Bug #15347

closed

OpenVPN Multiple WAN Asymmetric Routing

Added by Timo M about 2 months ago. Updated about 2 months ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

Using OpenVPN in a multi-WAN / failover environment (an OpenVPN interface has been created and is used by the OpenVPN server). WAN1 is Tier 1 and WAN2 is Tier 2. To be able to access the OpenVPN server through both WAN1 and WAN2, I used the port forward method to bind the OpenVPN server to localhost and forward traffic from both WAN1 and WAN2 to it, as described in the documentation:

https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards

FreeRADIUS is used as the authentication backend for OpenVPN (to be able to use 2FA). When connecting through WAN2 (which is on Tier 2), traffic appears to exit back out WAN1 after the RADIUS authentication completes, leading to asymmetric routing. I see the following in the logs from FreeRADIUS:

(0) Login OK: [user_id] (from client pfsenseclient port 1194 cli *WAN1_IP* :1194)

I can confirm that the connection to the OpenVPN server was indeed made through WAN2 by looking at firewall states / traffic. Is this a bug, or is this configuration (OpenVPN server with FreeRADIUS authentication) not supported (e.g. the reply-to functionality does not work properly)? Thanks in advance.

Actions #1

Updated by Timo M about 2 months ago

Forgot to mention, I see this behavior on pfSense Plus 23.09.1.

Actions #2

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Not a Bug

The RADIUS authentication is a separate request that is unrelated to the incoming VPN connection at a packet level. It's the OS itself calling out to the RADIUS server, which will follow the routing table to reach the target server. That has nothing to do with the client traffic and what happens to it before/after authentication.

This site is not for support or diagnostic discussion.

For assistance in solving problems, please post on the Netgate Forum.

See Reporting Issues with pfSense Software for more information.
