Hello all. I'm sorry to say, but I am a complete novice at this, so please bear with me. I am an MSP who's taken over a client that utilizes PFSense for their router and OpenVPN for their site to site VPN. So far everything has worked without issue, however I now am having to make a change, and it is not going as smoothly as I had hoped it would.
My client purchased a TMOBILE 5G Hotspot with unlimited data which they would like to utilize as their primary ISP, and continue to use their old ISP as a failover. The client utilizes site to site VPNs for data transfer, and I need to maintain this communication. I seem to be able to bring the network up under the new 5G connection, but I cannot make the VPN work. What I would like to do is create a Failover for VPN with the TMOBILE connection being the primary. When I attempt to do this however I lose VPN. I've tried just adding the Interface Group and changing what the primary was, but it did not work.
I realize this is a fairly vague post, but I'm unsure what information would be most helpful here. I am running version 2.4.4-RELEASE-p3 for the PFSENSE, based on FreeBSD 11.2-RELEASE-p10 on both sides. I've created an interface for the 5G TMOBILE hotspot and set it to DHCP. I have a server (disabled) and a client (disabled) already configured, both using shared key, both with the same encryption.
Server Side:
Mode : Peer to Peer (Shared Key)
Protocol : UDP on IPv4 only
Device Mode : tun - Layer 3 tunnel mode
Interface : (Live ISP Connection, set correctly)
Local Port : (Unique, but matches on both sides)
Description : (Location) Site to (Location) Site
Shared Key : Generated from server (then copied to client)
Algorithm : AES-256-CBC (256 bit key, 128 bit block)
Enable NCP - AES-128-GCM, AES-256-CBC (Matches on both sides)
Auth Digest : SHA512 (512-bit)
No hardware crypto
Tunnel network : 192.168.61.0/24 (unique, does not overlap other tunnels)
IPV6 : Not configured
Remote Network: 192.168.5.0/24
LZO Compression [Legacy style, comp-lzo yes]
Gateway Creation : Both
Client Side:
Mode : Peer to Peer (Shared Key)
Protocol : UDP on IPv4 only
Device Mode : tun - Layer 3 tunnel mode
Interface : TMOBILEGATEWAY
Server Host: Omitted
Local Port : (Unique, but matches on both sides)
Description : (Location) Site to (Location) Site
Shared Key : Copied from the server
Algorithm : AES-256-CBC (256 bit key, 128 bit block)
Enable NCP - AES-128-GCM, AES-256-CBC (Matches on both sides)
Auth Digest : SHA512 (512-bit)
Tunnel: 192.168.61.0/24
Remote Network : 192.168.0.0/24,192.168.2.0/24,192.168.3.0/24,192.168.4.0/24,192.168.6.0/24,192.168.16.0/20,192.168.17.0/24,192.168.32.0/20
LZO Compression [Legacy style, comp-lzo yes]
Gateway Creation : Both
PF-Sense Multi-WAN VPN Setup
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Sep 13, 2022 3:30 pm
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: PF-Sense Multi-WAN VPN Setup
WonkoTheSane wrote: Tue Sep 13, 2022 3:53 pm
> Hello all. I'm sorry to say, but I am a complete novice at this, so please bear with me. I am an MSP who's taken over a client that utilizes PFSense
And you want us to teach you how to do your job.
I believe that pfSense has a paid support portal designed to provide support to people exactly like you.
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Sep 13, 2022 3:30 pm
Re: PF-Sense Multi-WAN VPN Setup
Not trying to get anyone to "teach me how to do my job". I am trying to understand why my connection is failing despite having followed guides.
If the client had purchased a PFSense instead of building one, yes. I would happily get real support. Real support is not available.
Thanks so much for your insight.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: PF-Sense Multi-WAN VPN Setup
Hi Wonko,
Multi-WAN is generally an OS issue, not something relevant to OpenVPN. While I don't agree with the tone of what was said, in substance, it is valid: "you probably need to seek help for PFSense/BSD."
I suspect as well that part of the problem is how the T-Mobile router works. A WAG about that I can offer: see --float in the manual. Which peer has --remote, the "client"? Or both?
See also --comp-lzo, and disable that.
Hope you decide to hang around, good luck.
regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: PF-Sense Multi-WAN VPN Setup
Another thing to consider is --multihome, which allows using multiple incoming IPs. Otherwise OpenVPN would always use the same to send replies.
All this said, beware that Shared key is unsafe and not recommended.
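Pulling rob0's --float / --comp-lzo remarks and ordex's --multihome note together against the settings the OP listed, the raw OpenVPN directives the two peers would carry look like this. This is an added example, not text from any post above and not a pfSense-generated file; the WAN address, port and key paths are placeholders, and the keepalive values and the nobind reasoning are assumptions.

```conf
##### Server peer (the site on the "Live ISP Connection") -- added example
dev tun
proto udp4
port 1194                          # placeholder; must match the client's Local Port
secret /var/etc/openvpn/server1.secret   # placeholder path; shared-key mode as in the post
                                         # (ordex above: static key mode is not recommended)
ifconfig 192.168.61.1 192.168.61.2       # tunnel network 192.168.61.0/24 from the post
route 192.168.5.0 255.255.255.0          # the network behind the client peer
cipher AES-256-CBC                 # with a static key there is no NCP negotiation,
auth SHA512                        # so this cipher/auth pair is what both peers must use
keepalive 10 60                    # assumed values: detect a dead path and restart the tunnel
persist-key
persist-tun
float                              # rob0: keep accepting this peer after its source address
                                   # changes when it fails over from T-Mobile to the old ISP
multihome                          # ordex: only matters if this peer listens on more than one
                                   # WAN address; reply from the address the packet arrived on
# no comp-lzo                      # rob0: leave legacy compression off on both peers

##### Client peer (the site with the T-Mobile hotspot) -- added example
dev tun
proto udp4
remote 203.0.113.10 1194           # placeholder for the "Server Host" the OP omitted
nobind                             # assumption: do not pin the source to the 5G address;
                                   # let the OS default route (the pfSense gateway group)
                                   # choose the active WAN, which binding the client to
                                   # "Interface: TMOBILEGATEWAY" alone cannot do
secret /var/etc/openvpn/client1.secret   # same key as the server; placeholder path
ifconfig 192.168.61.2 192.168.61.1       # mirror of the server's ifconfig
route 192.168.0.0 255.255.255.0          # the Remote Networks listed in the post
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
route 192.168.4.0 255.255.255.0
route 192.168.6.0 255.255.255.0
route 192.168.16.0 255.255.240.0
route 192.168.17.0 255.255.255.0   # redundant: already inside 192.168.16.0/20 above
route 192.168.32.0 255.255.240.0
cipher AES-256-CBC
auth SHA512
keepalive 10 60
persist-key
persist-tun
```

Because only the client side initiates (it is the peer with --remote), --float is needed on the server, whose view of the client's source address is what changes on failover.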