OpenVPN - works for 1 WAN, issues with DUAL WAN



  • Single WAN RoadWarrior OpenVPN works 100% using http://blog.stefcho.eu/?p=492.
    Dual WAN = no go

    goal:
    VPN client autoconnects to whichever WAN is up
    "remote mydomain.com 1194"
    "remote mydomain2.com 1194"

    1st approach

    • Select "Interface = any" under OpenVPN: Server
    • open OpenVPN port on both WANs
      result:
      works for 1 WAN; changing "remote mydomain.com 1194" to "remote mydomain2.com 1194" doesn't connect
      log:
      Jul 24 17:51:34 openvpn[37968]: 70.30.110.178:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Jul 24 17:50:34 openvpn[37968]: 70.30.110.178:1194 LZO compression initialized
      Jul 24 17:50:34 openvpn[37968]: 70.30.110.178:1194 Re-using SSL/TLS context
      Jul 24 17:50:24 openvpn[37968]: admin_remote/70.30.110.178:1194 [admin_remote] Inactivity timeout (--ping-restart), restarting

    2nd approach

    • 2 OpenVPN servers, different ports
      result:
      no go using the same "Tunnel Network" on both,
      started working when I made them different,
      I was able to connect to either for a few minutes, then it broke,
      now it only connects to one and not the other
      log:
      Jul 24 17:56:29 openvpn[59406]: TLS Error: incoming packet authentication failed from [AF_INET]70.30.110.178:1194
      Jul 24 17:56:29 openvpn[59406]: Authenticate/Decrypt packet error: packet HMAC authentication failed

    How can I get this to work?



  • run it on the LAN interface and port-forward from both WANs to LAN



  • @heper:

    run it on the LAN interface and port-forward from both WANs to LAN

    thanks for the suggestion,
    I tried it out of desperation, no go
    NAT shouldn't be in play here at all



  • UPDATE:

    I have:
    WAN1 = cable
    WAN2 = dsl

    With identical VPN server and firewall settings, I can't connect on WAN2 only.
    OpenVPN log shows "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"
    I've been able to connect on WAN2 before, but not anymore, no matter what I try.

    Why would OpenVPN work on WAN1 and not WAN2?



  • firewall rules, or if a DSL router is in between, missing port forwards, blocks at ISP level, …



  • I have the exact same issue. Did you ever figure it out?



  • no solution, gave up, waiting for 2.1 to try again

    Is the documentation outdated, or is there something inherently wrong with a single OpenVPN server listening on all interfaces?
    This suggests running 2 OpenVPN servers: http://doc.pfsense.org/index.php/Multi-WAN_OpenVPN



  • there is no reason why it wouldn't work … I currently have it working on multiple sites.



  • It seems it only works on whichever of the two WANs is the 'default' gateway at the time, as shown under Diagnostics > Routes.

    What can I do about this to be able to connect to either?



  • tried something random,

    got non-default WAN2 working by switching OpenVPN to TCP mode,
    am I really the only one to ever come across this?
    TCP isn't ideal, is there a workaround to be able to use UDP?

    @themisa:

    It seems it only works on whichever of the two WANs is the 'default' gateway at the time, as shown under Diagnostics > Routes.

    What can I do about this to be able to connect to either?



  • Since you mention a different behavior between TCP and UDP, have you by any chance enabled NAT reflection for port forwards? (under System -> Advanced -> Firewall & NAT)



  • No, it's disabled (default)

    ok. this http://forum.pfsense.org/index.php/topic,8297.msg46717.html seems identical,
    I tried this as per their suggestion, didn't help.

    pf wiki http://doc.pfsense.org/index.php/Multi-WAN_OpenVPN
    mentions 'udp caveats' at the top, and it suggests running 2 VPN servers, which I tried

    to recap:
    single OpenVPN server with 'any' for interface and 'tcp' allows me to connect from either WAN,
    'udp' only works on the 'default gateway', which is the problem



  • Well, then perhaps heper could share the way he configured it.



  • Hi all,

    I used the links from themisa to help configure multi-WAN OpenVPN for a non-pfSense router, but what was missing is that in addition to adding a 'local $IP' line to the duplicated config, you need to change the subnet for VPN connections; having the DHCP address pools separated but on the same subnet was not sufficient.

    Hope that helps.
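    Putting together the two-server approach from the opening post and the point above about the tunnel subnets, this is what the pair of server configs and the matching client config look like in plain OpenVPN syntax (on pfSense the 'local' and 'server' lines correspond to the Interface and Tunnel Network fields). It is an added illustration, not a configuration posted in this thread; the WAN addresses 203.0.113.10 and 198.51.100.20, the tunnel networks 10.8.1.0/24 and 10.8.2.0/24, and the key and certificate paths are placeholders.

```conf
# server-wan1.conf : instance bound to the WAN1 (cable) address only
# Added example; 203.0.113.10 is a placeholder for the real WAN1 IP.
local 203.0.113.10              # answer from this address, not from whichever one the default route picks
port 1194
proto udp
dev tun
server 10.8.1.0 255.255.255.0   # tunnel network for instance 1
ca /etc/openvpn/ca.crt          # assumed paths; the client reaches either instance, so both share CA and static key
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
keepalive 10 60

# server-wan2.conf : instance bound to the WAN2 (DSL) address only
# 198.51.100.20 is a placeholder for the real WAN2 IP.
local 198.51.100.20
port 1194                       # same port is fine because the bind address differs
proto udp
dev tun
server 10.8.2.0 255.255.255.0   # different tunnel network; separate pools on one subnet were not enough
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
keepalive 10 60

# client.ovpn : lists both WAN hostnames and moves on when one does not answer
client
dev tun
proto udp
remote mydomain.com 1194        # WAN1 hostname from the opening post
remote mydomain2.com 1194       # WAN2 hostname from the opening post
server-poll-timeout 10          # give an unresponsive remote 10 s, then try the next one
connect-retry 5
resolv-retry infinite
nobind
remote-cert-tls server
ca ca.crt                       # assumed client-side paths
cert client.crt
key client.key
tls-auth ta.key 1
```

    The three blocks are three separate files; OpenVPN tries the 'remote' lines in order, so with WAN1 down the client waits out the poll timeout once and then lands on the WAN2 instance.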



  • @themisa:

    No, it's disabled (default)

    ok. this http://forum.pfsense.org/index.php/topic,8297.msg46717.html seems identical,
    I tried this as per their suggestion, didn't help.

    pf wiki http://doc.pfsense.org/index.php/Multi-WAN_OpenVPN
    mentions 'udp caveats' at the top, and it suggests running 2 VPN servers, which I tried

    to recap:
    single OpenVPN server with 'any' for interface and 'tcp' allows me to connect from either WAN,
    'udp' only works on the 'default gateway', which is the problem

    add to advanced options of the OpenVPN client:
    local 127.0.0.1;lport 0
    Set "Interface" to any real interface, but NOT "any" (otherwise OpenVPN will not start).
    In Gateway groups add a group that suits your needs (WAN as Tier 1, second WAN as Tier 2 in your case);
    in Rules add a floating rule with the following settings:
    Quick: Enabled
    Interface: select both WAN interfaces
    Direction: out
    Proto: TCP/UDP or plain TCP
    Source: Any
    Destination: IP of the OpenVPN server to which you are connecting
    Dest port range: add your ports
    Gateway: choose the previously created Gateway group.

    Should work (although without failback)



  • I have the same issue.
    On my OVPN server, I can have either of the VPN connections up if the other one is down. The log produces this:

    Oct 5 14:42:24 php: /status_interfaces.php: Starting 3gstats.php on device '' for interface 'wan'
    Oct 5 14:42:29 check_reload_status: Reloading filter
    Oct 5 14:42:32 php: : Gateways status could not be determined, considering all as up/active.
    Oct 5 14:42:34 php: : Resyncing OpenVPN instances for interface WAN.
    Oct 5 14:42:34 kernel: ovpns1: link state changed to UP
    Oct 5 14:42:34 kernel: ifa_add_loopback_route: insertion failed
    Oct 5 14:42:34 kernel: ovpns1: link state changed to DOWN

    If ovpns1 is up then the log changes to "ovpns2: ifa_add_loopback_route: insertion failed" etc.

