OpenVPN and dual WAN
-
This problem is similar to what you encounter if you try to set up IPsec on an OPT interface. Not sure if there is a way to work around that. This is still an unsolved issue at the moment; it might turn out to be a limitation in 1.0, but that is not sure yet.
But IPsec has the option to choose which interface to use, and then it searches for which gateway to use, am I right?
-
Okay, clear something up for me.
You're listening on all interfaces. Then you have the issue that the connecting client uses its own default gateway, or the gateway of the pfSense box?
There are all kinds of push/pull statements available to pfSense clients and servers to force the client to conform to your will. Have you looked at the example configs at the OpenVPN site?
-
Don't know if this is going to fix your issue, you can use option "float" to allow incoming packets from any IPs. From the openvpn man page:
--float
Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.

Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.
-
Okay, clear something up for me.
You're listening on all interfaces. Then you have the issue that the connecting client uses its own default gateway, or the gateway of the pfSense box?
There are all kinds of push/pull statements available to pfSense clients and servers to force the client to conform to your will. Have you looked at the example configs at the OpenVPN site?
When I said 'default gateway', I wanted to say 'pfSense OPT1 default GW'
I have 2 WAN connections: the WAN connection has default GW GW1, and OPT1 has default GW GW2. When I connect to any other service on the pfSense box, the service sends packets over the GW from which it received the incoming packets. In the case of OpenVPN, it takes the default GW from the system, so it always has GW1, and whenever it receives any packets (it doesn't matter if via WAN or OPT1), it replies via GW1.
-
Don't know if this is going to fix your issue, you can use option "float" to allow incoming packets from any IPs. From the openvpn man page:
I have tried, but it doesn't work yet. But I think it can be the solution.
-
I would suggest you look at the example configs on the OpenVPN website. There are definitely route push statements that will fix this for you.
-
Don't know if this is going to fix your issue, you can use option "float" to allow incoming packets from any IPs. From the openvpn man page:
I have tried, but it doesn't work yet. But I think it can be the solution.
Are you getting warning messages about packets from other IPs than expected? If so, I think "float" will fix it. Use it on the client box, the box with only one WAN.
-
I would suggest you look at the example configs on the OpenVPN website. There are definitely route push statements that will fix this for you.
My problem is with the gateway of the server, not with the client.
-
Are you getting warning messages about packets from other IPs than expected? If so, I think "float" will fix it.
No, it simply doesn't connect.
Use it on the client box, the box with only one WAN.
Yes, yes, I know.
-
There are also route-up and route-down, plus just plain route statements that can be placed into your server config. ;D
Please look more carefully at the examples. You'll be amazed at how customized openvpn can get.
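The options mentioned in this thread (float, push "route ..." statements, plain route statements, and the route-up/route-down hooks) collected into one server and one client config. This is an added illustration written for this page, not config from any of the posts above or from pfSense itself. The addresses (203.0.113.10 for WAN, 198.51.100.10 for OPT1, 192.168.1.0/24 for the LAN, 10.8.0.0/24 for the tunnel, 10.10.0.0/24 behind a client), file paths and script names are all assumed. Note what these options do and do not change: float controls which source addresses a peer will accept authenticated packets from, push/route/route-up control which routes get installed and when; none of them changes which gateway the server's own replies leave through, which is the problem described above. The server config therefore binds one OpenVPN instance per WAN address with the local option (also an assumption about how one would arrange it, not something the thread states), so that each instance's replies are at least sourced from the address the client connected to.

```conf
# ===== server side: one instance per WAN on the dual-WAN box =====
# Shown here: the instance for OPT1 (assumed address 198.51.100.10).
# A second copy of this file with "local 203.0.113.10" serves the WAN side.
local 198.51.100.10
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0          # tunnel network (assumed)
ca   /etc/openvpn/ca.crt                # certificate paths are assumed
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem

# Accept authenticated packets even if the peer's address or port changes
float

# Route the *client* is told to install (a "push" statement)
push "route 192.168.1.0 255.255.255.0"  # LAN behind pfSense (assumed)

# Route the *server* installs for a network behind one client
# (that client also needs a matching "iroute" in its client-config-dir file)
route 10.10.0.0 255.255.255.0

# Hooks run after the routes are added / before they are removed
# (script-security 2 is required for these in OpenVPN 2.1 and later;
#  the script paths are assumed)
script-security 2
route-up   /usr/local/etc/openvpn/route-up.sh
route-down /usr/local/etc/openvpn/route-down.sh

# ===== client side: the single-WAN box =====
client
dev tun
proto udp
# Try the server on both of its WAN addresses, in order
remote 203.0.113.10 1194
remote 198.51.100.10 1194
float
nobind
persist-key
persist-tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key  /etc/openvpn/client.key
```

The two server instances must not share a tunnel network or a tun device name; give the WAN-side copy its own `server` range (for example 10.9.0.0/24) and, if needed, its own `dev tun1`.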