OpenVPN on Failover GW and master/slave config fails
-
-
Not sure what changed. I just happened to test it last night and found it to be working on the client side.
-
> Not sure what changed. I just happened to test it last night and found it to be working on the client side.
Are you using a master/slave configuration?
-
Both my firewalls in the CARP cluster establish simultaneous OpenVPN tunnels to the other side. That is just how I have configured them.
I am talking about gateway groups for an OpenVPN client on a single firewall which didn't seem to be working earlier in the month when I tested it.
-
Ah, ok, but that's not my challenge.
The issue is that when using gateway groups, BOTH pfSense servers try to establish the OpenVPN connection. Only the server running as master should try to do that.
-
I think there is a difference in how we are using some of the terms here.
To me OpenVPN servers do not initiate or make a VPN connection. They just sit there and wait for clients to connect to them. OpenVPN servers configured on a CARP IP shared between two firewalls work just fine as far as I have tested. When the primary node fails, the clients just re-establish the connection to the backup node as long as the OpenVPN server was bound to a CARP IP.
OpenVPN clients are what initiate a VPN session. In pfSense when you set up an OpenVPN client, that client is not clustering-aware. Or that is my understanding - someone please correct me if I am wrong. I do not see any code in the CARP clustering that tries to communicate between the OpenVPN clients on the two pfSense firewalls to figure out which one should establish the connection.
So if you have two OpenVPN firewalls, both with a mirrored client configuration - even if the client is bound to a CARP IP then both firewalls will attempt to make a connection to the server at the same time because they are essentially two clients. And though the outbound packets from both clients may make it to the server, the return packets will only get picked up by the firewall that is the master for that CARP IP that OpenVPN clients are bound to.
Or at least so I believe how this works. Someone please correct me if I am wrong.
-
> So if you have two OpenVPN firewalls, both with a mirrored client configuration - even if the client is bound to a CARP IP then both firewalls will attempt to make a connection to the server at the same time because they are essentially two clients.
When an OpenVPN client on pfSense is bound to a CARP IP then only the master server is running the associated service. The slave does not try to establish the connection. But binding it to a CARP IP does not help when the WAN of that CARP IP goes down. I have two WAN connections, I'd like to use them in a really redundant OpenVPN client setup.
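The rule the thread converges on is that only the node that is CARP MASTER for the VIP the client binds to should be initiating the tunnel, and that a bound VIP alone does not cover the case where that VIP's WAN goes down. The script below is an added example (not from this thread and not pfSense code) that makes that decision explicit: it parses FreeBSD-style `ifconfig` output for the CARP state of a given VHID and combines it with a gateway status string. The `ifconfig` sample, the VHID numbers, the gateway status values (`online`/`down`) and the function names are all constructed for the example.

```sh
#!/bin/sh
# Added example: should THIS cluster node be running an OpenVPN client?
# Yes only when it is CARP MASTER for the VIP the client binds to AND the
# WAN gateway behind that VIP is up. Inputs are passed as text so the
# logic can be exercised offline with constructed samples.

# carp_state VHID IFCONFIG_TEXT -> prints MASTER, BACKUP, INIT or UNKNOWN
# Matches only "carp:" lines, and only the exact VHID (so vhid 1 does not
# match vhid 10).
carp_state() {
    vhid="$1"
    printf '%s\n' "$2" | awk -v vhid="$vhid" '
        /carp:/ && $0 ~ ("vhid " vhid "( |$)") { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# should_run_client VHID IFCONFIG_TEXT GW_STATUS
#   returns 0 if the OpenVPN client should run on this node, 1 otherwise.
#   GW_STATUS is the monitored state of the WAN gateway behind the VIP,
#   "online" or "down" (constructed values for this example).
should_run_client() {
    state=$(carp_state "$1" "$2")
    if [ "$state" = "MASTER" ] && [ "$3" = "online" ]; then
        return 0
    else
        return 1
    fi
}

# Constructed ifconfig sample: this node is MASTER for vhid 1 (WAN1 VIP)
# and BACKUP for vhid 10 (WAN2 VIP). Addresses are documentation ranges.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
	inet 203.0.113.12 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0
	inet 203.0.113.13 netmask 0xffffff00 broadcast 203.0.113.255 vhid 10
	carp: BACKUP vhid 10 advbase 1 advskew 100'

# Stand-alone demonstration: WAN1 VIP master with its gateway online
# should run the client; the same node must not run the WAN2-bound client.
should_run_client 1 "$SAMPLE_IFCONFIG" online \
    && echo "vhid 1: run OpenVPN client here" \
    || echo "vhid 1: do not run OpenVPN client here"
should_run_client 10 "$SAMPLE_IFCONFIG" online \
    && echo "vhid 10: run OpenVPN client here" \
    || echo "vhid 10: do not run OpenVPN client here"
```

On a real node the `ifconfig` text would come from `ifconfig` itself and the gateway status from whatever monitors the WAN; the point of the example is that the decision has two inputs, CARP state and gateway health, and that a client bound only to a VIP checks just the first of them.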
-
-
This should help you get started with simple GitHub online edits: http://forum.pfsense.org/index.php/topic,47676.msg251034.html#msg251034
-
Thx. That post is a big help. I am using Notepad++ as well.