Re: [pfSense] HA and OpenVPN
I'm not an expert here but what I understand is: while you can use pfsync to sync raw connection states the daemon(s) aren't 'aware' of those per-se. You basically have 3 options that I can think of.. 1. Let the daemon run on the WAN interface of each router and configure your clients with both IPs2. Use carp (clients configured to point the the single floating IP)(either of the above will require a client reconnect if the 'active' machine goes down)3. Try to setup an active/active *cluster* scenario (see #1 below) (leveraging pfsync perhaps). In order to do so I think you'd need clustered fs storage (glusterfs, nfs, etc) and maybe even OpenVPN-AS. If anyone knows how to achieve a full active/active cluster in pfsense I'd love to know how. Travis Hansen travisghan...@yahoo.com [1] https://docs.openvpn.net/how-to-tutorialsguides/administration/active-active-high-availability-setup-for-openvpn-access-server/ On Monday, April 25, 2016 2:11 PM, WebDawgwrote: On Mon, Apr 25, 2016 at 2:12 PM, Steve Yates wrote: > I missed that also, way back when, thanks. We had been connecting to > either router1 or router2's WAN IP. If router2 is not the CARP master, you > can connect to it, but it will try to send the response back out through > router1 so one can't get bi-directional communication. > > -- > > Steve Yates > ITS, Inc. > > > -Original Message- > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier > Mascia > Sent: Monday, April 25, 2016 1:49 PM > To: pfSense Support and Discussion Mailing List > Subject: Re: [pfSense] HA and OpenVPN > > > Le 25 avr. 2016 à 20:04, Travis Hansen
a > écrit : > > Did you select the carp IP as the 'interface' in the openvpn server > config? or do you just have WAN selected? > > > > Le 25 avr. 2016 à 20:21, Brady, Mike a > écrit : > > Did you change the OpenVPN configured Interface to be the VIP rather > than the WAN? > > > No, I didn't. :( That was the stupid mistake I was looking after. > Thank you Brady and Travis. > > -- > ___ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold > OpenVPN I think has failover, multiple hostnames, can you utilize that? Configure both systems at once? Two different ports? ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
[pfSense] CARP and both IPv4 and IPv6: do they live together?
It looks like as soon as I bring IPv6 to the party, my secondary starts thinking it's MASTER instead of BACKUP. Sometimes on the WAN side, sometimes on the LAN, sometimes both. Quite hard to describe, I'm still trying to build up a reproducible test case on my 2.3 cluster. So out of the blue, are there known-bugs or other kind of difficulties in having H.A. along with IPv4 and IPv6? -- Meilleures salutations, Met vriendelijke groeten, Best Regards, Olivier Mascia, integral.be/om ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] HA and OpenVPN
On Mon, Apr 25, 2016 at 2:12 PM, Steve Yateswrote: > I missed that also, way back when, thanks. We had been connecting to > either router1 or router2's WAN IP. If router2 is not the CARP master, you > can connect to it, but it will try to send the response back out through > router1 so one can't get bi-directional communication. > > -- > > Steve Yates > ITS, Inc. > > > -Original Message- > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier > Mascia > Sent: Monday, April 25, 2016 1:49 PM > To: pfSense Support and Discussion Mailing List > Subject: Re: [pfSense] HA and OpenVPN > > > Le 25 avr. 2016 à 20:04, Travis Hansen
a > écrit : > > Did you select the carp IP as the 'interface' in the openvpn server > config? or do you just have WAN selected? > > > > Le 25 avr. 2016 à 20:21, Brady, Mike a > écrit : > > Did you change the OpenVPN configured Interface to be the VIP rather > than the WAN? > > > No, I didn't. :( That was the stupid mistake I was looking after. > Thank you Brady and Travis. > > -- > ___ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold > OpenVPN I think has failover, multiple hostnames, can you utilize that? Configure both systems at once? Two different ports? ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] HA and OpenVPN
> Le 25 avr. 2016 à 20:04, Travis Hansena écrit : > Did you select the carp IP as the 'interface' in the openvpn server config? > or do you just have WAN selected? > Le 25 avr. 2016 à 20:21, Brady, Mike a écrit : > Did you change the OpenVPN configured Interface to be the VIP rather than the > WAN? No, I didn't. :( That was the stupid mistake I was looking after. Thank you Brady and Travis. -- Meilleures salutations, Met vriendelijke groeten, Best Regards, Olivier Mascia, integral.be/om ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] HA and OpenVPN
On 2016-04-26 05:36, Olivier Mascia wrote: Hello, I now have a HA cluster of 2 pfSense boxes pretty much well setup, everything working as expected, excepted one thing. Connecting to a remote access OpenVPN server on the WAN CARP IP fails here: Apr 25 19:29:36: Vérification du statut d'accessibilité de la connexion ... Apr 25 19:29:36: La connexion est accessible. Tentative de démarrage de la connexion. Apr 25 19:29:38: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 2 2016 Apr 25 19:29:38: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09 Apr 25 19:30:00: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0/T/connection.5wkLkh/ta.key' as a OpenVPN static key file Apr 25 19:30:00: UDPv4 link local (bound): [undef] Apr 25 19:30:00: UDPv4 link remote: [AF_INET]w.x.y.z:1194 ... and after a timeout: Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Apr 25 19:31:00: TLS Error: TLS handshake failed Apr 25 19:31:00: SIGUSR1[soft,tls-error] received, process restarting Apr 25 19:31:01: UDPv4 link local (bound): [undef] Apr 25 19:31:01: UDPv4 link remote: [AF_INET]w.x.y.z:1194 ... When connecting to either box non CARP WAN address, ie w.x.y.z+1 or z+2 in this example, it works. Even accepting UDP OpenVPN on destination Any does not fix it. So this does not look like a filter rule issue. Is there something particular to take into account regarding UDP traffic toward the WAN CARP IP or something specific regarding OpenVPN? I can live with having to establish VPN to the primary box and change it should it fail (this is for maintenance only of the resources behind the firewall), but I find it strange it does not work on the CARP IP. What obvious thing did I miss? Did you change the OpenVPN configured Interface to be the VIP rather than the WAN? ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] HA and OpenVPN
> Le 25 avr. 2016 à 20:04, Travis Hansena écrit : > > Did you select the carp IP as the 'interface' in the openvpn server config? > or do you just have WAN selected? Hmm... I'm on the move since my previous post, but this seems obvious enough for me having made that mistake. :) I'll check back later today, but chances are the fault is there. Thanks!! -- Meilleures salutations, Met vriendelijke groeten, Best Regards, Olivier Mascia, integral.be/om ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] HA and OpenVPN
Did you select the carp IP as the 'interface' in the openvpn server config? or do you just have WAN selected? I have a similar setup that works fine. Although if the carp address changes to a new machine I do need to reconnect (may be a way around this but my needs are simple). Travis Hansen travisghan...@yahoo.com On Monday, April 25, 2016 11:34 AM, Olivier Masciawrote: Hello, I now have a HA cluster of 2 pfSense boxes pretty much well setup, everything working as expected, excepted one thing. Connecting to a remote access OpenVPN server on the WAN CARP IP fails here: Apr 25 19:29:36: Vérification du statut d'accessibilité de la connexion ... Apr 25 19:29:36: La connexion est accessible. Tentative de démarrage de la connexion. Apr 25 19:29:38: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 2 2016 Apr 25 19:29:38: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09 Apr 25 19:30:00: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0/T/connection.5wkLkh/ta.key' as a OpenVPN static key file Apr 25 19:30:00: UDPv4 link local (bound): [undef] Apr 25 19:30:00: UDPv4 link remote: [AF_INET]w.x.y.z:1194 ... and after a timeout: Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Apr 25 19:31:00: TLS Error: TLS handshake failed Apr 25 19:31:00: SIGUSR1[soft,tls-error] received, process restarting Apr 25 19:31:01: UDPv4 link local (bound): [undef] Apr 25 19:31:01: UDPv4 link remote: [AF_INET]w.x.y.z:1194 ... When connecting to either box non CARP WAN address, ie w.x.y.z+1 or z+2 in this example, it works. Even accepting UDP OpenVPN on destination Any does not fix it. So this does not look like a filter rule issue. Is there something particular to take into account regarding UDP traffic toward the WAN CARP IP or something specific regarding OpenVPN? I can live with having to establish VPN to the primary box and change it should it fail (this is for maintenance only of the resources behind the firewall), but I find it strange it does not work on the CARP IP. What obvious thing did I miss? -- Meilleures salutations, Met vriendelijke groeten, Best Regards, Olivier Mascia, integral.be/om ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
[pfSense] HA and OpenVPN
Hello, I now have a HA cluster of 2 pfSense boxes pretty much well setup, everything working as expected, excepted one thing. Connecting to a remote access OpenVPN server on the WAN CARP IP fails here: Apr 25 19:29:36: Vérification du statut d'accessibilité de la connexion ... Apr 25 19:29:36: La connexion est accessible. Tentative de démarrage de la connexion. Apr 25 19:29:38: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 2 2016 Apr 25 19:29:38: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09 Apr 25 19:30:00: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0/T/connection.5wkLkh/ta.key' as a OpenVPN static key file Apr 25 19:30:00: UDPv4 link local (bound): [undef] Apr 25 19:30:00: UDPv4 link remote: [AF_INET]w.x.y.z:1194 ... and after a timeout: Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Apr 25 19:31:00: TLS Error: TLS handshake failed Apr 25 19:31:00: SIGUSR1[soft,tls-error] received, process restarting Apr 25 19:31:01: UDPv4 link local (bound): [undef] Apr 25 19:31:01: UDPv4 link remote: [AF_INET]w.x.y.z:1194 ... When connecting to either box non CARP WAN address, ie w.x.y.z+1 or z+2 in this example, it works. Even accepting UDP OpenVPN on destination Any does not fix it. So this does not look like a filter rule issue. Is there something particular to take into account regarding UDP traffic toward the WAN CARP IP or something specific regarding OpenVPN? I can live with having to establish VPN to the primary box and change it should it fail (this is for maintenance only of the resources behind the firewall), but I find it strange it does not work on the CARP IP. What obvious thing did I miss? -- Meilleures salutations, Met vriendelijke groeten, Best Regards, Olivier Mascia, integral.be/om ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Cisco VPN
Hi I've got a terminal server that I use for VPN. I can create the connection and I do receive a 172.x.x.x IP. The connection then stays active for about 5 to 10 seconds, but I cannot send or receive any data. The connection the drops and that’s it. I currently have no firewall rules for the connection as I've tried a view things, but I not getting it to work. I've read many googled posts, but I'm sure I not looking/finding anything meaningful. Regards Chris How/when is it failing? On Thu, Apr 21, 2016 at 10:01 AM, user49bwrote: Hi Please could someone point me to some descent documentation. I'm struggling to get IPsec VPN connection working to a Cisco VPN server from behind pfSense. So I have a terminal server behind pfSense, and trying to connect to VPN server on internet. Regards Chris ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold