OpenVPN site-2-site over multiple links?
-
Hi!
We have two sites linked by an ISP via OpenVPN. All traffic from site B routes via site A (headoffice) to get to the internet (ie. default gateway def1 set on the OpenVPN client at siteB so all internet trafffic nat'd with siteA IP). And all local traffic from site B can reach the LAN at site A. Works great, no problems.
So along comes a second ISP, because sometimes the first ISP stops working for a while !
What's the best practise to have the OpenVPN link automatically fallover to ISP2 when ISP1 fails, and ideally automatically switch back again when ISP1 service resumes?
Or... perhaps even better, can one OpenVPN link just use both ISP's and somehow improve throughput? (Not really sure which solution would be best yet, but would be good to consider both if possible).
Considering both ISP links join site A&B, it would be nice is siteA's rules only need to deal with one incoming connection/IP from the remote site in it's rules, although I appreciate we could probably add an IP alias on siteA to include two remote IPs (or two remote OpenVPN links), if that's the only way to achieve such a thing.
I've read through lot's of examples for load balancing, OpenVPN multisite, etc, but haven't quite found this scenario of sharing two links with one OpenVPN connection, or something similar that would solve the task as I'm perhaps incorrectly thinking about it. Would be so grateful to be directed to some related links/examples, or for any advice.
All the best.
-
@atomitech said in OpenVPN site-2-site over multiple links?:
So along comes a second ISP, because sometimes the first ISP stops working for a while !
Which site, A or B?
Basically you can set up two of each, OpenVPN server and client, assign interfaces to them and create gateway failover groups.
This should switch over to the other connection if the first one fails and also switch back if the connection comes up again.However, it can also be solved with a single server and client, but the connection will only switch over in case of a failure.
-
@viragomann Good point... site B, the remote site, will get a 2nd ISP.
Site B currently runs as remote client, with A configured as OpenVPN server.
-
@atomitech
So you will have to connect the 2nd ISP line to an additional WAN on pfSense and create a gateway failover group. System > Routing > gateway groupsState a name for the gateway group. Set the preferred ISP as Tier 1, the other as Tier 2.
Then set the gateway group as default gateway on the Gateways tab.Nothing more to do in this case. If the primary gateway fails, pfSense will failover to the secondary and the client should automatically reconnect.
The connection will be down for a short time. If you don't wont this, you can set up a second client and bind each to a certain WAN. And create an additional gateway failover group for the VPN gateways. -
@viragomann That single OpenVPN solution sounds like what we need- I'll give that a try.
Depending on the period of downtime between switching, that seems simplest and just fine. I like to idea of having just the one OpenVPN tunnel, as hopefully that avoids needing any changes to siteA's rules.Thank you for the advice.
-
@atomitech
Not in the rules, but in the OpenVPN server settings you should make a change at A though: Check "Dynamic IP" in the "Client Settings" section.
This allows the client to change the IP address and retain the existing connection in case of a WAN failover. So the down-time should be rather short. -
@viragomann Make sense, thanks.
I've also spotted this setting on the client / siteB side that looks like it needs setting to the GW failover, instead of the WAN.OpenVPN / Client / Endpoint Configuration / Interface
I'm hoping to get the new line activated on Tuesday, and your extra tips are appreciated to save me from late-night gotchas and headaches on that day.
-
@atomitech
Yes, correct. The client has to be bound to the gateway failover group.