Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Dual-WAN access configuration

    Scheduled Pinned Locked Moved OpenVPN
    9 Posts 5 Posters 1.5k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C Offline
      chitchat
      last edited by

      OVPN newbie here. I'm trying to configure my dual-WAN Netgate 3100 for access from outside on both WANs.

      Using the wizard, I've successfully configured one service connection on WAN. But I can't get the second service to work on OPT1.

      The docs say:

      "Local port
      The port number upon which OpenVPN will listen for incoming connections from peers. Firewall rules must allow traffic to this port and this port must be specified in the client configuration.

      The port for each server must be unique for each interface when using a standard UDP or TCP Protocol choice and must be globally unique if using a multihome Protocol."

      My working OVPN server on WAN is using port 1194. Since the docs say "the port for each server must be unique" I've set the OPT1 server to use port 1195.

      Per the docs I'm trying to set a firewall rule to allow traffic on port 1195. However, the firewall rule dropdown menu doesn't present a choice for port 1195 - only 1194.

      Is there some place where I am supposed to configure port 1195 to be available in the dropdown? Or is there something I misunderstand in the configuration?

      Thanks in advance!

      Screenshot 2025-09-23 at 11.55.33 AM.png Screenshot 2025-09-23 at 11.54.37 AM.png Screenshot 2025-09-23 at 11.53.50 AM.png .

      M 1 Reply Last reply Reply Quote 0
      • M Offline
        mcury Rebel Alliance @chitchat
        last edited by

        @chitchat
        My two cents:

        Configure openvpn to tisten on localhost.
        Create a portforward in both WANs, from the Internet (any), to 127.0.0.1 port 1194 UDP.
        Use DDNS or configure two remote entries in the .ovpn, with a timeout of 2 seconds.

        dead on arrival, nowhere to be found.

        1 Reply Last reply Reply Quote 0
        • chpalmerC Offline
          chpalmer
          last edited by chpalmer

          Other. 1195.. however if this is for failover when you should use 1194 on that interface as well..

          The solution provided above seems interesting..

          If you are truly looking for multiple VPN instances then yes you do need to use a different port.

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          1 Reply Last reply Reply Quote 0
          • C Offline
            chitchat
            last edited by

            I configured both servers to listen on 1194 - that worked!

            My newbie skills do not understand how that should work. I would have thought that the two servers would trip over themselves trying to listen to the same port.

            Here's a related question - I'm trying to troubleshoot why I can't sucessfully connect via OpenVPN connect with my mobile phone over a certain cellular carrier. One carrier works, another doesn't.

            A suggestion was made that one carrier might be blocking UDP, so to set the OVPN server to use TCP instead (I know this is frowned upon for performance reasons).

            Can I set one OVPN server to use UDP and another OVPN server to use TCP, both listening on port 1194? Is that viable?

            Right now I'm remote, and the only access I have to the Netgate router is via the current OVPN setup. I'm afraid of borking things up and getting myself locked out by doing seemingly screwy like the above.

            Thanks.

            N 1 Reply Last reply Reply Quote 0
            • N Offline
              netblues @chitchat
              last edited by

              @chitchat said in Dual-WAN access configuration:

              Can I set one OVPN server to use UDP and another OVPN server to use TCP, both listening on port 1194? Is that viable

              Yes, of course.

              1 Reply Last reply Reply Quote 0
              • P Online
                pwood999
                last edited by

                The suggestion above by @mcury is the easiest method. It also means routes configured for VPN clients still apply regardless of which WAN they connect via.

                In the .ovpn client file, you simply have two remote entries:

                remote [WAN-1 Public IP Address] 1194 udp4
                remote [WAN-2 Public IP Address] 1194 udp4

                Pete

                C 1 Reply Last reply Reply Quote 0
                • C Offline
                  chitchat @pwood999
                  last edited by

                  @pwood999 As I said, I'm a newbie with OVPN, and I'm too sqeamish to try the @mcury solution without understanding what I'm doing, and GUI screenshots. Especially while I'm remote and could screw something up and get myself locked out.

                  As to your suggestion, first, thanks for that! But as I described it, one of the OVPN servers will be configured as accepting TCP and one UDP. So in the lines you were suggesting for the .ovpn file, shouldn't one of those servers show "TCP" (or is it "TCP4"?).

                  So more like:

                  remote [WAN-1 Public IP Address] 1194 tcp4
                  remote [WAN-2 Public IP Address] 1194 udp4

                  Do the above entries work even if I'm not doing the @mcury thing? Right now, I have two different .ovpn client files - that's how the GUI menu does it - one for each WAN, depending upon which one I try to attach to.

                  Thanks.

                  N P 2 Replies Last reply Reply Quote 0
                  • N Offline
                    netblues @chitchat
                    last edited by

                    @chitchat
                    It is tcp4 and udp4

                    Works for any configuration too

                    1 Reply Last reply Reply Quote 0
                    • P Online
                      pwood999 @chitchat
                      last edited by pwood999

                      @chitchat Assuming the two VPN servers use all the same certs then it should be ok.

                      In my case the single VPN server listens on Localhost. Then there's two port-forwards (one for each WAN) to the same VPN server.

                      eed1a7f9-d88e-4da3-bb46-e723e73ed01e-image.png

                      6d8d4837-2ea9-43eb-95c0-08358cd644b3-image.png

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.