Netgate Discussion Forum
    How to make VPN tunnel stay on 1 gateway in a failover group

    Routing and Multi WAN
    30 Posts 2 Posters 2.5k Views
    Proton @viragomann

      @viragomann
      What about this tip:
      https://github.com/Ysurac/openmptcprouter/issues/2384

    Proton @Proton

    @Proton And another tip, using floating rules:
        https://forum.opnsense.org/index.php?topic=26315.0

    viragomann @Proton

          @Proton
          The first one is a completely different system, and the mentioned VXLAN is not supported on pfSense.

    The latter solution is just an outbound floating rule for the remote VPN endpoint with policy routing. You can also add the gateway in your rule. But it won't keep the VPN from connecting as soon as the gateway is online.
    So the VPN will be connected if tier 1 is used.

    Proton @viragomann

            @viragomann

            Now everything works as intended thanks to your help!

    Thanks a million!! 👍

    viragomann @Proton

              @Proton
    Nice. And you got it to work even with WireGuard?

    Proton @viragomann

                @viragomann said in How to make VPN tunnel stay on 1 gateway in a failover group:

                @Proton
    Nice. And you got it to work even with WireGuard?

    Yes, now I have the default gateway for IPv4 set up using a gateway group consisting of 3 tiers. I have 2 tier-2 Mullvad VPN tunnels using WireGuard for redundancy.
    I had to use a static route to open the tunnels out on my preferred gateway/interface, and I had to block the endpoint IPs on the WANs I did not want the tunnels to be on.
    No policy routing necessary.

                Thanks for all your help!
    I would not be able to solve this without your dedication and professional help!
                THX!

    Proton @viragomann

                  @viragomann

    Sadly I must say I concluded too soon :(

    It looked like it worked 100%, but when I tested today, client PCs are not getting internet when failing over to the VPN gateway.

    My guess is that I am missing a route, or I need a firewall rule.

    I am not seeing the VPN gateway marked as default gateway in the widget either.

                  Any ideas?

    viragomann @Proton

                    @Proton said in How to make VPN tunnel stay on 1 gateway in a failover group:

    It looked like it worked 100%, but when I tested today, client PCs are not getting internet when failing over to the VPN gateway.

    I am not seeing the VPN gateway marked as default gateway in the widget either.

    So what now? If the default gateway fails over to the VPN, I'd expect that the VPN is the default gateway then. (?)

    Proton @viragomann

                      @viragomann
    Now I added a FW rule to allow traffic from my WAN interface WAN1_GW to my VPN interface.

                      Now internet traffic works :)

    In my routing table I see:

                      default link#15 US 31 1420 tun_wg1

    So the default route is through my tunnel :)

    Proton @Proton
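A check for the routing state this thread arrives at (default route on the WireGuard interface, tunnel endpoint pinned by a host route to the preferred WAN gateway), added here as an example and not code from the thread or from pfSense. It parses `netstat -rn` output in the layout quoted above; the sample routes are constructed, and the endpoint 203.0.113.45, gateway 198.51.100.1 and interface igc0 are assumptions.

```shell
#!/bin/sh
# Verifies the two facts the thread relies on: the default route leaves via the
# WireGuard tunnel, and the tunnel endpoint is pinned to the preferred WAN gateway.
# Constructed sample in the FreeBSD/pfSense `netstat -rn` layout
# (Destination Gateway Flags Use Mtu Netif Expire); addresses are assumptions.
SAMPLE_ROUTES='Destination        Gateway            Flags     Use    Mtu  Netif Expire
default            link#15            US         31   1420  tun_wg1
203.0.113.45       198.51.100.1       UGHS        4   1500  igc0
198.51.100.0/24    link#1             U          12   1500  igc0
10.64.0.0/10       link#15            U           0   1420  tun_wg1'

# Netif is the last field unless a numeric Expire value follows it.
netif_field() {
    awk '{ if ($NF ~ /^[0-9]+$/) print $(NF-1); else print $NF }'
}

# Interface used by the default route (empty if there is none).
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default"' | netif_field
}

# Gateway of the host route (flag H) for one endpoint IP (empty if absent).
host_route_gw() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip && $3 ~ /H/ { print $2 }'
}

# check_pinned ROUTES ENDPOINT_IP WAN_GW TUN_IF
# Returns 0 only if the default route is on TUN_IF and ENDPOINT_IP has a host
# route via WAN_GW; otherwise reports each mismatch and returns 1.
check_pinned() {
    routes=$1; endpoint=$2; wan_gw=$3; tun_if=$4
    rc=0
    iface=$(default_iface "$routes")
    if [ "$iface" != "$tun_if" ]; then
        echo "FAIL: default route via '${iface:-none}', expected $tun_if"; rc=1
    fi
    gw=$(host_route_gw "$routes" "$endpoint")
    if [ "$gw" != "$wan_gw" ]; then
        echo "FAIL: $endpoint via '${gw:-no host route}', expected $wan_gw"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: default on $tun_if, $endpoint pinned to $wan_gw"
    return "$rc"
}

# On a live box, replace the sample with: "$(netstat -rn -f inet)"
check_pinned "$SAMPLE_ROUTES" 203.0.113.45 198.51.100.1 tun_wg1
```

If the endpoint host route is missing, traffic to the VPN endpoint follows the default route, which is exactly the case where the tunnel ends up on whichever WAN is currently tier 1.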

                        @Proton

    I just found in the Mullvad VPN docs that my VPN gateways should have "Use non-local gateway" ticked in the advanced settings.

    Not sure if I needed this or what this will do for the firewall, since I already managed to get this working.

    But in many of the docs I have read they seldom mention the firewall rule I had to add to allow access from WAN1_GW to VPN_GW. I did not get internet access for the clients in my LAN if this rule is not there...

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.