Open VPN-Additional Client Conf options-Add 2nd WAN



  • Hello!

    In Client Export > Additional Configuration Options:I have added remote MY_SECOND_WAN_IP 1196 in order to have failover WAN for OpenVPN. However, the specific connection works only with the second wan ip.

    Is this possible at all (to add both WAN ips in one OpenVPN connection)?

    Best regards

    Kostas



  • Does your confic includes

    
    remote first_wan_ip port
    remote second_wan_ip port
    
    


  • Thank you.

    No, just remote first WAN IP port.

    Kostas



  • What happens if you add that kind of configuration?



  • I will try and post back.

    I have to check with the first WAN connected and then disconnected, in order to see if it falls to the second.

    Thank you!

    Kostas



  • After several checks I found this: the OpenVPN accepts connections only in one of the WANs. If I set the other WAN as option in client export I get:

    Feb 08 17:54:13: TCP/UDP: Incoming packet rejected from <wan-1-ip></wan-1-ip>:1196[2], expected peer address: <wan-2-ip></wan-2-ip>:1196 (allow this incoming source address/port by removing –remote or adding --float)

    There is a floating rule for OpenVPN, though.

    The **<wan-1-ip></wan-1-ip>**is a PPoE VLAN interface and the **<wan-2-ip></wan-2-ip>**is the main WAN port of PFSense.

    Best regards

    Kostas



  • @costasppc:

    After several checks I found this: the OpenVPN accepts connections only in one of the WANs. If I set the other WAN as option in client export I get:

    Feb 08 17:54:13: TCP/UDP: Incoming packet rejected from <wan-1-ip></wan-1-ip>:1196[2], expected peer address: <wan-2-ip></wan-2-ip>:1196 (allow this incoming source address/port by removing –remote or adding --float)

    There is a floating rule for OpenVPN, though.

    The **<wan-1-ip></wan-1-ip>**is a PPoE VLAN interface and the **<wan-2-ip></wan-2-ip>**is the main WAN port of PFSense.

    Best regards

    Kostas

    Am I right, that your OpenVPN server is listening on WAN1 and WAN2 and you are using UDP as protocol ?

    Then Failover will not work. Failover and OpenVPN do not work with this kind of configuration. To make it work configure it this way:

    The OpenVPN Server is listening on the LAN address, port 1194, UDP
    Create a “Port Forward” from WAN1 address, poirt 1194 to LAN address, port 1194
    Create a “Port Forward” from WAN2 address, port 1194 to LAN address, port 1194
    Create corresponding firewall rules for these two Port Forwards.

    Add this to your OpenVPN client.conf

    
    remote-random
    remote WAN1_address 1194
    remote WAN2_address 1194
    
    

    remote random means: The client tries to use the one or the other IP. There is no order, it is “random”.
    If you delete “remote random” then the client first uses WAN1-IP and if this fails WAN2-IP. It checks the remote IP addresses from top to down.

    PS: Delete the floating rule for OpenVPN - just use “normal” rules like I wrote above - that’s enough.



  • Thank you for your answer!

    It is listening to <any>interface, UDP, port 1196 (I have a OpenVPN appliance in 1194).

    If I delete remote-random (I need a specific faster (WAN1) to be tried first and if failed, the other (WAN2)) my client conf is like this?

    remote WAN1_address 1196
    remote WAN2_address 1196
    

    Best regards

    Kostas</any>



  • @costasppc:

    Thank you for your answer!

    It is listening to <any>interface, UDP, port 1196 (I have a OpenVPN appliance in 1194).

    If I delete remote-random (I need a specific faster (WAN1) to be tried first and if failed, the other (WAN2)) my client conf is like this?

    remote WAN1_address 1196
    remote WAN2_address 1196
    

    Best regards

    Kostas</any>

    If you first WAN1 is faster and you want that the WAN1 should be used first if it is up, than remove “remote-random”. Then in your case it will first youse WAN1 and only WAN2 if WAN2 is down/not reachable.



  • Thank you!

    I will check and get back.

    Best regards

    Kostas



  • Well, it not working on the one of the WANs, only to the second:

    I have deleted the floating rule for the WAN in question, created a NAT rule and the corresponding FW rule. I have let the other floating rule untouched, though:

    NAT Rule

    Firewall rule

    I have added the info to the Client export for Viscosity:

    However, Viscosity conf contains the info for the 1st WAN address, nothing for the second:

    dev tun
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote 1st_WAN_address 1196
    tls-remote VPNServer
    auth-user-pass
    comp-lzo

    ca ca.crt
    tls-auth ta.key 1
    cert cert.crt
    key key.key

    The connection is failing, the log is below, and if by hand change the WAN address in the conf file to the 2nd WAN address the connection succeeds:

    Mar 03 14:38:46: LZO compression initialized
    Mar 03 14:38:46: UDPv4 link local (bound): [undef]:1194
    Mar 03 14:38:46: UDPv4 link remote: 46.198.128.106:1196
    Mar 03 14:39:46: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 03 14:39:46: TLS Error: TLS handshake failed
    Mar 03 14:39:46: SIGUSR1[soft,tls-error] received, process restarting

    Best regards

    Kostas


Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy