Re: [pfSense] HA and OpenVPN

2016-04-25 Thread Travis Hansen
I'm not an expert here but what I understand is: while you can use pfsync to 
sync raw connection states the daemon(s) aren't 'aware' of those per se.  You 
basically have 3 options that I can think of..

1. Let the daemon run on the WAN interface of each router and configure your 
clients with both IPs
2. Use carp (clients configured to point to the single floating IP)
(either of the above will require a client reconnect if the 'active' machine 
goes down)
3. Try to set up an active/active *cluster* scenario (see #1 below) 
(leveraging pfsync perhaps).  In order to do so I think you'd need clustered 
fs storage (glusterfs, nfs, etc) and maybe even OpenVPN-AS.

If anyone knows how to achieve a full active/active cluster in pfsense I'd love 
to know how.

Travis Hansen travisghan...@yahoo.com 

[1] 
https://docs.openvpn.net/how-to-tutorialsguides/administration/active-active-high-availability-setup-for-openvpn-access-server/

On Monday, April 25, 2016 2:11 PM, WebDawg  wrote:

On Mon, Apr 25, 2016 at 2:12 PM, Steve Yates  wrote:

> I missed that also, way back when, thanks.  We had been connecting to
> either router1 or router2's WAN IP.  If router2 is not the CARP master, you
> can connect to it, but it will try to send the response back out through
> router1 so one can't get bi-directional communication.
>
> --
>
> Steve Yates
> ITS, Inc.
>
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier
> Mascia
> Sent: Monday, April 25, 2016 1:49 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] HA and OpenVPN
>
> > On 25 Apr 2016 at 20:04, Travis Hansen  wrote:
> > Did you select the carp IP as the 'interface' in the openvpn server
> > config? or do you just have WAN selected?
>
>
> > On 25 Apr 2016 at 20:21, Brady, Mike  wrote:
> > Did you change the OpenVPN configured Interface to be the VIP rather
> > than the WAN?
>
>
> No, I didn't. :(  That was the stupid mistake I was looking after.
> Thank you Brady and Travis.
>
> --
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>

OpenVPN I think has failover, multiple hostnames, can you utilize that?
Configure both systems at once?  Two different ports?


[pfSense] CARP and both IPv4 and IPv6: do they live together?

2016-04-25 Thread Olivier Mascia
It looks like as soon as I bring IPv6 to the party, my secondary starts 
thinking it's MASTER instead of BACKUP.  Sometimes on the WAN side, sometimes 
on the LAN, sometimes both.  Quite hard to describe, I'm still trying to build 
up a reproducible test case on my 2.3 cluster.  So out of the blue, are there 
known bugs or other kinds of difficulties in having H.A. along with IPv4 and 
IPv6?

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om




Re: [pfSense] HA and OpenVPN

2016-04-25 Thread WebDawg
On Mon, Apr 25, 2016 at 2:12 PM, Steve Yates  wrote:

> I missed that also, way back when, thanks.  We had been connecting to
> either router1 or router2's WAN IP.  If router2 is not the CARP master, you
> can connect to it, but it will try to send the response back out through
> router1 so one can't get bi-directional communication.
>
> --
>
> Steve Yates
> ITS, Inc.
>
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier
> Mascia
> Sent: Monday, April 25, 2016 1:49 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] HA and OpenVPN
>
> > On 25 Apr 2016 at 20:04, Travis Hansen  wrote:
> > Did you select the carp IP as the 'interface' in the openvpn server
> > config? or do you just have WAN selected?
>
>
> > On 25 Apr 2016 at 20:21, Brady, Mike  wrote:
> > Did you change the OpenVPN configured Interface to be the VIP rather
> > than the WAN?
>
>
> No, I didn't. :(  That was the stupid mistake I was looking after.
> Thank you Brady and Travis.
>
> --
>

OpenVPN I think has failover, multiple hostnames, can you utilize that?
Configure both systems at once?  Two different ports?

Re: [pfSense] HA and OpenVPN

2016-04-25 Thread Olivier Mascia
> On 25 Apr 2016 at 20:04, Travis Hansen  wrote:
> Did you select the carp IP as the 'interface' in the openvpn server config? 
> or do you just have WAN selected?


> On 25 Apr 2016 at 20:21, Brady, Mike  wrote:
> Did you change the OpenVPN configured Interface to be the VIP rather than the 
> WAN?


No, I didn't. :(  That was the stupid mistake I was looking after.
Thank you Brady and Travis.

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om




Re: [pfSense] HA and OpenVPN

2016-04-25 Thread Brady, Mike

On 2016-04-26 05:36, Olivier Mascia wrote:

Hello,

I now have a HA cluster of 2 pfSense boxes pretty much well set up,
everything working as expected, except one thing.
Connecting to a remote access OpenVPN server on the WAN CARP IP fails 
here:


Apr 25 19:29:36: Vérification du statut d'accessibilité de la connexion 
...

Apr 25 19:29:36: La connexion est accessible. Tentative de démarrage
de la connexion.
Apr 25 19:29:38: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)]
[LZO] [PKCS11] [MH] [IPv6] built on Mar  2 2016
Apr 25 19:29:38: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Apr 25 19:30:00: Control Channel Authentication: using
'/var/folders/zz/zyxvpxvq6csfxvn_n0/T/connection.5wkLkh/ta.key'
as a OpenVPN static key file
Apr 25 19:30:00: UDPv4 link local (bound): [undef]
Apr 25 19:30:00: UDPv4 link remote: [AF_INET]w.x.y.z:1194
...
and after a timeout:
Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within
60 seconds (check your network connectivity)
Apr 25 19:31:00: TLS Error: TLS handshake failed
Apr 25 19:31:00: SIGUSR1[soft,tls-error] received, process restarting
Apr 25 19:31:01: UDPv4 link local (bound): [undef]
Apr 25 19:31:01: UDPv4 link remote: [AF_INET]w.x.y.z:1194
...

When connecting to either box's non-CARP WAN address, i.e. w.x.y.z+1 or
z+2 in this example, it works.
Even accepting UDP OpenVPN on destination Any does not fix it. So this
does not look like a filter rule issue.
Is there something particular to take into account regarding UDP
traffic toward the WAN CARP IP or something specific regarding
OpenVPN?

I can live with having to establish VPN to the primary box and change
it should it fail (this is for maintenance only of the resources
behind the firewall), but I find it strange it does not work on the
CARP IP.

What obvious thing did I miss?


Did you change the OpenVPN configured Interface to be the VIP rather 
than the WAN?


Re: [pfSense] HA and OpenVPN

2016-04-25 Thread Olivier Mascia

> On 25 Apr 2016 at 20:04, Travis Hansen  wrote:
> 
> Did you select the carp IP as the 'interface' in the openvpn server config? 
> or do you just have WAN selected?

Hmm... I'm on the move since my previous post, but this seems obvious enough 
for me having made that mistake. :)
I'll check back later today, but chances are the fault is there.
Thanks!!
-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om



Re: [pfSense] HA and OpenVPN

2016-04-25 Thread Travis Hansen
Did you select the carp IP as the 'interface' in the openvpn server config? or 
do you just have WAN selected?
I have a similar setup that works fine.  Although if the carp address changes 
to a new machine I do need to reconnect (may be a way around this but my needs 
are simple).

Travis Hansen travisghan...@yahoo.com 

On Monday, April 25, 2016 11:34 AM, Olivier Mascia  wrote:

Hello,

I now have a HA cluster of 2 pfSense boxes pretty much well set up, everything 
working as expected, except one thing.
Connecting to a remote access OpenVPN server on the WAN CARP IP fails here:

Apr 25 19:29:36: Vérification du statut d'accessibilité de la connexion ...
Apr 25 19:29:36: La connexion est accessible. Tentative de démarrage de la 
connexion.
Apr 25 19:29:38: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] 
[PKCS11] [MH] [IPv6] built on Mar  2 2016
Apr 25 19:29:38: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Apr 25 19:30:00: Control Channel Authentication: using 
'/var/folders/zz/zyxvpxvq6csfxvn_n0/T/connection.5wkLkh/ta.key' as 
a OpenVPN static key file
Apr 25 19:30:00: UDPv4 link local (bound): [undef]
Apr 25 19:30:00: UDPv4 link remote: [AF_INET]w.x.y.z:1194
...
and after a timeout:
Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within 60 
seconds (check your network connectivity)
Apr 25 19:31:00: TLS Error: TLS handshake failed
Apr 25 19:31:00: SIGUSR1[soft,tls-error] received, process restarting
Apr 25 19:31:01: UDPv4 link local (bound): [undef]
Apr 25 19:31:01: UDPv4 link remote: [AF_INET]w.x.y.z:1194
...

When connecting to either box's non-CARP WAN address, i.e. w.x.y.z+1 or z+2 in this 
example, it works.
Even accepting UDP OpenVPN on destination Any does not fix it. So this does not 
look like a filter rule issue.
Is there something particular to take into account regarding UDP traffic toward 
the WAN CARP IP or something specific regarding OpenVPN?

I can live with having to establish VPN to the primary box and change it should 
it fail (this is for maintenance only of the resources behind the firewall), 
but I find it strange it does not work on the CARP IP.

What obvious thing did I miss?

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om



[pfSense] HA and OpenVPN

2016-04-25 Thread Olivier Mascia
Hello,

I now have a HA cluster of 2 pfSense boxes pretty much well set up, everything 
working as expected, except one thing.
Connecting to a remote access OpenVPN server on the WAN CARP IP fails here:

Apr 25 19:29:36: Vérification du statut d'accessibilité de la connexion ...
Apr 25 19:29:36: La connexion est accessible. Tentative de démarrage de la 
connexion.
Apr 25 19:29:38: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] 
[PKCS11] [MH] [IPv6] built on Mar  2 2016
Apr 25 19:29:38: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Apr 25 19:30:00: Control Channel Authentication: using 
'/var/folders/zz/zyxvpxvq6csfxvn_n0/T/connection.5wkLkh/ta.key' as 
a OpenVPN static key file
Apr 25 19:30:00: UDPv4 link local (bound): [undef]
Apr 25 19:30:00: UDPv4 link remote: [AF_INET]w.x.y.z:1194
...
and after a timeout:
Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within 60 
seconds (check your network connectivity)
Apr 25 19:31:00: TLS Error: TLS handshake failed
Apr 25 19:31:00: SIGUSR1[soft,tls-error] received, process restarting
Apr 25 19:31:01: UDPv4 link local (bound): [undef]
Apr 25 19:31:01: UDPv4 link remote: [AF_INET]w.x.y.z:1194
...

When connecting to either box's non-CARP WAN address, i.e. w.x.y.z+1 or z+2 in this 
example, it works.
Even accepting UDP OpenVPN on destination Any does not fix it. So this does not 
look like a filter rule issue.
Is there something particular to take into account regarding UDP traffic toward 
the WAN CARP IP or something specific regarding OpenVPN?

I can live with having to establish VPN to the primary box and change it should 
it fail (this is for maintenance only of the resources behind the firewall), 
but I find it strange it does not work on the CARP IP.

What obvious thing did I miss?

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om


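As an added example that is not part of any post in this thread (and not pfSense or OpenVPN code), the following Python script ties Travis Hansen's three options and Brady's question about the server Interface to the symptom in Olivier's client log. It lists the CARP VIPs from a constructed FreeBSD-style `ifconfig` excerpt, classifies where a server config's `local` line points (on the assumption that pfSense emits `local <address>` for the Interface chosen in the OpenVPN server settings), generates the client `remote` lines for options 1 and 2, and counts the TLS handshake timeouts in a constructed copy of the log. All addresses, configs and log lines are constructed for the example.

```python
# Added example, not code from the thread or from pfSense/OpenVPN: small
# checks for the situation discussed above. Addresses, the ifconfig excerpt,
# the config snippets and the log lines are all constructed for the example.
import re
from typing import Dict, Iterable, List, Optional

# Constructed excerpt in the style of FreeBSD `ifconfig` on a pfSense node.
# A CARP virtual IP shows up as an `inet` line that carries a `vhid`.
IFCONFIG_SAMPLE = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
\tinet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
\tinet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 0
"""

# Constructed OpenVPN server configs. Assumption: pfSense writes a
# `local <address>` line for whatever is chosen as the server's Interface.
SERVER_CONF_WAN = "dev tun\nproto udp\nlocal 203.0.113.11\nport 1194\n"
SERVER_CONF_VIP = "dev tun\nproto udp\nlocal 203.0.113.10\nport 1194\n"

# Constructed client log lines, same wording as the OpenVPN 2.3 client.
CLIENT_LOG = [
    "Apr 25 19:30:00: UDPv4 link remote: [AF_INET]203.0.113.10:1194",
    "Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within "
    "60 seconds (check your network connectivity)",
    "Apr 25 19:31:00: TLS Error: TLS handshake failed",
]

_VIP_RE = re.compile(r"^\s*inet\s+(\S+)\s.*\bvhid\s+(\d+)", re.M)


def carp_vips(ifconfig_text: str) -> Dict[str, int]:
    """Map each CARP virtual IP to its vhid; plain interface addresses are skipped."""
    return {ip: int(vhid) for ip, vhid in _VIP_RE.findall(ifconfig_text)}


def directive(config_text: str, name: str) -> List[List[str]]:
    """Argument lists of every occurrence of an OpenVPN directive ('#'/';' comments stripped)."""
    found = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if parts and parts[0] == name:
            found.append(parts[1:])
    return found


def check_server_binding(server_conf: str, vips: Dict[str, int]) -> str:
    """
    'vip': listens on a CARP address, so the shared IP keeps answering after
           failover (the fix Brady and Travis point at).
    'wan': listens on the node's own address; packets sent to the VIP are not
           answered from it, which shows up as the handshake timeout in the log.
    'any': no `local` line; OpenVPN binds to every address.
    """
    local = directive(server_conf, "local")
    if not local:
        return "any"
    return "vip" if local[-1][0] in vips else "wan"


def client_remotes(vip: Optional[str], wan_ips: Iterable[str], port: int = 1194) -> List[str]:
    """
    Client `remote` lines for the two reconnect-based options: one line for the
    CARP VIP (option 2), or one per node (option 1), which OpenVPN tries in
    order when the first does not answer. Either way a failover means a reconnect.
    """
    targets = [vip] if vip else list(wan_ips)
    return [f"remote {t} {port} udp" for t in targets]


def handshake_timeouts(log_lines: Iterable[str]) -> int:
    """Count the client-side TLS timeouts that mean nobody answered on that address."""
    return sum("TLS key negotiation failed to occur within" in line for line in log_lines)


if __name__ == "__main__":
    vips = carp_vips(IFCONFIG_SAMPLE)
    print("CARP VIPs:", vips)
    print("server bound to WAN address ->", check_server_binding(SERVER_CONF_WAN, vips))
    print("server bound to CARP VIP    ->", check_server_binding(SERVER_CONF_VIP, vips))
    print("\n".join(client_remotes("203.0.113.10", [])))
    print("timeouts in client log:", handshake_timeouts(CLIENT_LOG))
```

Run as-is it reports on the constructed data; on a real pair, feed `carp_vips` the output of `ifconfig` on the node and `check_server_binding` the server config pfSense generated, and expect `vip`. A `wan` result is exactly the Interface setting the thread ends on.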

Re: [pfSense] Cisco VPN

2016-04-25 Thread user49b

Hi

I've got a terminal server that I use for VPN.
I can create the connection and I do receive a 172.x.x.x IP.
The connection then stays active for about 5 to 10 seconds, but I cannot 
send or receive any data.

The connection then drops and that's it.

I currently have no firewall rules for the connection as I've tried a 
few things, but I'm not getting it to work.
I've read many googled posts, but I'm sure I'm not looking/finding 
anything meaningful.


Regards
Chris



How/when is it failing?

On Thu, Apr 21, 2016 at 10:01 AM, user49b  wrote:


Hi

Please could someone point me to some decent documentation.
I'm struggling to get an IPsec VPN connection working to a Cisco VPN server
from behind pfSense.

So I have a terminal server behind pfSense, and trying to connect to VPN
server on internet.

Regards
Chris


