Netgate Discussion Forum

    OpenVPN Dual WAN - partially working

    6 Posts 3 Posters 1.3k Views
      eddi1984

      Hi folks,

      I have a pfsense 2.2.4 setup with OpenVPN and dual WAN.

      Until now, the OpenVPN (was just using one WAN connection) was working just fine.
      However, I need to setup, so that it will work over the second WAN as well, in case the first one fails.
      I have Loadbalance and Failover setup for the WAN1&2 connections.

      I followed this How-to to setup dual WAN VPN: https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN

      WAN 1 is the default gateway.
      I use TUN and User + TLS Authentication.
      Both WAN's have a static IP.

      This is what is happening:
      When I connect using the OpenVPN client, it will try WAN1 and connect no problem (config has remote WAN1-IP PORT as the first entry on the client).
      When I switch the remote statements in the config so that it will try WAN2 first, it will sit there, then give me a

      TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      TLS Error: TLS handshake failed
      SIGUSR1[soft,tls-error] received, process restarting
      

      and then jump to the second remote entry (WAN1) and connect fine.

      If I go to System/Routing and set WAN2 as the default gateway, it works exactly the opposite as I described above.

      I am a gold member and have access to the OpenVPN Hangout. There they talk about "reply-to", basically OpenVPN will reply back over the same route that it received the packet, but this does not seem to work for me.

      OpenVPN only works on the default gateway. How can I change that?

      What am I missing here?

      Cheers,

      Eddi

        jimp (Rebel Alliance Developer, Netgate)

        Sounds like either your WAN interface(s) are missing gateways (e.g. Interfaces > WAN2 has no gateway chosen on that page) or you bound the server to "any" interface and not Localhost as the wiki doc suggested, or maybe the WAN/WAN2 firewall or NAT rules are not quite right (e.g. do NOT use "pass" for the rule type on port forward, use an associated firewall rule).

        We'll need to see a lot more info about the server config, rules, interfaces, etc, to say anything definite.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          eddi1984

          @jimp:

          …  the WAN/WAN2 firewall or NAT rules are not quite right (e.g. do NOT use "pass" for the rule type on port forward, use an associated firewall rule

          Well, this has done it. Now it works.

          I changed each of the port forwards to "Associated Firewall Rule" and it started working.

          Thanks!

            jimp (Rebel Alliance Developer, Netgate)

            The reason that works is that "pass" type NAT rules do not support pf's "reply-to" mechanism which ensures inbound traffic returns to the gateway it came from. Using an associated firewall rule, the rule gets "reply-to" and works as expected.

            That isn't mentioned on the wiki since the wiki assumes any options not mentioned specifically are left at the default values. :-)

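A check for the condition jimp describes, as an added example that is not from the thread or from pfSense itself: it scans pfctl -sr and pfctl -sn output for pass rules on a WAN interface toward the OpenVPN port that carry no reply-to, and for rdr rules that use the "pass" keyword (which bypass the filter rules, so reply-to is never applied). Interface names em0/em1, the addresses and port 1194 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Return traffic for a port forward on a
# non-default WAN only leaves over that WAN if the filter rule passing it has
# reply-to; an rdr rule with the "pass" keyword is passed without evaluating
# the filter rules, so no reply-to is ever attached to that traffic.
# Interface names, addresses and the port are constructed sample values.

# Constructed sample of `pfctl -sr` output. em0 is WAN1 with an associated
# firewall rule (reply-to present); em1 is WAN2 with a pass rule that lacks it.
SAMPLE_FILTER='pass in quick on em0 reply-to (em0 203.0.113.1) inet proto udp from any to 127.0.0.1 port = 1194 keep state label "USER_RULE: NAT OpenVPN WAN1"
pass in quick on em1 inet proto udp from any to 127.0.0.1 port = 1194 keep state label "USER_RULE: OpenVPN WAN2"
pass in quick on em2 inet proto tcp from any to any port = 22 keep state label "USER_RULE: LAN ssh"'

# Constructed sample of `pfctl -sn` output. The em1 rdr carries "pass", which
# is what the NAT rule type "pass" produces.
SAMPLE_NAT='rdr on em0 inet proto udp from any to 203.0.113.10 port = 1194 -> 127.0.0.1 port 1194
rdr pass on em1 inet proto udp from any to 198.51.100.10 port = 1194 -> 127.0.0.1 port 1194'

# check_replyto PORT "WAN_IFACES" FILTER_TEXT NAT_TEXT
# Prints one finding per line; prints nothing when every listed WAN is correct.
check_replyto() {
    port=$1; wans=$2; filter=$3; nat=$4
    for wan in $wans; do
        # pass rules on this WAN toward PORT that have no reply-to
        printf '%s\n' "$filter" \
            | grep "^pass in .*on $wan " | grep "port = $port" | grep -v 'reply-to' \
            | sed "s/^/no reply-to on $wan: /"
        # rdr rules on this WAN toward PORT that use "pass" (filter bypassed)
        printf '%s\n' "$nat" \
            | grep "^rdr pass on $wan " | grep "port = $port" \
            | sed "s/^/rdr pass on $wan (bypasses filter): /"
    done
    return 0
}

# On a live firewall: check_replyto 1194 "em0 em1" "$(pfctl -sr)" "$(pfctl -sn)"
check_replyto 1194 "em0 em1" "$SAMPLE_FILTER" "$SAMPLE_NAT"
```

Run it with the real WAN interface names and the server's port; an empty result means every WAN listed passes the port with reply-to and none of its port forwards uses the "pass" rule type.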
              eddi1984

              @jimp:

              That isn't mentioned on the wiki since the wiki assumes any options not mentioned specifically are left at the default values. :-)

              What confused me, is, that I have not touched that setting when setting up the port forward. And it did not work.
              After the rule was created, I had to go back into the port forward settings and change it by hand and voila, it worked.

              I had to do this on 2 separate and independent machines.

              Oh well, working now …

                acriollo

                Hi guys, I have a similar issue like this but with dual WAN on the client side.

                The client just works with the default gateway (WAN or WAN2), but if I do a test with just WAN2, the connection does not work. I do an OpenVPN resync or just click on the submit button on the OpenVPN config and the connection works in a couple of seconds. Fast!

                Can you please provide some help?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.