Bug #3266

closed

Synchronize OpenVPN + Site-Site = Fail

Added by Harry Coin over 10 years ago. Updated over 10 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 10/13/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.1
Affected Plus Version:
Affected Architecture: All

Description

The 'Synchronize OpenVPN' HA checkbox prevents site-site OpenVPN from working in primary/backup setups. Two enabled clients trying to provide routes to the same subnet to two enabled servers on the same far subnet with identical settings creates intermittency and routing confusion.

Next, the 'Disable this server' and 'Disable this client' buttons should be forced 'ON' when HA Sync / copying connections from the primary to backup boxes.

Those two small changes would allow for the user creation of scripts that would bring the backup OpenVPN instances online when a CARP VIP changes to Master from Backup and off when changing to Backup from Master.

Best would be if pfSense would allow in the OpenVPN client and server setup GUI the option to specify a CARP VIP and set whether the OpenVPN instance is enabled or disabled based on whether the specified CARP VIP is master or backup.

Of course 'most best' would be to allow all instances to be 'up and running' all the time, with the server side tied to a CARP VIP on the WAN, two boxes acting as clients to the same subnet up and running on the far side and all four to not clash. Yeah, good luck with that. Watch the pfsync traffic explode as four boxes think they've got routes and active states to and from the same place for the same subnet. If that's possible the checkbox 'Duplicate Connections' should be forced 'on' on server setups when the 'Synchronize OpenVPN' is checked.

Better I think to bring the OpenVPN instances up and down when the CARP VIPs go up and down.
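
The decision logic such a user script would need, as an added example that is not part of the original report and is not pfSense code. It assumes the FreeBSD `ifconfig` line format `carp: STATE vhid N ...`; the function names and the sample output are constructed, and the actual start/stop commands are left to the caller.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Decides whether a site-to-site
# OpenVPN instance should run on this node from the CARP state of one VIP.

# carp_state VHID: read `ifconfig` output on stdin and print the state
# (MASTER, BACKUP, INIT) of that vhid, or UNKNOWN if the vhid is absent.
carp_state() {
    awk -v vhid="$1" '
        $1 == "carp:" {
            for (i = 3; i < NF; i++)
                if ($i == "vhid" && $(i + 1) == vhid) {
                    print $2; found = 1; exit
                }
        }
        END { if (!found) print "UNKNOWN" }
    '
}

# desired_action STATE RUNNING: print start, stop or none.
# RUNNING is "yes" or "no". Only MASTER may run the instance; any other
# state (BACKUP, INIT, UNKNOWN) stops it, so a node whose CARP state cannot
# be read never competes with its peer for the same routes.
desired_action() {
    case "$1:$2" in
        MASTER:no)  echo start ;;
        MASTER:yes) echo none ;;
        *:yes)      echo stop ;;
        *)          echo none ;;
    esac
}

# Constructed sample of ifconfig output (documentation addresses).
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	inet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
	inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
	carp: BACKUP vhid 2 advbase 1 advskew 100
EOF
}

# Demo: the WAN VIP (vhid 1) is MASTER and the instance is not running.
state=$(sample_ifconfig | carp_state 1)
echo "vhid 1 is $state -> $(desired_action "$state" no)"
```

On a live node the input would come from `ifconfig | carp_state <vhid>`, run on each CARP transition, with the printed action mapped to whatever command starts or stops that OpenVPN instance.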
