Netgate Discussion Forum

    Open VPN binding to a VIP - cannot start Daemon

      Deadringers

      Hi all,

      So I have my Virtual IP address range set up and it's working 100% fine for in/outbound NAT etc.

      However, I have tried to move the OpenVPN server onto one of the VIPs.

      And now I am getting the following error:

      Any ideas what might be wrong?

      I think I have it set up correctly, but if there is a guide to getting it working on a VIP it would be good.

        dotdash

        Are you using a CARP VIP?

          Deadringers

          @dotdash:

          Are you using a CARP VIP?

          No I'm not… Just IP Alias.

          Thought you could bind services to an ip alias.

            dotdash

            Haven't tried to bind to an alias IP, but I've been binding OpenVPN and IPSec to CARP IPs for years without problems.

              Deadringers

              @dotdash:

              Haven't tried to bind to an alias IP, but I've been binding OpenVPN and IPSec to CARP IPs for years without problems.

              Thanks for that :)

              I'll give it a try.

              Can you just give me a quick rundown of your setup?

              E.g. what settings you have for opt1 and what interfaces have you bound together?

                dotdash

                I'm binding to a CARP VIP so I can float the instance to a secondary firewall if the primary fails. The only unusual things are the interface selection points to the CARP IP instead of the interface IP and the sync OpenVPN option is checked in the CARP settings. The clients seem to reconnect gracefully when the primary gets rebooted.

                  Deadringers

                  Hmm, I don't understand what I am doing wrong…

                  I assigned the server to the WAN interface, and as soon as I do that the OPT1 interface drops offline, which gives me the following errors in my logs:

                  Oct 16 16:27:41 openvpn[53413]: Exiting due to fatal error
                  Oct 16 16:27:41 openvpn[53413]: TCP/UDP: Socket bind failed on local address [AF_INET]217...*:1195: Can't assign requested address
                  Oct 16 16:27:41 openvpn[53413]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
                  Oct 16 16:27:41 openvpn[53413]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                  Oct 16 16:27:41 openvpn[53413]: OpenVPN 2.3.2 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jul 24 2013

                  IP address has been edited.

                    dotdash

                    Confused as to what the OPT interface has to do with anything. My setup is one provider on WAN, second provider on OPT. The VIP in question is set up as a CARP on the WAN interface.
                    WAN if 4.6.8.3/25
                    [Secondary fw WAN 4.6.8.4/25]
                    CARP VIP (WAN) 4.6.8.2/25

                    The CARP is used as the outbound NAT IP and has OpenVPN and IPSec bound to it.

                      Deadringers

                      Okay, I really have no idea what I've done wrong here…

                      So I have my OpenVPN set up on a VIP (IP Alias).
                      But if I do this the VPN service cannot start, as I put in my screenshot above.

                      So I tried to make the VIP into a CARP interface, but then when I select this interface from the list in the OpenVPN server options it states:

                      An IPv4 protocol was selected, but the selected interface has no IPv4 address.

                      But the CARP interface has an ipv4 address!

                      Where am I going wrong?

                        dotdash

                        A CARP VIP must be within the subnet of the actual WAN interface. Perhaps your ISP is providing a second subnet routed to the WAN. In this case, you would need to add an alias VIP in the secondary subnet, then add a CARP VIP (also on the secondary subnet).

                          Deadringers

                          @dotdash:

                          A CARP VIP must be within the subnet of the actual WAN interface. Perhaps your ISP is providing a second subnet routed to the WAN. In this case, you would need to add an alias VIP in the secondary subnet, then add a CARP VIP (also on the secondary subnet).

                          That's exactly what I did and I received those errors?

                          And you are right.

                          My WAN interface is a random dynamic IP and BT "routes" my static IP range to me.

                          So I had my 5 IPs set up as IP Alias.
                          I then changed the one I wanted to bind to OpenVPN to a CARP interface.

                          Tried to assign this within the OpenVPN server page.

                          Then get the error "An IPv4 protocol was selected, but the selected interface has no IPv4 address."

                          But what I don't understand is why my OpenVPN server can't bind to the IP Alias?

                          It gives me this error:
                          "TCP/UDP: Socket bind failed on local address [AF_INET]..*.130:1194: Can't assign requested address"

                          That address is not in use for anything except the OpenVPN server!

                            dotdash

                            Not sure what your issue is. Perhaps it's something to do with the dynamic IP on the interface; I haven't dealt with that setup.
                            For reference, my closest config is something like-
                            WAN 7.8.9.10/30 gateway 7.8.9.9
                            Alias IP (WAN) 8.9.10.193/28
                            CARP IP (WAN) 8.9.10.194/28

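Added example, not part of any post in this thread and not pfSense or OpenVPN code: a small Python check of the two conditions discussed above, using the reference addresses quoted in the thread. The function names covering_subnet and bind_probe are made up for this illustration, and 192.0.2.1 (a documentation address) is assumed not to be configured on the machine running it.

```python
import errno
import ipaddress
import socket


def covering_subnet(carp_vip, interface_cidr, alias_cidrs=()):
    """Return the on-interface network that contains carp_vip, or None.

    Encodes the rule from the thread: a CARP VIP must fall inside a subnet
    already present on the interface, either the interface's own subnet or
    that of an IP Alias VIP added for a routed block.
    """
    vip = ipaddress.ip_interface(carp_vip).ip
    for cidr in (interface_cidr, *alias_cidrs):
        net = ipaddress.ip_interface(cidr).network
        if vip in net:
            return str(net)
    return None


def bind_probe(address, port=0):
    """Attempt the UDP bind a daemon makes for a fixed local address.

    Returns "OK" or the errno name; EADDRNOTAVAIL is the code behind the
    "Can't assign requested address" text in the OpenVPN log.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            sock.bind((address, port))
            return "OK"
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc.errno))


if __name__ == "__main__":
    # Reference layout quoted in the thread: routed /28 with an alias first.
    print(covering_subnet("8.9.10.194/28", "7.8.9.10/30", ["8.9.10.193/28"]))
    # Same CARP VIP without the alias: no parent subnet on the interface.
    print(covering_subnet("8.9.10.194/28", "7.8.9.10/30"))
    # Constructed case: 192.0.2.1 (TEST-NET-1) is assumed not to be
    # configured on this host, so the bind is refused.
    print(bind_probe("192.0.2.1"))
```

Running bind_probe on the firewall itself against the VIP shows whether the address is actually present on an interface at the moment the daemon starts.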
                              Deadringers

                              @dotdash:

                              Not sure what your issue is. Perhaps it's something to do with the dynamic IP on the interface; I haven't dealt with that setup.
                              For reference, my closest config is something like-
                              WAN 7.8.9.10/30 gateway 7.8.9.9
                              Alias IP (WAN) 8.9.10.193/28
                              CARP IP (WAN) 8.9.10.194/28

                              I have no idea either :(

                              Really frustrating, as it clearly states that you can bind services to the VIPs (IP Alias and CARP) but I can't!

                                Deadringers

                                Okay, my workaround for this:

                                Bind OpenVPN to the LAN interface.

                                Port forward on the .130 WAN VIP to the LAN interface on my OpenVPN port.

                                Then have the clients connect to my static IP on that port and it works.

                                Not pretty, but it works!

                                  dotdash

                                  I use a tun device for my OpenVPN server. Not sure if that changes anything.
