OPENVPN with OSPF and REMOTE configured for redundancy.
-
Hi Guys,
Rather simple issue I'm having that might require a complicated solution. We have two identical OpenVPN servers configured with the client setup to connect to the first one and the REMOTE option for the second server should the first fail. Everything works and the clients easily switch between the two, but the issue is that when they switch, we can no longer connect to the clients because the OSPF routes show the previous routes from the failed server. The only way we can get the routes to redistribute properly is to shut down the failed OpenVPN server's service and restart the other.

My first thought to get around this was to have the client push its own route so that OSPF would automatically learn it via the OpenVPN tunnel it opens. I tried to add a push "route x.x.x.x" on the client so that it would throw its routes whenever it established an OpenVPN connection, but this doesn't seem to be supported.
We're looking into something with CDD files but so far nothing.
I know we can probably get this working by installing OSPF on the client but we'd rather keep things simple since we have many clients.
Is there some sort of magical command for this? I'm certain that I'm not the only person to have tried this type of redundant setup.
"route-up", "route-down" perhaps?
Let me know, thanks.
Here is some of the configuration…
SERVER
dev ovpns2
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher BF-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local X.X.X.X - HIDDEN
tls-server
server 10.15.16.0 255.255.252.0
client-config-dir /var/etc/openvpn-csc
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'firewall3' 1 "
lport 1195
management /var/etc/openvpn/server2.sock unix
push "route 192.168.248.0 255.255.255.0"
push "route 192.168.251.0 255.255.255.0"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.1024
comp-lzo yes
route 13.13.13.0 255.255.255.0
route 10.16.242.0 255.255.255.0
push "route 192.168.248.0 255.255.255.0"
push "route 192.168.251.0 255.255.255.0"
-
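The config above holds the routes to the subnets behind the clients as static "route" lines, so the kernel route (and whatever OSPF redistributes from it) stays on a server even after the client has failed over to the other one. The following is an added example, not code from the thread or from pfSense: a server-side hook, attached with OpenVPN's real "client-connect" and "client-disconnect" directives, that adds the kernel route only while the client is connected and removes it on disconnect. OpenVPN does export common_name, ifconfig_pool_remote_ip and dev to these scripts; the script path, the common-name-to-subnet table and the assumption that the OSPF daemon redistributes kernel routes are mine.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN server-side client-connect /
# client-disconnect hook. It installs the route to the subnet behind a client
# only while that client is connected and withdraws it on disconnect, so the
# server that lost the client stops holding the route that OSPF picks up.
#
# Assumed server directives (hypothetical path):
#   client-connect    "/usr/local/sbin/ovpn-client-route.sh add"
#   client-disconnect "/usr/local/sbin/ovpn-client-route.sh del"
# The "iroute" in the client-config-dir file still tells OpenVPN itself which
# client owns the subnet; this script only manages the kernel route.

# Constructed mapping: client certificate common name -> subnet behind it.
client_subnet() {
    case "$1" in
        firewall3) echo "13.13.13.0/24" ;;
        firewall4) echo "10.16.242.0/24" ;;
        *)         return 1 ;;
    esac
}

# Build the kernel route command for an add/del event.
# $1 = add|del, $2 = common_name, $3 = client tunnel IP;
# the tunnel interface comes from the dev env var OpenVPN sets (tun0 if unset).
route_cmd() {
    subnet=$(client_subnet "$2") || return 1
    case "$1" in
        add|del) echo "ip route $1 $subnet via $3 dev ${dev:-tun0}" ;;
        *)       return 1 ;;
    esac
}

# Only act when invoked by OpenVPN (common_name is exported). Unknown clients
# exit 0 so a non-zero status does not make client-connect refuse the session;
# the action is logged to syslog before it is executed.
if [ -n "$common_name" ] && [ -n "$1" ]; then
    cmd=$(route_cmd "$1" "$common_name" "$ifconfig_pool_remote_ip") || exit 0
    logger -t ovpn-client-route "$cmd"
    $cmd
fi
```

With this in place the static "route 13.13.13.0" and "route 10.16.242.0" lines would be dropped from the server config, and the routing daemon on each server would need to redistribute kernel routes into OSPF (an assumption about the OSPF setup, which the thread does not describe). Because both servers run the same hook, whichever one the client is currently attached to is the only one advertising the path to it.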
You run identical tunnel networks on both servers? I don't think that's a good idea.
Wouldn't it be better to do it like this? https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN#Bind_to_Localhost_and_Setup_Port_Forwards
-
Hi, the two OpenVPN servers are on two different devices at two different locations. I'm NOT trying to get the pfSense to work on a single device with two WAN interfaces, so the article you sent doesn't apply.
Thanks anyway.
-
Anyone? :(