OpenVPN in a pfSense CARP cluster

If you have set up a pfSense CARP cluster for high availability and you are running OpenVPN on it, there are a few tweaks you can make to improve your experience.

The issues:

  • OpenVPN client is unable to connect to WAN VIP…
  • …and when it does, no internet connection is available via OpenVPN.
  • You cannot reach the slave pfSense via OpenVPN.
  • OpenVPN doesn’t automatically reconnect on CARP failover.

OpenVPN client is unable to connect to WAN VIP

You need to tell your OpenVPN server which local address to listen on: the CARP WAN virtual IP rather than the node’s own WAN address, so that the listening socket follows the VIP to whichever node is currently master. You do this with the local directive: in VPN > OpenVPN > Servers, click Edit to open your server configuration and scroll down to the Advanced Configuration section. In the Custom options field, add:


(…or whatever the CARP WAN virtual IP address is that your clients connect to.) Selecting the CARP VIP in the server’s Interface drop-down has the same effect. After saving, confirm from the pfSense shell (sockstat) that the OpenVPN process is bound to the VIP and not to the node’s own WAN address.

No internet connection is available via OpenVPN

This is because the VPN traffic is not translated to the WAN virtual IP. With the manual outbound NAT that a CARP cluster needs, the tunnel network has no rule of its own, so its traffic leaves untranslated or with the individual node’s WAN address. Just as for the LAN in the regular CARP setup, you need an outbound NAT rule that translates the tunnel network to the WAN VIP, so that replies come back to whichever node currently holds the VIP.

Go to Firewall > NAT > Outbound. There are several ways to go about this. If you went through my pfSense High Availability article to set this up, you probably already have two outbound NAT rules:

You need to do the same for the OpenVPN subnet as specified in VPN > OpenVPN > [your OpenVPN server] > Tunnel Settings > IPv4 Tunnel Network (mine is

Find your LAN-to-WAN mapping with the custom NAT rule and click the Copy icon.

Then change the Source network from your LAN subnet to your VPN subnet. Also change the Description while you’re at it.

Do this for both custom rules.

You cannot reach the slave pfSense via OpenVPN

The CARP cluster consists of a master and one or more slaves. A client connecting through the VIP is by definition connected to the master. The slaves are essentially hot spares: they serve no OpenVPN (or any other) clients, so they have no route for the tunnel network. A packet from a VPN client to a slave’s LAN address arrives with a tunnel-network source address, and the slave sends its answer towards its default gateway instead of back through the master’s tunnel. The trick is to rewrite the source of that traffic to the LAN interface address of the node the client is connected to, so the slave answers the master and the master forwards the answer into the tunnel. Again, this is done with an outbound NAT rule. Because any member can be master after a failover, every member needs this rule, so first create a firewall alias consisting of all cluster members’ local IP addresses and use it as the destination.

Then from Firewall > NAT > Outbound, add a new rule.

Interface LAN
Protocol any
Source Network: your OpenVPN subnet as defined in VPN > OpenVPN > Servers > [your openvpn here] > IPv4 Tunnel Network
Destination Network: CARP_members (the alias you created) /32
Translation Address Interface Address

There we go.
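The two NAT rules above are easy to get subtly wrong (the copied rule still translating to the node’s own WAN address, or the member rule missing on one node). The following script is an added example, not part of the original article: it parses lines in the general shape that pfctl -sn prints on pfSense and checks both conditions. The interface names (em0/em1), the tunnel network 10.8.0.0/24, the VIP 203.0.113.10, the member addresses and the sample rule lines are all constructed assumptions; the pf table <CARP_members> stands in for the alias, and the TABLES dict mirrors its contents since pfctl output does not expand tables.

```python
"""Audit pfSense outbound NAT for OpenVPN in a CARP cluster (added example).

Checks, against rules in the shape of `pfctl -sn` output:
  1. traffic from the OpenVPN tunnel network leaving WAN is translated to
     the CARP WAN VIP, not to the node's own WAN address;
  2. tunnel traffic to every cluster member's LAN address is translated to
     the LAN interface address, so a backup node answers the master.
All addresses, interface names and sample lines below are assumptions.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

WAN_IF = "em0"                                   # assumed WAN interface
LAN_IF = "em1"                                   # assumed LAN interface
WAN_VIP = ip_address("203.0.113.10")             # assumed CARP WAN VIP
TUNNEL_NET = ip_network("10.8.0.0/24")           # assumed IPv4 tunnel network
CARP_MEMBERS = {ip_address("192.168.1.2"), ip_address("192.168.1.3")}
TABLES = {"CARP_members": CARP_MEMBERS}          # mirrors the pfSense alias

# Constructed sample: master node with both VPN rules in place.
GOOD_RULES = """\
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em1 inet from 10.8.0.0/24 to <CARP_members> -> (em1) port 1024:65535
nat on em0 inet from 10.8.0.0/24 to any -> 203.0.113.10 port 1024:65535
"""

# Constructed sample: tunnel network translated to the node's own WAN
# address (203.0.113.11) and no rule for reaching the cluster members.
BAD_RULES = """\
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 10.8.0.0/24 to any -> 203.0.113.11 port 1024:65535
"""

RULE_RE = re.compile(r"^nat on (\S+) inet from (\S+) to (\S+) -> (\S+)")


@dataclass(frozen=True)
class NatRule:
    iface: str
    src: str
    dst: str
    xlat: str


def parse_rules(text):
    """Extract interface, source, destination and translation from each nat line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(NatRule(*m.groups()))
    return rules


def _covers(spec, target):
    """Does a pf src/dst spec ('any', '<table>', host or CIDR) cover target?"""
    if spec == "any":
        return True
    if spec.startswith("<"):                     # pf table, i.e. a pfSense alias
        return isinstance(target, IPv4Address) and target in TABLES.get(spec.strip("<>"), set())
    net = ip_network(spec, strict=False)
    if isinstance(target, IPv4Network):
        return target.subnet_of(net)
    return target in net


def check_internet(rules):
    """Tunnel traffic on WAN must be translated to the WAN VIP."""
    findings = []
    wan = [r for r in rules if r.iface == WAN_IF and _covers(r.src, TUNNEL_NET)]
    if not wan:
        findings.append("no outbound NAT rule on WAN covers the tunnel network")
    for r in wan:
        if r.xlat != str(WAN_VIP):
            findings.append(f"tunnel network is translated to {r.xlat}, not the WAN VIP {WAN_VIP}")
    return findings


def check_members(rules):
    """Tunnel traffic to each member must be translated to the LAN interface address."""
    findings = []
    ok_xlat = {f"({LAN_IF})", LAN_IF}            # pf writes interface address as (em1)
    for member in sorted(CARP_MEMBERS):
        hits = [r for r in rules
                if r.iface == LAN_IF and _covers(r.src, TUNNEL_NET) and _covers(r.dst, member)]
        if not any(r.xlat in ok_xlat for r in hits):
            findings.append(f"no LAN rule rewrites tunnel traffic to {member} to the interface address")
    return findings


def audit(text):
    """Return all findings for a pfctl -sn style rule dump; empty list means OK."""
    rules = parse_rules(text)
    return check_internet(rules) + check_members(rules)


if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit(text) or ["ok"])
```

Run it on each node (pfctl -sn > rules.txt, then feed the file to audit) after a failover test as well, since the rule must be present on whichever node is master at the time.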

OpenVPN doesn’t automatically reconnect on CARP failover

You can tell OpenVPN to periodically check the connection and reconnect if it is gone. Read up on the OpenVPN keepalive directive. It takes two arguments: the interval in seconds between pings, and the number of seconds without a reply after which the connection is restarted. On the server the timeout is doubled, while clients receive the values as written, so a client notices a dead master and reconnects before the server gives up on that client. This matters after a CARP failover: the new master has no session state for the client, so the client has to rebuild the connection, and keepalive is what triggers that.

Put this directive in the Advanced Configuration section, Custom options field, of your OpenVPN server configuration; the server then pushes the resulting ping and ping-restart settings to your clients.

keepalive 2 10

means: send a ping every two seconds; a client restarts its connection after 10 seconds without an answer, while the server drops a silent client after 20 seconds (it expands to ping 2 and ping-restart 20 on the server, and pushes ping 2 and ping-restart 10 to the clients). Adapt this to your needs; some experimentation will probably be required.


  1. ton


    I currently use pfSense with OpenVPN to build an S2S OpenVPN tunnel.

    Would it be possible to make 2 pfSense on both sides to add HA to this setup?

    Maybe you could write an article on that if the answer is too long for a single reply.

    • Kapitein Vorkbaard

      I guess that wouldn’t be a problem; however, I’m not going to write an article on that because I don’t need it myself. I don’t think you’d need to do anything exotic to make it work.

  2. tam

    Hi, I tried your suggestion of adding “local x.x.x.x” to the configuration for an OpenVPN server. However, the VPN client still can’t connect to the CARP VIP.

  3. Mikael

    Works like a charm!
    Started out with the Netgate instructions for High Availability.
    Got the NAT part right for OpenVPN, but the other part with “local” and access to both firewalls from the VIP was nice to get explained like you’ve done here.
    Thank you for this write-up, it seals the deal.
    Got a fully working High Availability solution now with working OpenVPN.
