If you’ve set up a pfSense CARP cluster for high availability and you’re running OpenVPN on it, there are a few tweaks you can make to improve your experience.

The issues:

  • OpenVPN client is unable to connect to WAN VIP…
  • …and when it does, no internet connection is available via OpenVPN.
  • You cannot reach the slave pfSense via OpenVPN.
  • OpenVPN doesn’t automatically reconnect on CARP failover.

OpenVPN client is unable to connect to WAN VIP

You need to tell your OpenVPN server what its local public IP address is. You do this with the local directive: in VPN > OpenVPN > Servers, click Edit to open your server configuration and scroll down to the Advanced Configuration section. In the Custom options field, add:

local 83.167.196.126

(…or whatever your CARP WAN virtual IP address is that your clients will be connecting to.)

No internet connection is available via OpenVPN

This is because traffic leaving the tunnel is NATed to the individual cluster member’s public IP, not to the WAN virtual IP, so return packets are addressed to that one member instead of to whichever node currently holds the VIP. As in the regular CARP setup, you need to change the outbound NAT translation address to your WAN VIP so packets will actually be able to flow back to the cluster.

Go to Firewall > NAT > Outbound. There are several ways to go about this. If you went through my PfSense High Availability article to set this up you probably already have two custom outbound NAT rules.

You need to do the same for the OpenVPN subnet as specified in VPN > OpenVPN > [your OpenVPN server] > Tunnel Settings > IPv4 Tunnel Network (mine is 192.168.2.0/24).

Find your LAN-to-WAN mapping with the custom NAT rule and click the Copy icon.

Then change the Source network from your LAN subnet to your VPN subnet. Also change the Description while you’re at it.

Do this for both custom rules.

You cannot reach the slave pfSense via OpenVPN.

The CARP cluster consists of a master and one or more slaves. Through the cluster you are (by definition) connecting to the master. Since the slaves are essentially hot spares they are not serving OpenVPN (or any other) clients, so they have no active OpenVPN routing going on: a slave receiving a packet from the OpenVPN subnet has no route back into the tunnel. The trick is to make the slave(s) send their answers to the master firewall, which does have that route. Again, this is done with an outbound NAT rule that rewrites the source of OpenVPN traffic headed for a cluster member to the LAN interface address. Because all cluster members need this rule, first create a firewall alias consisting of all cluster members’ local IP addresses.

Then from Firewall > NAT > Outbound, add a new rule.

Interface: LAN
Protocol: any
Source Network: your OpenVPN subnet as defined in VPN > OpenVPN > Servers > [your OpenVPN server] > IPv4 Tunnel Network
Destination Network: CARP_members (the alias you created), /32
Translation Address: Interface Address

There we go.

OpenVPN doesn’t automatically reconnect on CARP failover

You can tell your OpenVPN to periodically check the connection and reconnect if it’s not there. Read up on the OpenVPN keepalive directive. Basically it takes two arguments: the interval in seconds between pings, and a timeout; if no ping is answered within twice the timeout, the server restarts the connection.

You can push this directive to your clients in the Advanced Configuration section, Custom options field, in your OpenVPN server configuration.

keepalive 2 10

means: send a ping every two seconds; if no answer is received for 20 seconds then reconnect. (The doubling only applies to the server’s own timer; the ping-restart value pushed to clients is the literal 10 seconds, so clients notice a dead link and reconnect before the server gives up on them, which is what you want on failover.) Adapt this to your needs; some experimentation will probably be required.
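To check both custom options from this post (the local directive pointing at the WAN VIP, and keepalive) without clicking through the GUI, here is a small linter you can run over an exported server config. This is an added example, not code from this post, from pfSense or from OpenVPN; the config text, the VIP and the function names (parse_directives, expand_keepalive, check_carp_settings) are constructed for illustration, and the expansion rule in expand_keepalive follows the keepalive description in the OpenVPN manual.

```python
"""Lint an OpenVPN server config for the CARP-related settings discussed
above. Added example: the sample config below is constructed, not exported
from a real pfSense box."""

# Constructed sample of an exported OpenVPN server config (not real data).
SERVER_CONFIG = """\
# constructed sample config
dev ovpns1
proto udp4
server 192.168.2.0 255.255.255.0
local 83.167.196.126
keepalive 2 10
push "redirect-gateway def1"
"""


def parse_directives(config_text):
    """Return (name, args) pairs; lines starting with '#' or ';' are comments."""
    directives = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives


def expand_keepalive(interval, timeout):
    """Mirror what the OpenVPN manual says 'keepalive interval timeout' does
    on a server: its own ping-restart is doubled so the client always detects
    the dead link first; the value pushed to clients is not doubled."""
    return {
        "server": {"ping": interval, "ping-restart": 2 * timeout},
        "client": {"ping": interval, "ping-restart": timeout},
    }


def check_carp_settings(config_text, wan_vip):
    """Return (severity, message) findings: 'local' must name the WAN VIP,
    and a keepalive should be present so clients reconnect after failover."""
    findings = []
    options = {}
    for name, args in parse_directives(config_text):
        options.setdefault(name, []).append(args)

    local = options.get("local")
    if local is None:
        findings.append(("error", "no 'local' directive: server is not bound to the WAN VIP"))
    elif local[0] != [wan_vip]:
        findings.append(("error", f"'local' is {' '.join(local[0])}, expected WAN VIP {wan_vip}"))

    keepalive = options.get("keepalive")
    if keepalive is None:
        findings.append(("warn", "no 'keepalive': clients will not detect a CARP failover and reconnect"))
    else:
        try:
            # Unpacking also fails (ValueError) if the argument count is wrong.
            interval, timeout = (int(v) for v in keepalive[0])
        except ValueError:
            findings.append(("error", f"malformed keepalive {' '.join(keepalive[0])}"))
        else:
            exp = expand_keepalive(interval, timeout)
            findings.append(("info",
                             f"server restarts after {exp['server']['ping-restart']}s, "
                             f"clients restart after {exp['client']['ping-restart']}s"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_carp_settings(SERVER_CONFIG, "83.167.196.126"):
        print(f"[{severity}] {msg}")
```

Run it against the config you exported (Diagnostics > Command Prompt, or the client export package) with your own VIP in place of the constructed one; an "error" finding means one of the two custom options above is missing or points at the wrong address.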