OpenVPN Listen on Two Interfaces

  • Hi.

    I setup an OpenVPN server on my pfSense system (SG-2440) and all is working great except it is only listening on the WAN interface's IPv4 address. Normally this would be ok, but I have my IPv6 coming from Hurricane Electric on another interface called HE_NET. Is there a way to get my OpenVPN server instance to listen on both my WAN IPv4 address and my HE_NET IPv6 address? (I'm using UDP on the standard port 1194.)

    Can I get this to work easily?


  • Banned

    Uhm… OpenVPN has its own interface. Set up IPv6 Tunnel Network in OpenVPN and set up a firewall rule to allow access to OpenVPN port on the tunnel.

  • Hmmm - Never tried it but I would set up two instances of openvpn. 
    One for ipv4 and the other for ipv6 and experiment.

  • Banned

    Well, perhaps I misread the question. If you want to use IPv6 as transport, then yeah, set up another one if there's no IPv6 on your WAN.

  • LAYER 8 Netgate

    I've never tried it either (not having IPv6 anywhere but here). Listen on any and only pass it on the WANs you want?

  • Just to clarify a few things…
    I do have IPv6 working though the VPN. i.e. When a client connects they can access things via IPv4 and IPv6. The issue is how you initially connect to the VPN server. You have to use the IPv4 address to connect because OpenVPN is only listening on the IPv4 address. I want the server service to listen on both IPv4 and IPv6.

    Per your suggestions, I could listen on "any" interface or start another OpenVPN server on the IPv6 interface.  I also thought about adding another "lcoal" line with the IPv6 address in the config file for the server.

    I've read that using "any" is not recommended in pfSense as it breaks things and it is only there to facilitate upgrades from older systems. So, I think that's out.

    As for starting a 2nd OpenVPN service, I'm ok with that, but what bothers me is that if I give it the same tunnel IP ranges won't that cause conflicts? Do they have to be different?

    Is it possible to add a second "local" line to the config file for the server?


Log in to reply