OpenVPN Interface: any

  • Hi,

    I have been running two OpenVPN servers for several weeks without problems on my pfSense with two DSL lines. OpenVPN1 is on DSL1 and OpenVPN2 is on DSL2.

    Now I tried to bind OpenVPN1 to both DSL lines but after this the service didn't start:

    Mar 7 21:36:28 	openvpn[33935]: Exiting
    Mar 7 21:36:28 	openvpn[33935]: TCP/UDP: Socket bind failed on local address [undef]: Address already in use
    Mar 7 21:36:28 	openvpn[33935]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Mar 7 21:36:28 	openvpn[33935]: Initializing OpenSSL support for engine 'cryptodev'
    Mar 7 21:36:28 	openvpn[33935]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 7 21:36:28 	openvpn[33935]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
    Mar 7 21:36:28 	openvpn[33935]: [DEPRECATED FEATURE ENABLED: random-resolv] Resolving hostnames will use randomisation if more than one IP address is found
    Mar 7 21:36:28 	openvpn[33935]: OpenVPN testing-cee388313521 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Feb 21 2011

    I am using:
    2.0-RC1 (i386) built on Wed Mar 2 03:30:11 EST 2011

  • Rebel Alliance Developer Netgate

    Is the port already in use on DSL2? It sounds like it's just not able to grab that port.

  • That's it!!

    This server is running on port TCP/443. From WAN side there is no problem, but I am using HTTPS on port 443 for accessing the webGUI from LAN side.

    Hmm... the pull-down menu in the OpenVPN Server tab isn't ideal, because you can only select one interface or all interfaces. Isn't it possible to change it like in the squid package, where you can use CTRL to select the interfaces you want?

  • Rebel Alliance Developer Netgate

    It may be possible, but that isn't so trivial to do. It would require code changes in several areas.

    My favorite thing to do is just bind it to LAN and forward ports into it from each WAN I want it to run on, but that's me.

  • I read this tip/workaround in another thread, and I think it isn't really bad. The other OpenVPN server is using UDP, so there is no other way than to bind it to the LAN port.


  • Rebel Alliance Developer Netgate

    Yeah, there have been some UDP issues in the past where, when using the 'any' interface, the return traffic would use the default gateway regardless of the interface used for connecting, though I haven't tried that lately on 2.0, so I'm not sure if that's really an issue these days.

    Binding to LAN and forwarding ports lets it take advantage of pf's reply-to directive which ensures the traffic goes back out the WAN it came in on.
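
The bind-to-LAN-and-forward workaround from the last two replies, written out as a pf.conf fragment. This is an added example, not rules from the thread or rules pfSense generates; the interface names, addresses and gateways are assumptions. It also assumes OpenVPN is told to listen on the LAN address on a port other than 443 (`local 192.168.1.1` and `port 1194` with `proto tcp-server` in the server config), so the webGUI keeps TCP/443 and the "Address already in use" collision from the first post cannot recur, while each WAN still accepts 443 from the outside and redirects it. The `reply-to` on each pass rule is what pins return traffic to the WAN the connection arrived on instead of the default gateway.

```pf
# Added example (not from the thread): OpenVPN bound to the LAN address,
# TCP/443 forwarded into it from both WANs, return path pinned with reply-to.
# Every interface name, address and gateway below is an assumption.
wan1_if   = "em0"             # DSL1
wan2_if   = "em1"             # DSL2
lan_if    = "em2"
lan_ip    = "192.168.1.1"     # address OpenVPN binds to ("local 192.168.1.1" in the server config)
wan1_gw   = "203.0.113.1"     # upstream gateway on DSL1
wan2_gw   = "198.51.100.1"    # upstream gateway on DSL2
ovpn_port = "1194"            # OpenVPN's real port; 443 stays free for the webGUI on LAN

# Redirect TCP/443 arriving on either WAN address to the OpenVPN listener on the LAN address.
# (WAN1_if) / (WAN2_if) in parentheses track the interface address, so a DSL re-dial does not break the rule.
rdr on $wan1_if proto tcp from any to ($wan1_if) port 443 -> $lan_ip port $ovpn_port
rdr on $wan2_if proto tcp from any to ($wan2_if) port 443 -> $lan_ip port $ovpn_port

# Pass the redirected connections. reply-to (interface gateway) records the ingress WAN
# in the state entry, so replies leave through that WAN's gateway rather than the default route.
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) proto tcp from any to $lan_ip port $ovpn_port flags S/SA keep state
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) proto tcp from any to $lan_ip port $ovpn_port flags S/SA keep state
```

Before changing anything, `sockstat -4l` on the pfSense box shows which process already holds a port (in the thread's case the webGUI on TCP/443), and after loading the rules `pfctl -ss` lists the states, where a connection that came in on DSL2 should show up against the DSL2 address rather than the default WAN.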
