Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CARP + OpenVPN

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    3 Posts 2 Posters 5.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nastraga
      last edited by

      Hi,

      CARP is functioning BRILLIANTLY on the latested snapshots.

      Only small problem I'm running into is OpenVPN.

      OpenVPN server is running on WAN CARP virtual IP.  This works well, and when the CARP master dies, fails over.  The problem arises when you try to access the LAN IP address of the slave firewall through the OpenVPN tunnel.  Since OpenVPN is running on the slave, it tries to route traffic out its' own VPN interface which has nothing connected to it.

      Since it takes awhile for clients to reconnect after a failover anyways, would it make sense/be possible to only start OpenVPN instances running on CARP interfaces when the interface becomes a master, and kill them off again when not?

      Thanks.

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Starting them in that way could be tricky. Right now the CARP switch just happens seamlessly, without relying on any OS "events" to make it happen.

        There is an event that gets fired by devd on the CARP switch, but right now nothing uses it, and if the CARP state is flapping, it could kill/restart things several times. (And if the transitions are coalesced, something might get skipped)

        You could do a few different things to get around this:

        • Port forward on OpenVPN and access the secondary via the port forward.
        • Outbound NAT on LAN so that traffic going to the secondary is NAT'd to an IP on LAN
        • Setup a separate VPN instance that connects to the WAN IP, not the CARP VIP, for remote access and use a separate VPN instance to manage the secondary.

        The NAT options may require assigning your OpenVPN instance as an OPT interface.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • N
          nastraga
          last edited by

          jimp, THANKS  ;D

          Didn't want to run 2 VPN instances because then can't sync settings between boxes.

          For reference, Outbound NAT on LAN method works flawlessly.
          Master firewall is syncing NAT rules with backup (+ everything else)

          Rules:

          NATed source:ANY, destination:backup firewall LAN, NAT address: LAN CARP
          NATed source:ANY, destination:master firewall LAN, NAT address: LAN CARP

          This results in 1 bogus NAT rule per box, but I don't see a major problem with it. 
          CARP IP on backup firewall is inactive and can't be routed to(even internally) it seems while in the 'backup' state.

          It IS much cleaner than starting/stopping services or working with port forwards(as far as I can tell).

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.