Netgate Discussion Forum
    Once VPN is established, cannot access second (backup) pfsense

OpenVPN
4 Posts 2 Posters 3.5k Views

scar

Hello,

I have my VPN up and running. When I am connected to it, I can access my first pfSense box using the LAN IP, and I can access other hosts on the LAN too. However, I cannot access the second pfSense box (CARP backup) using its LAN address. If I ssh to another box on the LAN, I can use lynx and access the backup just fine... just not through the VPN. I notice also on the backup that the OpenVPN connection has not been synchronized over.... so if my master goes down then my VPN goes down too, which shouldn't be.

This is pfSense 1.2.3. Thanks.

Edit: when I say "cannot access" I mean I type the address into the address bar and wait, and wait, wait, wait... after a while I think Firefox says the host is taking too long to respond. The VPN is set up on Debian Lenny using NetworkManager 0.6.6.

jimp (Rebel Alliance Developer Netgate)

        OpenVPN doesn't sync on 1.2.3, you'd have to set that up manually.

As for accessing the box, it's likely that it doesn't have a route back to you. It doesn't have a route to the OpenVPN subnet in its routing table, so it would try to send it out the default gateway (WAN), which is wrong.

You'd have to assign the OpenVPN interface as an OPT interface and set up some NAT rules which would translate the OpenVPN traffic to an IP on the LAN when trying to access the backup, and that should work.

        Or you could do an ssh port forward to get the job done also.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

scar

Hmm, well I am already using the OPT interfaces for the CARP syncing, so there is not yet a way to access the web GUI of the backup through the VPN?

If I create the same OpenVPN on the backup, is that going to cause any conflicts with the master? If so, what would be the correct way to set up a redundant OpenVPN?

jimp (Rebel Alliance Developer Netgate)

You need to set up the second OpenVPN instance manually, and on both of them, in the custom options put "local x.x.x.x;" where x.x.x.x is the CARP VIP on WAN.

            It doesn't really matter how you try to reach the secondary, its routing won't find its way back to the master from a VPN like that.

A couple of ways around it:
1. Put the master and slave OpenVPN instances on a separate subnet, and add a static route to the opposing router for that subnet
or
2. Assign the OpenVPN interface as an OPT interface, and set up NAT so that the traffic coming from OpenVPN and going to the secondary router has NAT applied such that it leaves from a VIP on the LAN side, so the secondary will only see that the traffic is coming from a LAN host and it should be able to get back to the source then.

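A concrete rendering of the `local` directive and of both workarounds from the reply above, added here as an illustration and not taken from the thread or from pfSense itself; the interface name, tunnel subnet and every address are assumed placeholders, and the route and NAT lines are the FreeBSD/pf equivalents of what the pfSense GUI (System > Static Routes, Firewall > NAT > Outbound in manual mode) would generate.

```conf
# OpenVPN server custom option on BOTH the master and the backup pfSense.
# Binding to the WAN CARP VIP (assumed: 203.0.113.10) means clients always
# reach whichever node currently holds the VIP, so a failover keeps the VPN
# reachable instead of leaving it tied to the master's own WAN address.
local 203.0.113.10

# --- Workaround 1: static route on the BACKUP node.
# Assumed: OpenVPN tunnel subnet 10.8.0.0/24, master's LAN IP 192.168.1.2.
# Without this the backup sends replies to VPN clients out its default
# gateway (WAN), where they are lost; with it, replies go to the master,
# which owns the tunnel and forwards them back to the client.
#   route add -net 10.8.0.0/24 192.168.1.2

# --- Workaround 2: outbound NAT on the MASTER node (pf rule equivalent).
# Assumed: LAN interface em1, LAN CARP VIP 192.168.1.1, backup LAN IP 192.168.1.3.
# Tunnel traffic headed for the backup leaves the master's LAN interface with
# the LAN VIP as source, so the backup sees an ordinary on-link LAN host and
# answers it directly; no routing knowledge of the tunnel subnet is needed.
nat on em1 from 10.8.0.0/24 to 192.168.1.3 -> 192.168.1.1
```

Only one of the two workarounds is needed; the `local` line applies in either case because it is what lets the surviving node accept the VPN after a CARP failover.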
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.