OpenVPN with two WANs

djs52

I have a dual-WAN setup and I want to have OpenVPN listening on the same port on both interfaces.

In the configuration options I can set interface to "any", but the openvpn documentation suggests that this is not expected to work. I find that the daemon listens on one interface but not the other.

On pfsense-1.3 I ran two OpenVPN instances, one for each interface, but the web interface won't let me do that on v2.0 – it claims that the port (1194) is already in use (which I suppose it is, but not on this interface). Commenting out the relevant line in /usr/local/www/vpn_openvpn_server.php is sufficient to get this configuration working, though a better solution would be to make openvpn_port_used take into account the interface in /etc/inc/openvpn.inc

Dan.

shaggy63

I believe this is relevant http://redmine.pfsense.org/issues/1507

djs52

I think that's unrelated – I don't want failover, I want to listen on both interfaces.

If I understand the documentation correctly, openvpn server would not be expected to work properly on multiple interfaces (i.e., without a local line in the configuration) because multihome is not available. From the man page:

–multihome
      Configure  a  multi-homed UDP server.  This option can be used when OpenVPN has been configured
      to listen on all interfaces, and will attempt to bind client sessions to the interface on which
      packets  are  being  received, so that outgoing packets will be sent out of the same interface.
      Note that this option is only relevant for UDP servers and currently  is  only  implemented  on
      Linux.

jimp

To do that I just run the server on the LAN interface and do a port forward from WAN/WAN2 to 1194 on the LAN IP. Then pf's reply-to mojo makes sure it goes back out the way it came in.

Though when I pick 'any' it does bind to all interfaces on the same port, I wouldn't expect that to work properly with UDP, but it appears that the multihome option may work around that, you could always try that in the advanced options and see if it helps.

EDIT: I didn't have a quick way to test if it worked, but it didn't complain when I added the option. If someone could test that and provide some feedback I can commit a change to the code that will add the multihome parameter if we are bound to 'any' and using UDP. (TCP should work normally as-is). According to the man page, multihome is only implemented on Linux, but it's possible they just haven't updated the man page there since 2.1 and pfSense 2.0 is using OpenVPN 2.2 now.

jeffbearer

I tried adding multihome to the end of my advanced options and complains for me.

Jun  8 11:54:01 fw openvpn[33516]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/server2.conf:38: multihome (testing-cee388313521)
Jun  8 11:54:01 fw openvpn[33516]: Use --help for more information.

jimp

@jeffbearer:

I tried adding multihome to the end of my advanced options and complains for me.

Jun  8 11:54:01 fw openvpn[33516]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/server2.conf:38: multihome (testing-cee388313521)
Jun  8 11:54:01 fw openvpn[33516]: Use --help for more information.

Are you on a current snapshot?

jeffbearer

The running on the LAN interface and setting up NAT rules seems to work like a charm…  at least after I remembered to remove multihome from my adv config.