OpenVPN interface selection - LAN and any



  • I have pfSense systems with LAN, WAN and OPT1. I have OpenVPN P2P shared-key clients connecting out to OpenVPN servers on other pfSense systems across the net. I would like the outgoing client connection attempts to exit to the internet by whichever of WAN and OPT1 is up.
    My LAN has a firewall rule feeding exiting general internet traffic to a gateway group. The gateway group contains WAN and OPT1. This works well when 1 of WAN or OPT1 goes down - the traffic happily goes out the interface that is up.
    I discovered that if I set the OpenVPN client interface to LAN, it still connects out the internet to the server OK. I guess that the outgoing client connect will feed through the gateway group on its way out, thus making it go out WAN or OPT1, whichever is up. So it will provide failover when initiating OpenVPN connections. (I need to give this a test!)

    1. Is the above correct?

    2. What does OpenVPN interface "any" do?
      (I guess it just picks a "random" interface to bind to when initiating the outgoing client connection - that would make it not so useful for failover. But maybe it is smart and only picks an interface that actually seems to be up.)



  • It didn't seem to take any notice of the rules feeding LAN into a gateway group for policy-based routing. It just uses the default route. I enabled default gateway switching (System:Advanced, Miscellaneous) and now the default route changes to OPT1 when WAN goes down, and changes back when WAN comes up again. The OpenVPN Client follows this exiting via whichever interface is the current default route.
    My best-effort at an auto-redundant config is posted at:
    http://forum.pfsense.org/index.php/topic,49033.0.html


  • Rebel Alliance Developer Netgate

    'any' will make it follow whichever gateway is default.

    With gateway switching on, and some outbound NAT and floating rules, it can work that way, but the method we're cooking up for 2.1 is much nicer.



  • Yes, being able to use a gateway group looks good - then I can prioritise the gateway group appropriate and the OpenVPN will listen (server) or connect out through (client) the highest priority interface available in the gateway group. It looks like more good code has been committed for this, just waiting for another snapshot to appear after the current round of rebuilds of stuff then I will give it a try.



  • Just wanted to add to this, in the latest snapshots when you set a gateway group and one of the gateways go down, it seems this bug appears

    http://redmine.pfsense.org/issues/2582

    The ovpn session is unable to assign the new address and the service exits. This completely destroys failover, as even when the original gateway comes back up the ovpn service is stopped.


Log in to reply