Netgate Discussion Forum
    Site 2 site VPN -> never check 'Synchronize OpenVPN'?

    OpenVPN
    4 Posts 2 Posters 2.3k Views
    • hcoin

      If two pfSense boxes are operating as primary/failover with pfsync, with the usual CARP virtual IPs for the LAN and WAN gateway:

      Is there any way to use the 'Synchronize OpenVPN' checkbox when the boxes are configured to do site-to-site OpenVPN?

      With that box checked, packets cross the OpenVPN tunnel (OpenVPN status shows traffic over both interfaces in both directions), but it appears never to leave the routers. Does the conflict come in the 'client specific overrides' section on a far server, owing to both pfSense boxes needing the same 'iroute <pfsense lan> <pfsense lan netmask>'?

      What's really needed is a way to sync everything, but bring up / take down the OpenVPN site-to-site client when becoming / losing the status as CARP VIP master.

      Have I missed a clean way to do this somehow?

      P.S. Also, if somehow both boxes are to be logged in as the same site-to-site client at once, each pfSense box needs to use a different user client certificate, which calls for a pfsync tweak much like the DHCP failover. There has to be a way to not have the same client certificate on both sides of the pfsync. OpenVPN doesn't like multiple log-ins with the same user certificate (it can be overcome, but it's not best practice).

      Harry

      • jimp (Rebel Alliance Developer, Netgate)

        It works just fine with synchronize enabled, using the same settings even; however, if the pfSense cluster set to sync is acting as the OpenVPN -client-, then they may both be trying to connect, thus making it fail on the other side because it thinks the two clients are both trying to connect at the same time.

        In 2.0.2 and 2.1 we've added extra code that stops OpenVPN instances from running when a cluster node is in a backup state, to prevent that situation.

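The behaviour jimp describes (an OpenVPN client instance should run only on the node that currently holds the CARP VIP as MASTER) can be illustrated with a small decision script. This is an added example, not pfSense's own code and not the 2.0.2/2.1 change being discussed: it parses FreeBSD-style `ifconfig` output for the `carp:` state of a given vhid and returns the action (start / stop / keep) for the client instance. The interface name `em0`, vhid `1`, the addresses, and the pid-file path used by the live wrapper are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not pfSense code): decide whether a site-to-site OpenVPN
# client instance should run on this cluster node, based on the CARP state
# of a VIP as shown by FreeBSD's `ifconfig`.

# Constructed sample `ifconfig em0` output for the node that holds the VIP
# (203.0.113.1, vhid 1) as MASTER. Addresses and interface are assumptions.
SAMPLE_MASTER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0'

# Constructed sample for the secondary node, BACKUP for the same vhid.
SAMPLE_BACKUP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100'

# carp_state <ifconfig-output> <vhid>
# Prints MASTER, BACKUP or INIT for the requested vhid, or UNKNOWN if the
# interface carries no carp line for that vhid.
carp_state() {
    printf '%s\n' "$1" | awk -v vhid="$2" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# ovpn_action <carp-state> <running 0|1>
# Prints the action for the OpenVPN client instance on this node:
#   start - node is MASTER and the client is not running
#   stop  - node is BACKUP/INIT and the client is running
#   keep  - nothing to change (also for an UNKNOWN state: never guess)
ovpn_action() {
    state=$1
    running=$2
    case "$state" in
        MASTER)
            if [ "$running" = 1 ]; then echo keep; else echo start; fi ;;
        BACKUP|INIT)
            if [ "$running" = 1 ]; then echo stop; else echo keep; fi ;;
        *)
            echo keep ;;
    esac
}

# sync_ovpn_client <iface> <vhid> <pidfile>
# Live wrapper: runs `ifconfig` for real and checks whether the pid in
# <pidfile> is alive, then prints the action. Starting or stopping the
# instance is deliberately left to the caller. The pid-file location is an
# assumption; use whatever your OpenVPN instance actually writes.
sync_ovpn_client() {
    iface=$1
    vhid=$2
    pidfile=$3
    state=$(carp_state "$(ifconfig "$iface" 2>/dev/null)" "$vhid")
    if [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        running=1
    else
        running=0
    fi
    ovpn_action "$state" "$running"
}

# Usage on a node (assumed values):
#   sync_ovpn_client em0 1 /var/run/openvpn_client1.pid
```

The point of the `UNKNOWN` branch is the failure mode in the thread: if the script cannot tell which node owns the VIP, it must not start a second copy of the client, since that is exactly what makes the far-end server reject the session as a duplicate.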
        • hcoin

          The enhancement to start and stop OpenVPN based on whether it is the master or backup prevents the route and server certificate conflicts, and so adds up to a fix. Is there a roadmap to guide expectations within a few months either way about release planning?

          • jimp (Rebel Alliance Developer, Netgate)

            2.0.2 should be out in the near future (had a few things hold up the release… still trying to get it out). There are test images out there for 2.0.2, linked in a thread on the forum here.

            2.1 will be out in the next few months if all goes well, realistically close to the start of the year, maybe later.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.