    OpenVPN Client on Redundant CARP pfsense

      bobwondernut:

      Hey all:

      I've got 2 pfsense instances that otherwise work correctly w/ CARP between them at site A.

      At a remote site, there's also 2 pfsense instances w/ CARP as well at site B.

      I've set up a site-to-site shared key OpenVPN instance, but am noticing that both of the OpenVPN client instances at site A are simultaneously connecting to site B, and appear to both be sending redundant packets:

      Jul 23 12:24:04 pf01 openvpn[2161]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21 / time = (1311449003) Sat Jul 23 12:23:23 2011 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Jul 23 12:24:05 pf01 openvpn[2161]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #22 / time = (1311449003) Sat Jul 23 12:23:23 2011 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Jul 23 12:24:06 pf01 openvpn[2161]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #23 / time = (1311449003) Sat Jul 23 12:23:23 2011 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

      Both sites have the OpenVPN client/server bound to the CARP VIP interface.

      Is there a way to only have pfsense bring up an openvpn client interface if it is currently the master for this instance? At the moment, to get this to work I have to power off one of the pf instances on the client side of the link.

      Thanks!

        cmb:

        You need a devd script hacked in for that instance, to stop/start the client with the CARP status. There is a ticket open on that to address automatically in a future release, hopefully in a generic way so nothing on CARP IPs can initiate traffic unless they have master status.

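        The devd hook cmb describes, as an added example written for this page (it is not code from the thread or from pfSense): a script that keeps an OpenVPN client running only while the CARP VIP it is bound to is MASTER, so the BACKUP node never originates tunnel traffic and the peer stops seeing duplicate packet IDs. Assumptions, all for illustration: the VIP sits on a FreeBSD 8-style `carp0` pseudo-interface, the client is pfSense client instance 1 with config `/var/etc/openvpn/client1.conf` and pidfile `/var/run/openvpn_client1.pid`, and a devd.conf stanza matching system `CARP` invokes it as `openvpn-carp.sh run $subsystem $type`. The ifconfig text it parses offline is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): start/stop an OpenVPN client
# bound to a CARP VIP according to CARP state. Paths, interface name and
# client number below are assumptions for illustration.

CARP_IFACE="${CARP_IFACE:-carp0}"                        # assumption: VIP on carp0
OVPN_CONF="${OVPN_CONF:-/var/etc/openvpn/client1.conf}"  # assumption: client 1
OVPN_PID="${OVPN_PID:-/var/run/openvpn_client1.pid}"     # assumption: its pidfile

# Constructed sample of FreeBSD 8-style `ifconfig` output (one carpN
# pseudo-interface per VIP), used for the offline demo and tests.
SAMPLE_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 203.0.113.10 netmask 0xffffff00
	carp: MASTER vhid 10 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 203.0.113.11 netmask 0xffffff00
	carp: BACKUP vhid 11 advbase 1 advskew 100'

# carp_state <ifconfig-text> <carpN>: print MASTER, BACKUP, INIT or NONE.
# Interface headers start in column 0; the "carp:" detail line is indented.
carp_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }        # new block
        iface == want && $1 == "carp:" { print $2; found = 1; exit }
        END { if (!found) print "NONE" }
    '
}

# decide <state>: only a MASTER node may run the client. BACKUP, INIT and
# unknown states all map to stop, so a node never initiates from a VIP it
# does not currently hold.
decide() {
    case "$1" in
        MASTER) echo start ;;
        *)      echo stop ;;
    esac
}

# apply <start|stop>: idempotent on the pidfile so repeated devd events are safe.
apply() {
    case "$1" in
        start)
            if [ -f "$OVPN_PID" ] && kill -0 "$(cat "$OVPN_PID")" 2>/dev/null; then
                return 0                                       # already running
            fi
            /usr/local/sbin/openvpn --config "$OVPN_CONF" --writepid "$OVPN_PID" --daemon
            ;;
        stop)
            if [ -f "$OVPN_PID" ]; then
                kill "$(cat "$OVPN_PID")" 2>/dev/null
                rm -f "$OVPN_PID"
            fi
            ;;
    esac
}

# main [<subsystem> <type>]: devd passes the carp interface and new state;
# with no event arguments the live state is read from ifconfig instead.
main() {
    if [ "$#" -eq 2 ]; then
        [ "$1" = "$CARP_IFACE" ] || return 0                   # another VIP's event
        state="$2"
    else
        state=$(carp_state "$(ifconfig 2>/dev/null)" "$CARP_IFACE")
    fi
    apply "$(decide "$state")"
}

# Offline demo: show the decision for each interface in the constructed sample.
show_sample_decisions() {
    for i in carp0 carp1 carp2; do
        s=$(carp_state "$SAMPLE_IFCONFIG" "$i")
        printf '%s state=%s action=%s\n' "$i" "$s" "$(decide "$s")"
    done
}

# Only act when told to, so sourcing the file has no side effects.
case "${1:-}" in
    run)  shift; main "$@" ;;
    demo) show_sample_decisions ;;
esac
```

Run `sh openvpn-carp.sh demo` to see the decisions for the constructed sample; `sh openvpn-carp.sh run carp0 MASTER` is what the assumed devd stanza would invoke on failover. Because anything other than MASTER maps to stop, a split-brain or INIT state leaves the tunnel down rather than letting two nodes dial the same peer.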
          bobwondernut:

          ten-four - thanks for the reply at light speed :)

          -t

            cmb:

            Updating this old thread because it comes up in search results. In 2.0.2 release and newer, you just need to bind the OpenVPN client instance to a CARP IP, and the system automatically handles starting/stopping the client instance with the CARP status.
