OpenVpn server on WAN and OPT1 (site-to-site only) [SOLVED]

unguzov

Hi,

I have site-to-site OpenVPN setup and it works well.
I wanted to add failover - when my WAN goes offline then OPT1 to save my site-to-site link.

Configuration works well when WAN is up, but doesn't work when WAN goes down. OpenVPN logs shows that two boxes are connected, but I cant ping from one to other LAN…

Please help?

My configuration:

pfSense Box 1:
WAN-----(11.11.11.11)
                                 ---- pfSense --- LAN (192.168.28.0/24)
OPT1-----(22.22.22.22)/

pfSense BOX 2:
WAN-----(33.33.33.33)---- pfSense --- LAN (192.168.130.0/24)

On BOX 1 I have two OpenVPN servers:

First:
Protocol: TCP
Local port 10101
Address pool 10.10.11.0/24
Remote network: 192.168.130.0/24
Shared key: XXX
Custom options: local 11.11.11.11

Second:
Protocol: TCP
Local port 20101
Address pool 10.11.12.0/24
Remote network: 192.168.130.0/24
Shared key: XXX
Custom options: local 22.22.22.22

On BOX 2 I have one OpenVPN client:

Protocol: TCP
Server port 10101
Interface IP 10.11.12.0/24
Remote network: 192.168.28.0/24
Shared key: XXX
Custom options: remote 22.22.22.22 20101

GruensFroeschli

I would bind the OpenVPN server to both interfaces and do the failover in the OpenVPN client config.
–> The client connects in a failover manner to the different IPs of the server.
If one interface of the server should go down, the client automatically connects to the other interface.

unguzov

@GruensFroeschli:

I would bind the OpenVPN server to both interfaces and do the failover in the OpenVPN client config.
–> The client connects in a failover manner to the different IPs of the server.
If one interface of the server should go down, the client automatically connects to the other interface.

Thank you GruensFroeschli, you point me to the right direction  :)

Now it works as planned. My WORKING configuration:

pfSense BOX 1:
WAN–---(11.11.11.11)
                                  ---- pfSense --- LAN (192.168.28.0/24)
OPT1-----(22.22.22.22)/

pfSense BOX 2:
WAN-----(33.33.33.33)---- pfSense --- LAN (192.168.130.0/24)

On BOX 1: One OpenVPN server:

Protocol: TCP
Local port 10101
Address pool 10.10.11.0/24
Remote network: 192.168.130.0/24
Shared key: XXX

On BOX 2: One OpenVPN client:

Protocol: TCP
Server port 10101
Interface IP 10.10.11.0/24
Remote network: 192.168.28.0/24
Shared key: XXX
Custom options: remote 22.22.22.22 10101

FrAsErTaG

Hi I am looking at setting up the same style of VPN.

Is there any static routes that need to be set with your config?
How exactly do you "BIND" the interfaces via Openvpn?

unguzov

@FrAsErTaG:

Hi I am looking at setting up the same style of VPN.

Is there any static routes that need to be set with your config?
How exactly do you "BIND" the interfaces via Openvpn?

You do not need any additional static routes to make this work. You can "BIND" OpenVPN to specific adapter with custom options and "local" parameter, but in this case you do not need this. When "local" parameter is not set OpenVPN is bind to all adapters (0.0.0.0).

joyfulway

Hi,

do this post and this one tell the same thing ?
http://forum.pfsense.org/index.php/topic,21941.msg112804.html#msg112804

GruensFroeschli, when you say in the other post:
"With OpenVPN you have the ability to specify multiple servers and how to connect to them (balancing/failover)."
is this achieved by
"binding the OpenVPN server to both interfaces and do the failover in the OpenVPN client config"
i.e "using the Custom options ?

Thanks for your help