OpenVPN, CARP and DNS.



  • Hey all,

    Thanks in advance for any help you can give me with this problem, it may be that I have overlooked something and you can point this out straight away.

----

I have a CARP setup with two firewalls (one called FW1, one called FW2) able to fail over to each other, passing the connections backwards and forwards just fine; all that side of it works.

I have an OpenVPN server set up on a CARP VIP on the WAN interface.

    An external OpenVPN user connects just fine and has proper communication with devices on the internal network.

pfSense version is 2.2.3 on both.
OpenVPN clients are all 2.3 and later (no legacy or deprecated clients).
Testing has been done with Windows 7 and later machines, as that is what is in general use.

    So the issues:

I don't want to give away too much information on certain IPs and aliases etc., so I'll give an example.

I want clients to be able to connect via ovpn.domain.com, which then points to the Virtual Address on the WAN interface.
Currently this is set up, and if I allow ICMP briefly I can ping ovpn.domain.com externally; it points to the Virtual Address on the WAN interface.

All good so far :) However, when publishing the OpenVPN executable using the Client Export Utility, I can only seem to get this to actually work with the "Interface IP", or "Other" and input "ovpn.domain.com". Not ideal if we have to switch at some point.

Secondly, and this is probably related: when CARP failover occurs the VPN doesn't reconnect. I have followed the advice here -> https://doc.pfsense.org/index.php/CARP_Secondary_Unreachable_Over_VPN.

    But it still doesn't appear to connect.  :'(

I'm not sure if I am misconfiguring something in the Client Export config, missed some DNS setting, or if I have missed something server side, so any advice is appreciated.



  • @^nighthawk^:

I want clients to be able to connect via ovpn.domain.com, which then points to the Virtual Address on the WAN interface.
Currently this is set up, and if I allow ICMP briefly I can ping ovpn.domain.com externally; it points to the Virtual Address on the WAN interface.

All good so far :) However, when publishing the OpenVPN executable using the Client Export Utility, I can only seem to get this to actually work with the "Interface IP", or "Other" and input "ovpn.domain.com". Not ideal if we have to switch at some point.

Not sure exactly what the problem is here. In a CARP cluster, you want to point to your shared IP, not the interface. Using the DNS name would be the best solution.

    @^nighthawk^:

Secondly, and this is probably related: when CARP failover occurs the VPN doesn't reconnect. I have followed the advice here -> https://doc.pfsense.org/index.php/CARP_Secondary_Unreachable_Over_VPN.

The linked article is about accessing the secondary cluster member from a VPN client, so I don't think it's relevant to your problem.
Make sure OpenVPN is bound to the CARP VIP, the port is open to the VIP, and your OpenVPN config is synced between cluster members. If you configure it correctly it should fail over to the backup firewall.
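As an added check (example code, not from this thread or from pfSense), a small shell helper that reads `sockstat -4l` output from a FreeBSD/pfSense node and reports whether the OpenVPN daemon is listening on the CARP VIP, as recommended above, or on the physical interface address or wildcard instead. The VIP, port and sockstat lines below are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify where openvpn is listening, from sockstat -4l output.
# All addresses and the sample output are constructed (documentation range).

# Constructed sockstat output: daemon bound to the CARP VIP (the good case).
SAMPLE_VIP='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1234  5  udp4   203.0.113.10:1194     *:*
root     sshd       400   3  tcp4   *:22                  *:*'

# Constructed sockstat output: daemon bound to the interface IP, so after a
# CARP failover clients hitting the VIP reach a node with no listener there.
SAMPLE_IFACE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1234  5  udp4   203.0.113.11:1194     *:*'

# Constructed sockstat output: daemon bound to every address (wildcard).
SAMPLE_ANY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1234  5  udp4   *:1194                *:*'

# openvpn_bind_status "<sockstat output>" "<vip>" "<port>"
# Prints one of: vip | wildcard | other | none
# On a live node: openvpn_bind_status "$(sockstat -4l)" 203.0.113.10 1194
openvpn_bind_status() {
    printf '%s\n' "$1" | awk -v vip="$2" -v port="$3" '
        $2 == "openvpn" && $5 ~ /^(udp|tcp)4$/ {
            split($6, a, ":")                 # LOCAL ADDRESS is addr:port
            if (a[1] == vip && a[2] == port) { st = "vip"; exit }
            st = (a[1] == "*") ? "wildcard" : "other"
        }
        END { print (st == "") ? "none" : st }'
}
```

A result of `other` is the misconfiguration the reply warns about; `wildcard` still answers on the VIP but is not the explicit VIP binding pfSense uses for a CARP-aware OpenVPN server.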



Thanks :) Maybe I didn't explain it as clearly as I would have liked, but I will check that the config is as you describe and then post back my findings, or what I needed to change, in the hope it helps someone else.

    Thanks again!



  • Hi,

Just wanted to report back that your advice was correct; when I checked my actual config, I had done all that. It was in fact fine.

My problem was situational, in that my connection is PPPoE, so when I send FW1 for a reboot during testing, I have to wait until PPPoE is established on FW2, the CARP VIPs are transferred to FW2, and eventually the VPN connection comes back up. The issue was that FW1 rebooted so fast that it caused a flip-flop effect whereby it takes the CARP master role back, but the PPPoE WAN connection is still up on FW2 until I reboot it.

I have now tested that this all works with a full shutdown of one node (and someone on site to power it back up :) ) and vice versa.

Interestingly, the VPNs all stay up despite FW2 now having the backup CARP role for the VPN VIP. This may be due to the fact that I connect with "Other" -> "ovpn.domain.com" in my client exports, and that resolves anywhere with an applicable DNS lookup to the CARP VPN VIP (an alias on the WAN). Seems this is nice and versatile.

If you have any suggestion for how to handle an automatic failback (although doing it manually is OK), whereby the PPPoE gets dropped from FW2 back to FW1 if it comes back up, I'd love to hear about that.

Also, I'll raise a separate topic for this if I can't get it to work, but is there an easy way of assigning a static IP to an OpenVPN client? Obviously not in the main network range, but just making sure it gets the same IP every time it connects in, without creating a ton of different servers. I've read a bit about doing this but wondered if there was a nice way through the web GUI; most other methods are detailed file edits in the underlying FreeBSD system.

    On 2.2.4 on both nodes now.

    Thanks.