• A cross-post of sorts (apologies if there's an x-post function on the forums, I couldn't find it).

    Context: https://forum.pfsense.org/index.php?topic=106497.0

    I'd love a bit of guidance on getting this working. Currently it's configured as in the linked thread, along with the suggestion to use topology subnet.

    Do I need to configure loopback interfaces for the Router IDs? Do I need to assign the OpenVPN tunnel as an OPT interface? Am I missing something else?

    Running version 2.2.6 - the information below is for Site 1.

    OSPF General
    OSPF Routing Process, Router ID:
    Supports only single TOS (TOS0) routes
    This implementation conforms to RFC2328
    RFC1583Compatibility flag is disabled
    OpaqueCapability flag is disabled
    Initial SPF scheduling delay 200 millisec(s)
    Minimum hold time between consecutive SPFs 1000 millisec(s)
    Maximum hold time between consecutive SPFs 10000 millisec(s)
    Hold time multiplier is currently 1
    SPF algorithm last executed 10h12m46s ago
    SPF timer is inactive
    Refresh timer 10 secs
    Number of external LSA 0. Checksum Sum 0x00000000
    Number of opaque AS LSA 0. Checksum Sum 0x00000000
    Number of areas attached to this router: 1
    All adjacency changes are logged

    Area ID: (Backbone)
      Number of interfaces in this area: Total: 10, Active: 10
      Number of fully adjacent neighbors in this area: 0
      Area has no authentication
      SPF algorithm executed 1 times
      Number of LSA 1
      Number of router LSA 1. Checksum Sum 0x00000d41
      Number of network LSA 0. Checksum Sum 0x00000000
      Number of summary LSA 0. Checksum Sum 0x00000000
      Number of ASBR summary LSA 0. Checksum Sum 0x00000000
      Number of NSSA LSA 0. Checksum Sum 0x00000000
      Number of opaque link LSA 0. Checksum Sum 0x00000000
      Number of opaque area LSA 0. Checksum Sum 0x00000000

    OSPF Neighbours
    Neighbor ID Pri State          Dead Time Address        Interface            RXmtL RqstL DBsmL

    OSPF Database
    OSPF Router with ID (

    Router Link States (Area

    Link ID        ADV Router      Age  Seq#      CkSum  Link count          809 0x8000001f 0x0d41 10

    OSPF Routes
    ============ OSPF network routing table ============
    N          [10] area:
                              directly attached to igb1
    N        [10] area:
                              directly attached to ovpns15
    N        [10] area:
                              directly attached to ovpns17
    N        [10] area:
                              directly attached to ovpns18
    N        [10] area:
                              directly attached to ovpns19
    N        [10] area:
                              directly attached to ovpns20
    N        [10] area:
                              directly attached to ovpns21
    N        [10] area:
                              directly attached to ovpns22
    N        [10] area:
                              directly attached to ovpns23
    N        [10] area:
                              directly attached to ovpns24

    ============ OSPF router routing table =============

    ============ OSPF external routing table ===========

    Zebra Routes
    Omitted due to size - let me know if needed!

    OSPF Interfaces
    Omitted due to size - let me know if needed!

    OSPF configuration (raw)

    This file was created by the pfSense package manager.  Do not edit!

    password *******************
    log syslog
    interface ovpns16
      ip ospf cost 10
      ip ospf authentication-key **********
    interface igb1

    router ospf
      ospf router-id
      log-adjacency-changes detail
      passive-interface igb1
      network area
      network area

    Zebra Configuration (raw)

    This file was created by the pfSense package manager.  Do not edit!

    password *******************
    log syslog
    ip prefix-list ACCEPTFILTER deny
    ip prefix-list ACCEPTFILTER permit any
    route-map ACCEPTFILTER permit 10
    match ip address prefix-list ACCEPTFILTER
    ip protocol ospf route-map ACCEPTFILTER

    Note: There is only one physical interface attached to OSPF at the moment, which is the pfSense management network. Site 4 router has a VLAN attached to OSPF, but the rest of the configuration is the same.

  • - indistinguishable tunnel networks of the OpenVPN servers?
    What is OpenVPN - Server Mode? In case of 'Peer to Peer ( Shared Key )', you don't need topology subnet - it breaks routing.
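The two symptoms raised so far (ten active interfaces but zero fully adjacent neighbours in the first post's counters, and tunnel networks that look identical in the route table) can be checked mechanically. This is an added example, not code from the thread or from the Quagga package: it parses constructed status text in the shape of the "OSPF General" and "OSPF Routes" sections and flags both conditions. The prefixes and area id are made up, since the forum copy has them stripped.

```python
import re
from collections import Counter

# Constructed sample in the shape of the first post's "OSPF General" and "OSPF Routes" output;
# the prefixes and area id are made up, since the forum copy has them stripped.
SAMPLE_STATUS = """\
Area ID: 0.0.0.0 (Backbone)
  Number of interfaces in this area: Total: 10, Active: 10
  Number of fully adjacent neighbors in this area: 0
============ OSPF network routing table ============
N    10.0.0.0/24           [10] area: 0.0.0.0
                           directly attached to igb1
N    10.99.0.0/30          [10] area: 0.0.0.0
                           directly attached to ovpns15
N    10.99.0.0/30          [10] area: 0.0.0.0
                           directly attached to ovpns17
N    10.99.0.4/30          [10] area: 0.0.0.0
                           directly attached to ovpns18
"""

ROUTE_RE = re.compile(r"^N\s+(\S+/\d+)\s+\[\d+\]\s+area:\s*(\S*)\s*$")
ATTACH_RE = re.compile(r"^\s+directly attached to (\S+)\s*$")

def parse_networks(text):
    """(prefix, interface) pairs from the 'OSPF network routing table' section."""
    pairs, prefix = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix = m.group(1)
            continue
        m = ATTACH_RE.match(line)
        if m and prefix:
            pairs.append((prefix, m.group(1)))
            prefix = None
    return pairs

def duplicate_prefixes(pairs):
    """Prefixes announced on more than one interface, e.g. one tunnel /30 reused by two servers."""
    counts = Counter(p for p, _ in pairs)
    return {p: [i for q, i in pairs if q == p] for p, n in counts.items() if n > 1}

def adjacency_gap(text):
    """(active interfaces, fully adjacent neighbours); active > 0 with 0 neighbours means no adjacency came up."""
    active = int(re.search(r"Active:\s*(\d+)", text).group(1))
    full = int(re.search(r"fully adjacent neighbors in this area:\s*(\d+)", text).group(1))
    return active, full
```

Run it against the pasted output of Status > Quagga OSPFd; any entry returned by duplicate_prefixes is a tunnel network that two OpenVPN instances share and must be made unique before OSPF can form adjacencies over them.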

  • @rubic: - indistinguishable tunnel networks of the OpenVPN servers?

    Good spot. Any idea how that might have come about?
    There are several /30 subnets for OpenVPN, starting at and currently ending at

    Yes, there are multiple server instances in Peer to Peer (shared key) TUN mode - two per site (two WAN connections). Subnets for the OpenVPN networks are specified at both the server and client side, and they do manage to assign themselves unique IPs in this; if I manually add a route at each side for one of the tunnels, traffic can pass.

    I have removed the topology subnet configuration line.

    There are also some remote access OpenVPN instances set up for road warriors, using RADIUS auth and certificates, but these reside in a different subnet and aren't given to OSPF as interfaces.

    Thanks for your reply, by the way - I appreciate it!

  • @ajrg:

    Good spot. Any idea how that might have come about?

    That probably comes from ACCEPTFILTER, however check the ovpns16 tunnel network mask.
    Remove filters, fill in 'Master Password', 'Router ID' and 'Area' in the Quagga OSPFd > Global Settings, leaving other fields blank. Select an interface, fill in 'Area' (set 'Interface is Passive' in case of stub network interface, i.e. LAN) in the Quagga OSPFd > Interface Settings. Leave other fields blank. Test it.
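To see why the ACCEPTFILTER lines in the posted zebra config can drop the tunnel route before zebra installs it, here is an added example (not code from the thread or from Quagga) that evaluates a prefix-list with Quagga's first-match semantics and implicit trailing deny. The deny prefix and the route prefixes are constructed placeholders, since the real values are stripped in the forum copy; the permit-any and route-map lines are as posted.

```python
import ipaddress

# Constructed filter in the shape of the thread's "Zebra Configuration (raw)". The deny prefix is
# a placeholder (the real one is stripped in the forum copy); the other lines are as posted.
ZEBRA_FILTER = """\
ip prefix-list ACCEPTFILTER deny 10.99.0.0/16 le 30
ip prefix-list ACCEPTFILTER permit any
route-map ACCEPTFILTER permit 10
 match ip address prefix-list ACCEPTFILTER
ip protocol ospf route-map ACCEPTFILTER
"""

def parse_prefix_list(text, name):
    """Entries of one prefix-list, in order: (action, network or None for 'any', ge, le)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] != ["ip", "prefix-list", name]:
            continue
        action, rest = parts[3], parts[4:]
        if rest == ["any"]:
            entries.append((action, None, 0, 32))
            continue
        net = ipaddress.ip_network(rest[0])
        opts = dict(zip(rest[1::2], rest[2::2]))
        ge = int(opts.get("ge", net.prefixlen))      # bare A.B.C.D/M is an exact-length match
        le = int(opts.get("le", 32 if "ge" in opts else net.prefixlen))
        entries.append((action, net, ge, le))
    return entries

def prefix_list_action(entries, prefix):
    """First matching entry wins; an unmatched prefix hits the implicit deny at the end."""
    p = ipaddress.ip_network(prefix)
    for action, net, ge, le in entries:
        if net is None or (p.subnet_of(net) and ge <= p.prefixlen <= le):
            return action
    return "deny"

def installed_by_zebra(text, routes, name="ACCEPTFILTER"):
    """Routes that pass 'ip protocol ospf route-map NAME' (route-map permit 10 matches the list)."""
    entries = parse_prefix_list(text, name)
    return [r for r in routes if prefix_list_action(entries, r) == "permit"]
```

With the deny line removed, as the thread ends up doing, every OSPF-learned route reaches the kernel table; with it present, any tunnel /30 inside the denied range never does, which matches the missing OpenVPN route the poster saw.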

  • Thanks for that! Just made those changes; unfortunately, Zebra now won't start.

    I'm going to reboot both ends tonight, once the sites are unstaffed. Fingers crossed! I'll post back here in a few hours.

    I did check the ovpns netmask - it's definitely /30, in the webConfigurator and in the config.xml.

    Assuming the ACCEPTFILTER directive is the cause of this issue, is there any other way to exclude the OpenVPN subnets being pushed by OSPF? I've seen a couple of posts here and on Reddit that suggest that this can cause OpenVPN to fail restarting if the daemon crashes, as the routes are already in place at both ends.
    This might not be true / may not still be a problem.

  • I do not filter OpenVPN networks and have no issues so far. I've attached screenshots of simple but working settings you may want to start with --- pfSense1 (OpenVPN server) <-- INTERNET <-- pfSense2 (OpenVPN client) ---

    ![1. pfSense1 OpenVPN server.png](/public/imported_attachments/1/1. pfSense1 OpenVPN server.png)
    ![2. pfSense1 WAN rule.png](/public/imported_attachments/1/2. pfSense1 WAN rule.png)
    ![3. pfSense1 OpenVPN rule.png](/public/imported_attachments/1/3. pfSense1 OpenVPN rule.png)
    ![4. pfSense1 Quagga Interfaces.png](/public/imported_attachments/1/4. pfSense1 Quagga Interfaces.png)
    ![5. pfSense1 Quagga Global Settings.png](/public/imported_attachments/1/5. pfSense1 Quagga Global Settings.png)
    ![6. pfSense2 OpenVPN client.png](/public/imported_attachments/1/6. pfSense2 OpenVPN client.png)
    ![7. pfSense2 OpenVPN rule.png](/public/imported_attachments/1/7. pfSense2 OpenVPN rule.png)
    ![8. pfSense2 Quagga Interfaces.png](/public/imported_attachments/1/8. pfSense2 Quagga Interfaces.png)
    ![9. pfSense2 Quagga Global Settings.png](/public/imported_attachments/1/9. pfSense2 Quagga Global Settings.png)
    ![10. pfSense1 Quagga Status - Neighbors.png](/public/imported_attachments/1/10. pfSense1 Quagga Status - Neighbors.png)
    ![11. pfSense1 Quagga Status - Routes.png](/public/imported_attachments/1/11. pfSense1 Quagga Status - Routes.png)

  • Many, many thanks for that! It's up and running now.

    After removing the ACCEPTFILTER and rebooting at both ends, the OpenVPN subnet was listed correctly and traffic now moves over the tunnel as you'd expect.

    Gonna start on the other sites shortly :)

    Thanks again!

  • ajrg,
    It would be interesting to see how you made out with the other sites. If you can post back that would be great!
    Also, do you just have 1 WAN at the sites? We are working on a project now and every site has multi WAN (with carp) and we are looking to use OpenVPN/Quagga.

    Hope all goes well for you.


  • It's been fine - I've been bringing the other sites into the OSPF scope through the day. No issues at all.

    We have a total of four sites, with a fifth coming in a few weeks:

    Site 1: Two-node CARP, with three WAN connections (2x fibre, 1x LTE - this site is in an area where one ISP has an effective monopoly, so both fibres are with the same ISP)
    Sites 2, 3 and 4: Single node, two WAN connections
    Site 5: Two-node CARP, with three WAN connections (1x WiMax, 1x fibre, 1x LTE - similar single-ISP situation, but at least with two different connection methods)

    I'll post back once site 5 is working, but I don't see any reason why we'd have issues running another CARP node. I've tested CARP failover and failback, and multi-WAN failover and failback at all sites. It all works brilliantly with default timer settings, though I suppose you could reduce the timers if you needed faster OSPF response, probably at the expense of CPU usage/bandwidth.