Netgate Discussion Forum

[SOLVED] OpenVPN + Cluster of PfSense

    DessaiImrane, May 16, 2013, 11:39 AM (last edited May 17, 2013, 5:36 AM)

    Hi,

    I followed this procedure to connect multiple sites together :

    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    It works.

    But there's still a problem. On each site, I have a cluster of pfSense.

    So when I send a ping through the tunnel, it works for 60 sec, then it does not work for 60 sec, and so on.

    Here is an interesting message log :

    May 16 15:38:39 	openvpn[63442]: SIGUSR1[soft,ping-restart] received, process restarting
    May 16 15:38:39 	openvpn[63442]: [DC4-FW-F] Inactivity timeout (--ping-restart), restarting

    After some research, it means that TWO clients connect to the server with the same commonName.

    Bingo: every member of my cluster connects to the server, each in turn.
    But I do not want this behavior.
    Only the master pfSense should connect to the server.

    I tried the conf "keepalive n m" but it does not work.

    I do not know how to tell the cluster to initiate the VPN connection from the master only.

    Do you have a solution please?

    Thank you in advance for your comments / suggestions / answers.

      phil.davis, May 16, 2013, 1:21 PM

      Can you tell us which pfSense version you are using?
      I have a feeling that this issue has been talked about before and perhaps resolved in 2.1-BETA (and in 2.0.? maybe). Someone who remembers better than me, or who can find old posts might help out.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        DessaiImrane, May 16, 2013, 1:24 PM

        Ah! I forgot this info: we are using 2.0.2 and are planning to upgrade to 2.0.3.

        We are in a production environment, so we can't use a Beta.

          cmb, May 16, 2013, 1:56 PM

          Make sure the client and server are bound to CARP IPs, and that you're running 2.0.3.

            keysers0ze, May 16, 2013, 3:33 PM

            • If you use a peer-to-peer connection, it means 2 routers connected via VPN (not 1 server and 3 clients).

            • Make one peer-to-peer connection on every router (you have multiple peer-to-peer instances on the server router = use different ports).

            • Use OSPF to supply routing information between routers.

            • OSPF also makes loop protection possible.

            • If you use "Remote access TLS / SSL", it means one server + multiple clients (it is suitable for multiple client PCs connecting via VPN = not routers).

            • If you use the same certificate on every client, select "Duplicate Connections" in the OpenVPN server settings. I suggest using a different certificate for every user… it's easier to disable if needed (use the pfSense user manager to make users / certs)...

            br.
            .k

              DessaiImrane, May 17, 2013, 4:44 AM

              @cmb: Make sure the client and server are bound to CARP IPs, and that you're running 2.0.3.

              I'll try to check what IPs are used and try to upgrade and test again

              @keysers0ze:

              • If you use a peer-to-peer connection, it means 2 routers connected via VPN (not 1 server and 3 clients).

              • Make one peer-to-peer connection on every router (you have multiple peer-to-peer instances on the server router = use different ports).

              • Use OSPF to supply routing information between routers.

              • OSPF also makes loop protection possible.

              • If you use "Remote access TLS / SSL", it means one server + multiple clients (it is suitable for multiple client PCs connecting via VPN = not routers).

              • If you use the same certificate on every client, select "Duplicate Connections" in the OpenVPN server settings. I suggest using a different certificate for every user… it's easier to disable if needed (use the pfSense user manager to make users / certs)...

              I think there is a misunderstanding here.
              I use "Remote access TLS / SSL" but between routers (actually pfSense).
              It is what I need (see the link given in the first post).
              Indeed, I need a hub-and-spoke architecture (star).
              About using different certificates, as I said just before, I can't. On a cluster, the same certificate must be used for both pfSenses.

              By the way, thanks for the reply.

                DessaiImrane, May 17, 2013, 5:36 AM

                It's solved, thanks to cmb.

                On my client side, the tunnel was bound to the WAN interface instead of the CARP address.

                I did not upgrade.

                Thanks everyone.

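Added example, not part of this thread and not pfSense or OpenVPN code: a small Python script that scans OpenVPN log lines of the kind quoted in the first post and flags any common name whose "Inactivity timeout (--ping-restart)" events recur at a steady interval. That fixed-cadence restart pattern (here 60 s) is what an operator sees when two cluster members present the same certificate and keep displacing each other's session, which is what binding the client to the CARP VIP instead of the WAN interface resolved above. The sample log text, the year (syslog lines carry none) and the second common name are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the two lines quoted in the first post.
# The earlier timestamps, the year, and the CN "DC2-FW-A" are assumed.
SAMPLE_LOG = """\
May 16 15:36:39 \topenvpn[63442]: SIGUSR1[soft,ping-restart] received, process restarting
May 16 15:36:39 \topenvpn[63442]: [DC4-FW-F] Inactivity timeout (--ping-restart), restarting
May 16 15:37:10 \topenvpn[63442]: [DC2-FW-A] Inactivity timeout (--ping-restart), restarting
May 16 15:37:39 \topenvpn[63442]: SIGUSR1[soft,ping-restart] received, process restarting
May 16 15:37:39 \topenvpn[63442]: [DC4-FW-F] Inactivity timeout (--ping-restart), restarting
May 16 15:38:39 \topenvpn[63442]: SIGUSR1[soft,ping-restart] received, process restarting
May 16 15:38:39 \topenvpn[63442]: [DC4-FW-F] Inactivity timeout (--ping-restart), restarting
"""

# syslog-style prefix: "Mon DD HH:MM:SS <tab>openvpn[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"openvpn\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# the per-peer restart message, with the common name in square brackets
RESTART_RE = re.compile(
    r"^\[(?P<cn>[^\]]+)\] Inactivity timeout \(--ping-restart\), restarting$"
)


def parse_ping_restarts(log_text, year=2013):
    """Return a list of (timestamp, common_name) for every ping-restart event."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        r = RESTART_RE.match(m.group("msg").strip())
        if not r:
            continue
        # syslog timestamps have no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, r.group("cn")))
    return events


def flap_report(events, min_events=3, tolerance_s=5):
    """Group restarts by CN and flag CNs that restart at a near-constant interval.

    A CN restarting every N seconds, where N matches the ping-restart timeout,
    is the signature of two peers sharing one certificate and taking turns.
    """
    by_cn = {}
    for ts, cn in events:
        by_cn.setdefault(cn, []).append(ts)

    report = {}
    for cn, stamps in by_cn.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = bool(
            len(stamps) >= min_events
            and gaps
            and max(gaps) - min(gaps) <= tolerance_s
        )
        report[cn] = {
            "count": len(stamps),
            "interval_s": round(sum(gaps) / len(gaps)) if gaps else None,
            "periodic": periodic,
        }
    return report


if __name__ == "__main__":
    for cn, info in flap_report(parse_ping_restarts(SAMPLE_LOG)).items():
        flag = "PERIODIC - check for a duplicate CN" if info["periodic"] else "ok"
        print(f"{cn}: {info['count']} restarts, interval {info['interval_s']} s, {flag}")
```

Run it against a real OpenVPN log from the server side (on pfSense, Status > System Logs > OpenVPN) after fixing the interface binding: a CN that was previously flagged as periodic should drop to at most one restart after the change.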