    OpenVPN interface selection - LAN and any

    OpenVPN
    3
    5
    2.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
phil.davis:

      I have pfSense systems with LAN, WAN and OPT1. I have OpenVPN P2P shared-key clients connecting out to OpenVPN servers on other pfSense systems across the net. I would like the outgoing client connection attempts to exit to the internet by whichever of WAN and OPT1 is up.
      My LAN has a firewall rule feeding exiting general internet traffic to a gateway group. The gateway group contains WAN and OPT1. This works well when 1 of WAN or OPT1 goes down - the traffic happily goes out the interface that is up.
      I discovered that if I set the OpenVPN client interface to LAN, it still connects out the internet to the server OK. I guess that the outgoing client connect will feed through the gateway group on its way out, thus making it go out WAN or OPT1, whichever is up. So it will provide failover when initiating OpenVPN connections. (I need to give this a test!)

      1. Is the above correct?

      2. What does OpenVPN interface "any" do?
        (I guess it just picks a "random" interface to bind to when initiating the outgoing client connection - that would make it not so useful for failover. But maybe it is smart and only picks an interface that actually seems to be up.)

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

phil.davis:

        It didn't seem to take any notice of the rules feeding LAN into a gateway group for policy-based routing. It just uses the default route. I enabled default gateway switching (System:Advanced, Miscellaneous) and now the default route changes to OPT1 when WAN goes down, and changes back when WAN comes up again. The OpenVPN Client follows this exiting via whichever interface is the current default route.
        My best-effort at an auto-redundant config is posted at:
        http://forum.pfsense.org/index.php/topic,49033.0.html


jimp (Rebel Alliance Developer, Netgate):

          'any' will make it follow whichever gateway is default.

          With gateway switching on, and some outbound NAT and floating rules, it can work that way, but the method we're cooking up for 2.1 is much nicer.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

phil.davis:

Yes, being able to use a gateway group looks good - then I can prioritise the gateway group appropriately and the OpenVPN will listen (server) or connect out through (client) the highest priority interface available in the gateway group. It looks like more good code has been committed for this; just waiting for another snapshot to appear after the current round of rebuilds of stuff, then I will give it a try.


xternal:

Just wanted to add to this: in the latest snapshots, when you set a gateway group and one of the gateways goes down, it seems this bug appears:

              http://redmine.pfsense.org/issues/2582

              The ovpn session is unable to assign the new address and the service exits. This completely destroys failover, as even when the original gateway comes back up the ovpn service is stopped.

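The three binding choices the thread compares (client bound to LAN, to "any", or to a gateway group) and the rebind event xternal reports, as an added Python model; this is not pfSense code and was not posted by any participant, and the interface names, tier numbers and up/down states are assumptions.

```python
"""Which interface a pfSense OpenVPN client exits through under the binding
choices discussed in this thread. Added illustration, not pfSense code; the
interface names, tier numbers and link states are constructed."""
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str      # e.g. "WAN" or "OPT1"
    up: bool       # result of gateway monitoring
    tier: int = 1  # gateway-group priority; lower number = preferred


def default_route(gateways, switching_enabled, static_default="WAN"):
    """Interface the default route points at. Without 'default gateway
    switching' it stays on the configured default even when that link is
    down; with switching it moves to an up gateway and moves back later."""
    by_name = {g.name: g for g in gateways}
    if by_name[static_default].up or not switching_enabled:
        return static_default
    up = [g.name for g in gateways if g.up]
    return up[0] if up else static_default


def gateway_group_pick(members):
    """Highest-priority member that is up (lowest tier wins); None if none."""
    up = [g for g in members if g.up]
    return min(up, key=lambda g: g.tier).name if up else None


def openvpn_exit(binding, gateways, switching_enabled=False, group=None,
                 previous=None):
    """Return (interface, can_connect, rebind_needed). LAN and 'any' both
    follow the default route; the LAN policy-routing rules are not consulted
    (phil.davis's observation). A gateway-group binding follows the group.
    rebind_needed is True when the exit interface differs from the one the
    client was last using, i.e. the client must come up on a new address,
    which is the step xternal saw fail (redmine issue 2582)."""
    if binding in ("LAN", "any"):
        iface = default_route(gateways, switching_enabled)
    elif binding == "group":
        iface = gateway_group_pick(group or gateways)
    else:
        raise ValueError(f"unknown binding {binding!r}")
    up = {g.name: g.up for g in gateways}
    can_connect = iface is not None and up[iface]
    rebind_needed = previous is not None and iface != previous
    return iface, can_connect, rebind_needed
```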