My problem is that the client is rejecting some packets because they come from the wrong IP address. Destination port rules would fix the problem, but as per documentation and also experience, the rules don't work on traffic originating in the gateway itself. Is there a solution to this problem?
Have you tried this document? Go down to the bit which says "--local host". If you want to try it, assuming you are using ClearOS 5.2, the file to add the line to (without the "--") is /etc/openvpn/clients.conf. I would expect you to need to restart OpenVPN after making the change.
I put the "local IP Address" in the server configuration file, and it did not seem to make a difference after restarting the service. So I added the "float" parameter in the client configuration file, and that stopped the original problem. However, now I get the following message, "Error: local/remote TLS keys are out of sync" and then the IP address that I don't want to use.
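As an added illustration of the two directives discussed in the posts above (this is not configuration from the original thread or from ClearOS), here is how `local` on the server side and `float` on the client side fit into otherwise minimal OpenVPN configs. The addresses 203.0.113.10 and 198.51.100.20, the certificate file names and the client file name are assumed; the server file path is the one the thread names for ClearOS 5.2.

```conf
# --- /etc/openvpn/clients.conf (server side; path per the thread, contents assumed) ---
# Bind the server socket to the WAN address the clients are supposed to see.
# Without "local", OpenVPN listens on all addresses and, under multi-WAN,
# replies may be sent from whichever WAN address the kernel's route selection
# picks (e.g. 198.51.100.20), which is what the client then rejects.
local 203.0.113.10
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
verb 3

# --- client.ovpn (client side; file name assumed) ---
client
dev tun
proto udp
remote 203.0.113.10 1194
nobind
ca   ca.crt
cert client.crt
key  client.key
# "float" makes the client accept packets from a source address other than the
# one given in "remote". It hides the symptom described above (packets arriving
# from the second WAN address) but removes the source-address check, so only the
# TLS layer (and tls-auth, if configured) still ties packets to the server.
# Prefer fixing "local" on the server and leave this line commented out.
;float
persist-key
persist-tun
verb 3
```

After changing the server file, restart OpenVPN and confirm the line survived the restart, since a ClearOS init script may regenerate parts of that file, as a later post in this thread points out.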
Seems like it doesn't make a difference. Now here is another temporary problem. How do you turn multi-wan off? If I want to turn it off to make sure the multi-wan is the problem, how do you do it? Just setting the undesired interface to 1 and the other to 200 does not turn it off.
Check out this post and do the update. You will have to update your certificates as well. This may get rid of the TLS keys problem. Then perhaps you can try the "--local host" bit. When you do try it, can you check the change is still there after you restart OpenVPN? If it disappears, you may have to edit another file instead. The init script can change bits of that file on start up.
The repo was there when I looked a few minutes ago. I'm not sure how to disable Multi-WAN. Pulling the card is a bit drastic. Alternatively you could try downing the interface and quickly renaming the /etc/sysconfig/network-scripts/ifcfg-ethX file before the syswatch daemon brings the interface back up again. No promises here.
I had it easy. I have three interfaces, so I just put wrong IP settings on the interface I didn't want to use. Fortunately I don't need that interface so there's no problem. OpenVPN works fine now too.
I think the principle is this: multi-WAN works just fine, but any services for the Internet should be on a computer behind the gateway, and the gateway should be used only as a firewall and router (and proxy and Internet filter), not for services like FTP, HTTP, etc.