VPN auto reconnect
  • I have 2 pfSense machines which act in a failover formation (pfsync, CARP, virtual IPs etc.)

    When I connect to the OpenVPN, I suspect that the connections go to the master pfsense machine which is all good. For testing, I unplugged the master and the backup then becomes the master.

    However the VPN still thinks it is connected and I need to manually disconnect and reconnect it again which works but will be annoying if the VPN fails for all of our users.

    I connect to the VPN via a shared virtual WAN IP which is NATed to local LAN virtual IP which the OpenVPN listens on.

    Is there an option to detect a dead server and force a reconnection so that it starts to use the backup instead?

    This is my local OpenVPN config file:

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote x.x.x.x 1194 udp
    tls-remote myserver
    auth-user-pass
    pkcs12 myserver-udp-1194-myname.p12
    tls-auth myserver-udp-1194-myname-tls.key 1
    comp-lzo
    remote-random
    float

    From the default config, I added:

    remote-random
    float

    in the hope it would fix this.

    Thanks in advance.

    Graham


  • Rebel Alliance Developer Netgate

    You want to bind the VPN to the CARP VIP, not to the "WAN" interface. You should not need two remote lines or remote-random.

    For the client, try something like:

    keepalive 10 60
    ping-timer-rem

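    Putting the advice above together with the original client file, the following is an added example of what the resulting client config looks like (it is not from the original post or from Netgate). It assumes the same file names and the placeholder server address the poster used; "x.x.x.x" and "myserver" are stand-ins for the WAN CARP VIP and the server certificate name.

```conf
# OpenVPN client config for a CARP/pfsync failover pair (added example, not the poster's file).
# The single "remote" is the shared WAN CARP VIP (placeholder x.x.x.x), which is port-forwarded
# to the LAN CARP VIP the OpenVPN server binds to. Whichever node holds the VIP answers.
dev tun
persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x 1194 udp
tls-remote myserver
auth-user-pass
pkcs12 myserver-udp-1194-myname.p12
tls-auth myserver-udp-1194-myname-tls.key 1
comp-lzo
float

# Dead-peer detection: "keepalive 10 60" expands on the client to "ping 10" (send a keepalive
# every 10 s) and "ping-restart 60" (restart the connection if nothing is heard for 60 s).
# After a CARP failover the old node stops answering, the timer expires, and the client
# reconnects to the same VIP, now held by the backup node.
keepalive 10 60
# Only run the ping-restart timer once a remote address is known.
ping-timer-rem

# Removed from the original: "remote-random" only matters with several "remote" lines;
# with one CARP VIP there is a single remote, so it does nothing useful here.
```

    The 60 s restart threshold is the longest a client will sit on a dead session; lower it if a faster failover is wanted, but keep it comfortably above the ping interval so a single lost UDP datagram does not trigger a restart. Note that on OpenVPN 2.4 and later "tls-remote" has been removed in favour of "verify-x509-name", so the line would need updating on a newer client.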

  • @jimp:

    You want to bind the VPN to the CARP VIP, not to the "WAN" interface. You should not need two remote lines or remote-random.

    For the client, try something like:

    keepalive 10 60
    ping-timer-rem

    I actually bind the VPN to the CARP VIP on the LAN side and NAT through connections on the OpenLDAP port from the WAN to the LAN (I read to do it this way instead of binding to the WAN CARP VIP).

    Does this change things?


  • Rebel Alliance Developer Netgate

    As long as the port forward is on the CARP VIP, what I mentioned should be the same.



  • Those 2 settings worked perfectly thanks. (NAT was pointing to the CARP VIP :) )

