[Solved] OpenVPN with VIP

  • Hi,

I have tested this with a few firmwares, also the firmware from yesterday.  OpenVPN works perfectly when assigned to the WAN interface. But when I change it to the VIP100 interface, which is an IP load-balanced between two firewalls, it doesn't work.  A connection is initiated, but nothing happens; the client says it is still down (site-to-site VPN).

    Is this not supported or possible?  Or a bug?

  • Rebel Alliance Developer Netgate

    That should be supported. Can you post the contents of the openvpn server config that gets put in /var/etc when you set this up?

  • Hi,

I forgot to mention something: the vip100 exists on the lagg0 interface.  Here is my config; the xx.xx.xx.xx is my public CARP IP (vip100) on the lagg0 interface.

    $ cat /var/etc/openvpn/server1.conf
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xx.xx.xx.xx
    lport 1194
    management 1194
    max-clients 4
    push "route"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048

  • Rebel Alliance Developer Netgate

    I have a CARP pair setup in VMware I can test this against on Monday to see what happens. That looks like it should be ok.

  • That looks fine as long as the x.x.x.x IP in the 'local' line is the correct IP.

  • @cmb

    the local line is fine…

I have a site-to-site working on the WAN interface (which is on a lagg0).  When I switch to the CARP IP, the client can establish a connection, but nothing happens and the client says it is still down.

Any idea on how to debug this?

  • @tommie:

    any idea on debug?

    Follow the encapsulated and unencapsulated traffic with tcpdump, increase the verbosity on the openvpn processes.

Oh my… I feel stupid...  I only allowed traffic to the WAN interface IP and not traffic to the CARP IP.

    So sorry for this...
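The root cause in this thread was a firewall rule that passed UDP/1194 to the WAN address but not to the CARP VIP that OpenVPN was bound to with `local`. The following is an added example, not code from the thread or from pfSense: a small offline check that parses an OpenVPN server config for its listener (`proto`, `local`, `lport`/`port`) and then verifies that at least one `pass in` rule in a pf-style ruleset covers that protocol, destination address and port. The config values and rule lines are constructed samples with documentation addresses, and the simplified pf rule grammar it matches is an assumption, not pfSense's exact output.

```python
import ipaddress
import re

# Constructed sample OpenVPN server config (hypothetical addresses).
# 'local' is the CARP VIP, which is the address the firewall must pass traffic to.
SERVER_CONF = """\
dev ovpns1
dev-type tun
proto udp
local 198.51.100.10
lport 1194
"""

# Constructed sample pf ruleset (hypothetical). Only the WAN interface address
# (198.51.100.5) is passed on UDP/1194; the VIP (198.51.100.10) is not.
PF_RULES = """\
pass in quick on lagg0 inet proto udp from any to 198.51.100.5 port = 1194 keep state label "USER_RULE: OpenVPN on WAN"
pass in quick on lagg0 inet proto tcp from any to 198.51.100.5 port = 443 keep state label "USER_RULE: HTTPS"
block drop in log quick on lagg0 inet from any to any
"""

# Simplified 'pass in' rule grammar (assumption): ... proto X from SRC to DST port [=] N ...
RULE_RE = re.compile(
    r'^pass\s+in\b.*?\bproto\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)\s+port\s*(?:=\s*)?(\d+)'
)


def parse_openvpn_listener(conf):
    """Return (proto, local_ip_or_None, port) for an OpenVPN server config."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1] if len(parts) > 1 else ''
    proto = opts.get('proto', 'udp').rstrip('46')   # udp4/udp6 -> udp
    local = opts.get('local')                       # None: bound to all addresses
    port = int(opts.get('lport', opts.get('port', '1194')))
    return proto, local, port


def parse_pass_rules(rules):
    """Extract (proto, dst, port) from every 'pass in' rule the grammar matches."""
    found = []
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            proto, _src, dst, port = m.groups()
            found.append((proto, dst, int(port)))
    return found


def rule_covers(rule, proto, ip, port):
    """True if a parsed pass rule admits proto/port to the given address."""
    rproto, dst, rport = rule
    if rproto != proto or rport != port:
        return False
    if dst == 'any':
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(dst, strict=False)
    except ValueError:
        # Alias or hostname: cannot be resolved offline, so do not assume coverage.
        return False


def find_missing_pass_rule(conf, rules):
    """Return a finding string if no pass rule covers the OpenVPN listener, else None."""
    proto, local, port = parse_openvpn_listener(conf)
    if local is None:
        return None   # no single bound address; per-address check does not apply
    for rule in parse_pass_rules(rules):
        if rule_covers(rule, proto, local, port):
            return None
    return f"no pass rule for {proto}/{port} to OpenVPN 'local' address {local}"


if __name__ == '__main__':
    print(find_missing_pass_rule(SERVER_CONF, PF_RULES))
```

On the constructed input the check reports the missing rule for the VIP; changing the first rule's destination to the VIP (or to a network containing it) makes the finding disappear. The same logic applies when OpenVPN is bound to any address other than the interface's primary one, which is exactly the CARP case discussed here.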
