Site-to-site Tunnel with Fail-Over [SOLVED]
-
Hello,
I've set up 2 pfSense boxes with a site-to-site OpenVPN tunnel. It is functional, traffic is OK.
But the tunnel doesn't connect through the right Internet link.
On one pfSense (OpenVPN server), I have an SDSL link with 6 IP addresses. On the other, I have 1 ADSL (WAN, 1 fixed IP address) and 1 SDSL (OPT1, 1 fixed IP address) link with fail-over (it doesn't work with load balancing or no FO/LB). The OpenVPN tunnel must go through the SDSL link, but it doesn't (openvpn[445]: write UDPv4: Network is unreachable (code=51)); the OpenVPN link only works through the ADSL link.
Any help/advice would be great, thanks.
-
If you're on 1.2.3 you need to add "local x.x.x.x;" to the OpenVPN config where x.x.x.x is the router's IP on the SDSL side.
You might also try switching to TCP instead of UDP if that alone doesn't fix it.
It should work much better on 2.0 by just selecting the SDSL interface when making the OpenVPN instance.
-
I tried with TCP and local x.x.x.x on the 1st pfSense box, but it doesn't work; the tunnel is still initiated through the ADSL link on the second pfSense box.
Same version on both sides, 1.2.3-RELEASE.
-
You might try adding a static route to the server's IP that goes out via the SDSL line at the multi-wan site.
-
All the necessary routes are there in both pfSense boxes, configured by OpenVPN:
pfSense - Main site (SDSL, 109.x.x.x/29)
default          109.x.x.x          UGS   0  9110429   1500  re0
10.0.8.2         10.0.8.1           UH    1  0         1500  tun0
109.x.x.x/29     link#1             UC    0  0         1500  re0
109.x.x.x        00:ff:db:9e:ef:f0  UHLW  2  233480    1500  re0   1185
127.0.0.1        127.0.0.1          UH    0  0         16384 lo0
192.168.1.0/24   link#4             UC    0  2         1500  re3
192.168.2.0/24   10.0.8.2           UGS   0  2029238   1500  tun0
pfSense - Site 1 (SDSL, 109.x.x.x/30 + ADSL, 90.x.x.x)
default          90.x.x.x           UGS   0  3740249   1500  re0
10.0.8.1         10.0.8.2           UH    1  0         1500  tun0
90.x.x.0/24      link#1             UC    0  0         1500  re0
90.x.x.x         127.0.0.1          UGHS  0  1390      16384 lo0
90.x.x.x         00:22:6b:a9:b1:f6  UHLW  2  0         1500  re0   721
109.x.x.x/30     link#2             UC    0  0         1500  re1
109.x.x.x        00:ff:6e:51:db:8d  UHLW  2  48810     1500  re1   1198
127.0.0.1        127.0.0.1          UH    1  0         16384 lo0
192.168.1.0/24   10.0.8.1           UGS   0  1586099   1500  tun0
192.168.2.0/24   link#4             UC    0  0         1500  re3
-
Ok, that was the solution.
I added the routes as static routes on both pfSense boxes, and the OpenVPN tunnel now goes through the SDSL lines. (I think only a static route at the distant site is required.)
Thanks!!
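
Why the static route works, as an added example that is not part of the original thread: the kernel picks the egress link by longest-prefix match on the destination, so a host route to the OpenVPN server's public IP wins over the default route through the ADSL gateway. The table is a constructed stand-in for Site 1 using documentation address ranges (the thread masks its real addresses), and `parse_routes`, `egress`, `SERVER_IP` and `STATIC_ROUTE` are names chosen for this illustration.

```python
import ipaddress

# Constructed stand-in for Site 1's table (netstat -rn layout, as in the thread).
# Assumed addresses, since the thread masks the real ones:
#   198.51.100.0/24 = ADSL side (re0), 203.0.113.0/30 = SDSL side (re1),
#   192.0.2.10      = public IP of the OpenVPN server at the main site.
SITE1_ROUTES = """\
default          198.51.100.1  UGS  0 3740249 1500 re0
10.0.8.1         10.0.8.2      UH   1 0       1500 tun0
198.51.100.0/24  link#1        UC   0 0       1500 re0
203.0.113.0/30   link#2        UC   0 0       1500 re1
192.168.1.0/24   10.0.8.1      UGS  0 1586099 1500 tun0
192.168.2.0/24   link#4        UC   0 0       1500 re3
"""
SERVER_IP = "192.0.2.10"
# The static host route added at the multi-WAN site (constructed row).
STATIC_ROUTE = "192.0.2.10       203.0.113.1   UGHS 0 0       1500 re1\n"


def parse_routes(text):
    """Turn netstat -rn style rows into (network, gateway, interface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated rows
        dest, gateway, netif = fields[0], fields[1], fields[6]
        if dest == "default":
            dest = "0.0.0.0/0"
        # A destination without a prefix length is parsed as a /32 host route.
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, netif))
    return routes


def egress(routes, destination):
    """Return (gateway, interface) of the longest-prefix match, or None."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1], best[2]


if __name__ == "__main__":
    print("before:", egress(parse_routes(SITE1_ROUTES), SERVER_IP))
    print("after: ", egress(parse_routes(SITE1_ROUTES + STATIC_ROUTE), SERVER_IP))
```

The same lookup can be run against a real table pasted from `netstat -rn` to confirm which WAN the tunnel's outer packets will leave on before and after a route change.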