Netgate Discussion Forum

    "Backup" VPN Client server settings possible in pfsense?

    General pfSense Questions
    7 Posts 3 Posters 2.5k Views
    • Guest

      My pfSense setup uses one "clear", so to speak, network and one network where pfSense is set up as an OpenVPN client, so that every device connected to that network is routed through my VPN provider.

      The current VPN provider I use has multiple servers in one country and has a clustered "resolver", meaning that, although you can connect to a server directly, you can also connect to the country resolver (for instance de.myvpnprovider.net), and it will redirect you to one of the servers (German, in my example) that are online.

      Normally, connecting directly to a specific server (for instance de02.myvpnprovider.net) is not an issue at all. The problem arises if that server disconnects.
      For my setup, using the resolver, it's not a problem, because pfSense reconnects to the resolver, and it will route me to a different server, sensing that de02 is down.
      Since I am using pfSense, and not provider-specific VPN software, the resolver setup will only work (I think) if all servers in that cluster have the same CA and certificate, which my current provider has.

      However, the provider I am looking at changing to has a different CA and certificate for every server, and does not use a clustered resolver in the same way. All servers are standalone.

      Therefore, when using pfSense, I will have to connect to a specific server. So if in turn that server goes down, my pfSense will hammer away at the same server until it is back online, leaving my network without a connection.

      So my question is this, is there a feature or possibility of having a "backup" server in the pfSense configuration with a different set of CA and Certificates but following the same local firewall rules, so that if no connection to the primary can be established, it uses the backup?

      I don't know if this feature is already present, and has a more appropriate name attached to it, but I'm a network and pfSense novice at best, and this was my best attempt at describing my problem :)

      Thanks for your help!

      • Derelict LAYER 8 Netgate

        I don't know of a way to have one pfSense instance use a different set of credentials for different remotes.

        You might look at creating two different instances and putting them in a failover gateway group like a regular multi-WAN and policy routing to the group instead.

        If that sort of redundancy is what you are after, you might consider a different VPN provider. One with different IP addresses/FQDNs for the server locations but the same set of certificates / credentials on each. Then you can just add another "remote" to the advanced config. Like this: https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN#Configure_Clients

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Pippin

          Yeah ^^^

          And to add, OpenVPN supports <connection>…</connection> blocks.

          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
          Halton Arp

          • Derelict LAYER 8 Netgate
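An added example, not from this thread or from Netgate, showing what the `<connection>` blocks Pippin mentions look like in a real client profile and how they relate to the CA question in the first post. OpenVPN does not allow `ca`, `cert`, `key`, `tls-auth` or `tls-crypt` inside a `<connection>` block, so per-server credentials cannot be switched that way; but the single `ca` directive accepts a file with several CA certificates concatenated, so a provider whose servers differ only in hostname and signing CA can still be driven from one client instance. The script takes the provider's per-server `.ovpn` files, reports how many distinct CAs they carry (the check behind the "same CA on all servers" assumption made above), and merges them into one profile with a CA bundle and one `<connection>` block per server. It assumes the profiles share their authentication method and TLS key material; the `example.net` hostnames and the certificate bodies are constructed placeholders, not real provider data. If the pfSense custom options field does not accept the angle-bracket syntax, as Derelict suspects below, the same bundle works with one plain `remote` line per server, which OpenVPN treats as a simple connection list.

```shell
#!/bin/sh
# Added example, not from the thread: merge a VPN provider's per-server
# OpenVPN profiles into one client profile that fails over between servers.
# Each server's CA goes into a single <ca> bundle (OpenVPN accepts several
# concatenated certificates there) and each server gets a <connection> block,
# because ca/cert/key/tls-auth/tls-crypt are not legal inside <connection>.
# Assumption: the profiles share their auth method and TLS key material.
# Hostnames (*.example.net) and certificate bodies are constructed placeholders.

set -eu

# Print the lines between <TAG> and </TAG> of an .ovpn file (CRLF tolerated).
ovpn_block() {            # ovpn_block FILE TAG
    tr -d '\r' < "$1" | awk -v tag="$2" '
        $0 == ("</" tag ">") { inside = 0 }
        inside               { print }
        $0 == ("<" tag ">")  { inside = 1 }'
}

# Hex SHA-256 of stdin, with whichever digest tool is installed.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 | cut -d' ' -f1
    else openssl dgst -sha256 | sed 's/^.*= *//'
    fi
}

# Fingerprint of a profile's <ca> block; blank lines are ignored so the same
# CA pasted with different spacing still matches.
ca_fingerprint() {        # ca_fingerprint FILE
    ovpn_block "$1" ca | grep -v '^[[:space:]]*$' | _sha256
}

# Number of distinct CAs across the given profiles: 1 means every server is
# signed by the same CA and a plain list of "remote" lines would already work.
distinct_cas() {          # distinct_cas FILE...
    for f in "$@"; do ca_fingerprint "$f"; done | sort -u | wc -l | tr -d ' '
}

# Write OUT: global options of the first profile (minus its <ca> block and
# per-server remote/proto/port lines), a deduplicated <ca> bundle, then one
# <connection> block per input profile. OpenVPN tries the blocks in order
# and moves on when a server is unreachable.
merge_profiles() {        # merge_profiles OUT FILE...
    out=$1; shift
    first=$1
    {
        echo "# merged from $# provider profiles"
        tr -d '\r' < "$first" | awk '
            /^<ca>$/ { skip = 1 }
            !skip && $1 != "remote" && $1 != "proto" && $1 != "port" { print }
            /^<\/ca>$/ { skip = 0 }'
        echo "<ca>"
        seen=" "
        for f in "$@"; do
            fp=$(ca_fingerprint "$f")
            case "$seen" in *" $fp "*) continue ;; esac
            seen="$seen$fp "
            ovpn_block "$f" ca
        done
        echo "</ca>"
        for f in "$@"; do
            echo "<connection>"
            tr -d '\r' < "$f" | awk '$1 == "remote" || $1 == "proto" || $1 == "port" { print }'
            echo "</connection>"
        done
    } > "$out"
}

# Constructed sample profiles: de02 and de05 have different CAs; de07 is
# served by the same CA as de05, so the bundle must contain two CAs, not three.
make_samples() {          # make_samples DIR
    mkdir -p "$1"
    for s in de02 de05; do
        cat > "$1/$s.ovpn" <<EOF
client
dev tun
remote $s.example.net 1194
proto udp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-FOR-$s
-----END CERTIFICATE-----
</ca>
EOF
    done
    sed 's/de05\.example/de07.example/' "$1/de05.ovpn" > "$1/de07.ovpn"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_samples "$d"
    echo "distinct CAs across profiles: $(distinct_cas "$d"/*.ovpn)"
    merge_profiles "$d/merged.conf" "$d"/*.ovpn
    cat "$d/merged.conf"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the sample profiles merged, or point `distinct_cas` at a real provider's download to answer the "same CA everywhere?" question before deciding between the single-instance and two-instance setups. One caveat worth keeping in mind: `verify-x509-name` and `remote-cert-tls` are global, so with a bundle any server in the list may present a certificate from any of the bundled CAs; only bundle CAs that belong to the same operator.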

            I don't know that that is possible with the current GUI. I would be surprised if the advanced option field would allow < >

            • Pippin

              Good point, didn't think about that.

              • Guest

                Thank you for your replies.

                Trouble is that most of the better VPN providers set up their servers with different CAs and certificates. They have a sort of resolver function, but that is usually included in their proprietary software, and not available for "generic" setups like pfSense, or even connecting from Linux.

                Derelict,
                This failover gateway group that you mentioned. Is there some more information on this other than;
                https://doc.pfsense.org/index.php/Multi-WAN#Failover
                that is more related to my issue? I could not find anything.

                • Derelict LAYER 8 Netgate

                  I doubt it. Your situation seems new to me.

                  All of the walkthroughs that cover routing traffic out public VPN providers should apply. You will just be doing everything twice, making a gateway group of the two VPN endpoints, and routing to that gateway group instead of the single gateway.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.