Project

General

Profile

Actions

Bug #15347

closed

OpenVPN Multiple WAN Asymmetric Routing

Added by Timo M 8 months ago. Updated 8 months ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Using OpenVPN in multi-wan / failover environment (a OpenVPN interface has been created and is used by the OpenVPN server). WAN1 is Tier 1 and WAN2 is Tier 2. To be able to access OpenVPN server through both WAN1 and WAN2, I used the port forward method to bind the OpenVPN server to localhost and forward traffic from both WAN1 and WAN2 to it as described in the documentation:

https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html#bind-to-localhost-and-setup-port-forwards

FreeRADIUS is used as the authentication backend for OpenVPN (to be able to use 2FA). When connecting through WAN2 (which is on Tier 2) traffic appears to exit back out WAN1 after the RADIUS authentication completes leading to asymmetric routing. I see the following in the logs from FreeRADIUS:

(0) Login OK: [user_id] (from client pfsenseclient port 1194 cli *WAN1_IP* :1194)

I can confirm that the connection to the OpenVPN server was indeed made through WAN2 by looking firewall states / traffic. Is this a bug, or is thus configuration (OpenVPN server with FreeRADIUS authentication) not supported (e.g. the reply-to functionality does not work properly)? Thanks in advance.

Actions

Also available in: Atom PDF