wakame 0 Posted ...

Hi, is there any rule or technical limitation preventing me from making two connections to two entry servers in two different countries from the same IP? I'm using an OPNsense firewall and I'd like to do this for downtime prevention, to access some sites from a specific country while the rest go through another, and also for the technical challenge, but every time I get the second connection up, IPv4 stops working for both, while IPv6 keeps working.

The connections are configured as two devices on the AirVPN side, each with its own client cert. I already tried using different server ports on each connection. It works if I make one connection through my cable provider and the other through LTE, so I'm not sure if it's an OPNsense problem or an AirVPN config. Thanks.
SurprisedItWorks 49 Posted ...

I have three concurrent Air connections going from my IP at this moment, actually, one OpenVPN and two WireGuard. The only catch I've come across regarding multiple connections from the same router or whatever, besides the one you noted of using separate Air devices, is that you need to make sure the local IP ranges of the VPN interfaces do not overlap. If one connection is via OpenVPN and the other is via WireGuard, you won't have a problem with this.

But as hinted at in https://airvpn.org/specs/, the IP assignment for a WireGuard interface using Air will be 10.128.X.Y/10 for some X and Y specific to the server. If you have two interfaces up simultaneously in one router or one computer with IP specs of that form, their IP ranges will overlap (completely, in fact), causing routing trouble. Per staff instructions when I first ran into this, the solution is simply to change the /10 to /32 in the IP spec in each configuration. The actual Air setup for WireGuard behind the scenes is perfectly fine with that.
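
Added example (not part of the original posts and not AirVPN's code): a Python check for the interface-range overlap described in the post above, run over constructed wg-quick-style profiles. The file names, keys and addresses are placeholders made up for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample profiles: file names, keys and addresses are made up.
OLD_PROFILES = {
    "wg-a.conf": "[Interface]\nPrivateKey = <placeholder>\n"
                 "Address = 10.128.12.34/10, fd00:aaaa::1/128\n[Peer]\nAllowedIPs = 0.0.0.0/0\n",
    "wg-b.conf": "[Interface]\nPrivateKey = <placeholder>\n"
                 "Address = 10.150.7.8/10, fd00:bbbb::1/128\n[Peer]\nAllowedIPs = 0.0.0.0/0\n",
}
# The same profiles after changing /10 to /32, as described in the thread.
FIXED_PROFILES = {name: text.replace("/10", "/32") for name, text in OLD_PROFILES.items()}


def interface_networks(conf_text):
    """Return the networks implied by the Address entries of the [Interface] section."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "interface" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "address":
                for addr in value.split(","):        # Address may list IPv4 and IPv6
                    nets.append(ipaddress.ip_interface(addr.strip()).network)
    return nets


def overlapping_profiles(profiles):
    """Return (name_a, name_b, net_a, net_b) for each pair of profiles whose ranges overlap."""
    per_profile = {name: interface_networks(text) for name, text in profiles.items()}
    found = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(per_profile.items()), 2):
        for na in nets_a:
            for nb in nets_b:
                # overlaps() raises TypeError on mixed IPv4/IPv6, so compare like with like
                if na.version == nb.version and na.overlaps(nb):
                    found.append((a, b, str(na), str(nb)))
    return found


if __name__ == "__main__":
    for label, profiles in (("old", OLD_PROFILES), ("fixed", FIXED_PROFILES)):
        hits = overlapping_profiles(profiles)
        print(label, hits if hits else "no overlapping interface ranges")
```

Both /10 addresses collapse to the same 10.128.0.0/10 network, which is why the two interfaces conflict; with /32 each interface owns only its own address.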
Staff 9972 Posted ...

17 hours ago, SurprisedItWorks said:
> the solution is simply to change the /10 to /32 in the IP spec in each configuration.

Hello!

Note that it was a Configuration Generator bug which has been fixed after you found it. Now the CG correctly compiles the profile interface with a /32 address.

Kind regards
SurprisedItWorks 49 Posted ...

Thank you, staff, for that reminder/clarification! My memory can be pretty leaky, so all help is welcome. (My original comment above would seem to apply then only to fairly old WireGuard config files.)
wakame 0 Posted ... (edited)

Oops, sorry, turns out I was misconfiguring my firewall xD If I set both OpenVPN gateways as the same group gateway tier, it goes nuts; it works with just one gateway per tier. At least most of the time... xD

SurprisedItWorks, thanks for your help. I see what you are hinting at, but my two attempted connections are OpenVPN and the two virtual IPv4 addresses are /24, so they are two different subnets, each with its own gateway. Also, I don't think I can change anything there since they are served to me by DHCP.

Now I'm happy as I can further play with my firewall toy. Thanks everybody.
wakame 0 Posted ...

On 12/6/2022 at 11:07 AM, wakame said:
> Oops, sorry, turns out I was misconfiguring my firewall xD If I set both OpenVPN gateways as the same group gateway tier, it goes nuts; it works with just one gateway per tier. At least most of the time... xD
>
> SurprisedItWorks, thanks for your help. I see what you are hinting at, but my two attempted connections are OpenVPN and the two virtual IPv4 addresses are /24, so they are two different subnets, each with its own gateway. Also, I don't think I can change anything there since they are served to me by DHCP.
>
> Now I'm happy as I can further play with my firewall toy. Thanks everybody.

Well, it wasn't the tiering either. Seems like it has something to do with the pinger daemons that check the connection status: if I configure them to ping other servers different than the gateways, it works, at least for a while, even with my gateways in the same tier, so I get some sort of load balancing. But in that scenario the pingers end up going crazy too; it's not very stable nor fast. So maybe WireGuard is the way...