[Solved] OpenVPN with VIP



  • Hi,

    I have tested this with a few firmwares, also the firmware from yesterday. OpenVPN works perfectly when assigned to the WAN interface. But when I change it to the VIP100 interface, which is an IP load-balanced between two firewalls, it doesn't work. A connection is initiated, but nothing happens; the client says it is still down (site to site with VPN).

    Is this not supported or possible? Or a bug?


  • Rebel Alliance Developer Netgate

    That should be supported. Can you post the contents of the openvpn server config that gets put in /var/etc when you set this up?



  • Hi,

    I forgot to mention something: the vip100 exists on the lagg0 interface. Here is my config; xx.xx.xx.xx is my public CARP IP (vip100) on the lagg0 interface.

    $ cat /var/etc/openvpn/server1.conf
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xx.xx.xx.xx
    tls-server
    ifconfig 10.1.3.1 10.1.3.2
    lport 1194
    management 127.0.0.1 1194
    max-clients 4
    push "route 10.1.0.0 255.255.255.0"
    route 10.0.0.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048

  • Rebel Alliance Developer Netgate

    I have a CARP pair setup in VMware I can test this against on Monday to see what happens. That looks like it should be ok.



  • That looks fine as long as the x.x.x.x IP in the 'local' line is the correct IP.



  • @cmb

    the local line is fine…

    I have a site to site working on the WAN interface (which is on a lagg0). When I switch to the CARP IP, the client can establish a connection, but nothing happens and the client says it is still down.

    Any ideas on debugging?



  • @tommie:

    Any ideas on debugging?

    Follow the encapsulated and unencapsulated traffic with tcpdump, and increase the verbosity on the OpenVPN processes.



    Oh my… I feel stupid... I only allowed traffic to the WAN interface IP and not traffic to the CARP IP.

    So sorry for this...

    tommie
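The mistake in the last post, a pass rule written for the interface address rather than the CARP VIP the server binds to, is easy to check mechanically. The following is an added example, not code from this thread or from pfSense; it parses a constructed copy of the server config and of `pfctl -sr` output, with 203.0.113.x documentation addresses standing in for the poster's xx.xx.xx.xx and the lagg0 interface address:

```python
import re

# Constructed sample of the thread's server config, trimmed to the lines that
# matter; 203.0.113.10 is an assumed stand-in for the poster's CARP VIP on lagg0.
SERVER_CONF = """\
proto udp
local 203.0.113.10
lport 1194
ifconfig 10.1.3.1 10.1.3.2
"""

# Constructed samples of `pfctl -sr` output. Before: the rule passes UDP/1194
# only to the interface's own address (203.0.113.1, assumed). After: a second
# rule targets the CARP VIP the server actually listens on.
PF_RULES_BEFORE = (
    'pass in quick on lagg0 inet proto udp from any to 203.0.113.1 '
    'port = 1194 keep state label "USER_RULE: OpenVPN"\n'
)
PF_RULES_AFTER = PF_RULES_BEFORE + (
    'pass in quick on lagg0 inet proto udp from any to 203.0.113.10 '
    'port = 1194 keep state label "USER_RULE: OpenVPN on VIP100"\n'
)


def openvpn_listener(conf):
    """Return (proto, address, port) the OpenVPN server binds to.

    proto defaults to udp and the port to 1194, as OpenVPN itself does when
    the directives are absent; a `local` line is required for this check.
    """
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts[key] = val.strip()
    proto = opts.get("proto", "udp").rstrip("46")  # udp4/udp6 -> udp
    port = int(opts.get("lport", opts.get("port", "1194")))
    return proto, opts["local"], port


def pass_rule_exists(pf_rules, proto, address, port):
    """True if some `pass in` rule allows proto/port to exactly this address."""
    pat = re.compile(
        rf"^pass in\b.*\bproto {proto}\b.*\bto {re.escape(address)} port = {port}\b"
    )
    return any(pat.search(rule) for rule in pf_rules.splitlines())


def listener_is_reachable(conf, pf_rules):
    """The check itself: the address OpenVPN binds to must have its own pass rule."""
    return pass_rule_exists(pf_rules, *openvpn_listener(conf))
```

A rule whose destination is "WAN address" only ever matches the interface address, so with the server bound to the VIP the before-state fails this check and the after-state passes it.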

