OpenVPN on Failover GW and master/slave config fails



    • I have two pfSense servers in master/slave configuration.
    • I have two WAN interfaces.
    • I need to have failover for OpenVPN

    When I create an OpenVPN client instance and set the interface to a WAN CARP IP on either of the WAN interfaces it works fine. When the master goes down the slave takes over. What's missing with this is when the primary WAN goes down the OpenVPN does not switch to the second WAN interface.

    When I set the OpenVPN interface to a failover GW, the OpenVPN service on both servers starts. They both try to connect to the remote OpenVPN server and they both succeed in this alternately. This means there is no consistent connection from one site to the other, because when the slave OpenVPN is up there is no route on the master. This is basically the same problem as choosing a non-CARP IP.

    Setting the OpenVPN interface to any does not work either because we have gateways to separated parts of our network.

    Any ideas? Is this a bug or a feature?



  • I don't believe the code to handle OpenVPN with gateway groups is in place yet. We had a brief discussion about something similar here: http://forum.pfsense.org/index.php/topic,65105.msg353585.html#msg353585. Haven't gotten around to log it as a bug yet.

    One option is to bind your OpenVPN client to the localhost interface and have an outbound NAT rule to handle OpenVPN traffic. That way your client will failover from the main WAN link to the backup one when main link goes down.

    On the server side you just create one server each on CARP IPs on both WANs. Or you can bind the server to the localhost as well and have an inbound NAT rule <- I have not tried this yet. The client being bound to localhost I have tried and that is working fine.

    With this setup I have noticed that sometimes both primary and backup firewalls in the cluster wind up establishing a VPN to the server FW. That happens when the primary WAN connection on the primary firewall flaps for some reason. I have not seen any loss of connectivity with that though.



  • Using gateway groups in OpenVPN client is working now.



  • @ssheikh:

    Using gateway groups in OpenVPN client is working now.

    Since when/what? What has changed?



  • Not sure what changed. I just happened to test it last night and found it to be working on the client side.



  • @ssheikh:

    Not sure what changed. I just happened to test it last night and found it to be working on the client side.

    Are you using a master/slave configuration?



  • Both my firewalls in the CARP cluster establish simultaneous OpenVPN tunnels to the other side. That is just how I have configured them.

    I am talking about gateway groups for an OpenVPN client on a single firewall which didn't seem to be working earlier in the month when I tested it.



  • Ah, ok, but that's not my challenge.

    The issue is that when using gateway groups, BOTH pfSense servers try to establish the OpenVPN connection. Only the server running as master should try to do that.



  • I think there is a difference in how we are using some of the terms here.

    To me OpenVPN servers do not initiate or make a VPN connection. They just sit there and wait for clients to connect to them. OpenVPN servers configured on a CARP IP shared between two firewalls work just fine as far as I have tested. When the primary node fails, the clients just re-establish the connection to the backup node as long as the OpenVPN server was bound to a CARP IP.

    OpenVPN clients are what initiate a VPN session. In pfSense when you setup an OpenVPN client, that client is not clustering aware. Or that is my understanding - someone please correct me if I am wrong. I do not see any code in the CARP clustering that tries to communicate between the OpenVPN Clients on the two pfSense firewalls to figure out which one should establish the connection.

    So if you have two OpenVPN firewalls, both with a mirrored client configuration - even if the client is bound to a CARP IP then both firewalls will attempt to make a connection to the server at the same time because they are essentially two clients. And though the outbound packets from both clients may make it to the server, the return packets will only get picked up by the firewall that is the master for that CARP IP that OpenVPN clients are bound to.

    Or at least so I believe how this works. Someone please correct me if I am wrong.



  • @ssheikh:

    So if you have two OpenVPN firewalls, both with a mirrored client configuration - even if the client is bound to a CARP IP then both firewalls will attempt to make a connection to the server at the same time because they are essentially two clients.

    When an OpenVPN client on pfSense is bound to a CARP IP then only the master server is running the associated service. The slave does not try to establish the connection. But binding it to a CARP IP does not help when the WAN of that CARP IP goes down. I have two WAN connections, I'd like to use them in a really redundant OpenVPN client setup.
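The two requirements raised in this thread (the client bound to localhost with outbound NAT so it follows the gateway group, and only the CARP master running the client) can be reconciled from the node's CARP state. The script below is an added example, not pfSense code or anything posted in the thread; it assumes FreeBSD-style `ifconfig` output containing a line such as `carp: MASTER vhid 1 advbase 1 advskew 0`, and the interface name, vhid and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate an OpenVPN client on the node's CARP state so only the
# MASTER node keeps the tunnel up. The client itself stays bound to localhost
# and follows the gateway group via outbound NAT, as suggested earlier in the
# thread. Assumes FreeBSD-style "ifconfig <if>" output (an assumption).

# carp_state OUTPUT VHID -> prints MASTER/BACKUP/INIT for that vhid, else UNKNOWN.
carp_state() {
    printf '%s\n' "$1" | awk -v vhid="$2" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# want_client OUTPUT VHID -> succeeds only when this node is MASTER.
# BACKUP, INIT and UNKNOWN all mean "stay down", so a node that cannot read
# its CARP state never races the real master for the tunnel.
want_client() {
    [ "$(carp_state "$1" "$2")" = "MASTER" ]
}

# reconcile OUTPUT VHID RUNNING -> prints the action: start, stop or keep.
# RUNNING is "yes" or "no", as learned from the OpenVPN service status.
reconcile() {
    if want_client "$1" "$2"; then
        [ "$3" = "yes" ] && echo keep || echo start
    else
        [ "$3" = "yes" ] && echo stop || echo keep
    fi
}

# Constructed sample ifconfig output for two nodes sharing vhid 1 on vtnet0.
MASTER_OUT='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0'
BACKUP_OUT='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100'

main() {
    # On a real node: OUT=$(ifconfig vtnet0), RUNNING from the service status.
    echo "master node: $(reconcile "$MASTER_OUT" 1 no)"   # start
    echo "backup node: $(reconcile "$BACKUP_OUT" 1 yes)"  # stop
}
main "$@"
```

Run it periodically (for example from cron) and act on the printed verdict; the CARP failover itself is unchanged, the script only stops the backup node from also dialling out.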



  • I have added two bugs #3172 and #3174 to redmine for this.

    Implement the fixes mentioned in there and see if that fixes your issue.

    I haven't quite figured out how to use git yet to submit these changes through git.



  • This should help you get started with simple GitHub online edits: http://forum.pfsense.org/index.php/topic,47676.msg251034.html#msg251034



  • Thx. That post is a big help. I am using Notepad++ as well.

