OpenVPN failover - both clients try running at the same time



  • Hello

    I've finished setting up a failover cluster using one alix 2d13 box and one vmware vm; both using pfSense 2.1.
    A dedicated interface is assigned on both for this purpose; about the syncing configuration, the only checkboxes not checked are "auth servers", ipsec, "load balancer" and "traffic shaper (layer7)". A Virtual CARP LAN IP has been created, used as gateway on the LAN side.
    I use one OpenVPN client config to connect to another pfSense 2.1 box OpenVPN server and the related network: peer-to-peer, shared key, aes-128-cbc (hw accelerated on the alix box).

    This works pretty well: Aliases, Rules and the rest are well synced, the backup box takes the Virtual IP if the master isn't available and gives it back when it comes back, but there's one really annoying thing: the OpenVPN client tries to run on both master and slave at the same time (after both are freshly booted or after a failover operation), giving huge ping responses first, then disconnection every 2-3 minutes.

    In the OpenVPN server log, I can see "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" errors, and in both pfSense client logs I can see they both try to connect: master gets the connection, 2-3 minutes, slave gets the connection (but not the Virtual IP, no need as the master is still there doing its other jobs), 2-3 minutes, master gets the connection, etc.

    Changing the OpenVPN server config on the remote side to allow 2 concurrent connections does not solve the problem.
    If I manually disable the OpenVPN client service on the backup box, the OpenVPN client connection works flawlessly.

    I would have expected the OpenVPN client on the master to always run and the one on the backup to run only if master isn't available (then no more when the master is back).

    Is this a bug, a feature I don't fully understand or am I missing something obvious?

    Thanks
    ChristOff


  • Rebel Alliance Developer Netgate

    On the client, make sure the OpenVPN "interface" is a CARP VIP on the WAN side.

    If it's a CARP VIP used as the interface for OpenVPN, then it does track master/backup status and only runs one.
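    The rule described above (run the client where the VIP is MASTER, stop it where it is BACKUP) is what the first post is missing when both nodes connect in turn and the server logs replay errors. The following POSIX shell snippet is an added illustration of that rule, not pfSense's own code: pfSense applies it internally when the OpenVPN interface is a CARP VIP. The interface name `vr0`, the VIP addresses and the `ifconfig` lines are constructed sample data; on a live FreeBSD/pfSense box one would feed the real `ifconfig` output of the VIP's interface instead.

```shell
# Added example (not pfSense code): decide whether an OpenVPN client should run
# on this node from the CARP state of the VIP it is bound to. The interface
# name, VIP addresses and ifconfig text below are constructed sample data.

# Extract the CARP state ("MASTER", "BACKUP" or "INIT") from ifconfig-style
# output for one interface. Reads the text on stdin, prints the state.
carp_state() {
    # FreeBSD prints a line like: "carp: MASTER vhid 1 advbase 1 advskew 0"
    awk '/carp:/ { print $2; exit }'
}

# Map a CARP state to the action the OpenVPN client supervisor should take:
# only the MASTER node keeps the client running, every other state stops it.
ovpn_action() {
    case "$1" in
        MASTER)       echo start ;;
        BACKUP|INIT)  echo stop ;;
        *)            echo unknown ;;
    esac
}

# Convenience wrapper: one block of ifconfig text -> start/stop/unknown.
decide() {
    ovpn_action "$(printf '%s\n' "$1" | carp_state)"
}

# Constructed ifconfig output for the node currently MASTER for vhid 1
SAMPLE_MASTER='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0'

# Constructed ifconfig output for the peer node, BACKUP for the same vhid
SAMPLE_BACKUP='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100'

# Stand-alone run: show the decision each node would take.
echo "master node: $(decide "$SAMPLE_MASTER")"   # start
echo "backup node: $(decide "$SAMPLE_BACKUP")"   # stop
```

    When the two nodes share one static key and both run the client, the server sees packets from two senders with overlapping packet IDs, which is exactly the "bad packet ID (may be a replay)" line quoted in the first post; checking the CARP state before starting the client is what keeps that from happening.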



  • Thanks for answering, but that won't fit my configuration: both WAN IPs are /32 ones (using PPPoE).

    I tried to set IP Aliases on the WAN side of both local boxes, then a CARP VIP in the Aliases subnet, but that doesn't work; the OpenVPN client config can't be validated (ipv4 selected but interface has no address). Actually I can't use the IP Alias directly as the OpenVPN client "interface" (Socket bind failed on local address [AF_INET]192.168.200.1: Can't assign requested address).


  • Rebel Alliance Developer Netgate

    You can't do a proper CARP config with PPPoE. What you're attempting is unsupported for a reason.

    Your next best bet is to set it to listen to your LAN-side CARP VIP, and do port forwards on WAN from the WAN address in to the LAN CARP IP.



  • Hi everyone,

    Jimp, I agree with you: setting the CARP_VIP in the client, this way the backup box does not attempt to connect to the OpenVPN server at the same time as the master, but in my case I have a problem with that; hope someone can help me.

    I have 2 WANs in site 'A' and two WANs in site 'B'. I set the OpenVPN server to listen on the 'any' interface (in firewall rules I set pass only on the WAN interfaces); that works fine with CARP, no problem.

    In the client I set 'server host or address' to 'server-WAN-1' and in the 'Advanced' I add 'remote server-WAN-2 ovpn-port'; this way if the WAN-1 link fails on the server, the OpenVPN client auto-connects to the WAN-2 IP of the server. That works fine without CARP. When I activate CARP I need to change the 'interface' to a CARP_VIP, but doing that I lose the WAN failover on the client; for example, if the "Client WAN-1 link" fails, the client does not attempt to connect using "Client WAN-2 link" because the CARP_VIP of WAN-1 is configured in the OpenVPN Client.

    Is there another way to do this? 2 sites, 2 WANs in each site, with 2 pfSense boxes in each site, sites connected with VPN full redundancy (redundancy of the links on site A/B and redundancy of pfSense in site A/B)?

    Today I set the "pfSense OpenVPN client site MASTER" to not sync the OpenVPN config, and in the backup box of the client site I set the CARP_VIP, but in this case if I lose the master box I lose the WAN redundancy.

    Thanks in advance.


  • Rebel Alliance Developer Netgate

    Please start a new thread as that is a completely different issue.

