{"id":452,"date":"2016-07-08T22:58:57","date_gmt":"2016-07-09T01:58:57","guid":{"rendered":"http:\/\/wordpress.jpcorp.eti.br\/?p=452"},"modified":"2021-12-26T12:31:17","modified_gmt":"2021-12-26T15:31:17","slug":"pfsense-openvpn-server-com-multi-wan","status":"publish","type":"post","link":"https:\/\/wordpress.jpcorp.eti.br\/?p=452","title":{"rendered":"pfSense – OpenVPN Server com Multi-Wan"},"content":{"rendered":"

Quem nunca teve este cen\u00e1rio: uma Matriz com dois links que fecha VPN com as Filiais.<\/p>\n

O mundo ideal \u00e9 ter ativo a redund\u00e2ncia para automatizar a troca em caso de uma indisponibilidade no link principal e minimizar o tempo de downtime do servi\u00e7o. Objetivo aqui n\u00e3o \u00e9 criar os confs todo da VPN e sim direcionar os pontos pertinentes para que funcione a Multi-Wan no OpenVPN Server, a homologa\u00e7\u00e3o destas configura\u00e7\u00f5es foram feitas no pfSense 2.3.<\/p>\n

1 - Cen\u00e1rio<\/h3>\n

\"OPENVPN-MULTIWAN\"<\/a>2 - NAT<\/h3>\n

Essa configura\u00e7\u00e3o \u00e9 uma das principais, pois iremos direcionar toda entrada na porta 1194 em ambos links para 127.0.0.1:1194, ou seja, a loopback firewall:<\/p>\n

<\/a>3 - OpenVPN Server<\/h3>\n

Na interface ao inv\u00e9s de setar a interface WAN1 ou WAN2 setamos a Localhost (127.0.0.1) e a porta utilizada, pois acima fizemos o NAT das duas interfaces direcionando a Localhost:<\/p>\n

\"openvpn1\"<\/a>Abaixo o direcionamento da rota:<\/p>\n

\"openvpn2\"<\/a>E por fim na parte do Server o Client Specific Override:<\/p>\n

\"openvpn3\"<\/a>4 - OpenVPN Client<\/h3>\n

No client so devemos acrescentar em \"Custom options\" o par\u00e2metro \"remote\" com o link secund\u00e1rio:<\/p>\n

\"openvpn4\"<\/a> \"openvpn5\"<\/a>5 - Confs gerados<\/h3>\n

server.conf<\/p>\n

dev ovpns1\r\nverb 1\r\ndev-type tun\r\ntun-ipv6\r\ndev-node \/dev\/tun1\r\nwritepid \/var\/run\/openvpn_server1.pid\r\n#user nobody\r\n#group nobody\r\nscript-security 3\r\ndaemon\r\nkeepalive 10 60\r\nping-timer-rem\r\npersist-tun\r\npersist-key\r\nproto udp\r\ncipher BF-CBC\r\nauth SHA1\r\nup \/usr\/local\/sbin\/ovpn-linkup\r\ndown \/usr\/local\/sbin\/ovpn-linkdown\r\nlocal 127.0.0.1\r\ntls-server\r\nserver 10.10.10.0 255.255.255.0\r\nclient-config-dir \/var\/etc\/openvpn-csc\/server1\r\nifconfig 10.10.10.1 10.10.10.2\r\nlport 1194\r\nmanagement \/var\/etc\/openvpn\/server1.sock unix\r\npush \"route 192.168.20.0 255.255.255.0\"\r\nca \/var\/etc\/openvpn\/server1.ca\r\ncert \/var\/etc\/openvpn\/server1.cert\r\nkey \/var\/etc\/openvpn\/server1.key\r\ndh \/etc\/dh-parameters.1024\r\ncomp-lzo adaptive\r\ntopology subnet\r\nroute 192.168.30.0 255.255.255.0<\/pre>\n
client.conf<\/p>\n
dev ovpnc1\r\nverb 1\r\ndev-type tun\r\ntun-ipv6\r\ndev-node \/dev\/tun1\r\nwritepid \/var\/run\/openvpn_client1.pid\r\n#user nobody\r\n#group nobody\r\nscript-security 3\r\ndaemon\r\nkeepalive 10 60\r\nping-timer-rem\r\npersist-tun\r\npersist-key\r\nproto udp\r\ncipher BF-CBC\r\nauth SHA1\r\nup \/usr\/local\/sbin\/ovpn-linkup\r\ndown \/usr\/local\/sbin\/ovpn-linkdown\r\nlocal 192.168.1.123\r\ntls-client\r\nclient\r\nlport 0\r\nmanagement \/var\/etc\/openvpn\/client1.sock unix\r\nremote 192.168.1.121 1194\r\nca \/var\/etc\/openvpn\/client1.ca\r\ncert \/var\/etc\/openvpn\/client1.cert\r\nkey \/var\/etc\/openvpn\/client1.key\r\ncomp-lzo adaptive\r\nresolv-retry infinite\r\nremote 192.168.1.200 1194<\/pre>\n
6 - Documenta\u00e7\u00e3o refer\u00eancias<\/h3>\n
OpenVPN - https:\/\/openvpn.net\/index.php\/open-source\/documentation\/howto.html#loadbalance<\/a><\/p>\n
\n
Implementing a load-balancing\/failover configuration<\/p>\n
Client<\/strong>
\nThe OpenVPN client configuration can refer to multiple servers for load balancing and failover. For example:<\/p>\n
remote server1.mydomain
\nremote server2.mydomain
\nremote server3.mydomain<\/p>\n
will direct the OpenVPN client to attempt a connection with server1, server2, and server3 in that order. If an existing connection is broken, the OpenVPN client will retry the most recently connected server, and if that fails, will move on to the next server in the list. You can also direct the OpenVPN client to randomize its server list on startup, so that the client load will be probabilistically spread across the server pool.<\/p>\n
remote-random<\/p>\n
If you would also like DNS resolution failures to cause the OpenVPN client to move to the next server in the list, add the following:<\/p>\n
resolv-retry 60<\/p>\n
The 60 parameter tells the OpenVPN client to try resolving each remote DNS name for 60 seconds before moving on to the next server in the list.<\/p>\n
The server list can also refer to multiple OpenVPN server daemons running on the same machine, each listening for connections on a different port, for example:<\/p>\n
remote smp-server1.mydomain 8000
\nremote smp-server1.mydomain 8001
\nremote smp-server2.mydomain 8000
\nremote smp-server2.mydomain 8001<\/p>\n
If your servers are multi-processor machines, running multiple OpenVPN daemons on each server can be advantageous from a performance standpoint.<\/p>\n
OpenVPN also supports the remote directive referring to a DNS name which has multiple A records in the zone configuration for the domain. In this case, the OpenVPN client will randomly choose one of the A records every time the domain is resolved.<\/p>\n
Server<\/strong>
\nThe simplest approach to a load-balanced\/failover configuration on the server is to use equivalent configuration files on each server in the cluster, except use a different virtual IP address pool for each server. For example:<\/p>\n
server1
\nserver 10.8.0.0 255.255.255.0
\nserver2
\nserver 10.8.1.0 255.255.255.0
\nserver3
\nserver 10.8.2.0 255.255.255.0<\/p><\/blockquote>\n
pfSense - https:\/\/doc.pfsense.org\/index.php\/Multi-WAN_OpenVPN<\/p>\n
\n
OpenVPN Configuration<\/strong>
\nFirst, get OpenVPN working as desired on the primary WAN interface. Once it is properly functioning, make a backup just in case.<\/p>\n
Bind to Localhost and Setup Port Forwards<\/strong>
\nThe OpenVPN configuration needs to be adjusted so it can be reached from either WAN. The simplest way to do this is by changing the Interface on the VPN connection to be Localhost, and then adding a port forward on each WAN to redirect the OpenVPN port to Localhost (127.0.0.1).<\/p>\n
For example: If there are two WANs and the OpenVPN server is running on port 1194, set the Interface to Localhost, then add two port forwards:<\/p>\n
WAN1 - UDP, Source *, Destination WAN1 Address port 1194, redirect target 127.0.0.1 port 1194
\nWAN2 - UDP, Source *, Destination WAN2 Address port 1194, redirect target 127.0.0.1 port 1194<\/p>\n
Configure Clients<\/strong>
\nClients may be configured to use the second WAN by adding a second remote statement to their configuration, such as:<\/p>\n
remote x.x.x.x 1194 udp<\/p>\n
Where x.x.x.x is the second WAN IP address or host name.<\/p>\n
This process can be automated by using the OpenVPN Client Export package. When exporting a client, in Host Name Resolution choose one of:<\/p>\n
Automagic Multi-WAN IPs (port forward targets): Adds a remote statement for each port forward found targeting the interface binding and port used by this VPN, uses the IP address of each WAN as-is.
\nAutomagic Multi-WAN DDNS Hostnames (port forward targets): Like above, but uses the first located Dynamic DNS hostname for a given WAN. If the WAN is a private IP, this may be the better choice.<\/p>\n
More than two WAN connections<\/strong>
\nThe same steps can be repeated to add more WAN connections. Add a port forward to any additional WAN. Clients will need an updated configuration file if another WAN is added later.<\/p><\/blockquote>\n
Aproveitar e documentar fixa\u00e7\u00e3o IP no tunel:<\/p>\n
\n
\n\n\n\n
Now place special configuration files in the ccd<\/strong> subdirectory to define the fixed IP address for each non-Employee VPN client.<\/p>\n
ccd\/sysadmin1<\/p>\n
\n
ifconfig-push 10.8.1.1 10.8.1.2<\/p>\n<\/blockquote>\n
ccd\/contractor1<\/p>\n
\n
ifconfig-push 10.8.2.1 10.8.2.2<\/p>\n<\/blockquote>\n
ccd\/contractor2<\/p>\n
\n
ifconfig-push 10.8.2.5 10.8.2.6<\/p>\n<\/blockquote>\n
Each pair of ifconfig-push<\/strong> addresses represent the virtual client and server IP endpoints. They must be taken from successive \/30 subnets in order to be compatible with Windows clients and the TAP-Windows driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
\n
[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]\r\n[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]\r\n[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]\r\n[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]\r\n[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]\r\n[101,102] [105,106] [109,110] [113,114] [117,118]\r\n[121,122] [125,126] [129,130] [133,134] [137,138]\r\n[141,142] [145,146] [149,150] [153,154] [157,158]\r\n[161,162] [165,166] [169,170] [173,174] [177,178]\r\n[181,182] [185,186] [189,190] [193,194] [197,198]\r\n[201,202] [205,206] [209,210] [213,214] [217,218]\r\n[221,222] [225,226] [229,230] [233,234] [237,238]\r\n[241,242] [245,246] [249,250] [253,254]<\/pre>\n<\/blockquote>\n<\/blockquote>\n
\n","protected":false},"excerpt":{"rendered":"
Quem nunca teve este cen\u00e1rio: uma Matriz com dois links que fecha VPN com as Filiais. O mundo ideal \u00e9 ter ativo a redund\u00e2ncia para automatizar a troca em caso de uma indisponibilidade no link principal e minimizar o tempo de downtime do servi\u00e7o. Objetivo aqui n\u00e3o \u00e9 criar os confs todo da VPN e…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[43],"tags":[33,44],"class_list":["post-452","post","type-post","status-publish","format-standard","hentry","category-pfsense","tag-openvpn","tag-pfsense"],"_links":{"self":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts\/452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=452"}],"version-history":[{"count":11,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts\/452\/revisions"}],"predecessor-version":[{"id":479,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts\/452\/revisions\/479"}],"wp:attachment":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}