Messages

[Setup:]

Hello everyone,

I have a problem with OpenVPN in a HA Setup.

Setup:
2x Opnsense (v25.7.3_7) as Master/Slave HA Setup using CARP
OpenVPN S2S Tunnel using Instances

The OpenVPN Tunnel is configured using the 'Depend on (CARP)' setting.
During CARP Failover the configuration works fine. Master and Slave start/stop the client depending on their CARP Status.

But during a manual 'Synchronize and reconfigure all' under 'System -> High Availability -> Status' the OpenVPN client on the slave is started even thought he is not the CARP Master at the time.

This is leads to both Master and Slave trying to connect to the server stealing each others connection until I manually stop the client.

Using Cron to trigger 'Synchronize and reconfigure all' doesn't have this effect only the manual sync.

~Marius

Like @viragomann said, we change the configuration on the pfSense side.
We are now using a large Tunnel network and added a client spicific overrider for our opnsense to handle routing.
Addionally we had to deactivate OpenVPN compression on pfSense side which is deprecated anyway and it seems like not supported by Instances on OPNsense side.

Hello everyone,

We are currently migrating a pfSense infrastructure to OPNsense but ran into some problems with OpenVPN.

We have an OpenVPN server running in P2P mode with a /30 tunnel network on pfSense.
As client we are trying to connect an OPNsense.
Using the 'Client (Legacy)' method we got the tunnel working.
But trying to migrate to the new Instance method didn't work out.

While using the Instance the tunnel gets established and OPNsense shows the tunnel als connected.
But OPNsense dosen't assign an IP from the /30 network to it's tunnel interface.

Normally the OpenVPN server does assign an IP adress to the client when he connects. Atleast when using a bigger subnet.
However since our server is running in P2P mode (/30 subnet) no IP address gets assigned to the client.
So we have a client waiting to get an IP address and a server who doesn't assign them.

Comparing the configurations files from 'Client (Legacy)' and Instance there was 1 crucial settings missing.

ifconfig 10.0.0.2 10.0.0.1

Which assigns the first IP to the tunnel interface and uses the second IP as gateway.
This is achieved by setting the Tunnel Network in the 'Client (Legacy)' Configuration to 10.0.0.0/30.

Adding this settings manually to the Instance configuration file solved our problem but we didn't find a way to set this using the GUI.

Did we miss something or is this setup not possible while using Instances?

Best Regards
Marius

Today I updated our Master to 25.

First critical point was an update circle 24.7 -> 25.1 -> 24.7

I already had this behaviour on an other opnsense and fixed it:

If you enter at console pkg update you will see a segmentation fault.
Then you need:

Code Select Expand

pkg boostrap -fAfter this the update works as expected.

Ok, back to the problem:
In the GUI one OpenVPN server is marked red and it is not possible to start it.
In the log you can read ... device is busy

Solution was to kill the running openvpn task on the CLI.
Then it was possible to start the server in the GUI.

Thank you!

HAProxy 3.0.8 is starting via the GUI

Also with an update to 25.1.2 HA Proxy is not starting automatically or via GUI.

I need a solution, or I have to go back to 24.7.

Hi,

I'm not sure if it is a 25.1.1 problem, but with 24.7.12 this problem does not occure.

I updated the 'slave' to 25.1.1 and switched over from 'master' (24.7.11, before I syncronised the config)
Then I got infos that an internal web service was not reachable anymore.

HAProxy on 'slave' was not running.
I try to start it via web-gui -> no success
But also no warnings with the current date in the web-gui log.

Strange thing:
If I start HA proxy via CLI:

Code Select Expand

/usr/local/sbin/haproxy -f /usr/local/etc/haproxy.conf -dIt starts without any problems.
Also the state in the gui is green and I can stop it via gui, but I can still not start it again via gui.

The only thing what I can see in the gui log, when I try to start it via gui are the results of the health checks.
So it try to start.
But ... the logs in the gui have the level 'NOTICE' and in the end, the service is not running.

2025-02-19T09:23:01   Notice   haproxy   Health check for backup server isp-web-dmz-1_crm_backend/isp-web-dmz-1m succeeded, reason: Layer7 check passed, code: 200, check duration: 189ms, status: 3/3 UP.   
2025-02-19T09:23:00   Notice   haproxy   Health check for server isp-web-dmz-1_crm_backend/isp-web-dmz-1 succeeded, reason: Layer7 check passed, code: 200, check duration: 98ms, status: 3/3 UP.   
2025-02-19T09:22:59   Notice   haproxy   Health check for backup server isp-web-int-1_backend/isp-web-int-1m succeeded, reason: Layer7 check passed, code: 200, check duration: 89ms, status: 3/3 UP.   
2025-02-19T09:22:59   Notice   haproxy   Health check for server isp-web-int-1_backend/isp-web-int-1 succeeded, reason: Layer7 check passed, code: 200, check duration: 83ms, status: 3/3 UP.   
2025-02-19T09:22:58   Notice   haproxy   Health check for backup server isp-web-dmz-1_backend/isp-web-dmz-1m succeeded, reason: Layer7 check passed, code: 200, check duration: 226ms, status: 3/3 UP.   
2025-02-19T09:22:57   Notice   haproxy   Health check for server isp-web-dmz-1_backend/isp-web-dmz-1 succeeded, reason: Layer7 check passed, code: 200, check duration: 103ms, status: 3/3 UP.

If I start it via CLI I get the health checks with level 'WARNING'.

root@OPNsenseSlave:~ # /usr/local/sbin/haproxy -f /usr/local/etc/haproxy.conf -d
Note: setting global.maxconn to 353117.
Available polling systems :
    kqueue : pref=300,  test result OK
      poll : pref=200,  test result OK
    select : pref=150,  test result FAILED
Total: 3 (2 usable), will use kqueue.

Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace
Using kqueue() as the polling mechanism.
[WARNING]  (21747) : Health check for server isp-web-dmz-1_backend/isp-web-dmz-1 succeeded, reason: Layer7 check passed, code: 200, check duration: 103ms, status: 3/3 UP.
[WARNING]  (21747) : Health check for backup server isp-web-dmz-1_backend/isp-web-dmz-1m succeeded, reason: Layer7 check passed, code: 200, check duration: 226ms, status: 3/3 UP.
[WARNING]  (21747) : Health check for server isp-web-int-1_backend/isp-web-int-1 succeeded, reason: Layer7 check passed, code: 200, check duration: 83ms, status: 3/3 UP.
[WARNING]  (21747) : Health check for backup server isp-web-int-1_backend/isp-web-int-1m succeeded, reason: Layer7 check passed, code: 200, check duration: 89ms, status: 3/3 UP.
[WARNING]  (21747) : Health check for server isp-web-dmz-1_crm_backend/isp-web-dmz-1 succeeded, reason: Layer7 check passed, code: 200, check duration: 98ms, status: 3/3 UP.
[WARNING]  (21747) : Health check for backup server isp-web-dmz-1_crm_backend/isp-web-dmz-1m succeeded, reason: Layer7 check passed, code: 200, check duration: 189ms, status: 3/3 UP.
0000000c:GLOBAL.accept(0009)=000e from [unix:1] ALPN=<none>
0000000c:GLOBAL.clicls[000e:ffff]
0000000c:GLOBAL.srvcls[000e:ffff]
0000000c:GLOBAL.closed[000e:ffff]

What happens?

Any ideas?

In my opinion it is a bug.

The functionality is not as written.

Your hint gives a workaround. (Thanks for this)

Hi,

I added a rule where I want to block external access to the 'local' WAN addresses of a CARP system.

It looks like:

Block IPv4 * ! WAN net, LAN net * WAN_LocalAdresses * * *

I thought that then access from WAN net and LAN net is allowed.
But a ping in the shell from 'master' to 'slave' WAN address is then not possible

It does not work with multiple selected nets.

I had to remove the LAN net to make it work.

Is there a bug in the logic?
Is not the complete result is inverted?

Best regards

Ich habe nun beides mit drin, geht aber auch nicht.

Ich bin gerade über das gleiche Problem gestolpert.

Leider zeigt ein zusätzliches !github.com keinen Effekt.

OPNsense 24.7.5

Hat da jemand eine Idee dazu?

Yes, but pressing a button is not the solution.

Maybe you don't have to change anything. A working and running configuration.

The master refreshes the certs.
The old ones are outdated.

Now it happens. CARP is switching over and all HA with offloading results in a cert error.

There should be a 'schedule' in System, where you can include a sync job with restarting services.
(in my opinion)

Or an addition to the ACME job:
Sync the certs and restart all jobs which can be affected by the certs when one of the certs is renewed.

Hi,

today I did an update of our 2 OPNsense firewalls.
Update 'slave' no problem.
'Master' entering Persistent CARP Maintenance Mode -> colleagues noted that some webpages tells:
outdateded cert.

The certs are synchronized and the latest version were available on the 'slave'.
But the HA-Proxy on the 'slave' did never a restart to activate the new certs.
I had to restart the HA-Proxy on the 'slave' manually to activate the latest synchronized certs.

Is there a way to avoid this problem?

I only update the ACME certs on the 'master'.

Best regards,

Bernd

Hi,

I tried this with monit, but this is not possible.

I need to know when the address of the WAN interface changed.
Monit does only check in intervals and so it is not possible to detect the change.

Here in the forum were several same questions, but no solution.

Any hint?

Best regards.

You saved my day!

I had to add the PFSYNC interface, which is used for the High Availability, to the allowed interfaces for the Web-
GUI.

But we used the HA sync since ages with no problems in the same configuration.

Anyway,

thank you for this hint.