Openvpn – pfSense failover and OpenVPN site-to-site

failover, openvpn, pfsense

I have two pfSense Clusters, and am trying to connect them with an OpenVPN site-to-site VPN. Initially, the client was a single pfSense system, and all was well. Now that one system is a cluster, the OpenVPN site-to-site goes down on a regular and cyclical basis with a ping restart.

After much hair-pulling, it turned out that the problem was the secondary client. The server (cluster) was configured not to allow duplicate CNs to connect.

Apparently, in a cluster, running services are mirrored. Thus, two OpenVPN servers are actually running – and two OpenVPN clients. Turning off the secondary OpenVPN client was insufficient: next pfsync, it restarts. Disconnecting the external network fixed it.

The "new" pfSense cluster (client) is v2.1.4; the "old" pfSense cluster (server) is v2.1.3.

When I turn on the Duplicate CN option on the server (v2.1.3) I get this error:

openvpn[41232]: Options error: --duplicate-cn requires --mode server

When I added mode server to the Advanced Settings section of the server, the site-to-site VPN worked.

Question is this: Is it feasible to have OpenVPN failover? Do I want both clients to be running? Will having both server (or client) nodes running OpenVPN cause troubles? I read that OpenVPN failover is not possible – but pfSense is acting like it is.

UPDATE: We're using OpenVPN for site-to-site as that was what was set up in the beginning, and using IPSec wasn't considered. It's still a possibility in the future.

We have this now:

M1 -+         +- Q1
    |         |
    +---inet--+
    |         |
M2 -+         +- Q2

Before M2 was brought up, the OpenVPN to Q1/Q2 worked fine.

It's been trouble since. I've heard that OpenVPN doesn't handle failover – and also that mixing IPsec and OpenVPN on the same pfSense system is a bad idea. If I could phase in IPsec I'll bet that would improve matters. (I control all four endpoints by the way.)

UPDATE 2: Tried enabling "Duplicate Connections" … that turned out to actually shut down the link invisibly (everything appeared normal). Disabling that made things flow again. What am I missing?

Best Answer

Nothing wrong with mixing IPsec and OpenVPN, nor is there a problem doing OpenVPN with HA. When using OpenVPN client instances on an HA pair, you must bind them to a CARP IP so they only run when CARP has master status.
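The answer's rule (an OpenVPN client on an HA pair belongs only on the node that is CARP MASTER for the VIP it is bound to) can be checked from a shell on each node. The script below is an added example, not code from the question, the answer, or the pfSense project. The ifconfig text it parses is constructed to resemble FreeBSD/pfSense output, and the interface names, addresses and VHIDs in it are assumptions; on a real node you would feed it the output of `ifconfig` and the VIP your client instance is bound to.

```shell
#!/bin/sh
# Added example (not from the thread above): decide whether an OpenVPN client
# instance bound to a CARP VIP should be running on this node, and flag the
# two failure modes from the question: a client running on the BACKUP node
# (second connection with the same CN) and a client bound to an address that
# is not a CARP VIP at all (no failover behaviour).
#
# SAMPLE_IFCONFIG is constructed to look like FreeBSD/pfSense ifconfig output;
# every interface, address and vhid value here is an assumption.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
	inet 203.0.113.12 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 2
	carp: BACKUP vhid 2 advbase 1 advskew 100'

# carp_state IFCONFIG_TEXT VHID -> prints MASTER, BACKUP, INIT, or UNKNOWN
carp_state() {
    printf '%s\n' "$1" | awk -v vhid="$2" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# vip_vhid IFCONFIG_TEXT ADDRESS -> prints the vhid of that address, or nothing
# when the address is a plain interface address rather than a CARP VIP
vip_vhid() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        $1 == "inet" && $2 == addr {
            for (i = 1; i <= NF; i++) if ($i == "vhid") { print $(i + 1); exit }
        }'
}

# client_should_run IFCONFIG_TEXT VIP
#   exit 0: this node is MASTER for the VIP, the client belongs here
#   exit 1: this node is not MASTER, the client must stay idle
#   exit 2: the address is not a CARP VIP, so binding to it gives no failover
client_should_run() {
    vhid=$(vip_vhid "$1" "$2")
    [ -n "$vhid" ] || return 2
    [ "$(carp_state "$1" "$vhid")" = MASTER ]
}

# check_instance IFCONFIG_TEXT VIP CLIENT_RUNNING(yes|no) -> one-line verdict
check_instance() {
    rc=0
    client_should_run "$1" "$2" || rc=$?
    case $rc in
        0) [ "$3" = yes ] && echo "ok: MASTER for $2, client running" \
                          || echo "problem: MASTER for $2 but client not running" ;;
        1) [ "$3" = yes ] && echo "problem: BACKUP for $2 but client running (duplicate CN risk)" \
                          || echo "ok: BACKUP for $2, client idle" ;;
        *) echo "problem: $2 is not a CARP VIP on this node" ;;
    esac
}

# Walk the constructed sample: one healthy instance, one duplicate, one misbound.
check_instance "$SAMPLE_IFCONFIG" 203.0.113.12 yes
check_instance "$SAMPLE_IFCONFIG" 10.0.0.1 yes
check_instance "$SAMPLE_IFCONFIG" 192.0.2.1 no
```

Run it on both nodes with the real `ifconfig` output and the VIP from the client instance's Interface setting; a "BACKUP ... but client running" verdict on the secondary is exactly the condition that produced the duplicate-CN disconnects described in the question.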