
    --> The client connects in a failover manner to the different IPs of the server.
    If one interface of the server should go down, the client automatically connects to the other interface.

    Thank you GruensFroeschli, you pointed me in the right direction :)

    Now it works as planned. My WORKING configuration:

    pfSense BOX 1:
    WAN-----(11.11.11.11)
                                      ---- pfSense --- LAN (192.168.28.0/24)
    OPT1-----(22.22.22.22)/

    pfSense BOX 2:
    WAN-----(33.33.33.33)---- pfSense --- LAN (192.168.130.0/24)

    On BOX 1: One OpenVPN server:

    Protocol: TCP
    Local port 10101
    Address pool 10.10.11.0/24
    Remote network: 192.168.130.0/24
    Shared key: XXX

    On BOX 2: One OpenVPN client:

    Protocol: TCP
    Server port 10101
    Interface IP 10.10.11.0/24
    Remote network: 192.168.28.0/24
    Shared key: XXX
    Custom options: remote 22.22.22.22 10101



  • Hi I am looking at setting up the same style of VPN.

    Are there any static routes that need to be set with your config?
    How exactly do you "BIND" the interfaces via OpenVPN?



  • @FrAsErTaG:

    Hi I am looking at setting up the same style of VPN.

    Are there any static routes that need to be set with your config?
    How exactly do you "BIND" the interfaces via OpenVPN?

    You do not need any additional static routes to make this work. You can "BIND" OpenVPN to a specific adapter with custom options and the "local" parameter, but in this case you do not need this. When the "local" parameter is not set, OpenVPN is bound to all adapters (0.0.0.0).
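
The setup this thread arrives at, written out as plain OpenVPN configuration (an added example, not posted by any participant and not pfSense's generated files). The tunnel endpoint addresses, key path, keepalive and retry timings, and the client's first remote (BOX 1's WAN address) are assumptions; the port, networks and second remote are the ones quoted above.

```conf
# ---- BOX 1: single server, reachable on WAN and OPT1 ----
dev tun
proto tcp-server
port 10101
# No "local" line: the server listens on 0.0.0.0, i.e. on both
# 11.11.11.11 (WAN) and 22.22.22.22 (OPT1).
# Assumed point-to-point addresses taken from 10.10.11.0/24.
ifconfig 10.10.11.1 10.10.11.2
# LAN behind BOX 2, reached through the tunnel.
route 192.168.130.0 255.255.255.0
# Placeholder path to the shared static key.
secret /path/to/shared.key
# Assumed timings: ping every 10 s, restart after 60 s of silence.
keepalive 10 60

# ---- BOX 2: one client, two remotes, tried in order ----
dev tun
proto tcp-client
# Assumed primary: WAN address of BOX 1.
remote 11.11.11.11 10101
# Fallback from the thread's Custom options: OPT1 address of BOX 1.
remote 22.22.22.22 10101
# Mirror image of the server's ifconfig line.
ifconfig 10.10.11.2 10.10.11.1
# LAN behind BOX 1, reached through the tunnel.
route 192.168.28.0 255.255.255.0
secret /path/to/shared.key
# When the keepalive timeout fires, the client restarts and moves
# on to the next "remote" entry.
keepalive 10 60
# Assumed retry pause (seconds) between connection attempts.
connect-retry 5
```

Because the same server instance answers on both addresses, the tunnel network and routes are identical whichever remote the client reaches. BOX 1 needs a firewall rule passing TCP 10101 on both WAN and OPT1.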



  • Hi,

    Do this post and this one say the same thing?
    http://forum.pfsense.org/index.php/topic,21941.msg112804.html#msg112804

    GruensFroeschli, when you say in the other post:
    "With OpenVPN you have the ability to specify multiple servers and how to connect to them (balancing/failover)."
    is this achieved by
    "binding the OpenVPN server to both interfaces and do the failover in the OpenVPN client config"
    i.e. using the Custom options?

    Thanks for your help

