Netgate Discussion Forum
    OpenVPN with two WANs

    2.0-RC Snapshot Feedback and Problems - RETIRED | 7 Posts, 4 Posters, 4.9k Views
    djs52:

      I have a dual-WAN setup and I want to have OpenVPN listening on the same port on both interfaces.

      In the configuration options I can set interface to "any", but the openvpn documentation suggests that this is not expected to work. I find that the daemon listens on one interface but not the other.

      On pfsense-1.3 I ran two OpenVPN instances, one for each interface, but the web interface won't let me do that on v2.0 – it claims that the port (1194) is already in use (which I suppose it is, but not on this interface). Commenting out the relevant line in /usr/local/www/vpn_openvpn_server.php is sufficient to get this configuration working, though a better solution would be to make openvpn_port_used take into account the interface in /etc/inc/openvpn.inc

      Dan.

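      A model of the interface-aware check proposed above, written as an added example (it is not pfSense's openvpn_port_used() from /etc/inc/openvpn.inc, and the Server record, the conflict rules, the protocol handling of the "legacy" variant and the sample instances are all assumptions made for the illustration). The point it shows: a second listener on the same port is only a real clash when it would bind the same protocol on the same address, or when either side is bound to "any", which occupies the port on every address.

```python
"""Interface-aware 'port already in use' check for OpenVPN instances.

Added example modelled on the change djs52 proposes for openvpn_port_used();
it is not pfSense code. The Server record, the conflict rules and the sample
instances below are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Server:
    vpnid: int        # id of the OpenVPN instance being saved
    interface: str    # "wan", "wan2", "lan", ... or "any" (bind every address)
    protocol: str     # "udp" or "tcp"
    port: int


def same_socket(a: Server, b: Server) -> bool:
    """True if the two instances would try to bind the same (proto, addr, port).

    A listener on 'any' occupies the port on every address, so it collides
    with everything on that port; otherwise only an identical interface is a
    clash. A real implementation should compare resolved bind addresses, since
    two interface names may share an address (assumption here: one address
    per interface).
    """
    if a.protocol.lower() != b.protocol.lower() or a.port != b.port:
        return False
    if "any" in (a.interface.lower(), b.interface.lower()):
        return True
    return a.interface.lower() == b.interface.lower()


def port_used(candidate: Server, existing: Iterable[Server]) -> Optional[Server]:
    """Interface-aware check: return the instance that blocks the candidate, or None."""
    for other in existing:
        if other.vpnid == candidate.vpnid:
            continue  # re-saving an instance must not clash with itself
        if same_socket(candidate, other):
            return other
    return None


def port_used_legacy(candidate: Server, existing: Iterable[Server]) -> Optional[Server]:
    """Behaviour the post describes: any instance on the same protocol and port
    is a clash regardless of interface (assumption: protocol is compared, the
    thread only mentions the port)."""
    for other in existing:
        if (other.vpnid != candidate.vpnid
                and other.port == candidate.port
                and other.protocol.lower() == candidate.protocol.lower()):
            return other
    return None


# Constructed sample: one UDP server already bound to WAN on 1194.
EXISTING = (Server(vpnid=1, interface="wan", protocol="udp", port=1194),)


def demo() -> dict:
    """Evaluate a few candidate second instances under both checks."""
    cases = {
        "wan2/udp/1194": Server(2, "wan2", "udp", 1194),
        "wan/udp/1194": Server(2, "wan", "udp", 1194),
        "any/udp/1194": Server(2, "any", "udp", 1194),
        "wan2/tcp/1194": Server(2, "wan2", "tcp", 1194),
    }
    return {
        name: {
            "legacy_blocked": port_used_legacy(c, EXISTING) is not None,
            "interface_aware_blocked": port_used(c, EXISTING) is not None,
        }
        for name, c in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} legacy={result['legacy_blocked']!s:5s} "
              f"interface-aware={result['interface_aware_blocked']}")
```

      Running it shows the WAN2 UDP instance rejected by the legacy rule and accepted by the interface-aware one, while an instance on "any" or on the same interface is still (correctly) rejected.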
    shaggy63:

        I believe this is relevant http://redmine.pfsense.org/issues/1507

    djs52:

          I think that's unrelated – I don't want failover, I want to listen on both interfaces.

          If I understand the documentation correctly, openvpn server would not be expected to work properly on multiple interfaces (i.e., without a local line in the configuration) because multihome is not available. From the man page:

           --multihome
                 Configure a multi-homed UDP server. This option can be used when OpenVPN has been configured
                 to listen on all interfaces, and will attempt to bind client sessions to the interface on which
                 packets are being received, so that outgoing packets will be sent out of the same interface.
                 Note that this option is only relevant for UDP servers and currently is only implemented on
                 Linux.

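           What the man page text above is describing at the socket level, as an added illustration (not OpenVPN's or pfSense's code): a UDP server bound to every address does not know which of its addresses a datagram was sent to, so a plain reply gets whatever source address the route to the client picks, and on a dual-WAN box that can be the wrong WAN. On Linux the fix behind --multihome is the IP_PKTINFO control message: the kernel reports the destination address on receive, and the same message on send forces that address as the reply's source. The example runs on one Linux host by using 127.0.0.1 and 127.0.0.2 on the loopback interface (Linux treats all of 127/8 as local); the constant value 8 is an assumption for Python builds that do not expose socket.IP_PKTINFO.

```python
"""Reply from the address a UDP datagram arrived on (the --multihome idea).

Added illustration of the Linux IP_PKTINFO mechanism, not OpenVPN or pfSense
code. Linux only; uses 127.0.0.1 and 127.0.0.2 on loopback so it runs on one
host with no extra interfaces.
"""
import socket
import struct
from typing import Optional, Tuple

# Linux value of IP_PKTINFO; assumption for Python builds that do not expose it.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo: int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr;
PKTINFO_FMT = "i4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def make_server(bind_addr: str = "0.0.0.0") -> socket.socket:
    """UDP socket bound to every address (the 'any' case from the thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # report destination on recv
    srv.bind((bind_addr, 0))
    srv.settimeout(2)
    return srv


def serve_one(srv: socket.socket, multihome: bool) -> Optional[str]:
    """Echo one datagram back; return the address the request was sent to."""
    data, ancdata, _flags, peer = srv.recvmsg(2048, socket.CMSG_SPACE(PKTINFO_LEN))
    arrived_on = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, hdr_dst = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            arrived_on = socket.inet_ntoa(hdr_dst)  # destination address of the request
    if multihome and arrived_on is not None:
        # ipi_spec_dst on sendmsg tells the kernel which local address to use as source.
        pktinfo = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(arrived_on), b"\0" * 4)
        srv.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)
    else:
        srv.sendto(data, peer)  # kernel picks the source from the route to the peer
    return arrived_on


def probe(multihome: bool, server_ip: str = "127.0.0.2",
          client_ip: str = "127.0.0.1") -> Tuple[Optional[str], str]:
    """Send one datagram to server_ip; return (address it arrived on, reply source)."""
    srv = make_server()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        cli.bind((client_ip, 0))
        cli.settimeout(2)
        cli.sendto(b"ping", (server_ip, srv.getsockname()[1]))
        arrived_on = serve_one(srv, multihome)
        _reply, (reply_src, _port) = cli.recvfrom(2048)
        return arrived_on, reply_src
    finally:
        srv.close()
        cli.close()


if __name__ == "__main__":
    print("without multihome:", probe(multihome=False))
    print("with multihome:   ", probe(multihome=True))
```

           The client talks to 127.0.0.2; without the control message the reply comes back from 127.0.0.1 (the route's preferred source), with it the reply comes back from 127.0.0.2. On a real dual-WAN host the first case is the one a NAT upstream or a strict client drops, which is why a UDP listener on "any" needs this (or, on platforms without it, one instance per interface or jimp's port-forward arrangement).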
    jimp (Rebel Alliance Developer, Netgate):

            To do that I just run the server on the LAN interface and do a port forward from WAN/WAN2 to 1194 on the LAN IP. Then pf's reply-to mojo makes sure it goes back out the way it came in.

            Though when I pick 'any' it does bind to all interfaces on the same port, I wouldn't expect that to work properly with UDP, but it appears that the multihome option may work around that, you could always try that in the advanced options and see if it helps.

            EDIT: I didn't have a quick way to test if it worked, but it didn't complain when I added the option. If someone could test that and provide some feedback I can commit a change to the code that will add the multihome parameter if we are bound to 'any' and using UDP. (TCP should work normally as-is). According to the man page, multihome is only implemented on Linux, but it's possible they just haven't updated the man page there since 2.1 and pfSense 2.0 is using OpenVPN 2.2 now.

    jeffbearer:

              I tried adding multihome to the end of my advanced options and it complains for me.

              Jun  8 11:54:01 fw openvpn[33516]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/server2.conf:38: multihome (testing-cee388313521)
              Jun  8 11:54:01 fw openvpn[33516]: Use --help for more information.
              
    jimp (Rebel Alliance Developer, Netgate):

                @jeffbearer:

                I tried adding multihome to the end of my advanced options and it complains for me.

                Jun  8 11:54:01 fw openvpn[33516]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/server2.conf:38: multihome (testing-cee388313521)
                Jun  8 11:54:01 fw openvpn[33516]: Use --help for more information.
                

                Are you on a current snapshot?

    jeffbearer:

                  Running on the LAN interface and setting up NAT rules seems to work like a charm... at least after I remembered to remove multihome from my adv config.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.