OpenVPN Dual WAN - partially working



  • Hi folks,

    I have a pfsense 2.2.4 setup with OpenVPN and dual WAN.

    Until now, the OpenVPN (was just using one WAN connection) was working just fine.
    However, I need to set it up so that it will work over the second WAN as well, in case the first one fails.
    I have load balancing and failover set up for the WAN1 and WAN2 connections.

    I followed this how-to to set up dual WAN VPN: https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN

    WAN 1 is the default gateway.
    I use TUN and User + TLS Authentication.
    Both WANs have a static IP.

    This is what is happening:
    When I connect using the OpenVPN client, it will try WAN1 and connect no problem (the config has remote WAN1-IP PORT as the first entry on the client).
    When I switch the remote statements in the config, so that it will try WAN2 first, it will sit there, then give me a

    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed
    SIGUSR1[soft,tls-error] received, process restarting

    and then jump to the second remote entry (WAN1) and connect fine.

    If I go to System/Routing and set WAN2 as the default gateway, it works exactly the opposite as I described above.

    I am a gold member and have access to the OpenVPN Hangout. There they talk about "reply-to", basically OpenVPN will reply back over the same route that it received the packet, but this does not seem to work for me.

    OpenVPN only works on the default gateway. How can I change that?

    What am I missing here?

    Cheers,

    Eddi


  • Rebel Alliance Developer Netgate

    Sounds like either your WAN interface(s) are missing gateways (e.g. Interfaces > WAN2 has no gateway chosen on that page) or you bound the server to "any" interface and not Localhost as the wiki doc suggested, or maybe the WAN/WAN2 firewall or NAT rules are not quite right (e.g. do NOT use "pass" for the rule type on port forward, use an associated firewall rule).

    We'll need to see a lot more info about the server config, rules, interfaces, etc, to say anything definite.



  • @jimp:

    … the WAN/WAN2 firewall or NAT rules are not quite right (e.g. do NOT use "pass" for the rule type on port forward, use an associated firewall rule

    Well, this has done it. Now it works.

    I changed each of the port forwards to "Associated Firewall Rule" and it started working.

    Thanks!


  • Rebel Alliance Developer Netgate

    The reason that works is that "pass" type NAT rules do not support pf's "reply-to" mechanism which ensures inbound traffic returns to the gateway it came from. Using an associated firewall rule, the rule gets "reply-to" and works as expected.

    That isn't mentioned on the wiki since the wiki assumes any options not mentioned specifically are left at the default values. :-)
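    To make the difference concrete, here is what the two port-forward variants look like in pf.conf form. This is an added illustration, not a ruleset from the thread or from the pfSense project; the interface names (em1 for WAN2), addresses (203.0.113.10 as the WAN2 IP, 203.0.113.1 as its gateway) and the rule label are constructed placeholders, and the OpenVPN server is assumed to be bound to localhost on UDP 1194 as the Multi-WAN_OpenVPN doc describes.

    ```pf
    # Added illustration (not from the thread). Interface, addresses and
    # label are constructed placeholders. Assumes the OpenVPN server listens
    # on 127.0.0.1:1194 and each WAN has a port forward to it.

    # Port forward with NAT rule type "pass": rdr and pass happen in one
    # step, so the packet never reaches a filter rule and no reply-to is
    # attached. Replies to a client that arrived on WAN2 leave via the
    # default gateway (WAN1), and the client's TLS handshake times out.
    rdr pass on em1 inet proto udp from any to 203.0.113.10 port 1194 -> 127.0.0.1 port 1194

    # Port forward with an associated firewall rule: rdr only redirects,
    # and the separate pass rule carries reply-to with WAN2's gateway, so
    # state created by this rule sends replies back out em1 via 203.0.113.1
    # regardless of which WAN holds the default route.
    rdr on em1 inet proto udp from any to 203.0.113.10 port 1194 -> 127.0.0.1 port 1194
    pass in quick on em1 reply-to ( em1 203.0.113.1 ) inet proto udp from any to 127.0.0.1 port 1194 keep state label "USER_RULE: NAT OpenVPN WAN2"
    ```

    A quick way to confirm which variant a firewall is actually running is to look at the generated ruleset in /tmp/rules.debug (or `pfctl -sr | grep reply-to` from Diagnostics > Command Prompt): the port-forward rule for the non-default WAN should show a reply-to clause naming that WAN's gateway, which also requires the interface to have a gateway selected, as noted earlier in the thread.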



  • @jimp:

    That isn't mentioned on the wiki since the wiki assumes any options not mentioned specifically are left at the default values. :-)

    What confused me is that I had not touched that setting when setting up the port forward. And it did not work.
    After the rule was created, I had to go back into the port forward settings and change it by hand and voilà, it worked.

    I had to do this on 2 separate and independent machines.

    Oh well, working now …



  • Hi guys, I have a similar issue to this but with a dual WAN on the client side.

    The client only works with the default gateway (WAN or WAN2), but if I do a test with just WAN2, the connection does not work. If I do an OpenVPN resync or just click the submit button on the OpenVPN config, the connection works in a couple of seconds. Fast!

    Can you please provide some help?

