OpenVPN vs. Multi-Wan



  • I have a pfSense box with 2 bge NICs (LAN and WAN) and a USB 3G Modem as backup (OPT1/ppp1). WAN and OPT1 are configured in a failover gateway group.

    I'd like to have OpenVPN listen on both WAN (bge0) and the 3G Modem (OPT1/PPP1), but I'm running into a problem:

    If I set OpenVPN's interface to 'any', I get "An IPv4 protocol was selected, but the selected interface has no IPv4 address."

    I'm not sure what interface it's referring to, since all the physical interfaces have IP configs of one sort or another (PPP, DHCP, static). Maybe the gateway group?

    If I try to create another OpenVPN server on the same box, it tells me the port is already in use. This would make sense if OpenVPN was listening on OPT1 anyway, but it's not. There is a firewall rule for 1194/udp on the 3G interface, and if I tcpdump ppp1 and use nc to send traffic on 1194/udp, I see the packets in the tcpdump.

    What am I missing here?



  • @zandr:

    If I set OpenVPN's interface to 'any', I get "An IPv4 protocol was selected, but the selected interface has no IPv4 address."

    What am I missing here?

    PPP interfaces don't have a "permanent IP" address; they don't have an IP address if PPP is not "up".



  • Try binding OpenVPN daemon to a local interface and port-forwarding the others (WAN, OPTx etc)



  • @wallabybob:

    @zandr:

    If I set OpenVPN's interface to 'any', I get "An IPv4 protocol was selected, but the selected interface has no IPv4 address."

    What am I missing here?

    PPP interfaces don't have a "permanent IP" address; they don't have an IP address if PPP is not "up".

    Same could be said of DHCP, thus my confusion. I'll try dhatz's suggestion of binding to LAN and port forwarding.





  • @dhatz:

    http://doc.pfsense.org/index.php/Multi-WAN_OpenVPN

    Oh, the 'local' config might address the issue, now that I look at it.

    I'm remote from the pfSense box, so I don't really want to saw off the limb I'm sitting on. I'll try this from home tonight.



  • @zandr:

    @dhatz:

    http://doc.pfsense.org/index.php/Multi-WAN_OpenVPN

    Oh, the 'local' config might address the issue, now that I look at it.

    This howto (adding the local config) doesn't actually work, it still complains about the port being in use.

    I'm running with the second interface on 1195/udp for the moment, I'll try the port forward when I have a little more time.


  • Rebel Alliance Developer Netgate

    That doc is old. Really old. The "local" suggestion was for 1.2.x only.

    Best way to do what you're after is just to bind to the LAN interface and port forward from each WAN there.

    Though selecting "any" can work in certain circumstances, that was broken in the GUI. Should be fixed after my last commit. Seems the IPv4/IPv6 detection code mussed that up a bit.

    https://github.com/bsdperimeter/pfsense/commit/489f484cbda027e0bb677218ff2167ecf125f70e

    One of these days I should also add "localhost" as an interface option too…



  • @jimp:

    Best way to do what you're after is just to bind to the LAN interface and port forward from each WAN there.

    Can you think of any reason why this method would work for TCP but not for UDP? (as reported in e.g. http://forum.pfsense.org/index.php/topic,51789.0/all.html)


  • Rebel Alliance Developer Netgate

    Binding to "any" may not work because of the system's routing table - UDP would flow back via the IP on the default gateway WAN always, TCP would go back the way the connection was initiated.

    Binding to LAN and using port forwards should work for TCP or UDP, as long as the NAT rules and firewall rules refer to the proper protocol. (Or unless one of the multiple ISPs filters the inbound traffic…)
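    The setup jimp recommends, written out as an OpenVPN server fragment plus the pf rules it relies on. This is an added example, not the page's own text or pfSense's generated ruleset: bge0 and ppp1 are the interfaces from the question, while the LAN address 192.168.1.1, the macro names and the WAN gateway 203.0.113.1 are assumptions. pfSense produces rules of this shape when a port forward with an associated firewall rule is added on each WAN; the point is what those rules must contain for UDP to return the right way.

    ```conf
    # --- OpenVPN server fragment: one daemon, bound to the LAN address only ---
    # Each WAN reaches this socket through a NAT redirect, so no second server
    # (and no second listener on 1194) is needed.
    local 192.168.1.1        # assumed LAN address
    port 1194
    proto udp
    dev tun

    # --- pf rules (illustrative; the GUI port forwards generate the real ones) ---
    wan_if  = "bge0"          # primary WAN from the question
    wan3g   = "ppp1"          # 3G backup (OPT1): point-to-point, dynamic address
    wan_gw  = "203.0.113.1"   # assumed next hop on the primary WAN
    ovpn_ip = "192.168.1.1"   # LAN address the daemon binds to

    # Redirect 1194/udp arriving on either WAN to the LAN-bound listener.
    # Interface names in parentheses re-resolve the address when DHCP/PPP changes it.
    rdr on $wan_if inet proto udp from any to ($wan_if) port 1194 -> $ovpn_ip port 1194
    rdr on $wan3g  inet proto udp from any to ($wan3g)  port 1194 -> $ovpn_ip port 1194

    # Pass the redirected traffic and pin replies to the WAN they came in on.
    # Without reply-to, UDP answers follow the default route (the other WAN),
    # which is the asymmetry described above; TCP hides it because its state
    # already carries the return path. On a point-to-point interface the next
    # hop can be left to the interface itself.
    pass in quick on $wan_if reply-to ($wan_if $wan_gw) inet proto udp from any to $ovpn_ip port 1194 keep state
    pass in quick on $wan3g  reply-to ($wan3g) inet proto udp from any to $ovpn_ip port 1194 keep state
    ```

    The rdr and pass rules must both name `udp`; a forward entered for TCP only is the usual reason the UDP server appears unreachable on the second WAN.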



  • @jimp:

    Best way to do what you're after is just to bind to the LAN interface and port forward from each WAN there.

    OK, I'm a few hours from leaving town again, but I'll set this up on my return. Thanks for the help.



  • @jimp:

    Best way to do what you're after is just to bind to the LAN interface and port forward from each WAN there.

    Hi, just to let you know.

    I have this scenario running on a UDP port, and this works perfectly!!!

    :)

