Site 2 site vpn –> never check 'Synchronize OpenVPN'?



  • If two pfsense boxes are operating as primary/failover with pfsync, with the usual carp virtual ip's for the lan and wan gateway:

    Is there any way to use the 'Synchronize OpenVPN' checkbox when the boxes are configured to do site-to-site openvpn?

    With that box checked, packets cross the openvpn tunnel (open vpn status shows traffic over both interfaces in both directions) but it appears never to leave the routers. Does the conflict come in the 'client specific overrides' section on a far server owing to both pfsense boxes needing the same 'iroute <pfsense lan> <pfsense lan netmask>'?

    What's really needed is a way to sync everything, but bring up / take down the openvpn site-site client when becoming / losing the status as carp VIP master.

    Have I missed a clean way to do this somehow?

    P.S. Also, if somehow both boxes are to be logged in as the same site-2-site clients at once, each pfsense box needs to use a different user client certificate, which calls for a pfsync tweak much like the dhcp failover. There has to be a way to not have the same client certificate on both sides of the pfsync. OpenVPN doesn't like multiple log-ins with the same user certificate (it can be overcome, but it's not best practice).

    Harry


  • Rebel Alliance Developer Netgate

    It works just fine with synchronize enabled, even using the same settings; however, if the pfSense cluster set to sync is acting as the OpenVPN -client-, then they may both be trying to connect, and thus it fails on the other side because it thinks the two clients are both trying to connect at the same time.

    In 2.0.2 and 2.1 we've added extra code that stops openvpn instances from running when a cluster node is in a backup state to prevent that situation.
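    The behaviour described in the two posts above (the client instance runs only on the CARP master, so a single node holds the client certificate and the iroute at any time) can be illustrated with a small CARP state hook. This is an added example, not pfSense's own code and not the fix the developer refers to; the instance name `client1`, the `OVPN_CMD` management command and the `DRY_RUN` switch are assumptions made for the illustration. On FreeBSD such a script would be called from a devd CARP event handler with the new state as its argument.

```sh
#!/bin/sh
# Added example (not pfSense code): bring an OpenVPN site-to-site client
# up when this node becomes CARP MASTER and down when it drops to BACKUP,
# so only one cluster member ever holds the client connection.

OVPN_INSTANCE="${OVPN_INSTANCE:-client1}"   # assumption: name of the client instance
OVPN_CMD="${OVPN_CMD:-service openvpn}"     # assumption: how the daemon is managed here
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the command instead of running it

# Map a CARP state (as reported by the kernel: INIT, BACKUP, MASTER) to the
# action the OpenVPN client needs. Anything else is left alone.
carp_action() {
    case "$1" in
        MASTER)      echo start ;;
        BACKUP|INIT) echo stop ;;
        *)           echo ignore ;;
    esac
}

# Apply the action for a given CARP state. Returns the command line that was
# (or would be) run, which makes the hook easy to check without a daemon.
apply_carp_state() {
    _state="$1"
    _action="$(carp_action "$_state")"
    case "$_action" in
        start|stop)
            _cmdline="$OVPN_CMD $_action $OVPN_INSTANCE"
            if [ "$DRY_RUN" = 1 ]; then
                echo "$_cmdline"
            else
                # shellcheck disable=SC2086
                $OVPN_CMD "$_action" "$OVPN_INSTANCE" && echo "$_cmdline"
            fi
            ;;
        *)
            echo "ignored CARP state: $_state"
            ;;
    esac
}

# When invoked as a script, the first argument is the CARP state.
if [ $# -gt 0 ]; then
    apply_carp_state "$1"
fi
```

With the hook wired to CARP transitions, both nodes can keep synchronized OpenVPN settings: the backup node simply never runs the client, so the remote server sees one connection for the shared certificate and one iroute.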



  • The enhancement to start and stop openvpn based on whether it is the master or backup prevents the route and server certificate conflicts and so adds up to a fix.  Is there a roadmap to guide expectations within a few months either way about release planning?


  • Rebel Alliance Developer Netgate

    2.0.2 should be out in the near future (had a few things hold up the release… still trying to get it out). There are test images out there for 2.0.2, linked in a thread on the forum here.

    2.1 will be out in the next few months if all goes well, realistically close to the start of the year, maybe later.

