OpenVPN - works for 1 WAN, issues with DUAL WAN
-
Single WAN RoadWarrior OpenVPN works 100% using http://blog.stefcho.eu/?p=492.
Dual WAN = no gogoal:
VPN client to autoconnects to whichever WAN is up
"remote mydomain.com 1194"
"remote mydomain2.com 1194"1st approach
- Select "Interface = any" under OpenVPN: Server
- open OpenVPN port on both WANs
result:
works for 1 WAN, changing "remote mydomain.com 1194" to "remote mydomain2.com 1194" doesn't connect
log:
Jul 24 17:51:34 openvpn[37968]: 70.30.110.178:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 24 17:50:34 openvpn[37968]: 70.30.110.178:1194 LZO compression initialized
Jul 24 17:50:34 openvpn[37968]: 70.30.110.178:1194 Re-using SSL/TLS context
Jul 24 17:50:24 openvpn[37968]: admin_remote/70.30.110.178:1194 [admin_remote] Inactivity timeout (–ping-restart), restarting
2st approach
- 2 OpenVPN servers, different ports
result:
no go using the same "Tunnel Network on both",
started working when i made them different,
i was able to connect to either for a few minutes, then it broke,
now it only connect to one and no the other
log:
Jul 24 17:56:29 openvpn[59406]: TLS Error: incoming packet authentication failed from [AF_INET]70.30.110.178:1194
Jul 24 17:56:29 openvpn[59406]: Authenticate/Decrypt packet error: packet HMAC authentication failed
How can i get this to work?
-
run it on LAN interface an portforward from both wans to lan
-
run it on LAN interface an portforward from both wans to lan
thanks for the suggestion,
i tried out of desperation, no go
NAT shouldn't be in play here at all -
UPDATE:
I have:
WAN1 = cable
WAN2 = dslWith identical VPN server and firewall settings, i can't connect on WAN2 only.
OpenVPN log shows "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"
I've been able to connect on WAN2 before, but not anymore, no matter what i try.Why would OpenVPN work on WAN1 and not WAN2?
-
firewall rules or if dsl-router is in between, missing portforwards, blocks at isp level, …
-
I have the exact same issue. Did you ever figure it out?
-
no solution, gave up, waiting for 2.1 to try again
is documentation outdated or is there something inherently wrong with a single openvpn server listening on all interfaces?
this suggests running 2 openvpn servers http://doc.pfsense.org/index.php/Multi-WAN_OpenVPN -
there is no reason why it wouldn't work … i currently have it working on multiple sites.
-
It seems it only works on whichever of the two WANs the 'default' gateway at the time as shows under diagnostic>routes
What can i do about this to be able to connect to either?
-
tried something random,
got non-default WAN2 working by switching OpenVPN to tcp mode,
am i really the only one to ever come across this?
tcp isn't ideal, is there a workaround to be able to use udp?@themisa:
It seems it only works on whichever of the two WANs the 'default' gateway at the time as shows under diagnostic>routes
What can i do about this to be able to connect to either?
-
Since you mention a different behavior between TCP and UDP, have you by any chance enabled NAT reflection for port forwards ? (under System -> Advanced -> Firewall & NAT)
-
No, it's disabled (default)
ok. this http://forum.pfsense.org/index.php/topic,8297.msg46717.html seems identical,
i tried this as per their suggestion, didn't help.
pf wiki http://doc.pfsense.org/index.php/Multi-WAN_OpenVPN
mentions 'udp caveats' at the top, and it suggests running 2 vpn server which i triedto recap:
single openvpn server with 'any' for interface and 'tcp' allows me to connect from either WAN,
'udp' only works on 'default gateway' which is the problem -
Well, then perhaps heper could share the way he configured it.
-
Hi all,
I used the links from themisa to help configure multi-wan OpenVPN for a non pf-sense router, but what was missing is that in addition to adding a 'local $IP' line to the duplicated config, you need to change the subnet for for VPN connections, having the DHCP address pools separated, but on the same subnet was not sufficient.
Hope that helps.
-
@themisa:
No, it's disabled (default)
ok. this http://forum.pfsense.org/index.php/topic,8297.msg46717.html seems identical,
i tried this as per their suggestion, didn't help.pf wiki http://doc.pfsense.org/index.php/Multi-WAN_OpenVPN
mentions 'udp caveats' at the top, and it suggests running 2 vpn server which i triedto recap:
single openvpn server with 'any' for interface and 'tcp' allows me to connect from either WAN,
'udp' only works on 'default gateway' which is the problemadd to advanced options of openvpn client:
local 127.0.0.1;lport 0
Set "Interface" to any real interface, but NOT "any" (otherwise OpenVPN will not start).
In Gateway groups add group what suits your need (WAN as Tier 1, Second WAN as Tier 2 in your case);
in Rules add floating rule with following settings:
Quick: Enabled
Interface: select both WAN interfaces
direction: out
Proto: TCP/UDP or plain TCP
Source: Any
Destination: IP of OpenVPN server to whom you connecting
Dest port range: add your ports
Gateway: Choose previously created Gateway group.Should work (although without failback)
-
I have same issue.
On my OVPN server, i can have either of the vpn connections up if the other one is down. The log produces this:Oct 5 14:42:24 php: /status_interfaces.php: Starting 3gstats.php on device '' for interface 'wan'
Oct 5 14:42:29 check_reload_status: Reloading filter
Oct 5 14:42:32 php: : Gateways status could not be determined, considering all as up/active.
Oct 5 14:42:34 php: : Resyncing OpenVPN instances for interface WAN.
Oct 5 14:42:34 kernel: ovpns1: link state changed to UP
Oct 5 14:42:34 kernel: ifa_add_loopback_route: insertion failed
Oct 5 14:42:34 kernel: ovpns1: link state changed to DOWNIf ovpns1 is up then the log changes to ovpns2: if_add_loopaback_route: insertion failed etc.